I just found that the FreeIPA user 'admin' can log in with no issues on the
Windows system, with no changes from the config that I was attempting to use
with a newly created IPA user. So authentication from the workstation works
if the user has a known, non-expired password. It seems the kpasswd function
is not working. I will test more and post results. Here are logs from a
successful login for admin:

Sep 19 15:27:03 csp-idm.pdh.csp krb5kdc[1246](info): AS_REQ (7 etypes {18 17
23 3 1 24 -135}) 192.168.201.9: NEEDED_PREAUTH: ad...@pdh.csp for
krbtgt/pdh....@pdh.csp, Additional pre-authentication required
Sep 19 15:27:03 csp-idm.pdh.csp krb5kdc[1246](info): AS_REQ (7 etypes {18 17
23 3 1 24 -135}) 192.168.201.9: ISSUE: authtime 1316446023, etypes {rep=18
tkt=18 ses=18}, ad...@pdh.csp for krbtgt/pdh....@pdh.csp
Sep 19 15:27:03 csp-idm.pdh.csp krb5kdc[1246](info): TGS_REQ (7 etypes {18
17 23 3 1 24 -135}) 192.168.201.9: ISSUE: authtime 1316446023, etypes
{rep=18 tkt=18 ses=18}, ad...@pdh.csp for host/ews1.pdh....@pdh.csp

On Mon, Sep 19, 2011 at 11:13 AM, Simo Sorce <s...@redhat.com> wrote:

> On Mon, 2011-09-19 at 10:58 -0400, Jimmy wrote:
> > I think you're on to something here. I just reset the user's password
> > on IPA and get the "password expired" message but I get that
> > regardless of what I enter for the user's password. I'm confused as to
> > why I can make the user auth work with a normal KDC but I'm having so
> > much trouble with IPA-KDC. Going to wipe the Win7 config and start
> > fresh on that system.
>
> Not sure why you are having trouble, the KDC component of IPA is a stock
> MIT KDC with LDAP backend.
> >
> Simo.
>
> --
> Simo Sorce * Red Hat, Inc * New York
>
>
_______________________________________________
Freeipa-users mailing list
Freeipa-users@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-users
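
The krb5kdc lines in the message above, parsed as an added example (not part of the original thread, and not FreeIPA or MIT code): it rejoins records that mail wrapping split across lines and reports, per request, the outcome, the ticket encryption type and the weak types the client offered. The sample principals, host names and addresses are constructed; the etype names follow the IANA Kerberos registry.

```python
import re

# Kerberos etype numbers (IANA registry); negative values are local-use.
ETYPES = {1: "des-cbc-crc", 3: "des-cbc-md5", 17: "aes128-cts-hmac-sha1-96",
          18: "aes256-cts-hmac-sha1-96", 23: "rc4-hmac", 24: "rc4-hmac-exp"}
WEAK = {1, 3, 23, 24}  # single-DES and RC4 types
STAMP = re.compile(r"^[A-Z][a-z]{2} [ \d]\d \d\d:\d\d:\d\d ")  # syslog timestamp
REC = re.compile(
    r"krb5kdc\[\d+\]\(info\): (?P<req>AS_REQ|TGS_REQ) \(\d+ etypes "
    r"\{(?P<offered>[-\d ]+)\}\) (?P<ip>\S+): (?P<status>[A-Z_]+): "
    r"(?:authtime \d+, etypes \{rep=-?\d+ tkt=(?P<tkt>-?\d+) ses=-?\d+\}, )?"
    r"(?P<client>\S+) for (?P<service>[^\s,]+)")

# Constructed sample in the format of the log lines above, wrapped as mail wraps them.
SAMPLE = """\
Sep 19 15:27:03 kdc.example.test krb5kdc[1246](info): AS_REQ (7 etypes {18 17
23 3 1 24 -135}) 192.0.2.9: NEEDED_PREAUTH: alice@EXAMPLE.TEST for
krbtgt/EXAMPLE.TEST@EXAMPLE.TEST, Additional pre-authentication required
Sep 19 15:27:03 kdc.example.test krb5kdc[1246](info): AS_REQ (7 etypes {18 17
23 3 1 24 -135}) 192.0.2.9: ISSUE: authtime 1316446023, etypes {rep=18
tkt=18 ses=18}, alice@EXAMPLE.TEST for krbtgt/EXAMPLE.TEST@EXAMPLE.TEST
Sep 19 15:27:03 kdc.example.test krb5kdc[1246](info): TGS_REQ (7 etypes {18
17 23 3 1 24 -135}) 192.0.2.9: ISSUE: authtime 1316446023, etypes
{rep=18 tkt=18 ses=18}, alice@EXAMPLE.TEST for host/ws1.example.test@EXAMPLE.TEST
"""

def unwrap(text):
    """Rejoin wrapped records: a new record starts with a syslog timestamp."""
    records = []
    for line in filter(None, map(str.strip, text.splitlines())):
        if STAMP.match(line) or not records:
            records.append(line)
        else:
            records[-1] += " " + line
    return records

def name(etype):
    return ETYPES.get(etype, f"local-use({etype})" if etype < 0 else f"unknown({etype})")

def analyze(text):
    """Return one dict per KDC request: outcome, ticket etype, etypes offered."""
    rows = []
    for m in filter(None, map(REC.search, unwrap(text))):
        offered = [int(n) for n in m["offered"].split()]
        rows.append({"req": m["req"], "status": m["status"],
                     "client": m["client"], "service": m["service"],
                     "ticket_etype": name(int(m["tkt"])) if m["tkt"] else None,
                     "offered": [name(e) for e in offered],
                     "weak_offered": [name(e) for e in offered if e in WEAK]})
    return rows
```

Calling `analyze(SAMPLE)` returns three rows: the pre-authentication challenge, the issued TGT, and the issued host service ticket.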