I have a WinXP client configured to authenticate now but it looks like
FreeIPA is sending the ticket encrypted with AES and XP does not support
AES. The user is getting authenticated, just not able to decrypt the ticket.

Sep 19 19:50:36 csp-idm.pdh.csp krb5kdc[1246](info): AS_REQ (7 etypes {23
-133 -128 3 1 24 -135}) 192.168.201.150: NEEDED_PREAUTH: o...@pdh.csp for
krbtgt/pdh....@pdh.csp, Additional pre-authentication required
Sep 19 19:50:36 csp-idm.pdh.csp krb5kdc[1246](info): AS_REQ (1 etypes {23})
192.168.201.150: ISSUE: authtime 1316461836, etypes {rep=23 tkt=18 ses=23},
o...@pdh.csp for krbtgt/pdh....@pdh.csp
Sep 19 19:50:37 csp-idm.pdh.csp krb5kdc[1246](info): TGS_REQ (7 etypes {23
-133 -128 3 1 24 -135}) 192.168.201.150: ISSUE: authtime 1316461836, etypes
{rep=23 tkt=18 ses=23}, o...@pdh.csp for host/crm1.pdh....@pdh.csp


On Mon, Sep 19, 2011 at 1:32 PM, Simo Sorce <s...@redhat.com> wrote:

> On Mon, 2011-09-19 at 13:05 -0400, Jimmy wrote:
> > Once I changed the password for 'admin' I now get this error on the
> > windows system:
> >
> >
> >
> > Insufficient system resources exist to complete the requested service
> >
> >
> > and get this in the log no matter if I use the correct(changed)
> > password or if I use a known bad password:
> > Sep 19 17:01:19 csp-idm.pdh.csp krb5kdc[1246](info): AS_REQ (7 etypes
> > {18 17 23 3 1 24 -135}) 192.168.201.9: NEEDED_PREAUTH: ad...@pdh.csp
> > for krbtgt/pdh....@pdh.csp, Additional pre-authentication required
> >
> >
> > I even deleted the user and all associated profile information on the
> > windows system and still it won't work any more.
> >
> >
> Ok somehow we generate a key the windows client doesn't like or know how
> to work with. While MIT's clients are just fine with.
> The way we generate keys is by setting a special random seed that is
> handed back to the client when the preauth error is generated, perhaps
> Windows is not liking what it sees ?
>
> Any chance you can try with an older client, I wonder if it is a
> regression in win7 ?
>
> Simo.
>
> --
> Simo Sorce * Red Hat, Inc * New York
>
>
_______________________________________________
Freeipa-users mailing list
Freeipa-users@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-users

Reply via email to