Ah, stupid me.
When using Windows XP you must generate a keytab that does not use the
AES enctype. If you include the AES enctype when generating keys for the
host, you are telling the KDC that the host knows how to use AES.

You should probably just use arcfour only for WinXP, as that client only
understands RC4 and DES, and DES is not worth using.

Simo.

On Mon, 2011-09-19 at 15:53 -0400, Jimmy wrote:
> I have a WinXP client configured to authenticate now but it looks like
> FreeIPA is sending the ticket encrypted with AES and XP does not
> support AES. The user is getting authenticated, just not able to
> decrypt the ticket.
> 
> Sep 19 19:50:36 csp-idm.pdh.csp krb5kdc[1246](info): AS_REQ (7 etypes
> {23 -133 -128 3 1 24 -135}) 192.168.201.150: NEEDED_PREAUTH:
> o...@pdh.csp for krbtgt/pdh....@pdh.csp, Additional pre-authentication
> required
> Sep 19 19:50:36 csp-idm.pdh.csp krb5kdc[1246](info): AS_REQ (1 etypes
> {23}) 192.168.201.150: ISSUE: authtime 1316461836, etypes {rep=23
> tkt=18 ses=23}, o...@pdh.csp for krbtgt/pdh....@pdh.csp
> Sep 19 19:50:37 csp-idm.pdh.csp krb5kdc[1246](info): TGS_REQ (7 etypes
> {23 -133 -128 3 1 24 -135}) 192.168.201.150: ISSUE: authtime
> 1316461836, etypes {rep=23 tkt=18 ses=23}, o...@pdh.csp for
> host/crm1.pdh....@pdh.csp
> 
> On Mon, Sep 19, 2011 at 1:32 PM, Simo Sorce <s...@redhat.com> wrote:
>         On Mon, 2011-09-19 at 13:05 -0400, Jimmy wrote:
>         > Once I changed the password for 'admin' I now get this error on the
>         > Windows system:
>         >
>         > Insufficient system resources exist to complete the requested service
>         >
>         > and get this in the log no matter if I use the correct (changed)
>         > password or if I use a known bad password:
>         > Sep 19 17:01:19 csp-idm.pdh.csp krb5kdc[1246](info): AS_REQ (7 etypes
>         > {18 17 23 3 1 24 -135}) 192.168.201.9: NEEDED_PREAUTH: ad...@pdh.csp
>         > for krbtgt/pdh....@pdh.csp, Additional pre-authentication required
>         >
>         > I even deleted the user and all associated profile information on the
>         > Windows system and still it won't work any more.
>         
>         OK, somehow we generate a key the Windows client doesn't like or doesn't
>         know how to work with, while MIT's clients are just fine with it.
>         The way we generate keys is by setting a special random seed that is
>         handed back to the client when the preauth error is generated; perhaps
>         Windows is not liking what it sees?
>         
>         Any chance you can try with an older client? I wonder if it is a
>         regression in Win7.
>         
>         Simo.
>         
>         --
>         Simo Sorce * Red Hat, Inc * New York
>         
> 

-- 
Simo Sorce * Red Hat, Inc * New York

_______________________________________________
Freeipa-users mailing list
Freeipa-users@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-users
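The diagnosis above rests on reading the KDC's "etypes {rep=.. tkt=.. ses=..}" field: rep and ses are what the requesting client must handle, while tkt is the enctype of the service's own key. When the service is the XP workstation's host/ principal and tkt=18 (AES256), the ticket is one that workstation can never decrypt, because its keytab was generated with an AES key it cannot use. The script below is an added example written for this thread, not code from FreeIPA or from either poster: it parses krb5kdc log lines of the shape quoted above (the three sample lines are constructed, with made-up host, realm and address), flags host tickets issued with an enctype outside the RC4/DES set XP supports, and shows the ipa-getkeytab invocation (its real -e/--enctypes option) that regenerates a host keytab with an arcfour-hmac key only. The names xpbox.example.test, ipa.example.test and EXAMPLE.TEST are assumptions for the example.

```shell
#!/bin/sh
# Added example for this thread (not code from FreeIPA or from the posters).
# 1. Pull the offered enctypes and the issued ticket enctype out of krb5kdc
#    log lines like the ones quoted above and flag a host ticket that a
#    Windows XP machine cannot decrypt.
# 2. Show the ipa-getkeytab call that regenerates a host keytab with RC4 only.
# Host, realm, server and address below are made up for the example.

# Enctypes an XP host key may use: RC4-HMAC (23) and, if you must, DES (1, 3).
XP_ETYPES='23 1 3'

# Constructed log lines modelled on the thread's output (not real captures).
SAMPLE_BAD='Sep 19 19:50:37 ipa.example.test krb5kdc[1246](info): TGS_REQ (7 etypes {23 -133 -128 3 1 24 -135}) 192.0.2.150: ISSUE: authtime 1316461836, etypes {rep=23 tkt=18 ses=23}, jimmy@EXAMPLE.TEST for host/xpbox.example.test@EXAMPLE.TEST'
SAMPLE_OK='Sep 19 19:55:02 ipa.example.test krb5kdc[1246](info): TGS_REQ (7 etypes {23 -133 -128 3 1 24 -135}) 192.0.2.150: ISSUE: authtime 1316461836, etypes {rep=23 tkt=23 ses=23}, jimmy@EXAMPLE.TEST for host/xpbox.example.test@EXAMPLE.TEST'
SAMPLE_PREAUTH='Sep 19 19:50:36 ipa.example.test krb5kdc[1246](info): AS_REQ (7 etypes {23 -133 -128 3 1 24 -135}) 192.0.2.150: NEEDED_PREAUTH: jimmy@EXAMPLE.TEST for krbtgt/EXAMPLE.TEST@EXAMPLE.TEST, Additional pre-authentication required'

# Name for an RFC 3961 enctype number; negative numbers are vendor-private
# (the Microsoft RC4 variants XP advertises), which an MIT KDC never selects.
etype_name() {
    case "$1" in
        1)  echo des-cbc-crc ;;
        3)  echo des-cbc-md5 ;;
        16) echo des3-cbc-sha1 ;;
        17) echo aes128-cts-hmac-sha1-96 ;;
        18) echo aes256-cts-hmac-sha1-96 ;;
        23) echo arcfour-hmac ;;
        24) echo arcfour-hmac-exp ;;
        -*) echo "vendor-private($1)" ;;
        *)  echo "unknown($1)" ;;
    esac
}

# The enctypes the client offered in an AS_REQ/TGS_REQ, e.g. "23 -133 -128 3 1 24 -135".
offered_etypes() {
    printf '%s\n' "$1" | sed -n 's/.*_REQ ([0-9]* etypes {\([^}]*\)}).*/\1/p'
}

# The enctype the issued ticket is encrypted with (tkt=NN); empty for non-ISSUE lines.
ticket_etype() {
    printf '%s\n' "$1" | sed -n 's/.*etypes {rep=[-0-9]* tkt=\([-0-9]*\) ses=[-0-9]*}.*/\1/p'
}

# The service principal the ticket was issued for (last field of an ISSUE line).
service_principal() {
    printf '%s\n' "$1" | sed -n 's/.* for \([^ ]*\)$/\1/p'
}

# 0: ticket enctype is in the allowed set ($2, default XP_ETYPES); 1: it is not,
# so the XP host owning that key cannot decrypt it; 2: not a TGS_REQ ISSUE line.
xp_ticket_ok() {
    line=$1 allowed=${2:-$XP_ETYPES}
    case "$line" in *TGS_REQ*ISSUE:*) ;; *) return 2 ;; esac
    tkt=$(ticket_etype "$line")
    [ -n "$tkt" ] || return 2
    for e in $allowed; do
        [ "$e" = "$tkt" ] && return 0
    done
    return 1
}

# One-line verdict for a log line.
report_line() {
    line=$1 status=0
    xp_ticket_ok "$line" || status=$?
    tkt=$(ticket_etype "$line")
    case $status in
        0) echo "ok: $(service_principal "$line") ticket uses tkt=$tkt ($(etype_name "$tkt"))" ;;
        1) echo "MISMATCH: $(service_principal "$line") ticket uses tkt=$tkt ($(etype_name "$tkt")), not in {$XP_ETYPES}; regenerate that host's keytab with -e arcfour-hmac" ;;
        *) echo "skip: not a TGS_REQ ISSUE line" ;;
    esac
}

# Regenerate the XP host's keytab with an RC4 key only, then list what is in it.
# Runs against a live IPA server, so it is defined here but not called.
# Caveat: ipa-getkeytab creates a new key (new kvno), so every other copy of
# this host's keytab stops working and must be replaced.
regen_xp_keytab() {
    host=$1 server=$2 realm=$3 out=$4
    ipa-getkeytab -s "$server" -p "host/$host@$realm" -k "$out" -e arcfour-hmac &&
        klist -ket "$out"   # only arcfour-hmac entries should appear
}

report_line "$SAMPLE_PREAUTH"
report_line "$SAMPLE_BAD"
report_line "$SAMPLE_OK"
# regen_xp_keytab xpbox.example.test ipa.example.test EXAMPLE.TEST /root/xpbox.keytab
```

Run against a real KDC log with something like `grep TGS_REQ /var/log/krb5kdc.log | while read -r l; do report_line "$l"; done` after sourcing the functions; the MISMATCH lines name exactly the host principals whose keytabs need regenerating. The check is deliberately limited to tkt, since rep=23 and ses=23 in the thread's log are already within what the XP client offered.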
