On Mon, 2011-09-19 at 16:17 -0400, Jimmy wrote:
> According to this:
> http://mit.edu/kerberos/krb5-1.5/krb5-1.5.4/doc/krb5-admin/Supported-Encryption-Types.html
>  there are a ton of encryption options that XP does support, but I always get 
> this error if I define anything specific in the keytab:

I know for a fact that stock WinXP supports only RC4 and DES, no 3DES
nor AES support there.

If you create the host keytab with only RC4 you should be able to make
WinXP happy.

> Sep 19 20:09:30 csp-idm.pdh.csp krb5kdc[1246](info): AS_REQ (7 etypes
> {23 -133 -128 3 1 24 -135}) NEEDED_PREAUTH:
> o...@pdh.csp for krbtgt/pdh....@pdh.csp, Additional pre-authentication
> required
> Sep 19 20:09:30 csp-idm.pdh.csp krb5kdc[1246](info): AS_REQ (1 etypes
> {23}) ISSUE: authtime 1316462970, etypes {rep=23
> tkt=18 ses=23}, o...@pdh.csp for krbtgt/pdh....@pdh.csp
> Sep 19 20:09:31 csp-idm.pdh.csp krb5kdc[1246](info): TGS_REQ (7 etypes
> {23 -133 -128 3 1 24 -135}) BAD_ENCRYPTION_TYPE:
> authtime 0, o...@pdh.csp for host/crm1.pdh....@pdh.csp, KDC has no
> support for encryption type

> There is a fix for Win7. I have a technet article I will post the link
> as soon as I can.

Yes please let me know the link, I will try to investigate any Win7/W2K8
issues with AES and random salts asap, but not this week probably.

> I had the Win7 system working with the freeipa 'admin' user before I
> changed the admin user password, now it's broken. The MIT KFW client
> can authenticate and get a ticket, but I need to get the native
> windows authentication working.


If AES is the issue, you could reconfigure FreeIPA to not allow AES; not
ideal, but it would be the fastest solution. It will probably also
require changing all passwords, though.


Simo Sorce * Red Hat, Inc * New York

Freeipa-users mailing list
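
Added example (not part of the original message, and not FreeIPA or MIT Kerberos code): a small parser for krb5kdc request lines in the layout quoted above, which names the etypes a client offered and shows which enctypes of a planned host keytab the client could use. The sample lines are constructed with placeholder principals, the function names are hypothetical, and comparing the offered list with the key enctypes is a simplification of the KDC's own selection logic.

```python
import re

# Kerberos enctype numbers (IANA registry); negative values are vendor-private.
ETYPES = {1: "des-cbc-crc", 3: "des-cbc-md5", 16: "des3-cbc-sha1",
          17: "aes128-cts-hmac-sha1-96", 18: "aes256-cts-hmac-sha1-96",
          23: "rc4-hmac", 24: "rc4-hmac-exp"}

# Matches request lines in the layout quoted in this thread; the optional
# IPv4 field covers logs that also record the client address.
REQ = re.compile(r"(AS_REQ|TGS_REQ) \(\d+ etypes \{([-\d ]+)\}\) "
                 r"(?:\d+(?:\.\d+){3}: )?([A-Z_]+): .*? for ([^\s,]+)")

def parse(line):
    """Return (request, offered etype list, status, service) or None."""
    m = REQ.search(line)
    if not m:
        return None
    return m.group(1), [int(e) for e in m.group(2).split()], m.group(3), m.group(4)

def name(etype):
    """Readable name for an etype number; unlisted values stay numeric."""
    return ETYPES.get(etype, "private(%d)" % etype if etype < 0 else "unknown(%d)" % etype)

def usable_key_etypes(offered, key_etypes):
    """Enctypes of the service's keys that the client also offered."""
    return [e for e in key_etypes if e in offered]

def report(lines, key_etypes):
    """For each BAD_ENCRYPTION_TYPE line: (service, offered names, overlap names)."""
    out = []
    for line in lines:
        rec = parse(line)
        if rec and rec[2] == "BAD_ENCRYPTION_TYPE":
            common = usable_key_etypes(rec[1], key_etypes)
            out.append((rec[3], [name(e) for e in rec[1]], [name(e) for e in common]))
    return out

# Constructed sample lines: the etype lists are the ones quoted in the
# thread, the principals are placeholders.
SAMPLE = [
    "krb5kdc[1246](info): AS_REQ (1 etypes {23}) ISSUE: authtime 1316462970, "
    "etypes {rep=23 tkt=18 ses=23}, user@EXAMPLE.TEST for krbtgt/EXAMPLE.TEST@EXAMPLE.TEST",
    "krb5kdc[1246](info): TGS_REQ (7 etypes {23 -133 -128 3 1 24 -135}) "
    "BAD_ENCRYPTION_TYPE: authtime 0, user@EXAMPLE.TEST for "
    "host/client.example.test@EXAMPLE.TEST, KDC has no support for encryption type",
]

if __name__ == "__main__":
    for keys in ([17, 18], [23]):  # AES-only keys vs. RC4-only keys
        print([name(k) for k in keys], report(SAMPLE, keys))
```

With AES-only keys the overlap for the failing TGS_REQ is empty; with an RC4-only key set it is `rc4-hmac`, the first etype in the client's offered list.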
