On 09/30/2013 10:59 PM, Mohan Cheema wrote: >> -----Original Message----- >> From: freeipa-users-boun...@redhat.com [mailto:freeipa-users- >> boun...@redhat.com] On Behalf Of Sumit Bose >> Sent: Monday, September 30, 2013 3:47 PM >> To: freeipa-users@redhat.com >> Subject: Re: [Freeipa-users] krb5kdc Additional pre-authentication >> required >> >> On Mon, Sep 30, 2013 at 03:20:46PM +0100, Mohan Cheema wrote: >>> Hi, >>> >>> >>> >>> We are trying to authenticate from Windows machine and getting below >> error. >>> >>> >>> -------------------- >>> Sep 30 14:07:34 kdc1.domain.com krb5kdc[10105](info): AS_REQ (7 >> etypes {18 >>> 17 23 3 1 24 -135}) 10.43.2.45: NEEDED_PREAUTH: u...@domain.com for >>> krbtgt/domain....@domain.com, Additional pre-authentication required >> This is expected behaviour. The client will first send the AS-REQ >> without any pre-authentication data. If the server requires >> pre-authentication for this principal it will return this error to the >> client to indicate that pre-authentication is expected. >>> Sep 30 14:07:34 kdc1.domain.com krb5kdc[10105](info): AS_REQ (7 >> etypes {18 >>> 17 23 3 1 24 -135}) 10.43.2.45: ISSUE: authtime 1380550054, etypes >> {rep=18 >>> tkt=18 ses=18}, u...@domain.com for krbtgt/domain....@domain.com >> In the second AS-REQ the client has included some pre-authentication >> data which is accepted by the KDC and a ticket is issued to the client. >> >> HTH >> >> bye, >> Sumit >> >>> Sep 30 14:07:34 kdc1.domain.com krb5kdc[10105](info): TGS_REQ (7 >> etypes {18 >>> 17 23 3 1 24 -135}) 10.43.2.45: ISSUE: authtime 1380550054, etypes >> {rep=18 >>> tkt=23 ses=23}, u...@domain.com for host/av.domain....@domain.com >>> -------------------- >>> >>> >>> >>> We followed the instruction to integrate windows for authentication. >>> >>> >>> >>> Windows Client: Windows server 2008 R2 >>> >>> >>> >>> We are not able to figure out what the problem is. >>> >>> >>> >>> We are not using DNS server, instead we are using host file entries. >> DNS >>> server setup is not an option for us right now. >>> >>> >>> >>> Same user can authenticate from Linux machine. >>> >>> >>> >>> Regards, >>> >>> >>> >>> Mohan Cheema >>> >>> >>> >>> _______________________________________________ >>> Freeipa-users mailing list >>> Freeipa-users@redhat.com >>> https://www.redhat.com/mailman/listinfo/freeipa-users >> _______________________________________________ >> Freeipa-users mailing list >> Freeipa-users@redhat.com >> https://www.redhat.com/mailman/listinfo/freeipa-users > Thanks for the info Sumit. > > However, if ticket is issued user should be able to login to system. Instead > on Windows we are getting "user name or password is incorrect". Are there > any other setting that needs to be done so that user can login to system.
This thread seems to have no follow up. Was the problem solved? AFAIR for Windows system to allow the authentication one really needs to map user to a local user. There were some instructions in the HOWTO section of the IPA wiki. Have you checked them? > > Regards, > > Mohan > > _______________________________________________ > Freeipa-users mailing list > Freeipa-users@redhat.com > https://www.redhat.com/mailman/listinfo/freeipa-users -- Thank you, Dmitri Pal Sr. Engineering Manager for IdM portfolio Red Hat Inc. ------------------------------- Looking to carve out IT costs? www.redhat.com/carveoutcosts/ _______________________________________________ Freeipa-users mailing list Freeipa-users@redhat.com https://www.redhat.com/mailman/listinfo/freeipa-users
