On 10/03/2013 11:55 PM, Mohan Cheema wrote:
>> -----Original Message-----
>> From: Dmitri Pal [mailto:d...@redhat.com]
>> Sent: Friday, October 04, 2013 4:38 AM
>> To: Mohan Cheema
>> Cc: freeipa-users@redhat.com
>> Subject: Re: [Freeipa-users] krb5kdc Additional pre-authentication required
>>
>> On 10/03/2013 11:15 PM, Mohan Cheema wrote:
>>> Hi Dmitri,
>>>
>>> Yes, it's solved now. It didn't work with single user mapping; I had to map all
>>> users as per the HOWTO and it worked. Initially I was trying with just one
>>> user mapped to an IPA user, which didn't work.
>> Anything would be worth adding to the HOWTO based on your experience?
>
> I think just mentioning that one needs to map all the users instead of just a
> single user and create only those Windows users locally who will be accessing
> the machine.

Well, http://www.freeipa.org/page/Windows_authentication_against_FreeIPA states "...for each user..."

>
>>> Regards,
>>>
>>> Mohan
>>>
>>>> -----Original Message-----
>>>> From: freeipa-users-boun...@redhat.com [mailto:freeipa-users-boun...@redhat.com] On Behalf Of Dmitri Pal
>>>> Sent: Thursday, October 03, 2013 10:06 PM
>>>> To: freeipa-users@redhat.com
>>>> Subject: Re: [Freeipa-users] krb5kdc Additional pre-authentication required
>>>>
>>>> On 09/30/2013 10:59 PM, Mohan Cheema wrote:
>>>>>> -----Original Message-----
>>>>>> From: freeipa-users-boun...@redhat.com [mailto:freeipa-users-boun...@redhat.com] On Behalf Of Sumit Bose
>>>>>> Sent: Monday, September 30, 2013 3:47 PM
>>>>>> To: freeipa-users@redhat.com
>>>>>> Subject: Re: [Freeipa-users] krb5kdc Additional pre-authentication required
>>>>>>
>>>>>> On Mon, Sep 30, 2013 at 03:20:46PM +0100, Mohan Cheema wrote:
>>>>>>> Hi,
>>>>>>>
>>>>>>> We are trying to authenticate from a Windows machine and are getting the error below.
>>>>>>> --------------------
>>>>>>> Sep 30 14:07:34 kdc1.domain.com krb5kdc[10105](info): AS_REQ (7 etypes {18 17 23 3 1 24 -135}) 10.43.2.45: NEEDED_PREAUTH: u...@domain.com for krbtgt/domain....@domain.com, Additional pre-authentication required
>>>>>> This is expected behaviour. The client will first send the AS-REQ
>>>>>> without any pre-authentication data. If the server requires
>>>>>> pre-authentication for this principal it will return this error to the
>>>>>> client to indicate that pre-authentication is expected.
>>>>>>> Sep 30 14:07:34 kdc1.domain.com krb5kdc[10105](info): AS_REQ (7 etypes {18 17 23 3 1 24 -135}) 10.43.2.45: ISSUE: authtime 1380550054, etypes {rep=18 tkt=18 ses=18}, u...@domain.com for krbtgt/domain....@domain.com
>>>>>> In the second AS-REQ the client has included some pre-authentication
>>>>>> data which is accepted by the KDC and a ticket is issued to the client.
>>>>>>
>>>>>> HTH
>>>>>>
>>>>>> bye,
>>>>>> Sumit
>>>>>>
>>>>>>> Sep 30 14:07:34 kdc1.domain.com krb5kdc[10105](info): TGS_REQ (7 etypes {18 17 23 3 1 24 -135}) 10.43.2.45: ISSUE: authtime 1380550054, etypes {rep=18 tkt=23 ses=23}, u...@domain.com for host/av.domain....@domain.com
>>>>>>> --------------------
>>>>>>>
>>>>>>> We followed the instructions to integrate Windows for authentication.
>>>>>>>
>>>>>>> Windows Client: Windows server 2008 R2
>>>>>>>
>>>>>>> We are not able to figure out what the problem is.
>>>>>>>
>>>>>>> We are not using a DNS server; instead we are using host file entries. DNS
>>>>>>> server setup is not an option for us right now.
>>>>>>>
>>>>>>> The same user can authenticate from a Linux machine.
>>>>>>>
>>>>>>> Regards,
>>>>>>>
>>>>>>> Mohan Cheema
>>>>>>>
>>>>>>> _______________________________________________
>>>>>>> Freeipa-users mailing list
>>>>>>> Freeipa-users@redhat.com
>>>>>>> https://www.redhat.com/mailman/listinfo/freeipa-users
>>>>> Thanks for the info, Sumit.
>>>>>
>>>>> However, if a ticket is issued the user should be able to log in to the system. Instead,
>>>>> on Windows we are getting "user name or password is incorrect". Are there
>>>>> any other settings that need to be done so that the user can log in to the system?
>>>>
>>>> This thread seems to have no follow-up.
>>>> Was the problem solved?
>>>> AFAIR, for a Windows system to allow the authentication one really needs to
>>>> map the user to a local user.
>>>> There were some instructions in the HOWTO section of the IPA wiki.
>>>> Have you checked them?
>>>>
>>>>> Regards,
>>>>>
>>>>> Mohan
>>>>
>>>> --
>>>> Thank you,
>>>> Dmitri Pal
>>>>
>>>> Sr. Engineering Manager for IdM portfolio
>>>> Red Hat Inc.
>>
>> --
>> Thank you,
>> Dmitri Pal
>
> Regards,
>
> Mohan

--
Thank you,
Dmitri Pal
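
Added example (not part of the original thread or of FreeIPA): a small log check for the exchange Sumit describes, pairing each NEEDED_PREAUTH with the AS_REQ ISSUE that normally follows, so that only principals whose pre-authentication never completed stand out. The field layout is taken from the krb5kdc lines quoted above; the host names, principals and IP addresses in SAMPLE are constructed.

```python
import re

# Field layout assumed from the krb5kdc lines quoted in this thread.
LINE = re.compile(
    r"krb5kdc\[\d+\]\(info\): (?P<req>AS_REQ|TGS_REQ) \([^)]*\) "
    r"(?P<ip>\S+): (?P<status>[A-Z_]+): (?:.*, )?"
    r"(?P<client>\S+@\S+) for (?P<service>[^,\s]+)"
)

def classify(lines):
    """Pair each NEEDED_PREAUTH with the AS_REQ ISSUE that normally follows it."""
    pending = {}  # (ip, client) -> True while the second AS-REQ is awaited
    completed, service_tickets = [], []
    for line in lines:
        m = LINE.search(line)
        if not m:
            continue  # not an AS_REQ/TGS_REQ line in the expected layout
        key = (m["ip"], m["client"])
        if m["req"] == "AS_REQ" and m["status"] == "NEEDED_PREAUTH":
            pending[key] = True            # first round trip: expected, not a failure
        elif m["req"] == "AS_REQ" and m["status"] == "ISSUE":
            pending.pop(key, None)         # pre-auth accepted, TGT issued
            completed.append(m["client"])
        elif m["req"] == "TGS_REQ" and m["status"] == "ISSUE":
            service_tickets.append((m["client"], m["service"]))
    return {
        "completed": completed,
        "unresolved": sorted(client for _, client in pending),
        "service_tickets": service_tickets,
    }

# Constructed sample input (hypothetical realm EXAMPLE.TEST, hosts and IPs).
_P = "Sep 30 14:07:34 kdc1.example.test krb5kdc[10105](info): "
_E = "(7 etypes {18 17 23 3 1 24 -135})"
_TGT = "krbtgt/EXAMPLE.TEST@EXAMPLE.TEST"
SAMPLE = [
    f"{_P}AS_REQ {_E} 10.0.0.5: NEEDED_PREAUTH: alice@EXAMPLE.TEST for {_TGT}, "
    "Additional pre-authentication required",
    f"{_P}AS_REQ {_E} 10.0.0.5: ISSUE: authtime 1380550054, "
    f"etypes {{rep=18 tkt=18 ses=18}}, alice@EXAMPLE.TEST for {_TGT}",
    f"{_P}TGS_REQ {_E} 10.0.0.5: ISSUE: authtime 1380550054, etypes "
    "{rep=18 tkt=23 ses=23}, alice@EXAMPLE.TEST for host/av.example.test@EXAMPLE.TEST",
    f"{_P}AS_REQ {_E} 10.0.0.9: NEEDED_PREAUTH: bob@EXAMPLE.TEST for {_TGT}, "
    "Additional pre-authentication required",
]

if __name__ == "__main__":
    print(classify(SAMPLE))
```

A principal listed under "completed" with a matching entry in "service_tickets", as in the log posted in this thread, means the KDC side succeeded and the login failure has to be looked for on the client, which here turned out to be the local user mapping.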