Re: [Freeipa-users] Windows client logon

2011-09-19 Thread Jimmy
I can't find the technet article right now, but here's what I did that makes Win7 work.  Run gpedit.msc. Under Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options open the key called “Network Security: Configure encryption types allowed for Kerberos” unselect

Re: [Freeipa-users] Windows client logon

2011-09-19 Thread Jimmy
That fixed Win7. Now I'm going to enable AES on Win7 to see if it breaks again. On Mon, Sep 19, 2011 at 4:44 PM, Jimmy wrote: > You are correct. As soon as I set the WinXP machine to arcfour-hmac it's > working to authenticate all users against the FreeIPA realm. I just went > into gpedit.msc on

Re: [Freeipa-users] Windows client logon

2011-09-19 Thread Jimmy
You are correct. As soon as I set the WinXP machine to arcfour-hmac it's working to authenticate all users against the FreeIPA realm. I just went into gpedit.msc on the Win7 system and set it to only do rc4-hmac-md5 and maybe that will fix it, too. ___ Fr

Re: [Freeipa-users] Windows client logon

2011-09-19 Thread Simo Sorce
On Mon, 2011-09-19 at 16:17 -0400, Jimmy wrote: > According to this: > http://mit.edu/kerberos/krb5-1.5/krb5-1.5.4/doc/krb5-admin/Supported-Encryption-Types.html > there are a ton of encryption options that XP does support, but I always get > this error if I define anything specific in the keytab

Re: [Freeipa-users] Windows client logon

2011-09-19 Thread Jimmy
According to this: http://mit.edu/kerberos/krb5-1.5/krb5-1.5.4/doc/krb5-admin/Supported-Encryption-Types.html there are a ton of encryption options that XP does support, but I always get this error if I define anything specific in the keytab: Sep 19 20:09:30 csp-idm.pdh.csp krb5kdc[1246](info): AS_

Re: [Freeipa-users] Windows client logon

2011-09-19 Thread Simo Sorce
Ah stupid me, When using Windows XP you must generate a keytab that does not use the AES enctype. If you include the AES enctype when generating keys for the host, you are telling the KDC that the host knows how to use AES. You should probably just use arcfour only for WinXP as that client only un
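
The mismatch Simo describes above (host keys generated with AES while the XP client only offers RC4/DES, so the KDC seals a ticket the client cannot open) and the Win7 group-policy fix from the top of the thread can both be checked from data an admin already has: the `AS_REQ (N etypes {...})` line in krb5kdc.log lists the enctypes the client offered, and `klist -kte` lists the enctypes the host keytab was generated with. The script below is an added example, not code from the thread or from FreeIPA. The Win7 etype list is the one quoted in Jimmy's 2011-09-16 log line; the XP log line, the client address, the realm name PDH.CSP and the keytab listing are constructed for the example. It assumes the KDC prefers the strongest key the service has (AES256 first), that `ipa-getkeytab -e` takes a comma-separated enctype list, and the documented bit values of the Windows `SupportedEncryptionTypes` registry DWORD that the "Configure encryption types allowed for Kerberos" policy writes.

```python
"""Cross-check client-offered Kerberos enctypes against a host keytab.

Any enctype present in the host keytab that the client never advertises is
a key the KDC may use to encrypt the service ticket, and a ticket the
client then cannot decrypt ("Decrypt integrity check failed" on Windows).
"""
import re

# Enctype ids from RFC 3961/3962/4757 plus the legacy negative ids that
# Windows XP still advertises in its AS-REQ.
ENCTYPE_NAMES = {
    1: "des-cbc-crc",
    3: "des-cbc-md5",
    16: "des3-cbc-sha1",
    17: "aes128-cts-hmac-sha1-96",
    18: "aes256-cts-hmac-sha1-96",
    23: "arcfour-hmac",
    24: "arcfour-hmac-exp",
    -128: "rc4-md4",
    -133: "rc4-hmac-old",
    -135: "rc4-hmac-old-exp",
}

# Enctypes ipa-getkeytab can generate, strongest first. Assumed to match the
# KDC's preference order; single DES is deliberately left out.
IPA_PREFERENCE = [
    "aes256-cts-hmac-sha1-96",
    "aes128-cts-hmac-sha1-96",
    "des3-cbc-sha1",
    "arcfour-hmac",
]

# Bits of the SupportedEncryptionTypes DWORD under
# HKLM\SYSTEM\CurrentControlSet\Control\Lsa\Kerberos\Parameters, which is
# what the gpedit policy "Network security: Configure encryption types
# allowed for Kerberos" sets.
WINDOWS_ENCTYPE_BITS = {
    "des-cbc-crc": 0x1,
    "des-cbc-md5": 0x2,
    "arcfour-hmac": 0x4,
    "aes128-cts-hmac-sha1-96": 0x8,
    "aes256-cts-hmac-sha1-96": 0x10,
}

AS_REQ_RE = re.compile(r"AS_REQ \(\d+ etypes \{([^}]*)\}\)")
# KVNO, date, time, principal, (enctype) -- one row of `klist -kte` output.
KLIST_RE = re.compile(r"^\s*(\d+)\s+(\S+)\s+(\S+)\s+(\S+)\s+\((\S+)\)\s*$", re.M)

# Constructed sample input. The Win7 etype list is the one quoted in the
# thread; everything else (XP line, client addresses, realm, keytab) is made up.
WIN7_LOG_LINE = ("Sep 16 20:53:32 csp-idm.pdh.csp krb5kdc[1227](info): AS_REQ "
                 "(7 etypes {18 17 23 3 1 24 -135}) 192.0.2.20: ISSUE: ...")
XP_LOG_LINE = ("Sep 19 19:50:36 csp-idm.pdh.csp krb5kdc[1246](info): AS_REQ "
               "(7 etypes {23 -133 -128 3 1 24 -135}) 192.0.2.10: ISSUE: ...")
KLIST_OUTPUT = """Keytab name: FILE:krb5.keytab
KVNO Timestamp         Principal
---- ----------------- --------------------------------------------------------
   2 09/16/11 09:31:02 host/ews1-cybsec.pdh.csp@PDH.CSP (aes256-cts-hmac-sha1-96)
   2 09/16/11 09:31:02 host/ews1-cybsec.pdh.csp@PDH.CSP (aes128-cts-hmac-sha1-96)
   2 09/16/11 09:31:02 host/ews1-cybsec.pdh.csp@PDH.CSP (des3-cbc-sha1)
   2 09/16/11 09:31:02 host/ews1-cybsec.pdh.csp@PDH.CSP (arcfour-hmac)
"""
HOST_PRINCIPAL = "host/ews1-cybsec.pdh.csp@PDH.CSP"


def parse_as_req_etypes(log_line):
    """Return the enctype ids the client offered, in the order it sent them."""
    m = AS_REQ_RE.search(log_line)
    if not m:
        raise ValueError("no AS_REQ etype list in: %r" % log_line)
    return [int(x) for x in m.group(1).split()]


def parse_keytab_listing(klist_output):
    """Map each principal in `klist -kte` output to the enctypes it has keys for."""
    keys = {}
    for _kvno, _date, _time, princ, etype in KLIST_RE.findall(klist_output):
        keys.setdefault(princ, set()).add(etype)
    return keys


def client_enctype_names(etype_ids):
    """Names of the client's offered enctypes (unknown ids are dropped)."""
    return {ENCTYPE_NAMES[e] for e in etype_ids if e in ENCTYPE_NAMES}


def undecryptable_keys(etype_ids, keytab_enctypes):
    """Keytab enctypes the client never offered: tickets sealed with them fail."""
    return set(keytab_enctypes) - client_enctype_names(etype_ids)


def recommend_enctypes(etype_ids):
    """Enctypes to pass to `ipa-getkeytab -e`, strongest first, that the client can use."""
    offered = client_enctype_names(etype_ids)
    return [e for e in IPA_PREFERENCE if e in offered]


def supported_enctypes_dword(enctype_names):
    """Windows SupportedEncryptionTypes bitmask allowing exactly these enctypes."""
    mask = 0
    for name in enctype_names:
        mask |= WINDOWS_ENCTYPE_BITS[name]
    return mask


if __name__ == "__main__":
    keytab = parse_keytab_listing(KLIST_OUTPUT)[HOST_PRINCIPAL]
    for label, line in (("WinXP", XP_LOG_LINE), ("Win7", WIN7_LOG_LINE)):
        offered = parse_as_req_etypes(line)
        bad = undecryptable_keys(offered, keytab)
        want = recommend_enctypes(offered)
        print("%s: keytab enctypes the client cannot use: %s" % (label, sorted(bad)))
        print("  regenerate with: ipa-getkeytab -s csp-idm.pdh.csp "
              "-p host/ews1-cybsec.pdh.csp -k krb5.keytab -e %s -P" % ",".join(want))
        print("  matching SupportedEncryptionTypes = 0x%X" % supported_enctypes_dword(want))
```

For the constructed XP client the only mutually usable key is arcfour-hmac, which is exactly the "arcfour only for WinXP" advice above; for the Win7 list the AES keys are fine and only des3-cbc-sha1 is unusable, so the remaining Win7 failure in the thread was not an enctype problem. After regenerating the keytab, re-run `klist -kte` and confirm no row for the host principal shows an enctype the client did not offer.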

Re: [Freeipa-users] Windows client logon

2011-09-19 Thread Simo Sorce
What error exactly do you get on the client side ? Simo. On Mon, 2011-09-19 at 15:53 -0400, Jimmy wrote: > I have a WinXP client configured to authenticate now but it looks like > FreeIPA is sending the ticket encrypted with AES and XP does not > support AES. The user is getting authenticated, ju

Re: [Freeipa-users] Windows client logon

2011-09-19 Thread Simo Sorce
I wonder if changing the defaults to exclude the use of AES would help in your case. Not ideal, but apparently something funny is going on there. Simo. On Mon, 2011-09-19 at 15:53 -0400, Jimmy wrote: > I have a WinXP client configured to authenticate now but it looks like > FreeIPA is sending th

Re: [Freeipa-users] Windows client logon

2011-09-19 Thread Simo Sorce
On Mon, 2011-09-19 at 15:53 -0400, Jimmy wrote: > I have a WinXP client configured to authenticate now but it looks like > FreeIPA is sending the ticket encrypted with AES and XP does not > support AES. The user is getting authenticated, just not able to > decrypt the ticket. > > > > Sep 19 19:5

Re: [Freeipa-users] Windows client logon

2011-09-19 Thread Jimmy
I have a WinXP client configured to authenticate now but it looks like FreeIPA is sending the ticket encrypted with AES and XP does not support AES. The user is getting authenticated, just not able to decrypt the ticket. Sep 19 19:50:36 csp-idm.pdh.csp krb5kdc[1246](info): AS_REQ (7 etypes {23 -13

Re: [Freeipa-users] Windows client logon

2011-09-19 Thread Jimmy
It's weird that the 'admin' IPA user worked until I changed the password. I'm working on getting a WinXP system to test with now. On Mon, Sep 19, 2011 at 1:32 PM, Simo Sorce wrote: > On Mon, 2011-09-19 at 13:05 -0400, Jimmy wrote: > > Once I changed the password for 'admin' I now get this error

Re: [Freeipa-users] Windows client logon

2011-09-19 Thread Simo Sorce
On Mon, 2011-09-19 at 11:33 -0400, Jimmy wrote: > I just found that the FreeIPA user 'admin' can log in with no issues > on the Windows system, with no changes from the config that I was > attempting to use with a newly created IPA user. So authentication > from the workstation works if the user ha

Re: [Freeipa-users] Windows client logon

2011-09-19 Thread Jimmy
I just found that the FreeIPA user 'admin' can log in with no issues on the Windows system, with no changes from the config that I was attempting to use with a newly created IPA user. So authentication from the workstation works if the user has a known, non-expired password. It seems the kpasswd fu

Re: [Freeipa-users] Windows client logon

2011-09-19 Thread Simo Sorce
On Mon, 2011-09-19 at 10:58 -0400, Jimmy wrote: > I think you're on to something here. I just reset the user's password > on IPA and get the "password expired" message but I get that > regardless of what I enter for the user's password. I'm confused as to > why I can make the user auth work with a

Re: [Freeipa-users] Windows client logon

2011-09-19 Thread Jimmy
I think you're on to something here. I just reset the user's password on IPA and get the "password expired" message but I get that regardless of what I enter for the user's password. I'm confused as to why I can make the user auth work with a normal KDC but I'm having so much trouble with IPA-KDC.

Re: [Freeipa-users] Windows client logon

2011-09-19 Thread Simo Sorce
On Mon, 2011-09-19 at 10:10 -0400, Jimmy wrote: > I have verified that the password set for the workstation in the > kerberos host principal (using ipa-getkeytab) and the password on the > host (using ksetup) are the same. I'm still getting the "Decrypt > integrity check failed" errors. I have also

Re: [Freeipa-users] Windows client logon

2011-09-19 Thread Jimmy
I have verified that the password set for the workstation in the kerberos host principal (using ipa-getkeytab) and the password on the host (using ksetup) are the same. I'm still getting the "Decrypt integrity check failed" errors. I have also verified that the system clock is accurate on both the

Re: [Freeipa-users] Windows client logon

2011-09-16 Thread Simo Sorce
On Fri, 2011-09-16 at 17:24 -0400, Jimmy wrote: > This was installed using yum. I need to be able to authenticate users > against Kerberos from a Windows client machine and it fails at login > saying the username/password is incorrect. The krb5kdc.log shows: > > > > Sep 16 20:53:32 csp-idm.pdh.c

Re: [Freeipa-users] Windows client logon

2011-09-16 Thread Jimmy
This was installed using yum. I need to be able to authenticate users against Kerberos from a Windows client machine and it fails at login saying the username/password is incorrect. The krb5kdc.log shows: Sep 16 20:53:32 csp-idm.pdh.csp krb5kdc[1227](info): AS_REQ (7 etypes {18 17 23 3 1 24 -135})

Re: [Freeipa-users] Windows client logon

2011-09-16 Thread Dmitri Pal
On 09/16/2011 02:26 PM, Jimmy wrote: > I can create a keytab using ipa-getkeytab for any entity, say for > instance a user, and store a password in the keytab but as soon as the > user attempts to kinit with the set password it expires and must be > changed. Is this happening with the host(workstat

Re: [Freeipa-users] Windows client logon

2011-09-16 Thread Jimmy
I can create a keytab using ipa-getkeytab for any entity, say for instance a user, and store a password in the keytab but as soon as the user attempts to kinit with the set password it expires and must be changed. Is this happening with the host (workstation) entities? On Fri, Sep 16, 2011 at 9:44

Re: [Freeipa-users] Windows client logon

2011-09-16 Thread Jimmy
When I do not specify the encryption type it does put them all in in a single go. I just was attempting to eliminate the other types in case that was creating a problem. The system defaults to type x18 (aes256-cts-hmac-sha1-96). Thanks for your help on this. [root@csp-idm etc]# klist -kte krb5.key

Re: [Freeipa-users] Windows client logon

2011-09-16 Thread Simo Sorce
On Fri, 2011-09-16 at 09:31 -0400, Jimmy wrote: > ipa-getkeytab -s csp-idm.pdh.csp -p host/ews1-cybsec.pdh.csp -k > krb5.keytab > -P[entering into the main keytab /etc/krb5.keytab] > ipa-getkeytab -s csp-idm.pdh.csp -p host/ews1-cybsec.pdh.csp -k > krb5.keytab.sys1 -P [entering into a

Re: [Freeipa-users] Windows client logon

2011-09-16 Thread Jimmy
I tried that but still cannot successfully log in as an IPA user. The same system can be configured as a Kerberos client (non-IPA) defined in MIT Kerberos, and authenticate against MIT Kerberos. The system uses AES when authenticating to MIT Kerberos so those are the only encryption types I defined

Re: [Freeipa-users] Windows client logon

2011-09-15 Thread Simo Sorce
On Thu, 2011-09-15 at 17:51 -0400, Jimmy wrote: > I'm still working on this... I was reading this post in the archives: > http://www.mail-archive.com/freeipa-users@redhat.com/msg02049.html > Dmitri's statement "There might be some MIT documentation about how to > join a Windows machine to MIT KDC.

Re: [Freeipa-users] Windows client logon

2011-09-15 Thread Jimmy
I'm still working on this... I was reading this post in the archives: http://www.mail-archive.com/freeipa-users@redhat.com/msg02049.html Dmitri's statement "There might be some MIT documentation about how to join a Windows machine to MIT KDC. If this can be done I am sure the same can be done with

Re: [Freeipa-users] Windows client logon

2011-09-14 Thread Jimmy
One thing that doesn't quite make sense about the windows config instructions, we make a keytab, but there is no indication as to where the keytab goes. I wouldn't think the IPA server would need the keytab as the password is stored in the IPA server already. On Wed, Sep 14, 2011 at 10:07 AM, Rob

Re: [Freeipa-users] Windows client logon

2011-09-14 Thread Rob Crittenden
Jimmy wrote: Just curious about this, the guide that we both refer to provides instructions for a windows client authentication but this page indicates that FreeIPA doesn't support windows clients: http://elladeon.fedorapeople.org/ipa/guide/Using_Microsoft_Windows.html Which is correct? The g

Re: [Freeipa-users] Windows client logon

2011-09-14 Thread Jimmy
Just curious about this, the guide that we both refer to provides instructions for a windows client authentication but this page indicates that FreeIPA doesn't support windows clients: http://elladeon.fedorapeople.org/ipa/guide/Using_Microsoft_Windows.html Which is correct? On Tue, Sep 13, 2011

Re: [Freeipa-users] Windows client logon

2011-09-13 Thread Rob Crittenden
Jimmy wrote: I'm setting up a WinXP system to authenticate to FreeIPA. I followed the directions listed here: http://freeipa.org/page/Implementing_FreeIPA_in_a_mixed_Environment_%28Windows/Linux%29_-_Step_by_step I created the host account in FreeIPA, and the user, and I do get prompted to chang

[Freeipa-users] Windows client logon

2011-09-13 Thread Jimmy
I'm setting up a WinXP system to authenticate to FreeIPA. I followed the directions listed here: http://freeipa.org/page/Implementing_FreeIPA_in_a_mixed_Environment_%28Windows/Linux%29_-_Step_by_step I created the host account in FreeIPA, and the user, and I do get prompted to change the initial p