[Freeipa-users] Tuesday, February 15, 2011 - FreeIPA v2 Test Day

2011-02-11 Thread James Laska
Greetings folks,

I'm passing along an announcement from the freeipa-users mailing list
[1] regarding the first of two Test Days next week.  On Tuesday, we'll
be hosting a test day focused on FreeIPA v2. 

The FreeIPA project implements an identity server. IPA stands for
Identity, Policy and Audit. The first version of IPA was introduced
three years ago and was focused on the user identity and authentication.
This version is a significant revision of the IPA server adding multiple
new features and capabilities. 

The test day wiki is still coming online; we expect it to be finalized
on Monday.  For more information on the upcoming Fedora 15 feature,
check out the feature page [2].

[1] https://www.redhat.com/archives/freeipa-users/2011-February/msg00033.html
[2] https://fedoraproject.org/wiki/Features/FreeIPAv2

> Please join us in testing FreeIPA v2 on Tuesday Feb 15th as a part of
> the Fedora 15 Test Day.  Originally we planned to have a test day on
> Thursday February 10th (tomorrow) but for different reasons we had to
> delay this effort.
> 
> The details of what to test and how to test will be published later
> this week. Please follow the changes on the Fedora test page [1] and
> on the FreeIPA wiki [2].
> 
> [1] https://fedoraproject.org/wiki/Test_Day:2011-02-15_FreeIPAv2
> (incomplete as of Feb 9th)
> [2] http://www.freeipa.org


___
Freeipa-users mailing list
Freeipa-users@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-users

Re: [Freeipa-users] Freeipa Windows 7 client authentication

2011-02-11 Thread Simo Sorce
On Wed, 9 Feb 2011 16:13:39 +
Brett Maton  wrote:

>   I can't get a Windows 7 client to authenticate against Freeipa (ver
> 2.0.0.pre2) running on Fedora 14.

Brett,
can you tell me what krb5-server package you have installed?

Simo.

-- 
Simo Sorce * Red Hat, Inc * New York



Re: [Freeipa-users] Freeipa Windows 7 client authentication

2011-02-11 Thread Dmitri Pal
On 02/10/2011 05:30 AM, Brett Maton wrote:
> Thanks for the replies,
>
>   Simo, I know the password is correct as I can kinit  from other
> linux boxes.
> All machines are using the same time source, and I checked the time on each
> machine so unfortunately it's neither of those this time round.
>
> Dmitri,
>   I did run through the "Configuring Windows Client" section on that web
> page, although I didn't install any additional software (ksetup / klist /
> kinit tools already installed).
>
> The client is connecting correctly as I get "Your password has expired,
> please change it" as a response when I login.
> It appears that the password change from the Windows Client fails with the
> "Decrypt integrity check" errors.
> If I change the password on a linux server when requested by kinit, I get
> the same Decrypt errors when trying to login to the Windows 7 client
> (Windows 7 Professional).
>
> I did change the local security policy to Accept all Kerberos Encryption
> types, except "Future encryption types".
>
> Thanks,
> Brett
>
> -----Original Message-----
> From: Simo Sorce 
> Sent: 10 February 2011 05:33
> To: Brett Maton
> Cc: freeipa-users@redhat.com
> Subject: Re: [Freeipa-users] Freeipa Windows 7 client authentication
>
> On Wed, 9 Feb 2011 16:13:39 +
> Brett Maton wrote:
>
>> Hi,
>>
>>   I can't get a Windows 7 client to authenticate against Freeipa (ver
>> 2.0.0.pre2) running on Fedora 14.
>>
>> Feb 09 16:03:22 krb5kdc[32355](info): AS_REQ (7 etypes {18 17 23 3 1 24 -135}) 192.168.0.2: NEEDED_PREAUTH: mat...@example.com for krbtgt/example@example.com, Additional pre-authentication required
>> Feb 09 16:03:22 krb5kdc[32355](info): preauth (timestamp) verify failure: Decrypt integrity check failed
>> Feb 09 16:03:22 krb5kdc[32355](info): AS_REQ (7 etypes {18 17 23 3 1 24 -135}) 192.168.0.2: PREAUTH_FAILED: mat...@example.com for krbtgt/example@example.com, Decrypt integrity check failed
>> Feb 09 16:03:23 krb5kdc[32355](info): preauth (timestamp) verify failure: Decrypt integrity check failed
>> Feb 09 16:03:23 krb5kdc[32355](info): AS_REQ (7 etypes {18 17 23 3 1 24 -135}) 192.168.0.2: PREAUTH_FAILED: mat...@example.com for krbtgt/example@example.com, Decrypt integrity check failed
>>
>> Any help with where to start looking or what might be wrong would be
>> greatly appreciated.
> Either the password is wrong or the time on your client is not within 5
> min. of the time on the KDC.
>
> Simo.
>
Can you please log a bug then and we will try to check this scenario?
You might be the first person who tries this scenario and something can
be wrong on either side.
I am not sure we would be able to jump on this right away but the bug
would at least give us a way to get to it in due time.

-- 
Thank you,
Dmitri Pal

Sr. Engineering Manager IPA project,
Red Hat Inc.
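
An added example, not part of the thread or of FreeIPA's own code: a Python parser for krb5kdc AS_REQ lines of the form quoted above, which names the enctypes the client offers and counts PREAUTH_FAILED results per client and principal. The sample log lines, principals and addresses are constructed for illustration.

```python
import re
from collections import Counter

# Enctype numbers from the IANA Kerberos registry; negative numbers are
# outside the registry (private use) and are reported by number only.
ETYPES = {1: "des-cbc-crc", 3: "des-cbc-md5", 17: "aes128-cts-hmac-sha1-96",
          18: "aes256-cts-hmac-sha1-96", 23: "rc4-hmac", 24: "rc4-hmac-exp"}
WEAK = {1, 3, 24}  # single DES and export-strength RC4

AS_REQ = re.compile(
    r"krb5kdc\[\d+\]\(info\): AS_REQ \(\d+ etypes \{(?P<etypes>[-\d ]+)\}\) "
    r"(?P<client>\S+?): (?P<status>[A-Z_]+): (?P<princ>\S+) for "
    r"(?P<service>[^,\s]+), (?P<reason>.+)$")

# Constructed sample lines in the krb5kdc format quoted in the thread.
SAMPLE_LOG = """\
Feb 09 16:03:22 krb5kdc[4242](info): AS_REQ (7 etypes {18 17 23 3 1 24 -135}) 192.0.2.10: NEEDED_PREAUTH: alice@EXAMPLE.COM for krbtgt/EXAMPLE.COM@EXAMPLE.COM, Additional pre-authentication required
Feb 09 16:03:22 krb5kdc[4242](info): preauth (timestamp) verify failure: Decrypt integrity check failed
Feb 09 16:03:22 krb5kdc[4242](info): AS_REQ (7 etypes {18 17 23 3 1 24 -135}) 192.0.2.10: PREAUTH_FAILED: alice@EXAMPLE.COM for krbtgt/EXAMPLE.COM@EXAMPLE.COM, Decrypt integrity check failed
Feb 09 16:03:23 krb5kdc[4242](info): AS_REQ (7 etypes {18 17 23 3 1 24 -135}) 192.0.2.10: PREAUTH_FAILED: alice@EXAMPLE.COM for krbtgt/EXAMPLE.COM@EXAMPLE.COM, Decrypt integrity check failed
Feb 09 16:04:01 krb5kdc[4242](info): AS_REQ (2 etypes {18 17}) 192.0.2.20: NEEDED_PREAUTH: bob@EXAMPLE.COM for krbtgt/EXAMPLE.COM@EXAMPLE.COM, Additional pre-authentication required
"""

def parse_as_req(line):
    """Return a dict for an AS_REQ log line, or None for any other line."""
    m = AS_REQ.search(line)
    if m is None:
        return None
    rec = m.groupdict()
    rec["etypes"] = [int(n) for n in rec["etypes"].split()]
    return rec

def describe_etypes(numbers):
    """Name each offered enctype and mark the weak ones."""
    return [ETYPES.get(n, f"private({n})" if n < 0 else f"unknown({n})")
            + (" [weak]" if n in WEAK else "") for n in numbers]

def summarize(log_text):
    """Count PREAUTH_FAILED per (client, principal); NEEDED_PREAUTH is the
    normal first leg of the exchange and is not counted as a failure."""
    failures = Counter()
    for line in log_text.splitlines():
        rec = parse_as_req(line)
        if rec and rec["status"] == "PREAUTH_FAILED":
            failures[(rec["client"], rec["princ"])] += 1
    return failures

if __name__ == "__main__":
    for key, count in summarize(SAMPLE_LOG).items():
        print(key, count)
```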

