Re: [Freeipa-users] Freeipa Windows 7 client authentication

2011-02-11 Thread Dmitri Pal 
On 02/10/2011 05:30 AM, Brett Maton wrote:
 Thanks for the replies,

   Simo, I know the password is correct as I can kinit user from other
 linux boxes.
 All machines are using the same time source, and I checked the time on each
 machine so unfortunately it's neither of those this time round.

 Dimitri,
   I did run through the Configuring Windows Client section on that web
 page, although I didn't install any additional software (ksetup / klist /
 kinit tools already installed).

 The client is connecting correctly as I get Your password has expired,
 please change it as a response when I login.
 It appears that the password change from the Windows Client fails with the
 Decrypt integrity check errors.
 If I change the password on a linux server when requested by kinit, I get
 the same Decrypt errors when trying to login to the Windows 7 client
 (Windows 7 Professional).

 I did change the local security policy to Accept all Kerberos Encryption
 types, except Future encryption types.

 Thanks,
 Brett

 -Original Message-
 From: Simo Sorce 
 Sent: 10 February 2011 05:33
 To: Brett Maton
 Cc: freeipa-users@redhat.com
 Subject: Re: [Freeipa-users] Freeipa Windows 7 client authentication

 On Wed, 9 Feb 2011 16:13:39 +
 Brett Maton wrote:

 Hi,

   I can't get a Windows 7 client to authenticate against Freeipa (ver
 2.0.0.pre2) running on Fedora 14.

 Feb 09 16:03:22 krb5kdc[32355](info): AS_REQ (7 etypes {18 17 23 3 1
 24 -135}) 192.168.0.2: NEEDED_PREAUTH: mat...@example.com for
 krbtgt/example@example.com, Additional pre-authentication
 required Feb 09 16:03:22 krb5kdc[32355](info): preauth (timestamp)
 verify failure: Decrypt integrity check failed Feb 09 16:03:22
 krb5kdc[32355](info): AS_REQ (7 etypes {18 17 23 3 1 24 -135})
 192.168.0.2: PREAUTH_FAILED: mat...@example.com for
 krbtgt/example@example.com, Decrypt integrity check failed Feb 09
 16:03:23 krb5kdc[32355](info): preauth (timestamp) verify failure:
 Decrypt integrity check failed Feb 09 16:03:23 krb5kdc[32355](info):
 AS_REQ (7 etypes {18 17 23 3 1 24 -135}) 192.168.0.2: PREAUTH_FAILED:
 mat...@example.com for krbtgt/example@example.com, Decrypt
 integrity check failed

 Any help with where to start looking or what might be wrong would be
 greatly appreciated.
 Either the password is wrong or the time on your client is not within 5
 min. of the time on the KDC.

 Simo.

Can you please log a bug then and we will try to check this scenario?
You might be the first person who tries this scenario and something can
be wrong on either side.
I am not sure we would be able to jump on this right away but the bug
would at least give us a way to get to it in due time.

-- 
Thank you,
Dmitri Pal

Sr. Engineering Manager IPA project,
Red Hat Inc.


---
Looking to carve out IT costs?
www.redhat.com/carveoutcosts/



___
Freeipa-users mailing list
Freeipa-users@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-users

Re: [Freeipa-users] Freeipa Windows 7 client authentication

2011-02-11 Thread Simo Sorce 
On Wed, 9 Feb 2011 16:13:39 +
Brett Maton mat...@ltresources.co.uk wrote:

   I can't get a Windows 7 client to authenticate against Freeipa (ver
 2.0.0.pre2) running on Fedora 14.

Brett,
can you tell me what krb5-server package do you have installed ?

Simo.

-- 
Simo Sorce * Red Hat, Inc * New York

___
Freeipa-users mailing list
Freeipa-users@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-users

Re: [Freeipa-users] Freeipa Windows 7 client authentication

2011-02-09 Thread Dmitri Pal 
On 02/09/2011 11:13 AM, Brett Maton wrote:
 Decrypt integrity check failed

What kind of setup you did on the client?
Can you please provide a little bit more details?

Have you done something this (it was written for V1 and Windows 7 was
not around but the concepts should be the same):
http://freeipa.org/page/Implementing_FreeIPA_in_a_mixed_Environment_%28Windows/Linux%29_-_Step_by_step


-- 
Thank you,
Dmitri Pal

Sr. Engineering Manager IPA project,
Red Hat Inc.


---
Looking to carve out IT costs?
www.redhat.com/carveoutcosts/



___
Freeipa-users mailing list
Freeipa-users@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-users

Re: [Freeipa-users] Freeipa Windows 7 client authentication

2011-02-09 Thread Simo Sorce 
On Wed, 9 Feb 2011 16:13:39 +
Brett Maton mat...@ltresources.co.uk wrote:

 Hi,
 
   I can't get a Windows 7 client to authenticate against Freeipa (ver
 2.0.0.pre2) running on Fedora 14.
 
 Feb 09 16:03:22 krb5kdc[32355](info): AS_REQ (7 etypes {18 17 23 3 1
 24 -135}) 192.168.0.2: NEEDED_PREAUTH: mat...@example.com for
 krbtgt/example@example.com, Additional pre-authentication
 required Feb 09 16:03:22 krb5kdc[32355](info): preauth (timestamp)
 verify failure: Decrypt integrity check failed Feb 09 16:03:22
 krb5kdc[32355](info): AS_REQ (7 etypes {18 17 23 3 1 24 -135})
 192.168.0.2: PREAUTH_FAILED: mat...@example.com for
 krbtgt/example@example.com, Decrypt integrity check failed Feb 09
 16:03:23 krb5kdc[32355](info): preauth (timestamp) verify failure:
 Decrypt integrity check failed Feb 09 16:03:23 krb5kdc[32355](info):
 AS_REQ (7 etypes {18 17 23 3 1 24 -135}) 192.168.0.2: PREAUTH_FAILED:
 mat...@example.com for krbtgt/example@example.com, Decrypt
 integrity check failed
 
 Any help with where to start looking or what might be wrong would be
 greatly appreciated.

Either the password is wrong or the time on your client is not within 5
min. of the time on the KDC.

Simo.

-- 
Simo Sorce * Red Hat, Inc * New York

___
Freeipa-users mailing list
Freeipa-users@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-users