On 02/10/2011 05:30 AM, Brett Maton wrote:
Thanks for the replies,
Simo, I know the password is correct as I can kinit user from other
Linux boxes.
All machines are using the same time source, and I checked the time on each
machine so unfortunately it's neither of those this time round.
Dimitri,
I did run through the Configuring Windows Client section on that web
page, although I didn't install any additional software (ksetup / klist /
kinit tools already installed).
The client is connecting correctly as I get "Your password has expired,
please change it" as a response when I log in.
It appears that the password change from the Windows Client fails with the
Decrypt integrity check errors.
If I change the password on a Linux server when requested by kinit, I get
the same Decrypt errors when trying to log in to the Windows 7 client
(Windows 7 Professional).
I did change the local security policy to Accept all Kerberos Encryption
types, except Future encryption types.
Thanks,
Brett
-----Original Message-----
From: Simo Sorce
Sent: 10 February 2011 05:33
To: Brett Maton
Cc: freeipa-users@redhat.com
Subject: Re: [Freeipa-users] Freeipa Windows 7 client authentication
On Wed, 9 Feb 2011 16:13:39 +
Brett Maton wrote:
Hi,
I can't get a Windows 7 client to authenticate against Freeipa (ver
2.0.0.pre2) running on Fedora 14.
Feb 09 16:03:22 krb5kdc[32355](info): AS_REQ (7 etypes {18 17 23 3 1 24 -135}) 192.168.0.2: NEEDED_PREAUTH: mat...@example.com for krbtgt/example@example.com, Additional pre-authentication required
Feb 09 16:03:22 krb5kdc[32355](info): preauth (timestamp) verify failure: Decrypt integrity check failed
Feb 09 16:03:22 krb5kdc[32355](info): AS_REQ (7 etypes {18 17 23 3 1 24 -135}) 192.168.0.2: PREAUTH_FAILED: mat...@example.com for krbtgt/example@example.com, Decrypt integrity check failed
Feb 09 16:03:23 krb5kdc[32355](info): preauth (timestamp) verify failure: Decrypt integrity check failed
Feb 09 16:03:23 krb5kdc[32355](info): AS_REQ (7 etypes {18 17 23 3 1 24 -135}) 192.168.0.2: PREAUTH_FAILED: mat...@example.com for krbtgt/example@example.com, Decrypt integrity check failed
Any help with where to start looking or what might be wrong would be
greatly appreciated.
Either the password is wrong or the time on your client is not within 5
min. of the time on the KDC.
Simo.
Can you please log a bug then and we will try to check this scenario?
You might be the first person who tries this scenario and something can
be wrong on either side.
I am not sure we would be able to jump on this right away but the bug
would at least give us a way to get to it in due time.
--
Thank you,
Dmitri Pal
Sr. Engineering Manager IPA project,
Red Hat Inc.
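
An added example, not written by anyone in this thread: a small parser for krb5kdc AS_REQ lines in the format quoted above, which counts PREAUTH_FAILED results per client and principal and names the weak encryption types the client offered. The sample lines are constructed, and the principal and realm in them are made up.

```python
import re
from collections import Counter

# Kerberos etype numbers seen in the thread's log; -135 is a Microsoft-private value.
ETYPES = {18: "aes256-cts-hmac-sha1-96", 17: "aes128-cts-hmac-sha1-96",
          23: "rc4-hmac", 3: "des-cbc-md5", 1: "des-cbc-crc",
          24: "rc4-hmac-exp", -135: "rc4-hmac-old-exp"}
WEAK = {1, 3, 24, -135}  # single DES and export-grade RC4

# Matches failure-style AS_REQ lines (NEEDED_PREAUTH, PREAUTH_FAILED, ...).
AS_REQ = re.compile(
    r"krb5kdc\[\d+\]\(info\): AS_REQ \(\d+ etypes \{(?P<etypes>[-\d ]+)\}\) "
    r"(?P<client>\S+): (?P<status>[A-Z_]+): (?P<princ>\S+) for "
    r"(?P<service>[^,]+), (?P<msg>.*)$")

def parse_as_req(line):
    """Return a dict for one AS_REQ log line, or None for any other line."""
    m = AS_REQ.search(line)
    if m is None:
        return None
    rec = m.groupdict()
    rec["etypes"] = [int(e) for e in rec["etypes"].split()]
    return rec

def summarize(lines):
    """Count PREAUTH_FAILED per (client, principal); collect weak etypes offered."""
    failures, weak = Counter(), {}
    for rec in filter(None, map(parse_as_req, lines)):
        key = (rec["client"], rec["princ"])
        if rec["status"] == "PREAUTH_FAILED":  # NEEDED_PREAUTH is the normal first leg
            failures[key] += 1
        weak[key] = [ETYPES[e] for e in rec["etypes"] if e in WEAK]
    return failures, weak

# Constructed sample in the format of the log above (principal and realm are made up).
SAMPLE = """\
Feb 09 16:03:22 krb5kdc[32355](info): AS_REQ (7 etypes {18 17 23 3 1 24 -135}) 192.168.0.2: NEEDED_PREAUTH: user@EXAMPLE.COM for krbtgt/EXAMPLE.COM@EXAMPLE.COM, Additional pre-authentication required
Feb 09 16:03:22 krb5kdc[32355](info): preauth (timestamp) verify failure: Decrypt integrity check failed
Feb 09 16:03:22 krb5kdc[32355](info): AS_REQ (7 etypes {18 17 23 3 1 24 -135}) 192.168.0.2: PREAUTH_FAILED: user@EXAMPLE.COM for krbtgt/EXAMPLE.COM@EXAMPLE.COM, Decrypt integrity check failed
Feb 09 16:03:23 krb5kdc[32355](info): preauth (timestamp) verify failure: Decrypt integrity check failed
Feb 09 16:03:23 krb5kdc[32355](info): AS_REQ (7 etypes {18 17 23 3 1 24 -135}) 192.168.0.2: PREAUTH_FAILED: user@EXAMPLE.COM for krbtgt/EXAMPLE.COM@EXAMPLE.COM, Decrypt integrity check failed
""".splitlines()

if __name__ == "__main__":
    failures, weak = summarize(SAMPLE)
    for key, n in failures.items():
        print(f"{key[0]} {key[1]}: {n} PREAUTH_FAILED; weak etypes offered: {weak[key]}")
```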