Re: [Freeipa-users] Add user - custom script

2011-09-19 Thread Rob Crittenden
Sigbjorn Lie wrote: On Fri, September 16, 2011 23:18, Rob Crittenden wrote: Sigbjorn Lie wrote: On 09/16/2011 10:29 AM, Alexander Bokovoy wrote: On Fri, 16 Sep 2011, Dmitri Pal wrote: On 09/15/2011 04:14 PM, Sigbjorn Lie wrote: On 09/15/2011 09:59 PM, Dmitri Pal wrote: On 09/15/2011

Re: [Freeipa-users] Windows client logon

2011-09-19 Thread Simo Sorce
On Mon, 2011-09-19 at 10:10 -0400, Jimmy wrote: I have verified that the password set for the workstation in the kerberos host principal(using ipa-getkeytab) and the password on the host (using ksetup) are the same. I'm still getting the Decrypt integrity check failed errors. I have also

Re: [Freeipa-users] Windows client logon

2011-09-19 Thread Simo Sorce
On Mon, 2011-09-19 at 10:58 -0400, Jimmy wrote: I think you're on to something here. I just reset the user's password on IPA and get the password expired message but I get that regardless of what I enter for the user's password. I'm confused as to why I can make the user auth work with a

Re: [Freeipa-users] Windows client logon

2011-09-19 Thread Jimmy
I have a WinXP client configured to authenticate now but it looks like FreeIPA is sending the ticket encrypted with AES and XP does not support AES. The user is getting authenticated, just not able to decrypt the ticket. Sep 19 19:50:36 csp-idm.pdh.csp krb5kdc[1246](info): AS_REQ (7 etypes {23

Re: [Freeipa-users] Windows client logon

2011-09-19 Thread Simo Sorce
I wonder if changing the defaults to exclude the use of AES would help in your case. Not ideal, but apparently something funny is going on there. Simo. On Mon, 2011-09-19 at 15:53 -0400, Jimmy wrote: I have a WinXP client configured to authenticate now but it looks like FreeIPA is sending the

Re: [Freeipa-users] Windows client logon

2011-09-19 Thread Simo Sorce
What error exactly do you get on the client side? Simo. On Mon, 2011-09-19 at 15:53 -0400, Jimmy wrote: I have a WinXP client configured to authenticate now but it looks like FreeIPA is sending the ticket encrypted with AES and XP does not support AES. The user is getting authenticated, just

Re: [Freeipa-users] Windows client logon

2011-09-19 Thread Simo Sorce
Ah, stupid me. When using Windows XP you must generate a keytab that does not use the AES enctype. If you include the AES enctype when generating keys for the host, you are telling the KDC that the host knows how to use AES. You should probably just use arcfour only for WinXP as that client only

Re: [Freeipa-users] Windows client logon

2011-09-19 Thread Jimmy
According to this: http://mit.edu/kerberos/krb5-1.5/krb5-1.5.4/doc/krb5-admin/Supported-Encryption-Types.html there are a ton of encryption options that XP does support, but I always get this error if I define anything specific in the keytab: Sep 19 20:09:30 csp-idm.pdh.csp krb5kdc[1246](info):

Re: [Freeipa-users] Windows client logon

2011-09-19 Thread Simo Sorce
On Mon, 2011-09-19 at 16:17 -0400, Jimmy wrote: According to this: http://mit.edu/kerberos/krb5-1.5/krb5-1.5.4/doc/krb5-admin/Supported-Encryption-Types.html there are a ton of encryption options that XP does support, but I always get this error if I define anything specific in the keytab:

Re: [Freeipa-users] Windows client logon

2011-09-19 Thread Jimmy
You are correct. As soon as I set the WinXP machine to arcfour-hmac it's working to authenticate all users against the FreeIPA realm. I just went into gpedit.msc on the Win7 system and set it to only do rc4-hmac-md5 and maybe that will fix it, too.

Re: [Freeipa-users] Windows client logon

2011-09-19 Thread Jimmy
That fixed Win7. Now I'm going to enable AES on Win7 to see if it breaks again. On Mon, Sep 19, 2011 at 4:44 PM, Jimmy g17ji...@gmail.com wrote: You are correct. As soon as I set the WinXP machine to arcfour-hmac it's working to authenticate all users against the FreeIPA realm. I just went

Re: [Freeipa-users] Windows client logon

2011-09-19 Thread Jimmy
I can't find the technet article right now, but here's what I did that makes Win7 work. Run gpedit.msc. Under Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options open the key called “Network Security: Configure encryption types allowed for Kerberos” unselect