[Freeipa-users] Windows client logon

Simo Sorce simo at redhat.com
Fri Sep 16 21:55:45 UTC 2011


On Fri, 2011-09-16 at 17:24 -0400, Jimmy wrote:
> This was installed using yum. I need to be able to authenticate users
> against Kerberos from a Windows client machine and it fails at login
> saying the username/password is incorrect. The krb5kdc.log shows:
> 
> Sep 16 20:53:32 csp-idm.pdh.csp krb5kdc[1227](info): AS_REQ (7 etypes
> {18 17 23 3 1 24 -135}) 192.168.201.9: NEEDED_PREAUTH: oper at PDH.CSP
> for krbtgt/PDH.CSP at PDH.CSP, Additional pre-authentication required
> Sep 16 20:53:32 csp-idm.pdh.csp krb5kdc[1227](info): preauth
> (timestamp) verify failure: Decrypt integrity check failed
> Sep 16 20:53:32 csp-idm.pdh.csp krb5kdc[1227](info): AS_REQ (7 etypes
> {18 17 23 3 1 24 -135}) 192.168.201.9: PREAUTH_FAILED: oper at PDH.CSP
> for krbtgt/PDH.CSP at PDH.CSP, Decrypt integrity check failed
> Sep 16 20:53:32 csp-idm.pdh.csp krb5kdc[1227](info): preauth
> (timestamp) verify failure: Decrypt integrity check failed
> Sep 16 20:53:32 csp-idm.pdh.csp krb5kdc[1227](info): AS_REQ (7 etypes
> {18 17 23 3 1 24 -135}) 192.168.201.9: PREAUTH_FAILED: oper at PDH.CSP
> for krbtgt/PDH.CSP at PDH.CSP, Decrypt integrity check failed


These logs say that either the password is wrong, or the clock on your
Windows client is way off (more than 5 min. skew) wrt the ipa server.
> 
> I know the user's password I'm using is correct because I can kinit
> with that username/password on the IPA server. I used the
> ipa-getkeytab to set the machine password, but I'm not sure that it's
> doing what I would normally do in a stand alone MIT Kerberos server
> using kadmin. Using ksetup on the windows7 client I can reconfigure
> for a couple different realms and authentication works just fine, but
> I'm missing something on the IPA config that would allow the same
> authentication. 

The reason to have a "password" (Windows) or a keytab (Unix) for the
machine is to be able to validate the account against a possible rogue
KDC+attacker at login prompt pair.

But you are not even getting to the validation step as you are failing
to get a TGT for the user in the first place.

If the user password is right and your Freeipa REALM name is indeed
PDH.CSP then it is probably clock skew.

Simo.

-- 
Simo Sorce * Red Hat, Inc * New York
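The diagnosis in the reply (a `PREAUTH_FAILED` with "Decrypt integrity check failed" on the timestamp preauth means either a wrong password or client clock skew beyond the KDC's tolerance) can be checked mechanically against krb5kdc.log. The following Python is an added example, not code from the thread or from FreeIPA: it parses the quoted `AS_REQ` lines, groups outcomes per client IP and principal, maps the failure reason to the two causes Simo names, and includes a helper that tests a client/KDC time difference against the 300-second default MIT krb5 `clockskew` (the "5 min." in the reply). The sample log is the one quoted in the thread, re-joined onto single lines with `@` restored where the list archive printed ` at `; the 8-minute clock offset at the bottom is a constructed value for illustration.

```python
import re
from datetime import datetime, timezone

# Constructed sample input: the krb5kdc.log lines quoted in the thread,
# re-joined onto single lines (the archive wrapped them) with "@" restored
# where the list archive printed " at ".
SAMPLE_LOG = """\
Sep 16 20:53:32 csp-idm.pdh.csp krb5kdc[1227](info): AS_REQ (7 etypes {18 17 23 3 1 24 -135}) 192.168.201.9: NEEDED_PREAUTH: oper@PDH.CSP for krbtgt/PDH.CSP@PDH.CSP, Additional pre-authentication required
Sep 16 20:53:32 csp-idm.pdh.csp krb5kdc[1227](info): preauth (timestamp) verify failure: Decrypt integrity check failed
Sep 16 20:53:32 csp-idm.pdh.csp krb5kdc[1227](info): AS_REQ (7 etypes {18 17 23 3 1 24 -135}) 192.168.201.9: PREAUTH_FAILED: oper@PDH.CSP for krbtgt/PDH.CSP@PDH.CSP, Decrypt integrity check failed
Sep 16 20:53:32 csp-idm.pdh.csp krb5kdc[1227](info): preauth (timestamp) verify failure: Decrypt integrity check failed
Sep 16 20:53:32 csp-idm.pdh.csp krb5kdc[1227](info): AS_REQ (7 etypes {18 17 23 3 1 24 -135}) 192.168.201.9: PREAUTH_FAILED: oper@PDH.CSP for krbtgt/PDH.CSP@PDH.CSP, Decrypt integrity check failed
"""

# One AS_REQ line of the MIT krb5kdc log format seen above.
AS_REQ_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} +\d{1,2} \d{2}:\d{2}:\d{2}) (?P<kdc>\S+) krb5kdc\[\d+\]\(info\): "
    r"AS_REQ \(\d+ etypes \{(?P<etypes>[^}]*)\}\) (?P<ip>[\d.]+): "
    r"(?P<status>[A-Z_]+): (?P<client>\S+) for (?P<server>\S+), (?P<msg>.*)$"
)

# MIT krb5 default clock skew tolerance (clockskew = 300 s), the "5 min." in the reply.
MAX_CLOCK_SKEW_SECONDS = 300


def parse_as_req(line):
    """Return a dict for an AS_REQ log line, or None for any other line."""
    m = AS_REQ_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["etypes"] = [int(e) for e in rec["etypes"].split()]  # offered enctypes
    return rec


def summarize(log_text):
    """Group AS_REQ outcomes per (client IP, client principal)."""
    summary = {}
    for line in log_text.splitlines():
        rec = parse_as_req(line)
        if rec is None:
            continue
        key = (rec["ip"], rec["client"])
        entry = summary.setdefault(
            key, {"needed_preauth": 0, "preauth_failed": 0,
                  "reasons": set(), "etypes": rec["etypes"]})
        if rec["status"] == "NEEDED_PREAUTH":
            entry["needed_preauth"] += 1
        elif rec["status"] == "PREAUTH_FAILED":
            entry["preauth_failed"] += 1
            entry["reasons"].add(rec["msg"])
    return summary


def diagnose(entry):
    """Map a per-client summary to the causes named in the reply."""
    if entry["preauth_failed"] and "Decrypt integrity check failed" in entry["reasons"]:
        # Timestamp preauth decrypts with the user's long-term key: either the
        # key (password) is wrong or the decrypted timestamp is outside the skew window.
        return "wrong password or client clock skew > 5 min vs KDC"
    if entry["preauth_failed"]:
        return "preauth failed: " + "; ".join(sorted(entry["reasons"]))
    return "no preauth failure"


def clock_skew_ok(client_time, kdc_time, max_skew=MAX_CLOCK_SKEW_SECONDS):
    """True if a client timestamp would fall inside the KDC's skew window."""
    return abs((client_time - kdc_time).total_seconds()) <= max_skew


if __name__ == "__main__":
    for (ip, client), entry in summarize(SAMPLE_LOG).items():
        print(f"{client} from {ip}: {entry['preauth_failed']} failed preauth -> {diagnose(entry)}")
    kdc_now = datetime(2011, 9, 16, 20, 53, 32, tzinfo=timezone.utc)
    win_now = datetime(2011, 9, 16, 21, 2, 0, tzinfo=timezone.utc)  # constructed: ~8.5 min ahead
    print("client within skew window:", clock_skew_ok(win_now, kdc_now))
```

Run against the real log the only extra step is to replace `SAMPLE_LOG` with the file contents; if every failure for a client IP carries "Decrypt integrity check failed" while `kinit` on the server succeeds with the same password, comparing that host's clock to the KDC (the `clock_skew_ok` check) is the next thing to verify, as the reply suggests.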