[Freeipa-users] Windows client logon
Simo Sorce
simo at redhat.com
Mon Sep 19 20:05:23 UTC 2011
I wonder if changing the defaults to exclude the use of AES would help
in your case.
Not ideal, but apparently something funny is going on there.
Simo.
On Mon, 2011-09-19 at 15:53 -0400, Jimmy wrote:
> I have a WinXP client configured to authenticate now but it looks like
> FreeIPA is sending the ticket encrypted with AES and XP does not
> support AES. The user is getting authenticated, just not able to
> decrypt the ticket.
>
>
>
> Sep 19 19:50:36 csp-idm.pdh.csp krb5kdc[1246](info): AS_REQ (7 etypes
> {23 -133 -128 3 1 24 -135}) 192.168.201.150: NEEDED_PREAUTH:
> oper at PDH.CSP for krbtgt/PDH.CSP at PDH.CSP, Additional pre-authentication
> required
> Sep 19 19:50:36 csp-idm.pdh.csp krb5kdc[1246](info): AS_REQ (1 etypes
> {23}) 192.168.201.150: ISSUE: authtime 1316461836, etypes {rep=23
> tkt=18 ses=23}, oper at PDH.CSP for krbtgt/PDH.CSP at PDH.CSP
> Sep 19 19:50:37 csp-idm.pdh.csp krb5kdc[1246](info): TGS_REQ (7 etypes
> {23 -133 -128 3 1 24 -135}) 192.168.201.150: ISSUE: authtime
> 1316461836, etypes {rep=23 tkt=18 ses=23}, oper at PDH.CSP for
> host/crm1.pdh.csp at PDH.CSP
>
>
>
> On Mon, Sep 19, 2011 at 1:32 PM, Simo Sorce <simo at redhat.com> wrote:
> On Mon, 2011-09-19 at 13:05 -0400, Jimmy wrote:
> > Once I changed the password for 'admin' I now get this error on the
> > windows system:
> >
> > Insufficient system resources exist to complete the requested service
> >
> > and get this in the log no matter if I use the correct (changed)
> > password or if I use a known bad password:
> > Sep 19 17:01:19 csp-idm.pdh.csp krb5kdc[1246](info): AS_REQ (7 etypes
> > {18 17 23 3 1 24 -135}) 192.168.201.9: NEEDED_PREAUTH: admin at PDH.CSP
> > for krbtgt/PDH.CSP at PDH.CSP, Additional pre-authentication required
> >
> > I even deleted the user and all associated profile information on the
> > windows system and still it won't work any more.
> >
>
> Ok somehow we generate a key the windows client doesn't like or know how
> to work with, while MIT's clients are just fine with it.
> The way we generate keys is by setting a special random seed that is
> handed back to the client when the preauth error is generated, perhaps
> Windows is not liking what it sees?
>
> Any chance you can try with an older client, I wonder if it is a
> regression in win7?
>
> Simo.
>
> --
> Simo Sorce * Red Hat, Inc * New York
>
>
>
--
Simo Sorce * Red Hat, Inc * New York
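
Added example (not part of the original message and not FreeIPA code): a small parser for the krb5kdc ISSUE lines quoted in this thread that flags service tickets whose encryption type (tkt=) is missing from the etype list the requesting host offered. The sample lines are constructed from the thread's excerpts with `@` restored, plus one control line; treating "not offered by the requester" as a problem is a heuristic that only holds when the requester is also the machine that owns the service principal, as with the XP host above.

```python
import re

# Kerberos etype numbers that appear in the thread's logs (IANA-assigned values).
ETYPES = {1: "des-cbc-crc", 3: "des-cbc-md5", 17: "aes128-cts-hmac-sha1-96",
          18: "aes256-cts-hmac-sha1-96", 23: "rc4-hmac", 24: "rc4-hmac-exp"}

# Matches only ISSUE lines; NEEDED_PREAUTH lines carry no rep/tkt/ses triple.
ISSUE = re.compile(
    r"(?P<kind>AS_REQ|TGS_REQ) \(\d+ etypes \{(?P<offered>[-\d ]+)\}\) "
    r"(?P<addr>\S+): ISSUE: authtime \d+, "
    r"etypes \{rep=(?P<rep>-?\d+) tkt=(?P<tkt>-?\d+) ses=(?P<ses>-?\d+)\}, "
    r"(?P<client>\S+) for (?P<service>\S+)")

def flag_unoffered_ticket_etypes(lines):
    """Return one finding per service ticket whose tkt etype the requester never offered."""
    findings = []
    for line in lines:
        m = ISSUE.search(line)
        if m is None:
            continue
        # A TGT is decrypted by the KDC itself, so its etype is not the client's concern.
        if m["service"].startswith("krbtgt/"):
            continue
        offered = {int(n) for n in m["offered"].split()}
        tkt = int(m["tkt"])
        if tkt not in offered:
            findings.append({"addr": m["addr"], "client": m["client"],
                             "service": m["service"],
                             "tkt": ETYPES.get(tkt, str(tkt))})
    return findings

# Constructed sample: the first three lines follow the thread's excerpts, the last is a control.
SAMPLE = [
    "krb5kdc[1246](info): AS_REQ (7 etypes {23 -133 -128 3 1 24 -135}) 192.168.201.150: "
    "NEEDED_PREAUTH: oper@PDH.CSP for krbtgt/PDH.CSP@PDH.CSP, Additional pre-authentication required",
    "krb5kdc[1246](info): AS_REQ (1 etypes {23}) 192.168.201.150: ISSUE: authtime 1316461836, "
    "etypes {rep=23 tkt=18 ses=23}, oper@PDH.CSP for krbtgt/PDH.CSP@PDH.CSP",
    "krb5kdc[1246](info): TGS_REQ (7 etypes {23 -133 -128 3 1 24 -135}) 192.168.201.150: ISSUE: "
    "authtime 1316461836, etypes {rep=23 tkt=18 ses=23}, oper@PDH.CSP for host/crm1.pdh.csp@PDH.CSP",
    "krb5kdc[1246](info): TGS_REQ (4 etypes {18 17 23 24}) 192.168.201.20: ISSUE: "
    "authtime 1316461900, etypes {rep=18 tkt=18 ses=18}, admin@PDH.CSP for host/linux1.pdh.csp@PDH.CSP",
]

if __name__ == "__main__":
    for f in flag_unoffered_ticket_etypes(SAMPLE):
        print(f"{f['addr']} {f['client']} -> {f['service']}: ticket etype {f['tkt']} was not offered")
```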