[Freeipa-users] Windows client logon

Simo Sorce simo at redhat.com
Mon Sep 19 20:05:23 UTC 2011


I wonder if changing the defaults to exclude the use of AES would help
in your case.

Not ideal, but apparently something funny is going on there.

Simo.

On Mon, 2011-09-19 at 15:53 -0400, Jimmy wrote:
> I have a WinXP client configured to authenticate now but it looks like
> FreeIPA is sending the ticket encrypted with AES and XP does not
> support AES. The user is getting authenticated, just not able to
> decrypt the ticket.
> 
> Sep 19 19:50:36 csp-idm.pdh.csp krb5kdc[1246](info): AS_REQ (7 etypes {23 -133 -128 3 1 24 -135}) 192.168.201.150: NEEDED_PREAUTH: oper at PDH.CSP for krbtgt/PDH.CSP at PDH.CSP, Additional pre-authentication required
> Sep 19 19:50:36 csp-idm.pdh.csp krb5kdc[1246](info): AS_REQ (1 etypes {23}) 192.168.201.150: ISSUE: authtime 1316461836, etypes {rep=23 tkt=18 ses=23}, oper at PDH.CSP for krbtgt/PDH.CSP at PDH.CSP
> Sep 19 19:50:37 csp-idm.pdh.csp krb5kdc[1246](info): TGS_REQ (7 etypes {23 -133 -128 3 1 24 -135}) 192.168.201.150: ISSUE: authtime 1316461836, etypes {rep=23 tkt=18 ses=23}, oper at PDH.CSP for host/crm1.pdh.csp at PDH.CSP
> 
> On Mon, Sep 19, 2011 at 1:32 PM, Simo Sorce <simo at redhat.com> wrote:
>         On Mon, 2011-09-19 at 13:05 -0400, Jimmy wrote:
>         > Once I changed the password for 'admin' I now get this error on the
>         > windows system:
>         >
>         > Insufficient system resources exist to complete the requested service
>         >
>         > and get this in the log no matter if I use the correct (changed)
>         > password or if I use a known bad password:
>         > Sep 19 17:01:19 csp-idm.pdh.csp krb5kdc[1246](info): AS_REQ (7 etypes {18 17 23 3 1 24 -135}) 192.168.201.9: NEEDED_PREAUTH: admin at PDH.CSP for krbtgt/PDH.CSP at PDH.CSP, Additional pre-authentication required
>         >
>         > I even deleted the user and all associated profile information on the
>         > windows system and still it won't work any more.
>         >
>
>         Ok somehow we generate a key the windows client doesn't like or know how
>         to work with. While MIT's clients are just fine with.
>         The way we generate keys is by setting a special random seed that is
>         handed back to the client when the preauth error is generated, perhaps
>         Windows is not liking what it sees?
>
>         Any chance you can try with an older client, I wonder if it is a
>         regression in win7?
>
>         Simo.
>
>         --
>         Simo Sorce * Red Hat, Inc * New York
>
> 

-- 
Simo Sorce * Red Hat, Inc * New York
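
Added example, not part of the original thread or of FreeIPA: a small Python parser for the krb5kdc lines quoted above that names each encryption type and flags issued tickets whose `tkt` or `ses` etype is outside the list the client offered. The function and variable names are assumptions of this example, and the sample lines are the thread's log lines re-joined onto single lines.

```python
import re

# IANA Kerberos etype numbers that appear in the thread's logs.
# Negative values are Microsoft-private etypes and are left unnamed here.
ETYPE_NAMES = {
    1: "des-cbc-crc", 3: "des-cbc-md5",
    17: "aes128-cts-hmac-sha1-96", 18: "aes256-cts-hmac-sha1-96",
    23: "rc4-hmac", 24: "rc4-hmac-exp",
}

# Log lines taken from the thread, re-joined onto single lines.
SAMPLE_LOG = """\
Sep 19 19:50:36 csp-idm.pdh.csp krb5kdc[1246](info): AS_REQ (7 etypes {23 -133 -128 3 1 24 -135}) 192.168.201.150: NEEDED_PREAUTH: oper at PDH.CSP for krbtgt/PDH.CSP at PDH.CSP, Additional pre-authentication required
Sep 19 19:50:36 csp-idm.pdh.csp krb5kdc[1246](info): AS_REQ (1 etypes {23}) 192.168.201.150: ISSUE: authtime 1316461836, etypes {rep=23 tkt=18 ses=23}, oper at PDH.CSP for krbtgt/PDH.CSP at PDH.CSP
Sep 19 19:50:37 csp-idm.pdh.csp krb5kdc[1246](info): TGS_REQ (7 etypes {23 -133 -128 3 1 24 -135}) 192.168.201.150: ISSUE: authtime 1316461836, etypes {rep=23 tkt=18 ses=23}, oper at PDH.CSP for host/crm1.pdh.csp at PDH.CSP
"""

LINE_RE = re.compile(
    r"(?P<req>AS_REQ|TGS_REQ) \(\d+ etypes \{(?P<offered>[^}]*)\}\) "
    r"(?P<client>\S+): (?P<status>[A-Z_]+): (?P<rest>.*)"
)
ISSUED_RE = re.compile(r"etypes \{rep=(-?\d+) tkt=(-?\d+) ses=(-?\d+)\}.* for (\S+)")


def etype_name(etype):
    return ETYPE_NAMES.get(etype, f"etype {etype}")


def analyze(log_text):
    """Return one finding per issued ticket in the krb5kdc log text."""
    findings = []
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if not m or m["status"] != "ISSUE":
            continue  # NEEDED_PREAUTH and error lines carry no rep/tkt/ses
        issued = ISSUED_RE.search(m["rest"])
        if not issued:
            continue
        offered = {int(e) for e in m["offered"].split()}
        tkt, ses = int(issued[2]), int(issued[3])
        # tkt is the key the *service* decrypts with; it matters when the
        # service principal is itself a host limited to the offered etypes.
        findings.append({
            "request": m["req"], "client": m["client"], "service": issued[4],
            "tkt": etype_name(tkt), "ses": etype_name(ses),
            "tkt_outside_offer": tkt not in offered,
            "ses_outside_offer": ses not in offered,
        })
    return findings
```
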



