Hello

I'm trying again to set up a pilot FreeIPA infrastructure for Linux/AFS 
servers and Windows clients. So the first (and hardest) task is to join 
a "Windows 7" into FreeIPA/Kerberos. 
I already read the available documentation and set up my pilot client with 
the following parameters:

ksetup /setdomain SAMPLE.CH
ksetup /SetRealm SAMPLE.CH
ksetup /AddKdc SAMPLE.CH freeipa.sample.ch
ksetup /AddKpasswd SAMPLE.CH freeipa.sample.ch
ksetup /SetComputerPassword MYPASSWORDHERE
ksetup /MapUser * *

Changed the available encryption types for Kerberos in secpol.msc under 
Local Policies/Security Options/Network Security/Network Security: 
Configure encryption types allowed for Kerberos to:
DES_CBC_CRC,DES_CBC_MD5,RC4_HMAC_MD5,AES128_HMAC_SHA1,AES256_HMAC_SHA1, 
Future encryption types

Created a host principal in the FreeIPA web interface and set the OTP to 
MYPASSWORDHERE.

The clock of the Windows 7 machine is synced with the ntpd of the FreeIPA 
server.

When I try to log in I get the usual password change request dialog on the 
Windows 7 client and the following krb5log entry:

   Jul 31 10:39:05 freeipa.sample.ch krb5kdc[6780](info): AS_REQ (7 etypes {18 17 23 3 1 24 -135}) 192.168.1.90: CLIENT KEY EXPIRED: isn-rol...@sample.ch for krbtgt/sample...@sample.ch, Password has expired

When I try to change the password I get only "The username or password is 
wrong" with the following krb5log entries:

   Jul 31 10:39:43 freeipa.sample.ch krb5kdc[6780](info): AS_REQ (7 etypes {18 17 23 3 1 24 -135}) 192.168.1.90: NEEDED_PREAUTH: isn-rol...@sample.ch for kadmin/chang...@sample.ch, Additional pre-authentication required
   Jul 31 10:39:43 freeipa.sample.ch krb5kdc[6780](info): preauth (timestamp) verify failure: Decrypt integrity check failed
   Jul 31 10:39:43 freeipa.sample.ch krb5kdc[6780](info): AS_REQ (7 etypes {18 17 23 3 1 24 -135}) 192.168.1.90: PREAUTH_FAILED: isn-rol...@sample.ch for kadmin/chang...@sample.ch, Decrypt integrity check failed
   Jul 31 10:39:43 freeipa.sample.ch krb5kdc[6780](info): preauth (timestamp) verify failure: Decrypt integrity check failed
   Jul 31 10:39:43 freeipa.sample.ch krb5kdc[6780](info): AS_REQ (7 etypes {18 17 23 3 1 24 -135}) 192.168.1.90: PREAUTH_FAILED: isn-rol...@sample.ch for kadmin/chang...@sample.ch, Decrypt integrity check failed

After long googling and long investigation, I can't see the issue behind 
these problems. 

Has someone set up a similar environment and can give me some advice to 
get this up and running?

Regards

Roland
_______________________________________________
Freeipa-users mailing list
Freeipa-users@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-users
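
An added example, not part of the original post: a Python parser for failed AS_REQ lines of the shape quoted above, tallying outcomes per client and service and flagging offered encryption types that are DES or export RC4 (deprecated by RFC 6649) or in the negative private-use range. The sample log is constructed, with a placeholder host, address and principals; etype names follow the IANA Kerberos registry.

```python
import re
from collections import Counter

# Names from the IANA Kerberos encryption type registry.
ETYPES = {1: "des-cbc-crc", 3: "des-cbc-md5", 17: "aes128-cts-hmac-sha1-96",
          18: "aes256-cts-hmac-sha1-96", 23: "rc4-hmac", 24: "rc4-hmac-exp"}
WEAK = {1, 3, 24}  # DES and export RC4, deprecated by RFC 6649

AS_REQ = re.compile(
    r"krb5kdc\[\d+\]\(info\): AS_REQ \(\d+ etypes \{(?P<etypes>[-\d ]+)\}\) "
    r"(?P<addr>\S+): (?P<status>[A-Z_ ]+): (?P<client>\S+) for "
    r"(?P<service>\S+), (?P<reason>.*)$")

# Constructed sample (placeholder host, address and principals), one entry per line.
SAMPLE = """\
Jul 31 10:39:05 kdc.example.test krb5kdc[6780](info): AS_REQ (7 etypes {18 17 23 3 1 24 -135}) 192.0.2.90: CLIENT KEY EXPIRED: user@EXAMPLE.TEST for krbtgt/EXAMPLE.TEST@EXAMPLE.TEST, Password has expired
Jul 31 10:39:43 kdc.example.test krb5kdc[6780](info): AS_REQ (7 etypes {18 17 23 3 1 24 -135}) 192.0.2.90: NEEDED_PREAUTH: user@EXAMPLE.TEST for pwchange/placeholder@EXAMPLE.TEST, Additional pre-authentication required
Jul 31 10:39:43 kdc.example.test krb5kdc[6780](info): preauth (timestamp) verify failure: Decrypt integrity check failed
Jul 31 10:39:43 kdc.example.test krb5kdc[6780](info): AS_REQ (7 etypes {18 17 23 3 1 24 -135}) 192.0.2.90: PREAUTH_FAILED: user@EXAMPLE.TEST for pwchange/placeholder@EXAMPLE.TEST, Decrypt integrity check failed
"""

def parse_as_req(line):
    """Return the fields of a failed AS_REQ line, or None for any other line."""
    m = AS_REQ.search(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["etypes"] = [int(e) for e in rec["etypes"].split()]
    return rec

def summarise(log):
    """Count (client, service, status) outcomes; collect weak or private-use etypes."""
    outcomes, flagged = Counter(), set()
    for line in log.splitlines():
        rec = parse_as_req(line)
        if rec:
            outcomes[(rec["client"], rec["service"], rec["status"])] += 1
            flagged.update(e for e in rec["etypes"] if e in WEAK or e < 0)
    return outcomes, sorted(flagged)

if __name__ == "__main__":
    outcomes, flagged = summarise(SAMPLE)
    for (client, service, status), n in outcomes.items():
        print(f"{n}x {status}: {client} -> {service}")
    for e in flagged:
        print(f"client offers etype {e} ({ETYPES.get(e, 'private-use')})")
```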