I have a need to 'kinit' from within a Cygwin environment in order to perform an svn checkout over ssh. However, I can't figure out how to get this to work properly with FreeIPA. We had an MIT Kerberos/OpenLDAP authentication system prior to using FreeIPA and we had it working there.
The Windows machine itself is kerberized as per http://www.freeipa.org/page/Windows_authentication_against_FreeIPA, so I can log in as the Kerberos user via the standard Windows login; however, I don't believe that is relevant to Cygwin since it uses its own config.

Next, I generated an /etc/krb5.conf file within Cygwin as appropriate for my domain (DNS SRV records don't appear to work, so I had to fully configure it with my IPA servers listed, etc. ... which is basically an identical config to what was previously working, just with some new URLs). It was derived originally from here: http://computing.fnal.gov/authentication/krb5conf/Windows/krb5.conf

Also, the Cygwin /etc/krb5.keytab is what was generated via ipa-getkeytab from the FreeIPA Windows config docs (linked earlier).

Initially I received these errors:

  Jan 07 11:42:45 ipa1.XXXX krb5kdc[31975](info): AS_REQ (2 etypes {3 1}) 10.100.10.112: BAD_ENCRYPTION_TYPE: bhouse@XXXX for krbtgt/XXXX@XXXX, KDC has no support for encryption type

It appeared the Kerberos within Cygwin is only advertising DES encryption types even though stronger ones are configured in my krb5.conf.

OK, so I allowed weak crypto on the krb5kdc on the FreeIPA server, following the same procedure as this mailing list entry (which was for a different purpose): https://www.redhat.com/archives/freeipa-users/2014-November/msg00246.html which appears similar to the NFS workarounds but also includes modifications for krb5kdc.conf: http://docs.fedoraproject.org/en-US/Fedora/17/html/FreeIPA_Guide/kerb-nfs.html

Now I'm receiving these errors in the logs:

  Jan 07 12:39:29 ipa1.p10jax.auth.monetra.com krb5kdc[32006](info): AS_REQ (2 etypes {3 1}) 10.100.10.112: NEEDED_PREAUTH: bhouse@XXXX for krbtgt/XXXX@XXXX, Additional pre-authentication required
  Jan 07 12:39:29 ipa1.p10jax.auth.monetra.com krb5kdc[32005](info): AS_REQ (2 etypes {3 1}) 10.100.10.112: NEEDED_PREAUTH: bhouse@XXXX for krbtgt/XXXX@XXXX, Additional pre-authentication required
  Jan 07 12:39:29 ipa1.p10jax.auth.monetra.com krb5kdc[32005](info): DISPATCH: repeated (retransmitted?) request from 10.100.10.112, resending previous response
  Jan 07 12:39:29 ipa1.p10jax.auth.monetra.com krb5kdc[32005](info): DISPATCH: repeated (retransmitted?) request from 10.100.10.112, resending previous response
  Jan 07 12:39:29 ipa1.p10jax.auth.monetra.com krb5kdc[32005](info): DISPATCH: repeated (retransmitted?) request from 10.100.10.112, resending previous response
  Jan 07 12:39:29 ipa1.p10jax.auth.monetra.com krb5kdc[32005](info): DISPATCH: repeated (retransmitted?) request from 10.100.10.112, resending previous response
  Jan 07 12:39:29 ipa1.p10jax.auth.monetra.com krb5kdc[32005](info): DISPATCH: repeated (retransmitted?) request from 10.100.10.112, resending previous response
  Jan 07 12:39:29 ipa1.p10jax.auth.monetra.com krb5kdc[32005](info): DISPATCH: repeated (retransmitted?) request from 10.100.10.112, resending previous response
  Jan 07 12:39:29 ipa1.p10jax.auth.monetra.com krb5kdc[32005](info): DISPATCH: repeated (retransmitted?) request from 10.100.10.112, resending previous response
  Jan 07 12:39:29 ipa1.p10jax.auth.monetra.com krb5kdc[32005](info): DISPATCH: repeated (retransmitted?) request from 10.100.10.112, resending previous response
  Jan 07 12:39:29 ipa1.p10jax.auth.monetra.com krb5kdc[32005](info): DISPATCH: repeated (retransmitted?) request from 10.100.10.112, resending previous response
  Jan 07 12:39:29 ipa1.p10jax.auth.monetra.com krb5kdc[32005](info): DISPATCH: repeated (retransmitted?) request from 10.100.10.112, resending previous response
  Jan 07 12:39:29 ipa1.p10jax.auth.monetra.com krb5kdc[32005](info): DISPATCH: repeated (retransmitted?) request from 10.100.10.112, resending previous response
  Jan 07 12:39:29 ipa1.p10jax.auth.monetra.com krb5kdc[32005](info): AS_REQ (2 etypes {3 1}) 10.100.10.112: NEEDED_PREAUTH: bhouse@XXXX for krbtgt/XXXX@XXXX, Additional pre-authentication required
  Jan 07 12:39:29 ipa1.p10jax.auth.monetra.com krb5kdc[32005](info): DISPATCH: repeated (retransmitted?) request from 10.100.10.112, resending previous response
  Jan 07 12:39:29 ipa1.p10jax.auth.monetra.com krb5kdc[32005](info): DISPATCH: repeated (retransmitted?) request from 10.100.10.112, resending previous response
  Jan 07 12:39:30 ipa1.p10jax.auth.monetra.com krb5kdc[32005](info): DISPATCH: repeated (retransmitted?) request from 10.100.10.112, resending previous response

And on the Cygwin console I get:

  $ kinit bhouse
  Password for bhouse@XXXX:
  kinit: Looping detected inside krb5_get_in_tkt while getting initial credentials

So I think this is _better_; however, I don't know where to go from here. Any help would be greatly appreciated; I'm not finding anything when trying to research Cygwin with FreeIPA.

Thanks!
-Brad

-- 
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go To http://freeipa.org for more info on the project
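An added example, not part of Brad's post and not code from the FreeIPA or MIT krb5 projects: a small Python audit that reads krb5kdc AS_REQ lines like the ones quoted above, decodes the advertised enctype numbers ({3 1} is des-cbc-md5 and des-cbc-crc) to find clients whose entire offer is weak, and checks a krb5.conf [libdefaults] section for settings that enable or prefer weak crypto. The first sample log line is the one from the post; the other log lines, the client 10.100.10.57, the user alice and the realm EXAMPLE.TEST are constructed for the example. Enctype numbers are the IANA Kerberos assignments. The point of the audit is to locate which side needs fixing: a client that only offers {3 1} should have its enctype list corrected, rather than the KDC being loosened with allow_weak_crypto.

```python
# Audit Kerberos enctype negotiation from krb5kdc log lines and krb5.conf.
# Added example for this thread; not FreeIPA or MIT krb5 project code.
import re

# IANA Kerberos encryption type numbers (RFC 3961/3962/4757/6803/8009).
ETYPE_NAMES = {
    1: "des-cbc-crc", 2: "des-cbc-md4", 3: "des-cbc-md5",
    16: "des3-cbc-sha1", 17: "aes128-cts-hmac-sha1-96",
    18: "aes256-cts-hmac-sha1-96", 19: "aes128-cts-hmac-sha256-128",
    20: "aes256-cts-hmac-sha384-192", 23: "rc4-hmac",
    25: "camellia128-cts-cmac", 26: "camellia256-cts-cmac",
}
WEAK_ETYPES = {1, 2, 3, 23}  # single DES (gated by allow_weak_crypto in MIT krb5) plus RC4
WEAK_CONF_NAMES = {"des", "des-cbc-crc", "des-cbc-md4", "des-cbc-md5",
                   "rc4-hmac", "arcfour-hmac", "arcfour-hmac-md5"}  # krb5.conf spellings
ENCTYPE_KEYS = ("default_tkt_enctypes", "default_tgs_enctypes", "permitted_enctypes")

# One AS_REQ line in the format krb5kdc writes (see the excerpts quoted in the post).
AS_REQ_RE = re.compile(
    r"AS_REQ \((?P<count>\d+) etypes \{(?P<etypes>[^}]*)\}\) (?P<client_ip>\S+): "
    r"(?P<status>[A-Z_]+): .*?(?P<client>[^\s,]+@[^\s,]+) for (?P<server>[^,\s]+)"
)


def parse_as_req_lines(log_text):
    """One dict per AS_REQ line; DISPATCH retransmit noise and other lines are skipped."""
    entries = []
    for line in log_text.splitlines():
        m = AS_REQ_RE.search(line)
        if m is None:
            continue
        entries.append({
            "client_ip": m.group("client_ip"),
            "etypes": [int(x) for x in m.group("etypes").split()],
            "status": m.group("status"),
            "client": m.group("client"),
            "server": m.group("server"),
        })
    return entries


def clients_offering_only_weak(entries):
    """Map client IP -> sorted names of offered etypes, for clients whose whole offer is weak."""
    result = {}
    for e in entries:
        offered = set(e["etypes"])
        if offered and offered <= WEAK_ETYPES:
            result[e["client_ip"]] = sorted(ETYPE_NAMES.get(t, "etype-%d" % t) for t in offered)
    return result


def weak_libdefaults(conf_text):
    """List (key, value) pairs in [libdefaults] that enable or prefer weak enctypes."""
    findings = []
    section = None
    for raw in conf_text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments
        if not line:
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].lower()
            continue
        if section != "libdefaults" or "=" not in line:
            continue
        key, value = (part.strip() for part in line.split("=", 1))
        if key == "allow_weak_crypto" and value.lower() in ("true", "yes", "1"):
            findings.append((key, value))
        elif key in ENCTYPE_KEYS and WEAK_CONF_NAMES & set(re.split(r"[\s,]+", value)):
            findings.append((key, value))
    return findings


# Constructed sample log: line 1 is the one quoted in the post; the DISPATCH line and the
# AES-capable client 10.100.10.57 / user alice are made up for the example.
SAMPLE_KDC_LOG = """\
Jan 07 11:42:45 ipa1.XXXX krb5kdc[31975](info): AS_REQ (2 etypes {3 1}) 10.100.10.112: BAD_ENCRYPTION_TYPE: bhouse@XXXX for krbtgt/XXXX@XXXX, KDC has no support for encryption type
Jan 07 11:42:46 ipa1.XXXX krb5kdc[31975](info): DISPATCH: repeated (retransmitted?) request from 10.100.10.112, resending previous response
Jan 07 11:45:10 ipa1.XXXX krb5kdc[31975](info): AS_REQ (4 etypes {18 17 23 3}) 10.100.10.57: ISSUE: authtime 1420652710, etypes {rep=18 tkt=18 ses=18}, alice@XXXX for krbtgt/XXXX@XXXX
"""

# Constructed krb5.conf fragments (realm EXAMPLE.TEST is hypothetical): a DES-only client
# configuration beside the AES-only one a practitioner would want on the Cygwin side.
WEAK_CONF = """\
[libdefaults]
    default_realm = EXAMPLE.TEST
    allow_weak_crypto = true
    default_tkt_enctypes = des-cbc-md5 des-cbc-crc
    default_tgs_enctypes = des-cbc-md5 des-cbc-crc
"""
STRONG_CONF = """\
[libdefaults]
    default_realm = EXAMPLE.TEST
    # allow_weak_crypto left at its default of false
    default_tkt_enctypes = aes256-cts-hmac-sha1-96 aes128-cts-hmac-sha1-96
    default_tgs_enctypes = aes256-cts-hmac-sha1-96 aes128-cts-hmac-sha1-96
    permitted_enctypes = aes256-cts-hmac-sha1-96 aes128-cts-hmac-sha1-96
"""

if __name__ == "__main__":
    for ip, names in clients_offering_only_weak(parse_as_req_lines(SAMPLE_KDC_LOG)).items():
        print("client %s offers only weak enctypes: %s" % (ip, ", ".join(names)))
    for label, conf in (("weak", WEAK_CONF), ("strong", STRONG_CONF)):
        print("%s krb5.conf findings: %s" % (label, weak_libdefaults(conf)))
```

Run it against a real /var/log/krb5kdc.log by passing the file contents to parse_as_req_lines; anything reported by clients_offering_only_weak is a client whose own krb5.conf or Kerberos build needs attention, independent of what the KDC permits.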