[Freeipa-users] Once Again: Freeipa and Windows 7

2011-07-31 Thread roland . kaeser
Hello

I'm trying again to set up a pilot freeipa infrastructure for linux/afs 
servers and windows clients. So the first (and hardest) task is to join 
a windows 7 into freeipa/kerberos. 
I already read the available documentation and set up my pilot client with 
the following parameters:

ksetup /setdomain SAMPLE.CH
ksetup /SetRealm SAMPLE.CH
ksetup /AddKdc SAMPLE.CH freeipa.sample.ch
ksetup /AddKpasswd SAMPLE.CH freeipa.sample.ch
ksetup /SetComputerPassword MYPASSWORDHERE
ksetup /MapUser * *

Changed the available encryption types for kerberos in secpol.msc under 
Local Policies/Security Options/Network Security/Network Security: 
Configure encryption types allowed for Kerberos to:
DES_CBC_CRC, DES_CBC_MD5, RC4_HMAC_MD5, AES128_HMAC_SHA1, AES256_HMAC_SHA1, 
Future encryption types

Created a host principal in the freeipa web interface and set the OTP to 
MYPASSWORDHERE.

The clock of the windows 7 machine is synced with the ntpd of the freeipa 
server.

When I try to login I get the usual password change request dialog on the 
windows 7 client and the following krb5log entry:

Jul 31 10:39:05 freeipa.sample.ch krb5kdc[6780](info): AS_REQ (7 etypes {18 17 23 3 1 24 -135}) 192.168.1.90: CLIENT KEY EXPIRED: isn-rol...@sample.ch for krbtgt/sample...@sample.ch, Password has expired

When I try to change the password I get only "The username or password is 
wrong" with the following krb5log entries:

Jul 31 10:39:43 freeipa.sample.ch krb5kdc[6780](info): AS_REQ (7 etypes {18 17 23 3 1 24 -135}) 192.168.1.90: NEEDED_PREAUTH: isn-rol...@sample.ch for kadmin/chang...@sample.ch, Additional pre-authentication required
Jul 31 10:39:43 freeipa.sample.ch krb5kdc[6780](info): preauth (timestamp) verify failure: Decrypt integrity check failed
Jul 31 10:39:43 freeipa.sample.ch krb5kdc[6780](info): AS_REQ (7 etypes {18 17 23 3 1 24 -135}) 192.168.1.90: PREAUTH_FAILED: isn-rol...@sample.ch for kadmin/chang...@sample.ch, Decrypt integrity check failed
Jul 31 10:39:43 freeipa.sample.ch krb5kdc[6780](info): preauth (timestamp) verify failure: Decrypt integrity check failed
Jul 31 10:39:43 freeipa.sample.ch krb5kdc[6780](info): AS_REQ (7 etypes {18 17 23 3 1 24 -135}) 192.168.1.90: PREAUTH_FAILED: isn-rol...@sample.ch for kadmin/chang...@sample.ch, Decrypt integrity check failed

After long googling and long investigation, I can't see the issue behind 
these problems. 

Has someone set up a similar environment and can give me some advice to 
get this up and running?

Regards

Roland
___
Freeipa-users mailing list
Freeipa-users@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-users
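
For reading krb5kdc entries like the ones in the message above, the following is an added example (not part of the original post or of FreeIPA): it parses AS_REQ lines, names the offered encryption types, flags the weak ones (single DES, export RC4), and counts outcomes per service principal. The function names are hypothetical and the sample input is the post's log lines, unwrapped.

```python
import re
from collections import Counter

# Kerberos enctype numbers; negative values are Microsoft-private assignments.
ETYPES = {
    1: "des-cbc-crc", 3: "des-cbc-md5", 17: "aes128-cts-hmac-sha1-96",
    18: "aes256-cts-hmac-sha1-96", 23: "rc4-hmac", 24: "rc4-hmac-exp",
    -135: "rc4-hmac-old-exp (Microsoft)",
}
WEAK = {1, 3, 24, -135}  # single DES and export-grade RC4

# Sample input: log lines from the post with the mail wrapping undone;
# principals stay elided exactly as the list archive shows them.
P = "Jul 31 10:39:43 freeipa.sample.ch krb5kdc[6780](info): "
A = P + "AS_REQ (7 etypes {18 17 23 3 1 24 -135}) 192.168.1.90: "
CHPW = "isn-rol...@sample.ch for kadmin/chang...@sample.ch, "
SAMPLE_LOG = "\n".join([
    A.replace("39:43", "39:05") + "CLIENT KEY EXPIRED: isn-rol...@sample.ch "
    "for krbtgt/sample...@sample.ch, Password has expired",
    A + "NEEDED_PREAUTH: " + CHPW + "Additional pre-authentication required",
    P + "preauth (timestamp) verify failure: Decrypt integrity check failed",
    A + "PREAUTH_FAILED: " + CHPW + "Decrypt integrity check failed",
    A + "PREAUTH_FAILED: " + CHPW + "Decrypt integrity check failed",
])

AS_REQ = re.compile(
    r"AS_REQ \(\d+ etypes \{(?P<etypes>[-\d ]+)\}\) (?P<ip>\S+): "
    r"(?P<status>[A-Z_ ]+): (?P<client>\S+) for (?P<service>\S+), (?P<msg>.*)$"
)

def parse_as_req(line):
    """Return a dict for an AS_REQ line, or None for any other log line."""
    m = AS_REQ.search(line)
    if not m:
        return None
    offered = [int(n) for n in m.group("etypes").split()]
    event = m.groupdict()
    event["etypes"] = [ETYPES.get(n, f"unknown({n})") for n in offered]
    event["weak"] = [ETYPES.get(n, str(n)) for n in offered if n in WEAK]
    return event

def summarize(log_text):
    """Parse all AS_REQ lines and count (service, status) pairs."""
    events = [e for e in map(parse_as_req, log_text.splitlines()) if e]
    return events, Counter((e["service"], e["status"]) for e in events)

if __name__ == "__main__":
    events, counts = summarize(SAMPLE_LOG)
    print("weak etypes offered:", events[0]["weak"])
    for (service, status), n in counts.items():
        print(f"{n}x {status} -> {service}")
```

On this input the password-change requests end in PREAUTH_FAILED: the KDC could not decrypt the client's encrypted timestamp with the key it holds for that principal.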

Re: [Freeipa-users] version mismatch while joining a client ?

2011-07-31 Thread Steven Jones
Hi,


For RHEL6.1 64bit, can you tell me which old libcurl is the right one?

I seem to be getting bogged down with RH support... seems the downgrade went 
from x86_64 to i686 but still the same subpatch -26... I think I want -16?

:/

regards

Steven Jones

Technical Specialist - Linux RHCE

Victoria University, Wellington, NZ


From: Rob Crittenden [rcrit...@redhat.com]
Sent: Friday, 29 July 2011 10:17 a.m.
To: Steven Jones
Cc: freeipa-users@redhat.com
Subject: Re: [Freeipa-users] version mismatch while joining a client ?

Steven Jones wrote:
 client install attempt info

What version of libcurl do you have installed on the client? I realize
you downgraded it, just curious what you ended up with.

Can you look on the server and see if there is an exception related to
principal not being set?

rob


 regards

 Steven Jones

 Technical Specialist - Linux RHCE

 Victoria University, Wellington, NZ

 
 From: freeipa-users-boun...@redhat.com [freeipa-users-boun...@redhat.com] on 
 behalf of Steven Jones [steven.jo...@vuw.ac.nz]
 Sent: Friday, 29 July 2011 9:59 a.m.
 Cc: freeipa-users@redhat.com
 Subject: Re: [Freeipa-users] version mismatch while joining a client ?

 I just downgraded libcurl and curl on rhel6.1 client... still broken.


 regards

 Steven Jones

 Technical Specialist - Linux RHCE

 Victoria University, Wellington, NZ







Re: [Freeipa-users] version mismatch while joining a client ?

2011-07-31 Thread Sylvain PANNETRAT

Hi,

You can take the file from the F14 installation DVD. It works for me. You may 
need to make a script to be able to swap your libcurl file, because when 
you install the old version, yum doesn't work any more.


Regards,

Sylvain PANNETRAT

On 01/08/11 00:30, Steven Jones wrote:

Hi,


For RHEL6.1 64bit, can you tell me which old libcurl is the right one?

I seem to be getting bogged down with RH support... seems the downgrade went 
from x86_64 to i686 but still the same subpatch -26... I think I want -16?

:/

regards

Steven Jones

Technical Specialist - Linux RHCE

Victoria University, Wellington, NZ


From: Rob Crittenden [rcrit...@redhat.com]
Sent: Friday, 29 July 2011 10:17 a.m.
To: Steven Jones
Cc: freeipa-users@redhat.com
Subject: Re: [Freeipa-users] version mismatch while joining a client ?

Steven Jones wrote:

client install attempt info

What version of libcurl do you have installed on the client? I realize
you downgraded it, just curious what you ended up with.

Can you look on the server and see if there is an exception related to
principal not being set?

rob


regards

Steven Jones

Technical Specialist - Linux RHCE

Victoria University, Wellington, NZ


From: freeipa-users-boun...@redhat.com [freeipa-users-boun...@redhat.com] on 
behalf of Steven Jones [steven.jo...@vuw.ac.nz]
Sent: Friday, 29 July 2011 9:59 a.m.
Cc: freeipa-users@redhat.com
Subject: Re: [Freeipa-users] version mismatch while joining a client ?

I just downgraded libcurl and curl on rhel6.1 client... still broken.


regards

Steven Jones

Technical Specialist - Linux RHCE

Victoria University, Wellington, NZ







