I have verified that the password set for the workstation in the Kerberos host principal (using ipa-getkeytab) and the password on the host (using ksetup) are the same. I'm still getting the "Decrypt integrity check failed" errors. I have also verified that the system clock is accurate on both the KDC and the workstation. What else could be causing this? As I have said, this system authenticates flawlessly against other KDCs I have set up. Jimmy
On Fri, Sep 16, 2011 at 5:55 PM, Simo Sorce <[email protected]> wrote:
> On Fri, 2011-09-16 at 17:24 -0400, Jimmy wrote:
> > This was installed using yum. I need to be able to authenticate users
> > against Kerberos from a Windows client machine and it fails at login
> > saying the username/password is incorrect. The krb5kdc.log shows:
> >
> > Sep 16 20:53:32 csp-idm.pdh.csp krb5kdc[1227](info): AS_REQ (7 etypes {18 17 23 3 1 24 -135}) 192.168.201.9: NEEDED_PREAUTH: [email protected] for krbtgt/[email protected], Additional pre-authentication required
> > Sep 16 20:53:32 csp-idm.pdh.csp krb5kdc[1227](info): preauth (timestamp) verify failure: Decrypt integrity check failed
> > Sep 16 20:53:32 csp-idm.pdh.csp krb5kdc[1227](info): AS_REQ (7 etypes {18 17 23 3 1 24 -135}) 192.168.201.9: PREAUTH_FAILED: [email protected] for krbtgt/[email protected], Decrypt integrity check failed
> > Sep 16 20:53:32 csp-idm.pdh.csp krb5kdc[1227](info): preauth (timestamp) verify failure: Decrypt integrity check failed
> > Sep 16 20:53:32 csp-idm.pdh.csp krb5kdc[1227](info): AS_REQ (7 etypes {18 17 23 3 1 24 -135}) 192.168.201.9: PREAUTH_FAILED: [email protected] for krbtgt/[email protected], Decrypt integrity check failed
>
> These logs say that either the password is wrong, or the clock on your
> Windows client is way off (more than 5 min. skew) wrt the IPA server.
>
> > I know the user's password I'm using is correct because I can kinit
> > with that username/password on the IPA server. I used
> > ipa-getkeytab to set the machine password, but I'm not sure that it's
> > doing what I would normally do in a stand-alone MIT Kerberos server
> > using kadmin. Using ksetup on the Windows 7 client I can reconfigure
> > for a couple of different realms and authentication works just fine, but
> > I'm missing something on the IPA config that would allow the same
> > authentication.
>
> The reason to have a "password" (Windows) or a keytab (Unix) for the
> machine is to be able to validate the account against a possible rogue
> KDC+attacker at login prompt pair.
>
> But you are not even getting to the validation step as you are failing
> to get a TGT for the user in the first place.
>
> If the user password is right and your FreeIPA REALM name is indeed
> PDH.CSP then it is probably clock skew.
>
> Simo.
>
> --
> Simo Sorce * Red Hat, Inc * New York
_______________________________________________ Freeipa-users mailing list [email protected] https://www.redhat.com/mailman/listinfo/freeipa-users
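The KDC log lines quoted in the thread, worked through as an added example that is not part of the thread and is not FreeIPA or MIT krb5 code: a small Python triage script that parses krb5kdc.log AS_REQ lines, decodes the client's etype list, and groups outcomes per source address and principal, so that one host failing on one principal (this thread's situation) can be told apart from one host failing across many principals (password guessing). It assumes the MIT krb5 log format shown in the thread; the principals alice and bob, the second timestamp and the ISSUE line in its sample are constructed, since the real principals are redacted on the page. One caveat when reading the output: in MIT krb5 the timestamp pre-authentication check first decrypts the client's encrypted timestamp with the KDC's copy of the principal's key and only then compares clocks, and a skew caught at that second step is logged as "Clock skew too great"; "Decrypt integrity check failed" means the decryption itself failed, i.e. the key the client derived from password, salt and enctype is not the key the KDC holds for that principal.

```python
"""Triage krb5kdc.log AS_REQ lines for repeated pre-authentication failures.

Added example for this thread; not code from the thread, MIT Kerberos or
FreeIPA.  SAMPLE_LOG is constructed in the format quoted in the thread;
principals alice/bob and the ISSUE line are hypothetical.
"""
import re
from collections import Counter, defaultdict

# Encryption-type numbers as the KDC prints them in the client's etype list.
# Negative values are Microsoft private-use types.
ETYPE_NAMES = {
    1: "des-cbc-crc",
    3: "des-cbc-md5",
    17: "aes128-cts-hmac-sha1-96",
    18: "aes256-cts-hmac-sha1-96",
    23: "rc4-hmac",
    24: "rc4-hmac-exp",
    -135: "rc4-hmac-old-exp",
}

AS_REQ_RE = re.compile(
    r"krb5kdc\[\d+\]\(info\): AS_REQ \((?P<n>\d+) etypes \{(?P<etypes>[^}]*)\}\) "
    r"(?P<client>\S+): (?P<status>[A-Z_]+): (?P<rest>.*)$"
)
PRINC_RE = re.compile(r"(?P<princ>\S+) for (?P<server>[^,\s]+)")
PREAUTH_RE = re.compile(
    r"krb5kdc\[\d+\]\(info\): preauth \((?P<mech>[^)]+)\) verify failure: (?P<msg>.*)$"
)

SAMPLE_LOG = """\
Sep 16 20:53:32 csp-idm.pdh.csp krb5kdc[1227](info): AS_REQ (7 etypes {18 17 23 3 1 24 -135}) 192.168.201.9: NEEDED_PREAUTH: alice@PDH.CSP for krbtgt/PDH.CSP@PDH.CSP, Additional pre-authentication required
Sep 16 20:53:32 csp-idm.pdh.csp krb5kdc[1227](info): preauth (timestamp) verify failure: Decrypt integrity check failed
Sep 16 20:53:32 csp-idm.pdh.csp krb5kdc[1227](info): AS_REQ (7 etypes {18 17 23 3 1 24 -135}) 192.168.201.9: PREAUTH_FAILED: alice@PDH.CSP for krbtgt/PDH.CSP@PDH.CSP, Decrypt integrity check failed
Sep 16 20:53:32 csp-idm.pdh.csp krb5kdc[1227](info): preauth (timestamp) verify failure: Decrypt integrity check failed
Sep 16 20:53:32 csp-idm.pdh.csp krb5kdc[1227](info): AS_REQ (7 etypes {18 17 23 3 1 24 -135}) 192.168.201.9: PREAUTH_FAILED: alice@PDH.CSP for krbtgt/PDH.CSP@PDH.CSP, Decrypt integrity check failed
Sep 16 20:54:01 csp-idm.pdh.csp krb5kdc[1227](info): AS_REQ (7 etypes {18 17 23 3 1 24 -135}) 192.168.201.9: NEEDED_PREAUTH: bob@PDH.CSP for krbtgt/PDH.CSP@PDH.CSP, Additional pre-authentication required
Sep 16 20:54:01 csp-idm.pdh.csp krb5kdc[1227](info): AS_REQ (7 etypes {18 17 23 3 1 24 -135}) 192.168.201.9: ISSUE: authtime 1316220841, etypes {rep=18 tkt=18 ses=18}, bob@PDH.CSP for krbtgt/PDH.CSP@PDH.CSP
"""


def parse_kdc_line(line):
    """Parse one krb5kdc.log line; return a dict, or None for lines we ignore."""
    m = AS_REQ_RE.search(line)
    if m:
        rest = m.group("rest")
        p = PRINC_RE.search(rest)
        return {
            "kind": "AS_REQ",
            "client": m.group("client"),
            "status": m.group("status"),
            "etypes": [int(x) for x in m.group("etypes").split()],
            "princ": p.group("princ") if p else None,
            "server": p.group("server") if p else None,
            # Failure lines end with ", <reason>"; ISSUE lines carry no reason.
            "msg": "" if m.group("status") == "ISSUE" else rest.rpartition(", ")[2],
        }
    m = PREAUTH_RE.search(line)
    if m:
        return {"kind": "PREAUTH_VERIFY_FAILURE", "mech": m.group("mech"), "msg": m.group("msg")}
    return None


def etype_names(etypes):
    """Readable names for an etype list, e.g. to spot a client offering only RC4/DES."""
    return [ETYPE_NAMES.get(e, "etype-%d" % e) for e in etypes]


def summarize(log_text):
    """Count AS_REQ outcomes per (client address, principal)."""
    summary = defaultdict(Counter)
    for line in log_text.splitlines():
        rec = parse_kdc_line(line)
        if rec and rec["kind"] == "AS_REQ" and rec["princ"]:
            summary[(rec["client"], rec["princ"])][rec["status"]] += 1
    return summary


def triage(summary, threshold=2):
    """Return (findings, distinct principals that failed per client).

    A finding is a (client, principal) pair with >= threshold PREAUTH_FAILED
    and no ISSUE: the client keeps sending a timestamp the KDC cannot verify
    with its key for that principal.  One principal per host looks like this
    thread's misconfiguration; many principals per host looks like guessing.
    """
    findings = []
    principals_failed = Counter()
    for (client, princ), counts in sorted(summary.items()):
        failed = counts.get("PREAUTH_FAILED", 0)
        if failed:
            principals_failed[client] += 1
        if failed >= threshold and counts.get("ISSUE", 0) == 0:
            findings.append({"client": client, "principal": princ, "failed": failed})
    return findings, principals_failed


if __name__ == "__main__":
    found, per_client = triage(summarize(SAMPLE_LOG))
    for f in found:
        print("%(client)s -> %(principal)s: %(failed)d preauth failures" % f)
    for client, n in per_client.items():
        print("%s: %d distinct principal(s) failed preauth" % (client, n))
```

Run it against a real /var/log/krb5kdc.log by replacing SAMPLE_LOG with the file contents; the etype list decoded by etype_names is the quickest way to see which enctypes a Windows client actually offers, which matters when the KDC holds keys only for enctypes the client does not request.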
