On 10/03/2013 11:15 PM, Mohan Cheema wrote:
> Hi Dmitri,
>
> Yes, it's solved now. It didn't work with single user mapping. I had to map
> all users as per the HOWTO and it worked. Initially I was trying with just
> one user mapped to ipa user, which didn't work.

Anything would be worth adding to the HOWTO based on your experience?

> Regards,
>
> Mohan
>
>> -----Original Message-----
>> From: [email protected] [mailto:freeipa-users-[email protected]] On Behalf Of Dmitri Pal
>> Sent: Thursday, October 03, 2013 10:06 PM
>> To: [email protected]
>> Subject: Re: [Freeipa-users] krb5kdc Additional pre-authentication required
>>
>> On 09/30/2013 10:59 PM, Mohan Cheema wrote:
>>>> -----Original Message-----
>>>> From: [email protected] [mailto:freeipa-users-[email protected]] On Behalf Of Sumit Bose
>>>> Sent: Monday, September 30, 2013 3:47 PM
>>>> To: [email protected]
>>>> Subject: Re: [Freeipa-users] krb5kdc Additional pre-authentication required
>>>>
>>>> On Mon, Sep 30, 2013 at 03:20:46PM +0100, Mohan Cheema wrote:
>>>>> Hi,
>>>>>
>>>>> We are trying to authenticate from Windows machine and getting below error.
>>>>>
>>>>> --------------------
>>>>> Sep 30 14:07:34 kdc1.domain.com krb5kdc[10105](info): AS_REQ (7 etypes {18 17 23 3 1 24 -135}) 10.43.2.45: NEEDED_PREAUTH: [email protected] for krbtgt/[email protected], Additional pre-authentication required
>>>>
>>>> This is expected behaviour. The client will first send the AS-REQ
>>>> without any pre-authentication data. If the server requires
>>>> pre-authentication for this principal it will return this error to the
>>>> client to indicate that pre-authentication is expected.
>>>>
>>>>> Sep 30 14:07:34 kdc1.domain.com krb5kdc[10105](info): AS_REQ (7 etypes {18 17 23 3 1 24 -135}) 10.43.2.45: ISSUE: authtime 1380550054, etypes {rep=18 tkt=18 ses=18}, [email protected] for krbtgt/[email protected]
>>>>
>>>> In the second AS-REQ the client has included some pre-authentication
>>>> data which is accepted by the KDC and a ticket is issued to the client.
>>>>
>>>> HTH
>>>>
>>>> bye,
>>>> Sumit
>>>>
>>>>> Sep 30 14:07:34 kdc1.domain.com krb5kdc[10105](info): TGS_REQ (7 etypes {18 17 23 3 1 24 -135}) 10.43.2.45: ISSUE: authtime 1380550054, etypes {rep=18 tkt=23 ses=23}, [email protected] for host/[email protected]
>>>>> --------------------
>>>>>
>>>>> We followed the instructions to integrate Windows for authentication.
>>>>>
>>>>> Windows Client: Windows server 2008 R2
>>>>>
>>>>> We are not able to figure out what the problem is.
>>>>>
>>>>> We are not using DNS server, instead we are using host file entries.
>>>>> DNS server setup is not an option for us right now.
>>>>>
>>>>> Same user can authenticate from Linux machine.
>>>>>
>>>>> Regards,
>>>>>
>>>>> Mohan Cheema
>>>>>
>>>>> _______________________________________________
>>>>> Freeipa-users mailing list
>>>>> [email protected]
>>>>> https://www.redhat.com/mailman/listinfo/freeipa-users
>>>
>>> Thanks for the info Sumit.
>>>
>>> However, if ticket is issued user should be able to login to system.
>>> Instead on Windows we are getting "user name or password is incorrect".
>>> Is there any other setting that needs to be done so that user can login
>>> to system?
>>
>> This thread seems to have no follow up.
>> Was the problem solved?
>> AFAIR for Windows system to allow the authentication one really needs to
>> map user to a local user.
>> There were some instructions in the HOWTO section of the IPA wiki.
>> Have you checked them?
>>
>>> Regards,
>>>
>>> Mohan
>>
>> --
>> Thank you,
>> Dmitri Pal
>>
>> Sr. Engineering Manager for IdM portfolio
>> Red Hat Inc.
>>
>> -------------------------------
>> Looking to carve out IT costs?
>> www.redhat.com/carveoutcosts/

--
Thank you,
Dmitri Pal

Sr. Engineering Manager for IdM portfolio
Red Hat Inc.
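The NEEDED_PREAUTH / ISSUE pairing explained in the thread can be checked mechanically when triaging a KDC log. The following is an added example, not part of the original thread or of FreeIPA: it pairs each NEEDED_PREAUTH with the AS_REQ ISSUE that normally follows, lists the ones that were never answered, and also reports tickets issued with a non-AES enctype (such as tkt=23 in the TGS_REQ line above). The function name, principals, realm, host name and second client address are assumptions made up for the sample.

```python
import re

# Constructed sample in the krb5kdc log format quoted in the thread; the
# principals, realm, Windows host name and second client address are made up.
SAMPLE_LOG = """\
Sep 30 14:07:34 kdc1.domain.com krb5kdc[10105](info): AS_REQ (7 etypes {18 17 23 3 1 24 -135}) 10.43.2.45: NEEDED_PREAUTH: alice@EXAMPLE.COM for krbtgt/EXAMPLE.COM@EXAMPLE.COM, Additional pre-authentication required
Sep 30 14:07:34 kdc1.domain.com krb5kdc[10105](info): AS_REQ (7 etypes {18 17 23 3 1 24 -135}) 10.43.2.45: ISSUE: authtime 1380550054, etypes {rep=18 tkt=18 ses=18}, alice@EXAMPLE.COM for krbtgt/EXAMPLE.COM@EXAMPLE.COM
Sep 30 14:07:34 kdc1.domain.com krb5kdc[10105](info): TGS_REQ (7 etypes {18 17 23 3 1 24 -135}) 10.43.2.45: ISSUE: authtime 1380550054, etypes {rep=18 tkt=23 ses=23}, alice@EXAMPLE.COM for host/win1.example.com@EXAMPLE.COM
Sep 30 14:09:02 kdc1.domain.com krb5kdc[10105](info): AS_REQ (7 etypes {18 17 23 3 1 24 -135}) 10.43.2.99: NEEDED_PREAUTH: bob@EXAMPLE.COM for krbtgt/EXAMPLE.COM@EXAMPLE.COM, Additional pre-authentication required
"""

LINE = re.compile(r"krb5kdc\[\d+\]\(info\): (AS_REQ|TGS_REQ) \(.*?\) (\S+): (\w+): (.*)$")
PRINCIPALS = re.compile(r"(\S+@\S+) for (\S+?)(?:,|$)")
TKT_ETYPE = re.compile(r"tkt=(-?\d+)")
AES_ETYPES = {17, 18}  # aes128-cts-hmac-sha1-96, aes256-cts-hmac-sha1-96


def triage(log_text):
    """Pair each NEEDED_PREAUTH with the AS_REQ ISSUE that normally follows it."""
    pending = {}      # (client address, principal) -> unanswered NEEDED_PREAUTH count
    completed = []    # AS exchanges that ended with a TGT being issued
    non_aes = []      # issued tickets encrypted with a non-AES enctype
    for line in log_text.splitlines():
        m = LINE.search(line)
        if not m:
            continue
        req, addr, status, rest = m.groups()
        p = PRINCIPALS.search(rest)
        if not p:
            continue
        client, service = p.groups()
        if req == "AS_REQ" and status == "NEEDED_PREAUTH":
            pending[(addr, client)] = pending.get((addr, client), 0) + 1
        elif status == "ISSUE":
            if req == "AS_REQ" and pending.pop((addr, client), None) is not None:
                completed.append((addr, client))
            etype = TKT_ETYPE.search(rest)
            if etype and int(etype.group(1)) not in AES_ETYPES:
                non_aes.append((client, service, int(etype.group(1))))
    return {"completed": completed, "unanswered": sorted(pending), "non_aes": non_aes}


if __name__ == "__main__":
    for key, value in triage(SAMPLE_LOG).items():
        print(key, value)
```

Only the "unanswered" entries need a closer look; a NEEDED_PREAUTH that is followed by ISSUE for the same client and principal is the normal two-step AS exchange.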
