> -----Original Message-----
> From: Dmitri Pal [mailto:[email protected]]
> Sent: Friday, October 04, 2013 4:38 AM
> To: Mohan Cheema
> Cc: [email protected]
> Subject: Re: [Freeipa-users] krb5kdc Additional pre-authentication required
>
> On 10/03/2013 11:15 PM, Mohan Cheema wrote:
> > Hi Dmitri,
> >
> > Yes, it's solved now. It didn't work with single user mapping; I had to map all
> > users as per the HOWTO and it worked. Initially I was trying with just one
> > user mapped to ipa user, which didn't work.
>
> Anything would be worth adding to the HOWTO based on your experience?

I think just mentioning that one needs to map all the users instead of just a single user, and create only those Windows users locally who will be accessing the machine.

>
> >
> > Regards,
> >
> > Mohan
> >
> >> -----Original Message-----
> >> From: [email protected] [mailto:freeipa-users-[email protected]] On Behalf Of Dmitri Pal
> >> Sent: Thursday, October 03, 2013 10:06 PM
> >> To: [email protected]
> >> Subject: Re: [Freeipa-users] krb5kdc Additional pre-authentication required
> >>
> >> On 09/30/2013 10:59 PM, Mohan Cheema wrote:
> >>>> -----Original Message-----
> >>>> From: [email protected] [mailto:freeipa-users-[email protected]] On Behalf Of Sumit Bose
> >>>> Sent: Monday, September 30, 2013 3:47 PM
> >>>> To: [email protected]
> >>>> Subject: Re: [Freeipa-users] krb5kdc Additional pre-authentication required
> >>>>
> >>>> On Mon, Sep 30, 2013 at 03:20:46PM +0100, Mohan Cheema wrote:
> >>>>> Hi,
> >>>>>
> >>>>> We are trying to authenticate from Windows machine and getting below error.
> >>>>>
> >>>>> --------------------
> >>>>> Sep 30 14:07:34 kdc1.domain.com krb5kdc[10105](info): AS_REQ (7 etypes {18 17 23 3 1 24 -135}) 10.43.2.45: NEEDED_PREAUTH: [email protected] for krbtgt/[email protected], Additional pre-authentication required
> >>>> This is expected behaviour. The client will first send the AS-REQ
> >>>> without any pre-authentication data. If the server requires
> >>>> pre-authentication for this principal it will return this error to the
> >>>> client to indicate that pre-authentication is expected.
> >>>>> Sep 30 14:07:34 kdc1.domain.com krb5kdc[10105](info): AS_REQ (7 etypes {18 17 23 3 1 24 -135}) 10.43.2.45: ISSUE: authtime 1380550054, etypes {rep=18 tkt=18 ses=18}, [email protected] for krbtgt/[email protected]
> >>>> In the second AS-REQ the client has included some pre-authentication
> >>>> data which is accepted by the KDC and a ticket is issued to the client.
> >>>> HTH
> >>>>
> >>>> bye,
> >>>> Sumit
> >>>>
> >>>>> Sep 30 14:07:34 kdc1.domain.com krb5kdc[10105](info): TGS_REQ (7 etypes {18 17 23 3 1 24 -135}) 10.43.2.45: ISSUE: authtime 1380550054, etypes {rep=18 tkt=23 ses=23}, [email protected] for host/[email protected]
> >>>>> --------------------
> >>>>>
> >>>>> We followed the instruction to integrate windows for authentication.
> >>>>>
> >>>>> Windows Client: Windows server 2008 R2
> >>>>>
> >>>>> We are not able to figure out what the problem is.
> >>>>>
> >>>>> We are not using DNS server, instead we are using host file entries. DNS
> >>>>> server setup is not an option for us right now.
> >>>>>
> >>>>> Same user can authenticate from Linux machine.
> >>>>>
> >>>>> Regards,
> >>>>>
> >>>>> Mohan Cheema
> >>>>>
> >>>>> _______________________________________________
> >>>>> Freeipa-users mailing list
> >>>>> [email protected]
> >>>>> https://www.redhat.com/mailman/listinfo/freeipa-users
> >>> Thanks for the info Sumit.
> >>>
> >>> However, if ticket is issued user should be able to login to system. Instead
> >>> on Windows we are getting "user name or password is incorrect".
> >>> Are there any other setting that needs to be done so that user can login to system.
> >>
> >> This thread seems to have no follow up.
> >> Was the problem solved?
> >> AFAIR for Windows system to allow the authentication one really needs to
> >> map user to a local user.
> >> There were some instructions in the HOWTO section of the IPA wiki.
> >> Have you checked them?
> >>
> >>> Regards,
> >>>
> >>> Mohan
> >>
> >> --
> >> Thank you,
> >> Dmitri Pal
> >>
> >> Sr. Engineering Manager for IdM portfolio
> >> Red Hat Inc.
> >>
> >> -------------------------------
> >> Looking to carve out IT costs?
> >> www.redhat.com/carveoutcosts/
> >
> --
> Thank you,
> Dmitri Pal
>
> Sr. Engineering Manager for IdM portfolio
> Red Hat Inc.

Regards,

Mohan
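
Added example, not part of the original thread or of FreeIPA/MIT Kerberos: the point made in Sumit's quoted reply (NEEDED_PREAUTH followed by ISSUE is a normal AS exchange) as a log check that groups AS_REQ lines per client address and principal. The log lines are constructed in the format quoted above; host names, addresses, principals and the PREAUTH_FAILED line are made up for illustration.

```python
import re
from collections import Counter, defaultdict

# Constructed sample in the krb5kdc log format quoted in the thread.
# Host names, addresses and principals are invented for this example.
SAMPLE_LOG = """\
Sep 30 14:07:34 kdc1.example.test krb5kdc[10105](info): AS_REQ (7 etypes {18 17 23 3 1 24 -135}) 10.0.0.45: NEEDED_PREAUTH: alice@EXAMPLE.TEST for krbtgt/EXAMPLE.TEST@EXAMPLE.TEST, Additional pre-authentication required
Sep 30 14:07:34 kdc1.example.test krb5kdc[10105](info): AS_REQ (7 etypes {18 17 23 3 1 24 -135}) 10.0.0.45: ISSUE: authtime 1380550054, etypes {rep=18 tkt=18 ses=18}, alice@EXAMPLE.TEST for krbtgt/EXAMPLE.TEST@EXAMPLE.TEST
Sep 30 14:09:02 kdc1.example.test krb5kdc[10105](info): AS_REQ (7 etypes {18 17 23 3 1 24 -135}) 10.0.0.46: NEEDED_PREAUTH: bob@EXAMPLE.TEST for krbtgt/EXAMPLE.TEST@EXAMPLE.TEST, Additional pre-authentication required
Sep 30 14:09:02 kdc1.example.test krb5kdc[10105](info): AS_REQ (7 etypes {18 17 23 3 1 24 -135}) 10.0.0.46: PREAUTH_FAILED: bob@EXAMPLE.TEST for krbtgt/EXAMPLE.TEST@EXAMPLE.TEST, Decrypt integrity check failed
Sep 30 14:10:11 kdc1.example.test krb5kdc[10105](info): AS_REQ (7 etypes {18 17 23 3 1 24 -135}) 10.0.0.47: NEEDED_PREAUTH: carol@EXAMPLE.TEST for krbtgt/EXAMPLE.TEST@EXAMPLE.TEST, Additional pre-authentication required
"""

# request type, requested etypes, client address, status, optional ISSUE
# details, then "<client principal> for <service principal>".
LINE_RE = re.compile(
    r"krb5kdc\[\d+\]\(info\): (?P<req>AS_REQ|TGS_REQ) \(.*?\) (?P<ip>\S+): "
    r"(?P<status>[A-Z_]+): (?:authtime \d+, etypes \{[^}]*\}, )?"
    r"(?P<client>\S+) for (?P<service>[^,\s]+)"
)

def summarize_as_requests(log_text):
    """Count AS_REQ statuses per (client address, client principal)."""
    stats = defaultdict(Counter)
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if m and m["req"] == "AS_REQ":
            stats[(m["ip"], m["client"])][m["status"]] += 1
    return stats

def verdict(counts):
    """Classify one client's AS exchange from its status counts."""
    other = sum(n for s, n in counts.items()
                if s not in ("NEEDED_PREAUTH", "ISSUE"))
    if other:
        return "preauth-failed"        # any status besides challenge/ticket
    if counts["ISSUE"]:
        return "ok"                    # challenge, then ticket: normal exchange
    return "challenge-unanswered"      # no second AS_REQ with pre-auth data

def report(log_text):
    """Map (address, principal) to a verdict for every AS_REQ client seen."""
    return {k: verdict(c) for k, c in summarize_as_requests(log_text).items()}

if __name__ == "__main__":
    for (ip, client), v in report(SAMPLE_LOG).items():
        print(f"{client:22} {ip:12} {v}")
```

Only the "preauth-failed" and "challenge-unanswered" verdicts point at a KDC-side authentication problem; an "ok" verdict combined with a failed Windows logon, as in this thread, means the cause lies after ticket issuance.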
