Environment
Open Enterprise Server 2 SP2
Open Enterprise Server 2 SP3
Domain Services for Windows
DSfW
Situation
An IP Network Address Restriction is added to a user. It does not matter whether that address is allowed or not allowed: when the user logs in, they receive an error:
"The system cannot log you on due to the following error:
Insufficient system resources exist to complete the requested service."
A LAN trace returns an AS-REP with KRBError: KRB5KRB_ERR_GENERIC Invalid Workstation.
kdc.log shows:
Dec 17 15:38:10 DSFW-S1 krb5kdc[30403](info): AS_REQ (7 etypes {23 -133 -128 3 1 24 -135}) 151.155.130.247: ISSUE: authtime 1292625490, etypes {rep=23 tkt=23 ses=23}, vmwin-1$@NOVELL.DSFW for krbtgt/NOVELL.DSFW@NOVELL.DSFW
Dec 17 15:38:10 DSFW-S1 krb5kdc[30403](info): TGS_REQ (7 etypes {23 -133 -128 3 1 24 -135}) 151.155.130.247: ISSUE: authtime 1292625490, etypes {rep=23 tkt=23 ses=23}, VMWIN-1$@NOVELL.DSFW for DNS/dsfw-s1.novell.dsfw@NOVELL.DSFW
Dec 17 15:38:10 DSFW-S1 krb5kdc[30403](info): TGS_REQ (7 etypes {23 -133 -128 3 1 24 -135}) 151.155.130.247: ISSUE: authtime 1292625490, etypes {rep=23 tkt=23 ses=23}, VMWIN-1$@NOVELL.DSFW for krbtgt/NOVELL.DSFW@NOVELL.DSFW
Dec 17 15:38:10 DSFW-S1 krb5kdc[30403](info): TGS_REQ (7 etypes {23 -133 -128 3 1 24 -135}) 151.155.130.247: UNKNOWN_SERVER: authtime 0, VMWIN-1$@NOVELL.DSFW for DNS/labdns1.is.lab.novell.com@NOVELL.DSFW, Server not found in Kerberos database
Dec 17 15:38:18 DSFW-S1 krb5kdc[30403](info): TGS_REQ (7 etypes {23 -133 -128 3 1 24 -135}) 151.155.130.247: ISSUE: authtime 1292625490, etypes {rep=23 tkt=23 ses=23}, VMWIN-1$@NOVELL.DSFW for cifs/DSFW-S1.novell.dsfw@NOVELL.DSFW
Dec 17 15:47:22 DSFW-S1 krb5kdc[30403](info): AS_REQ (7 etypes {23 -133 -128 3 1 24 -135}) 151.155.130.247: Invalid Workstation: user1@NOVELL for krbtgt/NOVELL@NOVELL, Generic error (see e-text)
Resolution
If a user is assigned an IP Network Address Restriction of, say, 192.168.1.5 and
logs in from a workstation with a different IP address, the login will fail.
This is expected behavior.
The IP addresses listed in the Network Address Restrictions are the addresses the user is restricted to using.
Assign the addresses the user is allowed to log in from.
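To see which user and source address the KDC rejected, the kdc.log entries can be filtered for the "Invalid Workstation" status and compared with the restriction list. The following is an added example, not part of the original document or of any Novell tooling: the function names and the restrictions dictionary are hypothetical, and it assumes each log entry is on a single unwrapped line in the layout shown above.

```python
import ipaddress
import re
from collections import defaultdict

# One entry: "<time> <host> krb5kdc[pid](info): <REQ> (...) <client ip>: <STATUS>: <detail>"
ENTRY = re.compile(
    r"^(?P<ts>\w{3} +\d+ [\d:]{8}) \S+ krb5kdc\[\d+\]\(info\): "
    r"(?P<req>AS_REQ|TGS_REQ) \(.*?\}\) (?P<ip>[\d.]+): "
    r"(?P<status>[^:]+): (?P<detail>.*)$"
)
CLIENT = re.compile(r"(?P<client>\S+@\S+) for (?P<service>[^,\s]+)")

def parse_entry(line):
    """Return a dict for one kdc.log entry, or None if the line does not match."""
    m = ENTRY.match(line.strip())
    if not m:
        return None
    entry = m.groupdict()
    c = CLIENT.search(entry["detail"])
    entry["client"] = c["client"] if c else None
    entry["service"] = c["service"] if c else None
    return entry

def workstation_rejections(lines, restrictions=None):
    """Group 'Invalid Workstation' rejections by user principal.

    restrictions (assumed input): {principal: [address or CIDR, ...]} copied from
    the user's Network Address Restrictions. 'listed' is True/False when a list
    is known for that user, and None when it is not.
    """
    out = defaultdict(list)
    for e in filter(None, map(parse_entry, lines)):
        if e["status"] != "Invalid Workstation":
            continue
        src = ipaddress.ip_address(e["ip"])
        nets = [ipaddress.ip_network(n, strict=False)
                for n in (restrictions or {}).get(e["client"], [])]
        out[e["client"]].append({"time": e["ts"], "source": e["ip"],
                                 "listed": any(src in n for n in nets) if nets else None})
    return dict(out)

# Constructed sample: two entries from the kdc.log above, one line each.
SAMPLE = [
    "Dec 17 15:38:10 DSFW-S1 krb5kdc[30403](info): AS_REQ (7 etypes {23 -133 -128 3 1 24 -135}) 151.155.130.247: ISSUE: authtime 1292625490, etypes {rep=23 tkt=23 ses=23}, vmwin-1$@NOVELL.DSFW for krbtgt/NOVELL.DSFW@NOVELL.DSFW",
    "Dec 17 15:47:22 DSFW-S1 krb5kdc[30403](info): AS_REQ (7 etypes {23 -133 -128 3 1 24 -135}) 151.155.130.247: Invalid Workstation: user1@NOVELL for krbtgt/NOVELL@NOVELL, Generic error (see e-text)",
]

if __name__ == "__main__":
    print(workstation_rejections(SAMPLE, {"user1@NOVELL": ["192.168.1.5"]}))
```

A rejection with "listed" set to False means the workstation's address is not among the addresses assigned to that user, which is the expected-behavior case described above.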