On Sun, Oct 25, 2009 at 10:10:08PM -0600, Jason Gerard DeRose wrote:
> How do I check whether the database entry for ad...@example.com has keys
> in it?

Check the user's entry in the directory server for 'krbPrincipalKey'
values.  The attribute isn't going to be world-readable, so you'll need
to search as the KDC or the directory manager, like this:

  ldapsearch -x -D "cn=Directory Manager" -W \
        -h ipaserverhostname -b cn=users,cn=accounts,dc=example,dc=com \
        krbprincipalname=ad...@example.com krbPrincipalKey

> Yes, I'm typing the password correctly, and I get the same error
> even when I deliberately type the wrong password.

Yup, the log confirms that the password isn't a factor here.

> The /var/log/krb5kdc.log file has this repeated over and over again:
> Oct 25 21:59:21 fedora12.example.com krb5kdc[27434](info): preauth
> (timestamp) verify failure: No matching key in entry

If you can retrieve the 'krbPrincipalKey' value and pipe it through
something like 'openssl asn1parse' or 'derdump', we can check which
kinds of keys you have on file for that user.  A packet capture of the
traffic between the client and the server will show us which kind of key
the client is expecting the server to have.  Between those two, we
should be able to figure out where the problem is.
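As an added example (not from this mail or the FreeIPA project), a small Python decoder for the base64 `krbPrincipalKey::` value that the ldapsearch above prints, listing the enctypes on file for the principal, which is what the `openssl asn1parse` step above is meant to reveal. It assumes the MIT krb5 LDAP back end's KrbKeySet layout: a SEQUENCE with kvno at context tag [2] and a SEQUENCE OF KrbKey at [4], each KrbKey carrying its EncryptionKey at [1], whose keytype INTEGER sits at [0]; the sample value is constructed, not taken from a real directory.

```python
# Added example, not code from the mail: decode one base64 'krbPrincipalKey::' LDIF value
# and list the enctypes it holds. KrbKeySet layout is assumed (MIT krb5 LDAP back end).
import base64

def _read_tlv(buf, pos):
    """Return (tag, value, next_pos) for the DER element starting at buf[pos]."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                         # long form: low 7 bits = number of length bytes
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def _children(body):
    """Yield (tag, value) for each element packed inside a constructed value."""
    pos = 0
    while pos < len(body):
        tag, value, pos = _read_tlv(body, pos)
        yield tag, value

def _tagged(body, ctx):
    """Return the (tag, value) wrapped by context tag [ctx] in a SEQUENCE body, or None."""
    for tag, value in _children(body):
        if tag == 0xA0 | ctx:
            return next(_children(value))
    return None

def key_enctypes(b64_value):
    """Decode one 'krbPrincipalKey::' value and return (kvno, [enctype, ...])."""
    tag, keyset, _ = _read_tlv(base64.b64decode(b64_value), 0)
    if tag != 0x30:
        raise ValueError("krbPrincipalKey does not start with a SEQUENCE")
    kvno = int.from_bytes(_tagged(keyset, 2)[1], "big")           # [2] kvno INTEGER
    keys = _children(_tagged(keyset, 4)[1])                        # [4] SEQUENCE OF KrbKey
    enctypes = [int.from_bytes(_tagged(_tagged(krbkey, 1)[1], 0)[1], "big", signed=True)
                for _, krbkey in keys]                             # [1] EncryptionKey, [0] keytype
    return kvno, enctypes

def _tlv(tag, body):
    return bytes([tag, len(body)]) + body      # short-form DER encoder, only for the sample below

def _sample_key(enctype, keylen):
    """One KrbKey (no salt) holding a zeroed key of the given enctype; constructed test data."""
    enckey = _tlv(0xA0, _tlv(0x02, bytes([enctype]))) + _tlv(0xA1, _tlv(0x04, bytes(keylen)))
    return _tlv(0x30, _tlv(0xA1, _tlv(0x30, enckey)))

# Constructed sample: kvno 2, keys for aes256-cts-hmac-sha1-96 (18) and arcfour-hmac (23).
SAMPLE = base64.b64encode(_tlv(0x30, _tlv(0xA0, _tlv(0x02, b"\x01")) + _tlv(0xA1, _tlv(0x02, b"\x01"))
                          + _tlv(0xA2, _tlv(0x02, b"\x02"))
                          + _tlv(0xA4, _tlv(0x30, _sample_key(18, 32) + _sample_key(23, 16))))).decode()
```

If the enctype list contains none of the types the client offers in its preauth timestamp, the KDC has no key to verify it with, which matches the "No matching key in entry" line in the log.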



Freeipa-devel mailing list