On Sun, Oct 25, 2009 at 10:10:08PM -0600, Jason Gerard DeRose wrote:
> How do I check whether the database entry for ad...@example.com has keys
> in it?

Check the user's entry in the directory server for 'krbPrincipalKey' values. The attribute isn't going to be world-readable, so you'll need to search as the KDC or the directory manager, like this:

ldapsearch -x -D "cn=Directory Manager" -W \
  -h ipaserverhostname -b cn=users,cn=accounts,dc=example,dc=com \
  krbprincipalname=ad...@example.com krbPrincipalKey

> Yes, I'm typing the password correctly, and I get the same error
> even when I deliberately type the wrong password.

Yup, the log confirms that the password isn't a factor here.

> The /var/log/krb5kdc.log file has this repeated over and over again:
>
> Oct 25 21:59:21 fedora12.example.com krb5kdc[27434](info): preauth
> (timestamp) verify failure: No matching key in entry

If you can retrieve the 'krbPrincipalKey' value and pipe it through something like 'openssl asn1parse' or 'derdump', we can check which kinds of keys you have on file for that user. A packet capture of the traffic between the client and the server will show us which kind of key the client is expecting the server to have. Between those two, we should be able to figure out where the problem is.

HTH,

Nalin

_______________________________________________
Freeipa-devel mailing list
Freeipa-devel@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-devel
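The "which kinds of keys are on file" check Nalin describes, as an added example that is not part of the thread: a small Python DER walker that takes a `krbPrincipalKey` value the way ldapsearch prints it (base64 after `::`) and returns the kvno and the enctype number of each stored key, so it can be compared against the enctypes the client asks for. It assumes the KrbKeySet ASN.1 layout used by the MIT krb5 LDAP back end ([2] kvno, [4] SEQUENCE OF KrbKey, each KrbKey carrying a [1] EncryptionKey whose [0] is the keytype); the sample attribute value is constructed here with dummy key bytes, not taken from a real directory.

```python
import base64

SEQUENCE, INTEGER, OCTET_STRING = 0x30, 0x02, 0x04     # universal DER tags
def CTX(n): return 0xA0 | n                           # context-specific constructed [n]
ENCTYPE_NAMES = {1: "des-cbc-crc", 3: "des-cbc-md5", 16: "des3-cbc-sha1",
                 17: "aes128-cts-hmac-sha1-96", 18: "aes256-cts-hmac-sha1-96", 23: "arcfour-hmac"}

def _read_tlv(buf, pos=0):                            # one DER TLV -> (tag, value, next_pos)
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                                  # long-form length (real key sets need it)
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def _children(body):                                   # elements inside a constructed element
    out, pos = [], 0
    while pos < len(body):
        tag, value, pos = _read_tlv(body, pos)
        out.append((tag, value))
    return out

def _explicit(fields, n):                              # unwrap [n] EXPLICIT -> inner (tag, value)
    return _children(fields[CTX(n)])[0]

def describe_keyset(der):
    """(kvno, [enctype, ...]) from a DER-encoded krbPrincipalKey (KrbKeySet) value."""
    tag, body, _ = _read_tlv(der)
    if tag != SEQUENCE:
        raise ValueError("krbPrincipalKey is not a KrbKeySet SEQUENCE")
    fields = dict(_children(body))                     # context tag -> inner TLV bytes
    kvno = int.from_bytes(_explicit(fields, 2)[1], "big")                        # [2] kvno
    enctypes = []
    for _tag, krbkey in _children(_explicit(fields, 4)[1]):                      # [4] SEQUENCE OF KrbKey
        enckey = dict(_children(_explicit(dict(_children(krbkey)), 1)[1]))      # [1] EncryptionKey
        enctypes.append(int.from_bytes(_explicit(enckey, 0)[1], "big", signed=True))  # [0] keytype
    return kvno, enctypes

def keyset_from_ldif(line):                            # 'krbPrincipalKey:: <base64>' -> DER bytes
    return base64.b64decode(line.split("::", 1)[1].strip())

# Constructed sample (not a real key set) built with a tiny DER encoder: kvno 3, two keys.
def _tlv(tag, body): return bytes([tag, len(body)]) + body   # short-form length is enough here
def _krbkey(etype, keyvalue):
    salt = _tlv(SEQUENCE, _tlv(CTX(0), _tlv(INTEGER, b"\x00")))                 # KrbSalt, type 0
    enc = _tlv(SEQUENCE, _tlv(CTX(0), _tlv(INTEGER, bytes([etype])))
                         + _tlv(CTX(1), _tlv(OCTET_STRING, keyvalue)))           # EncryptionKey
    return _tlv(SEQUENCE, _tlv(CTX(0), salt) + _tlv(CTX(1), enc))
SAMPLE_LDIF_LINE = "krbPrincipalKey:: " + base64.b64encode(_tlv(SEQUENCE,
    _tlv(CTX(0), _tlv(INTEGER, b"\x01")) + _tlv(CTX(1), _tlv(INTEGER, b"\x01"))
    + _tlv(CTX(2), _tlv(INTEGER, b"\x03")) + _tlv(CTX(3), _tlv(INTEGER, b"\x01"))
    + _tlv(CTX(4), _tlv(SEQUENCE, _krbkey(18, b"\xaa" * 8) + _krbkey(23, b"\xbb" * 8))))).decode()
```

`describe_keyset(keyset_from_ldif(SAMPLE_LDIF_LINE))` yields `(3, [18, 23])`, i.e. aes256 and arcfour keys; a "No matching key in entry" failure means the enctype the client sent in its timestamp preauth is not in that list.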