On Thu, 2012-02-16 at 12:27 +1100, Craig T wrote: > On Tue, Feb 14, 2012 at 04:54:51PM -0500, Rob Crittenden wrote: > > Simo Sorce wrote: > > >On Mon, 2012-02-13 at 10:39 +1100, Craig T wrote: > > >>Hi, > > >> > > >>Server: > > >>RHEL6.2 > > >> > > >> > > >>Spec: > > >>ipa-admintools-2.1.3-9.el6.x86_64 > > >>ipa-client-2.1.3-9.el6.x86_64 > > >>ipa-pki-ca-theme-9.0.3-7.el6.noarch > > >>ipa-pki-common-theme-9.0.3-7.el6.noarch > > >>ipa-python-2.1.3-9.el6.x86_64 > > >>ipa-server-2.1.3-9.el6.x86_64 > > >>ipa-server-selinux-2.1.3-9.el6.x86_64 > > >>libipa_hbac-1.5.1-66.el6_2.3.x86_64 > > >>libipa_hbac-python-1.5.1-66.el6_2.3.x86_64 > > >>python-iniparse-0.3.1-2.1.el6.noarch > > >> > > >> > > >>Error: > > >>I had this working on Friday night, came in Monday and then this error > > >>appeared? > > >> > > >>kinit -V craig > > >>Using default cache: /tmp/krb5cc_0 > > >>Using principal: [email protected] > > >>kinit: Generic error (see e-text) while getting initial credentials > > >> > > >>Server Side Error: (File: /var/log/krb5kdc.log) > > >>Feb 13 10:36:04 sysvm-ipa krb5kdc[5590](info): AS_REQ (4 etypes {18 17 16 > > >>23}) 192.168.0.214: LOOKING_UP_CLIENT: [email protected] for > > >>krbtgt/[email protected], unable to decode stored principal key > > >>data (ASN.1 encoding ended unexpectedly) > > >> > > >> > > >>Usual Questions: > > >>Should I simply reset the password? > > > > > >It seem like the only option to quickly recover access to your user. > > > > > >>Is it a bug? > > > > > >It may be. Did you do anything special with this user ? Did this happen > > >immediately after a password change ? Or immediately after a FreeIPA or > > >krb5kdc upgrade ? > > >Can you give a little more context around this ? > Issue Solved! > I worked out that my LDAP Browser was changing the attribtues of > "krbPrincipalKey" entry just be simply clicking on the attribute entry!! Not > a good idea. > > Have a look at the before and after; > BEFORE: > krbPrincipalKey:: MIIBnKADAgEBoQMCAQGiAwIBAqMDAgEApIIBhDCCAYAwaKAbMBmgAwIBBK > ESBBCf338d3SHeIt21wwMeLtrDoUkwR6ADAgESoUAEPiAAltpeSUgnisk9RLvsAXZISub9cfbfJ > /SnxMWlrhrS0fUKaQYGXPXwwwslXgZ30xWfeAlLI9DztmKeqzUbMFigGzAZoAMCAQShEgQQze9p > 5zpXYuYLOyWIljg0jaE5MDegAwIBEaEwBC4QAPa4TpZbsA1tSoUl1LMG+IljQusO8zpTD7UqNWI > drvYJI8Cq6rALd/jzMJKgMGCgGzAZoAMCAQShEgQQh3To4HjujECOGDHyhaoFiqFBMD+gAwIBEK > E4BDYYAO4F0DyDLow0cColhjsykUzH750CBFsaZfIEX1o2iPMCWlLYtRmauoW3OhejrRESemC+s > GUwWKAbMBmgAwIBBKESBBDF9qB45XTzfez5BfecBC/EoTkwN6ADAgEXoTAELhAAc9mgsgQnmXxX > qlwrLcC9U7uGePdu95xCQcW9lvRyW77rTpev6Lk4E7sXYKE= > > AFTER: > krbPrincipalKey:: MO+/vQHvv73vv70DAgEB77+9AwIBAe+/vQMCAQLvv70DAgE= > ---
Thanks a lot for getting back to us with the cause. Glad it wasn't our fault :-) Simo. -- Simo Sorce * Red Hat, Inc * New York _______________________________________________ Freeipa-users mailing list [email protected] https://www.redhat.com/mailman/listinfo/freeipa-users
