Re: [Freeipa-users] kinit: Generic error (see e-text) while getting initial credentials (SOLVED)

2012-02-15 Thread Craig T
On Tue, Feb 14, 2012 at 04:54:51PM -0500, Rob Crittenden wrote:
 Simo Sorce wrote:
 On Mon, 2012-02-13 at 10:39 +1100, Craig T wrote:
 Hi,
 
 Server:
 RHEL6.2
 
 
 Spec:
 ipa-admintools-2.1.3-9.el6.x86_64
 ipa-client-2.1.3-9.el6.x86_64
 ipa-pki-ca-theme-9.0.3-7.el6.noarch
 ipa-pki-common-theme-9.0.3-7.el6.noarch
 ipa-python-2.1.3-9.el6.x86_64
 ipa-server-2.1.3-9.el6.x86_64
 ipa-server-selinux-2.1.3-9.el6.x86_64
 libipa_hbac-1.5.1-66.el6_2.3.x86_64
 libipa_hbac-python-1.5.1-66.el6_2.3.x86_64
 python-iniparse-0.3.1-2.1.el6.noarch
 
 
 Error:
 I had this working on Friday night, came in Monday and then this error 
 appeared?
 
 kinit -V craig
 Using default cache: /tmp/krb5cc_0
 Using principal: cr...@example.com
 kinit: Generic error (see e-text) while getting initial credentials
 
 Server Side Error:  (File: /var/log/krb5kdc.log)
 Feb 13 10:36:04 sysvm-ipa krb5kdc[5590](info): AS_REQ (4 etypes {18 17 16 
 23}) 192.168.0.214: LOOKING_UP_CLIENT: cr...@example.com for 
 krbtgt/example@example.com, unable to decode stored principal key data 
 (ASN.1 encoding ended unexpectedly)
 
 
 Usual Questions:
 Should I simply reset the password?
 
 It seems like the only option to quickly recover access to your user.
 
 Is it a bug?
 
 It may be. Did you do anything special with this user ? Did this happen
 immediately after a password change ? Or immediately after a FreeIPA or
 krb5kdc upgrade ?
 Can you give a little more context around this ?
Issue Solved!
I worked out that my LDAP Browser was changing the attributes of 
krbPrincipalKey entry just by simply clicking on the attribute entry!! Not a 
good idea. 

Have a look at the before and after;
BEFORE:
krbPrincipalKey:: MIIBnKADAgEBoQMCAQGiAwIBAqMDAgEApIIBhDCCAYAwaKAbMBmgAwIBBK
 ESBBCf338d3SHeIt21wwMeLtrDoUkwR6ADAgESoUAEPiAAltpeSUgnisk9RLvsAXZISub9cfbfJ
 /SnxMWlrhrS0fUKaQYGXPXwwwslXgZ30xWfeAlLI9DztmKeqzUbMFigGzAZoAMCAQShEgQQze9p
 5zpXYuYLOyWIljg0jaE5MDegAwIBEaEwBC4QAPa4TpZbsA1tSoUl1LMG+IljQusO8zpTD7UqNWI
 drvYJI8Cq6rALd/jzMJKgMGCgGzAZoAMCAQShEgQQh3To4HjujECOGDHyhaoFiqFBMD+gAwIBEK
 E4BDYYAO4F0DyDLow0cColhjsykUzH750CBFsaZfIEX1o2iPMCWlLYtRmauoW3OhejrRESemC+s
 GUwWKAbMBmgAwIBBKESBBDF9qB45XTzfez5BfecBC/EoTkwN6ADAgEXoTAELhAAc9mgsgQnmXxX
 qlwrLcC9U7uGePdu95xCQcW9lvRyW77rTpev6Lk4E7sXYKE=

AFTER:
krbPrincipalKey:: MO+/vQHvv73vv70DAgEB77+9AwIBAe+/vQMCAQLvv70DAgE=
---

 
 Also could you ldapsearch this user entry before you change your
 password using 'cn=Directory Manager' as user in order to retrieve the
 key attribute and send the ldif to me in private ? I want to see if the
 key blob at least looks normal (do not worry about your password, the
 key material is itself encrypted).
 
 It might also be handy to see who last updated this entry before you
 reset the password (if it isn't too late): modifyTimestamp
 lastModifiedBy
 
 
 Anyone else seen this error?
 
 Haven't seen any report, and it hasn't ever occurred in my testing.
 
 Simo,
 
 

___
Freeipa-users mailing list
Freeipa-users@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-users
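
Added example (not part of the original thread): the AFTER value above is byte-for-byte what results when the BEFORE value is cut at its first NUL byte and decoded as UTF-8 with invalid bytes replaced by U+FFFD, which is how a client that handles a binary attribute as text would damage it. The function names are hypothetical, and the client behaviour modelled in `text_round_trip` is an assumption inferred from the bytes; the two base64 constants are taken from the message.

```python
import base64

# Copied from the thread: the first 32 base64 characters of the BEFORE value
# (24 bytes of ASN.1 header) and the complete AFTER value.
BEFORE_PREFIX_B64 = "MIIBnKADAgEBoQMCAQGiAwIBAqMDAgEA"
AFTER_B64 = "MO+/vQHvv73vv70DAgEB77+9AwIBAe+/vQMCAQLvv70DAgE="

FFFD = "\ufffd".encode("utf-8")  # EF BF BD, the UTF-8 replacement character


def text_round_trip(raw: bytes) -> bytes:
    """Assumed client behaviour: handle a binary value as a NUL-terminated
    UTF-8 string, then write the resulting text back."""
    head = raw.split(b"\x00", 1)[0]
    return head.decode("utf-8", errors="replace").encode("utf-8")


def der_declared_length(blob: bytes) -> int:
    """Total size (header + content) promised by the outer DER header,
    or -1 when the length field itself cannot be read."""
    if len(blob) < 2:
        return -1
    first = blob[1]
    if first < 0x80:                      # short form
        return 2 + first
    n = first & 0x7F                      # long form: n length octets follow
    if n == 0 or len(blob) < 2 + n:
        return -1
    return 2 + n + int.from_bytes(blob[2:2 + n], "big")


def check_key_blob(b64_value: str) -> list:
    """Findings for one base64 krbPrincipalKey value; empty means it looks sane."""
    blob = base64.b64decode(b64_value)
    findings = []
    if FFFD in blob:
        findings.append(f"{blob.count(FFFD)} U+FFFD sequences: re-encoded as text")
    declared = der_declared_length(blob)
    if blob[:1] != b"\x30" or declared != len(blob):
        findings.append(f"outer DER length {declared} != actual {len(blob)}")
    return findings


if __name__ == "__main__":
    prefix = base64.b64decode(BEFORE_PREFIX_B64)
    print("declared size of BEFORE:", der_declared_length(prefix))
    print("round trip reproduces AFTER:",
          text_round_trip(prefix) == base64.b64decode(AFTER_B64))
    print(check_key_blob(AFTER_B64))
```

A value that fails the length check is truncated or rewritten, which is consistent with the "ASN.1 encoding ended unexpectedly" message in the KDC log quoted above.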


Re: [Freeipa-users] kinit: Generic error (see e-text) while getting initial credentials (SOLVED)

2012-02-15 Thread Simo Sorce
On Thu, 2012-02-16 at 12:27 +1100, Craig T wrote:
 Issue Solved!
 I worked out that my LDAP Browser was changing the attributes of 
 krbPrincipalKey entry just by simply clicking on the attribute entry!! Not 
 a good idea. 
 

Thanks a lot for getting back to us with the cause.
Glad it wasn't our fault :-)

Simo.

-- 
Simo Sorce * Red Hat, Inc * New York