Re: [Freeipa-users] kinit: Generic error (see e-text) while getting initial credentials (SOLVED)
On Tue, Feb 14, 2012 at 04:54:51PM -0500, Rob Crittenden wrote:
> Simo Sorce wrote:
>> On Mon, 2012-02-13 at 10:39 +1100, Craig T wrote:
>>> Hi,
>>>
>>> Server: RHEL6.2
>>>
>>> Spec:
>>> ipa-admintools-2.1.3-9.el6.x86_64
>>> ipa-client-2.1.3-9.el6.x86_64
>>> ipa-pki-ca-theme-9.0.3-7.el6.noarch
>>> ipa-pki-common-theme-9.0.3-7.el6.noarch
>>> ipa-python-2.1.3-9.el6.x86_64
>>> ipa-server-2.1.3-9.el6.x86_64
>>> ipa-server-selinux-2.1.3-9.el6.x86_64
>>> libipa_hbac-1.5.1-66.el6_2.3.x86_64
>>> libipa_hbac-python-1.5.1-66.el6_2.3.x86_64
>>> python-iniparse-0.3.1-2.1.el6.noarch
>>>
>>> Error:
>>> I had this working on Friday night, came in Monday and then this error appeared?
>>>
>>> kinit -V craig
>>> Using default cache: /tmp/krb5cc_0
>>> Using principal: cr...@example.com
>>> kinit: Generic error (see e-text) while getting initial credentials
>>>
>>> Server Side Error: (File: /var/log/krb5kdc.log)
>>> Feb 13 10:36:04 sysvm-ipa krb5kdc[5590](info): AS_REQ (4 etypes {18 17 16 23}) 192.168.0.214: LOOKING_UP_CLIENT: cr...@example.com for krbtgt/example@example.com, unable to decode stored principal key data (ASN.1 encoding ended unexpectedly)
>>>
>>> Usual Questions:
>>> Should I simply reset the password?
>>
>> It seems like the only option to quickly recover access to your user.
>>
>>> Is it a bug?
>>
>> It may be.
>> Did you do anything special with this user?
>> Did this happen immediately after a password change?
>> Or immediately after a FreeIPA or krb5kdc upgrade?
>>
>> Can you give a little more context around this?

Issue Solved!
I worked out that my LDAP Browser was changing the attributes of krbPrincipalKey entry just by simply clicking on the attribute entry!! Not a good idea.

Have a look at the before and after;

BEFORE:
krbPrincipalKey:: MIIBnKADAgEBoQMCAQGiAwIBAqMDAgEApIIBhDCCAYAwaKAbMBmgAwIBBK
 ESBBCf338d3SHeIt21wwMeLtrDoUkwR6ADAgESoUAEPiAAltpeSUgnisk9RLvsAXZISub9cfbfJ
 /SnxMWlrhrS0fUKaQYGXPXwwwslXgZ30xWfeAlLI9DztmKeqzUbMFigGzAZoAMCAQShEgQQze9p
 5zpXYuYLOyWIljg0jaE5MDegAwIBEaEwBC4QAPa4TpZbsA1tSoUl1LMG+IljQusO8zpTD7UqNWI
 drvYJI8Cq6rALd/jzMJKgMGCgGzAZoAMCAQShEgQQh3To4HjujECOGDHyhaoFiqFBMD+gAwIBEK
 E4BDYYAO4F0DyDLow0cColhjsykUzH750CBFsaZfIEX1o2iPMCWlLYtRmauoW3OhejrRESemC+s
 GUwWKAbMBmgAwIBBKESBBDF9qB45XTzfez5BfecBC/EoTkwN6ADAgEXoTAELhAAc9mgsgQnmXxX
 qlwrLcC9U7uGePdu95xCQcW9lvRyW77rTpev6Lk4E7sXYKE=

AFTER:
krbPrincipalKey:: MO+/vQHvv73vv70DAgEB77+9AwIBAe+/vQMCAQLvv70DAgE=
---

>> Also could you ldapsearch this user entry before you change your password using 'cn=Directory Manager' as user in order to retrieve the key attribute and send the ldif to me in private?
>> I want to see if the key blob at least looks normal (do not worry about your password, the key material is itself encrypted).
>
> It might also be handy to see who last updated this entry before you reset the password (if it isn't too late):
>
> modifyTimestamp
> lastModifiedBy
>
>>> Anyone else seen this error?
>>
>> Haven't seen any report, and haven't ever occurred in my testing.
>>
>> Simo,

___
Freeipa-users mailing list
Freeipa-users@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-users
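The BEFORE and AFTER values in the message above can be compared byte for byte. This added example (not part of the original thread) decodes the AFTER value and the first 24 bytes of the BEFORE value and checks whether a lossy text round-trip reproduces the AFTER bytes. The round-trip model (UTF-8 decoding with replacement characters, cut at the first NUL byte) is an assumption, and all function names are hypothetical.

```python
import base64

# Copied from the thread: the full AFTER value and the first 32 base64
# characters (24 bytes) of the BEFORE value.
AFTER_B64 = "MO+/vQHvv73vv70DAgEB77+9AwIBAe+/vQMCAQLvv70DAgE="
BEFORE_PREFIX_B64 = "MIIBnKADAgEBoQMCAQGiAwIBAqMDAgEA"
REPLACEMENT = "\ufffd".encode("utf-8")  # bytes EF BF BD


def text_round_trip(raw: bytes) -> bytes:
    """Model a client that treats a binary value as a UTF-8 C string.
    Assumption, not stated in the thread: each invalid byte becomes
    U+FFFD and the value is cut at the first NUL byte."""
    text = raw.decode("utf-8", errors="replace")
    return text.split("\x00", 1)[0].encode("utf-8")


def der_total_length(blob: bytes):
    """Size (header + content) declared by the outer DER element, or
    None when the length field itself runs past the end of the blob."""
    if len(blob) < 2:
        return None
    first = blob[1]
    if first < 0x80:  # short form
        return 2 + first
    n = first & 0x7F  # long form: n length octets follow
    if n == 0 or len(blob) < 2 + n:
        return None
    return 2 + n + int.from_bytes(blob[2:2 + n], "big")


def looks_text_mangled(blob: bytes) -> bool:
    """Flag a complete key value that shows signs of a text round-trip."""
    return REPLACEMENT in blob or der_total_length(blob) != len(blob)


def compare() -> dict:
    before = base64.b64decode(BEFORE_PREFIX_B64)
    after = base64.b64decode(AFTER_B64)
    return {
        "before_declared": der_total_length(before),  # full value size
        "after_declared": der_total_length(after),
        "replacements": after.count(REPLACEMENT),
        "reproduced": text_round_trip(before) == after,
    }


if __name__ == "__main__":
    print(compare())
```

The AFTER value's second byte announces a 111-octet length field that the 35-byte value cannot hold, which is consistent with the KDC's "ASN.1 encoding ended unexpectedly" message. `looks_text_mangled` expects a complete attribute value, so it is not meaningful on the 24-byte BEFORE prefix.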
Re: [Freeipa-users] kinit: Generic error (see e-text) while getting initial credentials (SOLVED)
On Thu, 2012-02-16 at 12:27 +1100, Craig T wrote:
> On Tue, Feb 14, 2012 at 04:54:51PM -0500, Rob Crittenden wrote:
>> Simo Sorce wrote:
>>> On Mon, 2012-02-13 at 10:39 +1100, Craig T wrote:
>>>> Hi,
>>>>
>>>> Server: RHEL6.2
>>>>
>>>> Spec:
>>>> ipa-admintools-2.1.3-9.el6.x86_64
>>>> ipa-client-2.1.3-9.el6.x86_64
>>>> ipa-pki-ca-theme-9.0.3-7.el6.noarch
>>>> ipa-pki-common-theme-9.0.3-7.el6.noarch
>>>> ipa-python-2.1.3-9.el6.x86_64
>>>> ipa-server-2.1.3-9.el6.x86_64
>>>> ipa-server-selinux-2.1.3-9.el6.x86_64
>>>> libipa_hbac-1.5.1-66.el6_2.3.x86_64
>>>> libipa_hbac-python-1.5.1-66.el6_2.3.x86_64
>>>> python-iniparse-0.3.1-2.1.el6.noarch
>>>>
>>>> Error:
>>>> I had this working on Friday night, came in Monday and then this error appeared?
>>>>
>>>> kinit -V craig
>>>> Using default cache: /tmp/krb5cc_0
>>>> Using principal: cr...@example.com
>>>> kinit: Generic error (see e-text) while getting initial credentials
>>>>
>>>> Server Side Error: (File: /var/log/krb5kdc.log)
>>>> Feb 13 10:36:04 sysvm-ipa krb5kdc[5590](info): AS_REQ (4 etypes {18 17 16 23}) 192.168.0.214: LOOKING_UP_CLIENT: cr...@example.com for krbtgt/example@example.com, unable to decode stored principal key data (ASN.1 encoding ended unexpectedly)
>>>>
>>>> Usual Questions:
>>>> Should I simply reset the password?
>>>
>>> It seems like the only option to quickly recover access to your user.
>>>
>>>> Is it a bug?
>>>
>>> It may be.
>>> Did you do anything special with this user?
>>> Did this happen immediately after a password change?
>>> Or immediately after a FreeIPA or krb5kdc upgrade?
>>>
>>> Can you give a little more context around this?
>
> Issue Solved!
> I worked out that my LDAP Browser was changing the attributes of krbPrincipalKey entry just by simply clicking on the attribute entry!! Not a good idea.
>
> Have a look at the before and after;
>
> BEFORE:
> krbPrincipalKey:: MIIBnKADAgEBoQMCAQGiAwIBAqMDAgEApIIBhDCCAYAwaKAbMBmgAwIBBK
>  ESBBCf338d3SHeIt21wwMeLtrDoUkwR6ADAgESoUAEPiAAltpeSUgnisk9RLvsAXZISub9cfbfJ
>  /SnxMWlrhrS0fUKaQYGXPXwwwslXgZ30xWfeAlLI9DztmKeqzUbMFigGzAZoAMCAQShEgQQze9p
>  5zpXYuYLOyWIljg0jaE5MDegAwIBEaEwBC4QAPa4TpZbsA1tSoUl1LMG+IljQusO8zpTD7UqNWI
>  drvYJI8Cq6rALd/jzMJKgMGCgGzAZoAMCAQShEgQQh3To4HjujECOGDHyhaoFiqFBMD+gAwIBEK
>  E4BDYYAO4F0DyDLow0cColhjsykUzH750CBFsaZfIEX1o2iPMCWlLYtRmauoW3OhejrRESemC+s
>  GUwWKAbMBmgAwIBBKESBBDF9qB45XTzfez5BfecBC/EoTkwN6ADAgEXoTAELhAAc9mgsgQnmXxX
>  qlwrLcC9U7uGePdu95xCQcW9lvRyW77rTpev6Lk4E7sXYKE=
>
> AFTER:
> krbPrincipalKey:: MO+/vQHvv73vv70DAgEB77+9AwIBAe+/vQMCAQLvv70DAgE=
> ---

Thanks a lot for getting back to us with the cause.
Glad it wasn't our fault :-)

Simo.

--
Simo Sorce * Red Hat, Inc * New York
Re: [Freeipa-users] kinit: Generic error (see e-text) while getting initial credentials
Simo Sorce wrote:
> On Mon, 2012-02-13 at 10:39 +1100, Craig T wrote:
>> Hi,
>>
>> Server: RHEL6.2
>>
>> Spec:
>> ipa-admintools-2.1.3-9.el6.x86_64
>> ipa-client-2.1.3-9.el6.x86_64
>> ipa-pki-ca-theme-9.0.3-7.el6.noarch
>> ipa-pki-common-theme-9.0.3-7.el6.noarch
>> ipa-python-2.1.3-9.el6.x86_64
>> ipa-server-2.1.3-9.el6.x86_64
>> ipa-server-selinux-2.1.3-9.el6.x86_64
>> libipa_hbac-1.5.1-66.el6_2.3.x86_64
>> libipa_hbac-python-1.5.1-66.el6_2.3.x86_64
>> python-iniparse-0.3.1-2.1.el6.noarch
>>
>> Error:
>> I had this working on Friday night, came in Monday and then this error appeared?
>>
>> kinit -V craig
>> Using default cache: /tmp/krb5cc_0
>> Using principal: cr...@example.com
>> kinit: Generic error (see e-text) while getting initial credentials
>>
>> Server Side Error: (File: /var/log/krb5kdc.log)
>> Feb 13 10:36:04 sysvm-ipa krb5kdc[5590](info): AS_REQ (4 etypes {18 17 16 23}) 192.168.0.214: LOOKING_UP_CLIENT: cr...@example.com for krbtgt/example@example.com, unable to decode stored principal key data (ASN.1 encoding ended unexpectedly)
>>
>> Usual Questions:
>> Should I simply reset the password?
>
> It seems like the only option to quickly recover access to your user.
>
>> Is it a bug?
>
> It may be.
> Did you do anything special with this user?
> Did this happen immediately after a password change?
> Or immediately after a FreeIPA or krb5kdc upgrade?
>
> Can you give a little more context around this?
>
> Also could you ldapsearch this user entry before you change your password using 'cn=Directory Manager' as user in order to retrieve the key attribute and send the ldif to me in private?
> I want to see if the key blob at least looks normal (do not worry about your password, the key material is itself encrypted).

It might also be handy to see who last updated this entry before you reset the password (if it isn't too late):

modifyTimestamp
lastModifiedBy

>> Anyone else seen this error?
>
> Haven't seen any report, and haven't ever occurred in my testing.
>
> Simo,
[Freeipa-users] kinit: Generic error (see e-text) while getting initial credentials
Hi,

Server: RHEL6.2

Spec:
ipa-admintools-2.1.3-9.el6.x86_64
ipa-client-2.1.3-9.el6.x86_64
ipa-pki-ca-theme-9.0.3-7.el6.noarch
ipa-pki-common-theme-9.0.3-7.el6.noarch
ipa-python-2.1.3-9.el6.x86_64
ipa-server-2.1.3-9.el6.x86_64
ipa-server-selinux-2.1.3-9.el6.x86_64
libipa_hbac-1.5.1-66.el6_2.3.x86_64
libipa_hbac-python-1.5.1-66.el6_2.3.x86_64
python-iniparse-0.3.1-2.1.el6.noarch

Error:
I had this working on Friday night, came in Monday and then this error appeared?

kinit -V craig
Using default cache: /tmp/krb5cc_0
Using principal: cr...@example.com
kinit: Generic error (see e-text) while getting initial credentials

Server Side Error: (File: /var/log/krb5kdc.log)
Feb 13 10:36:04 sysvm-ipa krb5kdc[5590](info): AS_REQ (4 etypes {18 17 16 23}) 192.168.0.214: LOOKING_UP_CLIENT: cr...@example.com for krbtgt/example@example.com, unable to decode stored principal key data (ASN.1 encoding ended unexpectedly)

Usual Questions:
Should I simply reset the password?
Is it a bug?
Anyone else seen this error?

Regards,

Craig