On Thu, 2009-10-22 at 19:57 -0400, Nalin Dahyabhai wrote:
> On Mon, Oct 12, 2009 at 10:17:21PM -0600, Jason Gerard DeRose wrote:
> > To help ensure that my new UI patch won't break our daily builds, I've
> > tried building it under Fedora 12 as it has python-assets and
> > python-wehjit.  It builds fine, but when I kinit, I get this error:
> > 
> > [r...@fedora12 ~]# kinit ad...@example.com
> > Password for ad...@example.com: 
> > kinit: Looping detected inside krb5_get_in_tkt while getting initial
> > credentials
> > 
> > Anyone have any ideas?
> 
> This came up on the upstream list recently; I haven't reproduced it
> myself, but it looks like it'll happen if you fail to preauthenticate in
> a number of ways where the KDC doesn't return a more-specific error
> code.
> 
> Does the database entry for ad...@example.com have keys in it?
> Did you type the right password?
> Is there anything in the KDC logs that provides more detail?
> Do you have a packet capture?  The size and contents of the e-data
> returned with the error can help narrow it down.
> 
> HTH,
> 
> Nalin

How do I check whether the database entry for ad...@example.com has keys
in it?  Yes, I'm typing the password correctly, and I get the same error
even when I deliberately type the wrong password.

The /var/log/krb5kdc.log file has this repeated over and over again:

Oct 25 21:59:21 fedora12.example.com krb5kdc[27434](info): preauth
(timestamp) verify failure: No matching key in entry
Oct 25 21:59:21 fedora12.example.com krb5kdc[27434](info): AS_REQ (7
etypes {18 17 16 23 1 3 2}) 192.168.122.12: PREAUTH_FAILED:
ad...@example.com for krbtgt/example....@example.com, Preauthentication
failed
Oct 25 21:59:21 fedora12.example.com krb5kdc[27434](info): preauth
(timestamp) verify failure: No matching key in entry
Oct 25 21:59:21 fedora12.example.com krb5kdc[27434](info): AS_REQ (7
etypes {18 17 16 23 1 3 2}) 192.168.122.12: PREAUTH_FAILED:
ad...@example.com for krbtgt/example....@example.com, Preauthentication
failed
Oct 25 21:59:21 fedora12.example.com krb5kdc[27434](info): preauth
(timestamp) verify failure: No matching key in entry
Oct 25 21:59:21 fedora12.example.com krb5kdc[27434](info): AS_REQ (7
etypes {18 17 16 23 1 3 2}) 192.168.122.12: PREAUTH_FAILED:
ad...@example.com for krbtgt/example....@example.com, Preauthentication
failed
Oct 25 21:59:21 fedora12.example.com krb5kdc[27434](info): preauth
(timestamp) verify failure: No matching key in entry
Oct 25 21:59:21 fedora12.example.com krb5kdc[27434](info): AS_REQ (7
etypes {18 17 16 23 1 3 2}) 192.168.122.12: PREAUTH_FAILED:
ad...@example.com for krbtgt/example....@example.com, Preauthentication
failed

I'm running this on a VM that I installed from Fedora 12 alpha, but have
updated since.  I snapshot prior to building and installing freeipa, so
this is a fairly clean setup.  ipa-server-install appears to succeed,
but upon trying to kinit as ad...@example.com, I get the above error.

_______________________________________________
Freeipa-devel mailing list
Freeipa-devel@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-devel
