John Louis via FreeIPA-users <freeipa-users@lists.fedorahosted.org>
writes:

> Thanks so much.
>
> /var/log/krb5kdc.log only contain the following few kind of lines, not
> necessarily in chronological order, and they repeated many times, so I
> just copied one line for each kind, but keep in mind each of them
> repeated many times:

It would have been more helpful if you had posted the logfile on a
pastebin somewhere.

> krb5kdc: Invalid message type - while dispatching (udp)

You said this was all on one machine, right?  Is it perhaps network exposed?

> Jan 07 02:01:33 krb5kdc[2121](info): preauth (encrypted_timestamp) verify 
> failure: Preauthentication failed
> Jan 07 02:01:33 krb5kdc[2121](info): AS_REQ (8 etypes {18 17 20 19 16 23 25 
> 26}) 127.0.0.1: PREAUTH_FAILED: host/ipa.host.name@REALM for 
> krbtgt/REALM@REALM, Preauthentication failed
> Jan 02 20:47:04 krb5kdc[2120](info): AS_REQ (8 etypes {18 17 20 19 16 23 25 
> 26}) 127.0.0.1: CLIENT_NOT_FOUND: list@REALM for krbtgt/REALM@REALM, Client 
> not found in Kerberos database
> Jan 02 20:47:33 krb5kdc[2120](info): AS_REQ (8 etypes {18 17 20 19 16 23 25 
> 26}) 127.0.0.1: CLIENT_NOT_FOUND: root@REALM for krbtgt/REALM@REALM, Client 
> not found in Kerberos database
> Jan 06 04:16:55 krb5kdc[2121](Error): TCP client 1.3.5.17.56660 wants 
> 1195725856 bytes, cap is 1048572

That's an enormous request...

> Jan 07 01:31:42 krb5kdc[2120](info): AS_REQ (8 etypes {18 17 20 19 16 23 25 
> 26}) 127.0.0.1: NEEDED_PREAUTH: admin@REALM for krbtgt/REALM@REALM, 
> Additional pre-authentication required
> Jan 08 04:23:49 krb5kdc[2121](info): AS_REQ (8 etypes {18 17 16 23 25 26 20 
> 19}) 127.0.0.1: NEEDED_PREAUTH: host/ipa.host.name@REALM for 
> krbtgt/REALM@REALM, Additional pre-authentication required
> Jan 08 09:08:49 krb5kdc[2121](info): AS_REQ (8 etypes {18 17 16 23 25 26 20 
> 19}) 127.0.0.1: ISSUE: authtime 1578492529, etypes {rep=18 tkt=18 ses=18}, 
> host/ipa.host.name@REALM for krbtgt/REALM@REALM
> Jan 08 09:08:49 krb5kdc[2120](info): TGS_REQ (8 etypes {18 17 20 19 16 23 25 
> 26}) 127.0.0.1: ISSUE: authtime 1578492529, etypes {rep=18 tkt=18 ses=18}, 
> host/ipa.host.name@REALM for ldap/ipa.host.name@REALM

I'd check the kvno on all principals against what's in their keytabs.
If that's not illuminating, we may need to look for data problems in
LDAP (which hopefully someone else can explain).

Thanks,
--Robbie
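A small triage script for the kind of krb5kdc.log lines quoted above, added here as an illustration (it is not code from the thread or from FreeIPA): it groups AS_REQ outcomes by principal, so a host principal that keeps hitting PREAUTH_FAILED stands out as a keytab/kvno check candidate, and for the oversized TCP request it decodes the 4-byte length prefix as ASCII, because a non-Kerberos stream sent to the KDC's TCP port has its first four bytes read as the record length. The sample log is constructed from the quoted lines and keeps the thread's placeholder realm, host name and address.

```python
import re
from collections import Counter

# Constructed sample, modelled on the krb5kdc.log lines quoted in the thread
# (REALM, ipa.host.name and 1.3.5.17 are the thread's own placeholders).
SAMPLE_LOG = """\
Jan 07 02:01:33 krb5kdc[2121](info): preauth (encrypted_timestamp) verify failure: Preauthentication failed
Jan 07 02:01:33 krb5kdc[2121](info): AS_REQ (8 etypes {18 17 20 19 16 23 25 26}) 127.0.0.1: PREAUTH_FAILED: host/ipa.host.name@REALM for krbtgt/REALM@REALM, Preauthentication failed
Jan 02 20:47:04 krb5kdc[2120](info): AS_REQ (8 etypes {18 17 20 19 16 23 25 26}) 127.0.0.1: CLIENT_NOT_FOUND: list@REALM for krbtgt/REALM@REALM, Client not found in Kerberos database
Jan 02 20:47:33 krb5kdc[2120](info): AS_REQ (8 etypes {18 17 20 19 16 23 25 26}) 127.0.0.1: CLIENT_NOT_FOUND: root@REALM for krbtgt/REALM@REALM, Client not found in Kerberos database
Jan 06 04:16:55 krb5kdc[2121](Error): TCP client 1.3.5.17.56660 wants 1195725856 bytes, cap is 1048572
Jan 08 09:08:49 krb5kdc[2121](info): AS_REQ (8 etypes {18 17 16 23 25 26 20 19}) 127.0.0.1: ISSUE: authtime 1578492529, etypes {rep=18 tkt=18 ses=18}, host/ipa.host.name@REALM for krbtgt/REALM@REALM
"""

# AS_REQ lines carry "<source>: <RESULT>: <client principal> for <server principal>".
AS_REQ = re.compile(r"AS_REQ .*?\) (?P<src>\S+): (?P<code>[A-Z_]+): (?P<client>\S+) for")
# The KDC logs this when the 4-byte TCP length prefix exceeds its record cap.
OVERSIZE = re.compile(r"TCP client (?P<src>\S+) wants (?P<n>\d+) bytes, cap is (?P<cap>\d+)")

def length_prefix_as_ascii(n):
    """Render the big-endian 4-byte length the KDC read as text.
    If something other than a Kerberos client talks to the KDC's TCP port, the
    first four bytes of its stream become the 'record length', so decoding them
    usually names the protocol that actually connected."""
    return n.to_bytes(4, "big").decode("ascii", errors="replace")

def triage(log_text):
    """Summarise a KDC log by finding rather than by raw line count."""
    preauth_failed = Counter()   # principal -> count; keytab/kvno mismatch candidates
    unknown_clients = Counter()  # principal -> count; names absent from the database
    oversize = []                # (source, requested bytes, decoded length prefix)
    for line in log_text.splitlines():
        m = AS_REQ.search(line)
        if m:
            if m["code"] == "PREAUTH_FAILED":
                preauth_failed[m["client"]] += 1
            elif m["code"] == "CLIENT_NOT_FOUND":
                unknown_clients[m["client"]] += 1
            continue
        m = OVERSIZE.search(line)
        if m:
            n = int(m["n"])
            oversize.append((m["src"], n, length_prefix_as_ascii(n)))
    return {"preauth_failed": preauth_failed,
            "unknown_clients": unknown_clients,
            "oversize": oversize}

if __name__ == "__main__":
    for key, value in triage(SAMPLE_LOG).items():
        print(key, dict(value) if isinstance(value, Counter) else value)
```

The decoded prefix for the quoted request is the ASCII text "GET ", i.e. an HTTP request reaching the KDC's TCP port, which is the kind of detail that answers the network-exposure question.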
