On Tue, Feb 14, 2012 at 04:54:51PM -0500, Rob Crittenden wrote:
> Simo Sorce wrote:
> >On Mon, 2012-02-13 at 10:39 +1100, Craig T wrote:
> >>Hi,
> >>
> >>Server:
> >>RHEL6.2
> >>
> >>
> >>Spec:
> >>ipa-admintools-2.1.3-9.el6.x86_64
> >>ipa-client-2.1.3-9.el6.x86_64
> >>ipa-pki-ca-theme-9.0.3-7.el6.noarch
> >>ipa-pki-common-theme-9.0.3-7.el6.noarch
> >>ipa-python-2.1.3-9.el6.x86_64
> >>ipa-server-2.1.3-9.el6.x86_64
> >>ipa-server-selinux-2.1.3-9.el6.x86_64
> >>libipa_hbac-1.5.1-66.el6_2.3.x86_64
> >>libipa_hbac-python-1.5.1-66.el6_2.3.x86_64
> >>python-iniparse-0.3.1-2.1.el6.noarch
> >>
> >>
> >>Error:
> >>I had this working on Friday night, came in Monday and then this error
> >>appeared?
> >>
> >>kinit -V craig
> >>Using default cache: /tmp/krb5cc_0
> >>Using principal: cr...@example.com
> >>kinit: Generic error (see e-text) while getting initial credentials
> >>
> >>Server Side Error: (File: /var/log/krb5kdc.log)
> >>Feb 13 10:36:04 sysvm-ipa krb5kdc[5590](info): AS_REQ (4 etypes {18 17 16
> >>23}) 192.168.0.214: LOOKING_UP_CLIENT: cr...@example.com for
> >>krbtgt/example....@example.com, unable to decode stored principal key data
> >>(ASN.1 encoding ended unexpectedly)
> >>
> >>
> >>Usual Questions:
> >>Should I simply reset the password?
> >
> >It seems like the only option to quickly recover access to your user.
> >
> >>Is it a bug?
> >
> >It may be. Did you do anything special with this user ? Did this happen
> >immediately after a password change ? Or immediately after a FreeIPA or
> >krb5kdc upgrade ?
> >Can you give a little more context around this ?

Issue Solved!
I worked out that my LDAP Browser was changing the attributes of "krbPrincipalKey" entry just by simply clicking on the attribute entry!! Not a good idea.
Have a look at the before and after;

BEFORE:
krbPrincipalKey:: MIIBnKADAgEBoQMCAQGiAwIBAqMDAgEApIIBhDCCAYAwaKAbMBmgAwIBBK
 ESBBCf338d3SHeIt21wwMeLtrDoUkwR6ADAgESoUAEPiAAltpeSUgnisk9RLvsAXZISub9cfbfJ
 /SnxMWlrhrS0fUKaQYGXPXwwwslXgZ30xWfeAlLI9DztmKeqzUbMFigGzAZoAMCAQShEgQQze9p
 5zpXYuYLOyWIljg0jaE5MDegAwIBEaEwBC4QAPa4TpZbsA1tSoUl1LMG+IljQusO8zpTD7UqNWI
 drvYJI8Cq6rALd/jzMJKgMGCgGzAZoAMCAQShEgQQh3To4HjujECOGDHyhaoFiqFBMD+gAwIBEK
 E4BDYYAO4F0DyDLow0cColhjsykUzH750CBFsaZfIEX1o2iPMCWlLYtRmauoW3OhejrRESemC+s
 GUwWKAbMBmgAwIBBKESBBDF9qB45XTzfez5BfecBC/EoTkwN6ADAgEXoTAELhAAc9mgsgQnmXxX
 qlwrLcC9U7uGePdu95xCQcW9lvRyW77rTpev6Lk4E7sXYKE=

AFTER:
krbPrincipalKey:: MO+/vQHvv73vv70DAgEB77+9AwIBAe+/vQMCAQLvv70DAgE=

---

> >
> >Also could you ldapsearch this user entry before you change your
> >password using 'cn=Directory Manager' as user in order to retrieve the
> >key attribute and send the ldif to me in private ? I want to see if the
> >key blob at least looks normal (do not worry about your password, the
> >key material is itself encrypted).
>
> It might also be handy to see who last updated this entry before you
> reset the password (if it isn't too late): modifyTimestamp
> lastModifiedBy
>
> >
> >>Anyone else seen this error?
> >
> >Haven't seen any report, and haven't ever occurred in my testing.
> >
> >Simo,
> >
>
_______________________________________________
Freeipa-users mailing list
Freeipa-users@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-users
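
An added check, not part of the original thread: the AFTER value above is byte-for-byte what results when the start of the BEFORE value is read as a NUL-terminated UTF-8 string and written back, with every invalid byte replaced by U+FFFD (EF BF BD). The function names are illustrative; the two base64 strings are taken from the dump above, and the detection heuristic is an assumption about what a mangled binary attribute looks like.

```python
import base64

# From the BEFORE/AFTER dump in the message above. Only the first 24 bytes
# (32 base64 characters) of BEFORE are needed for the comparison.
BEFORE_PREFIX = base64.b64decode("MIIBnKADAgEBoQMCAQGiAwIBAqMDAgEA")
AFTER = base64.b64decode("MO+/vQHvv73vv70DAgEB77+9AwIBAe+/vQMCAQLvv70DAgE=")

REPLACEMENT = "\ufffd".encode("utf-8")  # EF BF BD


def text_roundtrip(raw: bytes) -> bytes:
    """Simulate a tool that handles a binary value as a NUL-terminated UTF-8 string."""
    head = raw.split(b"\x00", 1)[0]          # C-string style truncation at first NUL
    return head.decode("utf-8", errors="replace").encode("utf-8")


def der_length_ok(blob: bytes) -> bool:
    """True if blob is one DER SEQUENCE whose declared length matches its size."""
    if len(blob) < 2 or blob[0] != 0x30:
        return False
    first = blob[1]
    if first < 0x80:                          # short-form length
        header, length = 2, first
    else:                                     # long-form: low 7 bits = length octets
        n = first & 0x7F
        if n == 0 or len(blob) < 2 + n:
            return False
        header, length = 2 + n, int.from_bytes(blob[2:2 + n], "big")
    return header + length == len(blob)


def looks_text_mangled(blob: bytes) -> bool:
    """Heuristic: flag a binary attribute value that shows signs of a text round trip."""
    return REPLACEMENT in blob or not der_length_ok(blob)


if __name__ == "__main__":
    print("BEFORE starts:", BEFORE_PREFIX[:4].hex())        # SEQUENCE, 2-byte length
    print("AFTER        :", AFTER.hex())
    print("round trip reproduces AFTER:", text_roundtrip(BEFORE_PREFIX) == AFTER)
    print("AFTER flagged as mangled   :", looks_text_mangled(AFTER))
```

The mismatch between the declared SEQUENCE length and the bytes actually stored is consistent with the KDC's "ASN.1 encoding ended unexpectedly" message quoted above.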