Re: [Freeipa-users] kinit: Generic error (see e-text) while getting initial credentials (SOLVED)
On Thu, 2012-02-16 at 12:27 +1100, Craig T wrote:
> On Tue, Feb 14, 2012 at 04:54:51PM -0500, Rob Crittenden wrote:
> > Simo Sorce wrote:
> > >On Mon, 2012-02-13 at 10:39 +1100, Craig T wrote:
> > >>Hi,
> > >>
> > >>Server:
> > >>RHEL6.2
> > >>
> > >>
> > >>Spec:
> > >>ipa-admintools-2.1.3-9.el6.x86_64
> > >>ipa-client-2.1.3-9.el6.x86_64
> > >>ipa-pki-ca-theme-9.0.3-7.el6.noarch
> > >>ipa-pki-common-theme-9.0.3-7.el6.noarch
> > >>ipa-python-2.1.3-9.el6.x86_64
> > >>ipa-server-2.1.3-9.el6.x86_64
> > >>ipa-server-selinux-2.1.3-9.el6.x86_64
> > >>libipa_hbac-1.5.1-66.el6_2.3.x86_64
> > >>libipa_hbac-python-1.5.1-66.el6_2.3.x86_64
> > >>python-iniparse-0.3.1-2.1.el6.noarch
> > >>
> > >>
> > >>Error:
> > >>I had this working on Friday night, came in Monday and then this error
> > >>appeared?
> > >>
> > >>kinit -V craig
> > >>Using default cache: /tmp/krb5cc_0
> > >>Using principal: cr...@example.com
> > >>kinit: Generic error (see e-text) while getting initial credentials
> > >>
> > >>Server Side Error: (File: /var/log/krb5kdc.log)
> > >>Feb 13 10:36:04 sysvm-ipa krb5kdc[5590](info): AS_REQ (4 etypes {18 17 16
> > >>23}) 192.168.0.214: LOOKING_UP_CLIENT: cr...@example.com for
> > >>krbtgt/example@example.com, unable to decode stored principal key
> > >>data (ASN.1 encoding ended unexpectedly)
> > >>
> > >>
> > >>Usual Questions:
> > >>Should I simply reset the password?
> > >
> > >It seems like the only option to quickly recover access to your user.
> > >
> > >>Is it a bug?
> > >
> > >It may be. Did you do anything special with this user ? Did this happen
> > >immediately after a password change ? Or immediately after a FreeIPA or
> > >krb5kdc upgrade ?
> > >Can you give a little more context around this ?
>
> Issue Solved!
> I worked out that my LDAP Browser was changing the attributes of
> "krbPrincipalKey" entry just by simply clicking on the attribute entry!! Not
> a good idea.
>
> Have a look at the before and after;
> BEFORE:
> krbPrincipalKey:: MIIBnKADAgEBoQMCAQGiAwIBAqMDAgEApIIBhDCCAYAwaKAbMBmgAwIBBK
>  ESBBCf338d3SHeIt21wwMeLtrDoUkwR6ADAgESoUAEPiAAltpeSUgnisk9RLvsAXZISub9cfbfJ
>  /SnxMWlrhrS0fUKaQYGXPXwwwslXgZ30xWfeAlLI9DztmKeqzUbMFigGzAZoAMCAQShEgQQze9p
>  5zpXYuYLOyWIljg0jaE5MDegAwIBEaEwBC4QAPa4TpZbsA1tSoUl1LMG+IljQusO8zpTD7UqNWI
>  drvYJI8Cq6rALd/jzMJKgMGCgGzAZoAMCAQShEgQQh3To4HjujECOGDHyhaoFiqFBMD+gAwIBEK
>  E4BDYYAO4F0DyDLow0cColhjsykUzH750CBFsaZfIEX1o2iPMCWlLYtRmauoW3OhejrRESemC+s
>  GUwWKAbMBmgAwIBBKESBBDF9qB45XTzfez5BfecBC/EoTkwN6ADAgEXoTAELhAAc9mgsgQnmXxX
>  qlwrLcC9U7uGePdu95xCQcW9lvRyW77rTpev6Lk4E7sXYKE=
>
> AFTER:
> krbPrincipalKey:: MO+/vQHvv73vv70DAgEB77+9AwIBAe+/vQMCAQLvv70DAgE=
> ---

Thanks a lot for getting back to us with the cause.
Glad it wasn't our fault :-)

Simo.

-- 
Simo Sorce * Red Hat, Inc * New York

___
Freeipa-users mailing list
Freeipa-users@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-users

Re: [Freeipa-users] kinit: Generic error (see e-text) while getting initial credentials (SOLVED)
On Tue, Feb 14, 2012 at 04:54:51PM -0500, Rob Crittenden wrote:
> Simo Sorce wrote:
> >On Mon, 2012-02-13 at 10:39 +1100, Craig T wrote:
> >>Hi,
> >>
> >>Server:
> >>RHEL6.2
> >>
> >>
> >>Spec:
> >>ipa-admintools-2.1.3-9.el6.x86_64
> >>ipa-client-2.1.3-9.el6.x86_64
> >>ipa-pki-ca-theme-9.0.3-7.el6.noarch
> >>ipa-pki-common-theme-9.0.3-7.el6.noarch
> >>ipa-python-2.1.3-9.el6.x86_64
> >>ipa-server-2.1.3-9.el6.x86_64
> >>ipa-server-selinux-2.1.3-9.el6.x86_64
> >>libipa_hbac-1.5.1-66.el6_2.3.x86_64
> >>libipa_hbac-python-1.5.1-66.el6_2.3.x86_64
> >>python-iniparse-0.3.1-2.1.el6.noarch
> >>
> >>
> >>Error:
> >>I had this working on Friday night, came in Monday and then this error
> >>appeared?
> >>
> >>kinit -V craig
> >>Using default cache: /tmp/krb5cc_0
> >>Using principal: cr...@example.com
> >>kinit: Generic error (see e-text) while getting initial credentials
> >>
> >>Server Side Error: (File: /var/log/krb5kdc.log)
> >>Feb 13 10:36:04 sysvm-ipa krb5kdc[5590](info): AS_REQ (4 etypes {18 17 16
> >>23}) 192.168.0.214: LOOKING_UP_CLIENT: cr...@example.com for
> >>krbtgt/example@example.com, unable to decode stored principal key data
> >>(ASN.1 encoding ended unexpectedly)
> >>
> >>
> >>Usual Questions:
> >>Should I simply reset the password?
> >
> >It seems like the only option to quickly recover access to your user.
> >
> >>Is it a bug?
> >
> >It may be. Did you do anything special with this user ? Did this happen
> >immediately after a password change ? Or immediately after a FreeIPA or
> >krb5kdc upgrade ?
> >Can you give a little more context around this ?

Issue Solved!
I worked out that my LDAP Browser was changing the attributes of
"krbPrincipalKey" entry just by simply clicking on the attribute entry!! Not
a good idea.

Have a look at the before and after;
BEFORE:
krbPrincipalKey:: MIIBnKADAgEBoQMCAQGiAwIBAqMDAgEApIIBhDCCAYAwaKAbMBmgAwIBBK
 ESBBCf338d3SHeIt21wwMeLtrDoUkwR6ADAgESoUAEPiAAltpeSUgnisk9RLvsAXZISub9cfbfJ
 /SnxMWlrhrS0fUKaQYGXPXwwwslXgZ30xWfeAlLI9DztmKeqzUbMFigGzAZoAMCAQShEgQQze9p
 5zpXYuYLOyWIljg0jaE5MDegAwIBEaEwBC4QAPa4TpZbsA1tSoUl1LMG+IljQusO8zpTD7UqNWI
 drvYJI8Cq6rALd/jzMJKgMGCgGzAZoAMCAQShEgQQh3To4HjujECOGDHyhaoFiqFBMD+gAwIBEK
 E4BDYYAO4F0DyDLow0cColhjsykUzH750CBFsaZfIEX1o2iPMCWlLYtRmauoW3OhejrRESemC+s
 GUwWKAbMBmgAwIBBKESBBDF9qB45XTzfez5BfecBC/EoTkwN6ADAgEXoTAELhAAc9mgsgQnmXxX
 qlwrLcC9U7uGePdu95xCQcW9lvRyW77rTpev6Lk4E7sXYKE=

AFTER:
krbPrincipalKey:: MO+/vQHvv73vv70DAgEB77+9AwIBAe+/vQMCAQLvv70DAgE=
---

> >
> >Also could you ldapsearch this user entry before you change your
> >password using 'cn=Directory Manager' as user in order to retrieve the
> >key attribute and send the ldif to me in private ? I want to see if the
> >key blob at least looks normal (do not worry about your password, the
> >key material is itself encrypted).
>
> It might also be handy to see who last updated this entry before you
> reset the password (if it isn't too late): modifyTimestamp
> lastModifiedBy
>
> >
> >>Anyone else seen this error?
> >
> >Haven't seen any report, and haven't ever occurred in my testing.
> >
> >Simo,
> >
>

___
Freeipa-users mailing list
Freeipa-users@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-users
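
Added example, not part of the original thread: a Python check of the two posted krbPrincipalKey values. It shows that the AFTER bytes are exactly what results when the start of the BEFORE value is handled as NUL-terminated UTF-8 text (bytes that are not valid UTF-8 become U+FFFD, and the value ends at the first 0x00), which matches the KDC's "ASN.1 encoding ended unexpectedly". That text handling is inferred from the bytes, not stated by the posters, and the function names are illustrative.

```python
import base64

# AFTER value exactly as posted in the thread.
AFTER = base64.b64decode("MO+/vQHvv73vv70DAgEB77+9AwIBAe+/vQMCAQLvv70DAgE=")
# First 32 base64 characters (24 bytes) of the BEFORE value posted in the thread.
BEFORE_PREFIX = base64.b64decode("MIIBnKADAgEBoQMCAQGiAwIBAqMDAgEA")

REPLACEMENT = "\ufffd".encode("utf-8")  # EF BF BD, the UTF-8 form of U+FFFD


def der_total_length(blob):
    """Return header + content length declared by the outer DER SEQUENCE,
    or None if the header itself is malformed."""
    if len(blob) < 2 or blob[0] != 0x30:
        return None
    first = blob[1]
    if first < 0x80:                      # short form: length in one octet
        return 2 + first
    n = first & 0x7F                      # long form: n length octets follow
    if n == 0 or n > 4 or len(blob) < 2 + n:
        return None
    return 2 + n + int.from_bytes(blob[2:2 + n], "big")


def text_roundtrip(raw):
    """Assumed client behaviour: read the binary value as a NUL-terminated
    UTF-8 string, then write that string back."""
    text = raw.decode("utf-8", errors="replace")
    return text.split("\x00", 1)[0].encode("utf-8")


def looks_mangled(blob):
    """Flag a stored key value that shows text-handling damage: U+FFFD
    bytes present, or stored size differs from the DER-declared size."""
    return REPLACEMENT in blob or der_total_length(blob) != len(blob)


if __name__ == "__main__":
    print("BEFORE declares", der_total_length(BEFORE_PREFIX), "bytes in total")
    print("AFTER holds", len(AFTER), "bytes,", AFTER.count(REPLACEMENT), "x U+FFFD")
    print("round trip reproduces AFTER:", text_roundtrip(BEFORE_PREFIX) == AFTER)
    print("AFTER flagged as mangled:", looks_mangled(AFTER))
```

Running looks_mangled over exported krbPrincipalKey values before and after trying a new LDAP tool catches this kind of damage before a user is locked out.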