[Freeipa-users] kinit: Generic error (see e-text) while getting initial credentials (SOLVED)

Craig T freeipa at noboost.org
Thu Feb 16 01:27:54 UTC 2012


On Tue, Feb 14, 2012 at 04:54:51PM -0500, Rob Crittenden wrote:
> Simo Sorce wrote:
> >On Mon, 2012-02-13 at 10:39 +1100, Craig T wrote:
> >>Hi,
> >>
> >>Server:
> >>RHEL6.2
> >>
> >>
> >>Spec:
> >>ipa-admintools-2.1.3-9.el6.x86_64
> >>ipa-client-2.1.3-9.el6.x86_64
> >>ipa-pki-ca-theme-9.0.3-7.el6.noarch
> >>ipa-pki-common-theme-9.0.3-7.el6.noarch
> >>ipa-python-2.1.3-9.el6.x86_64
> >>ipa-server-2.1.3-9.el6.x86_64
> >>ipa-server-selinux-2.1.3-9.el6.x86_64
> >>libipa_hbac-1.5.1-66.el6_2.3.x86_64
> >>libipa_hbac-python-1.5.1-66.el6_2.3.x86_64
> >>python-iniparse-0.3.1-2.1.el6.noarch
> >>
> >>
> >>Error:
> >>I had this working on Friday night, came in Monday and then this error appeared?
> >>
> >>kinit -V craig
> >>Using default cache: /tmp/krb5cc_0
> >>Using principal: craig at EXAMPLE.COM
> >>kinit: Generic error (see e-text) while getting initial credentials
> >>
> >>Server Side Error:  (File: /var/log/krb5kdc.log)
> >>Feb 13 10:36:04 sysvm-ipa krb5kdc[5590](info): AS_REQ (4 etypes {18 17 16 23}) 192.168.0.214: LOOKING_UP_CLIENT: craig at EXAMPLE.COM for krbtgt/EXAMPLE.COM at EXAMPLE.COM, unable to decode stored principal key data (ASN.1 encoding ended unexpectedly)
> >>
> >>
> >>Usual Questions:
> >>Should I simply reset the password?
> >
> >It seems like the only option to quickly recover access to your user.
> >
> >>Is it a bug?
> >
> >It may be. Did you do anything special with this user ? Did this happen
> >immediately after a password change ? Or immediately after a FreeIPA or
> >krb5kdc upgrade ?
> >Can you give a little more context around this ?
Issue Solved!
I worked out that my LDAP Browser was changing the attributes of "krbPrincipalKey" entry just by simply clicking on the attribute entry!! Not a good idea.

Have a look at the before and after;
BEFORE:
krbPrincipalKey:: MIIBnKADAgEBoQMCAQGiAwIBAqMDAgEApIIBhDCCAYAwaKAbMBmgAwIBBK
 ESBBCf338d3SHeIt21wwMeLtrDoUkwR6ADAgESoUAEPiAAltpeSUgnisk9RLvsAXZISub9cfbfJ
 /SnxMWlrhrS0fUKaQYGXPXwwwslXgZ30xWfeAlLI9DztmKeqzUbMFigGzAZoAMCAQShEgQQze9p
 5zpXYuYLOyWIljg0jaE5MDegAwIBEaEwBC4QAPa4TpZbsA1tSoUl1LMG+IljQusO8zpTD7UqNWI
 drvYJI8Cq6rALd/jzMJKgMGCgGzAZoAMCAQShEgQQh3To4HjujECOGDHyhaoFiqFBMD+gAwIBEK
 E4BDYYAO4F0DyDLow0cColhjsykUzH750CBFsaZfIEX1o2iPMCWlLYtRmauoW3OhejrRESemC+s
 GUwWKAbMBmgAwIBBKESBBDF9qB45XTzfez5BfecBC/EoTkwN6ADAgEXoTAELhAAc9mgsgQnmXxX
 qlwrLcC9U7uGePdu95xCQcW9lvRyW77rTpev6Lk4E7sXYKE=

AFTER:
krbPrincipalKey:: MO+/vQHvv73vv70DAgEB77+9AwIBAe+/vQMCAQLvv70DAgE=
---

> >
> >Also could you ldapsearch this user entry before you change your
> >password using 'cn=Directory Manager' as user in order to retrieve the
> >key attribute and send the ldif to me in private ? I want to see if the
> >key blob at least looks normal (do not worry about your password, the
> >key material is itself encrypted).
> 
> It might also be handy to see who last updated this entry before you
> reset the password (if it isn't too late): modifyTimestamp
> lastModifiedBy
> 
> >
> >>Anyone else seen this error?
> >
> >Haven't seen any report, and haven't ever occurred in my testing.
> >
> >Simo,
> >
> 
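
An added example, not part of the original thread or of FreeIPA: the AFTER value quoted above decodes to 35 bytes containing six copies of EF BF BD (the UTF-8 encoding of U+FFFD) and no longer parses as a DER SEQUENCE, which matches the KDC's "ASN.1 encoding ended unexpectedly" message. The check below flags that pattern in a base64 LDIF value. The failure mode it models (a client decoding the binary key as a NUL-terminated UTF-8 string and writing it back) is an assumption consistent with those bytes, and `sample_der()` is constructed test data, not real key material.

```python
import base64

FFFD = "\ufffd".encode("utf-8")  # EF BF BD: what a text decoder emits for an invalid byte

# The AFTER value exactly as quoted in the post.
AFTER_B64 = "MO+/vQHvv73vv70DAgEB77+9AwIBAe+/vQMCAQLvv70DAgE="


def der_length_ok(blob: bytes) -> bool:
    """True if blob is one DER SEQUENCE whose declared length matches its size."""
    if len(blob) < 2 or blob[0] != 0x30:
        return False
    first = blob[1]
    if first < 0x80:  # short form: the octet is the length
        header, length = 2, first
    else:  # long form: low 7 bits give the number of length octets
        n = first & 0x7F
        if n == 0 or n > 4 or len(blob) < 2 + n:
            return False
        header, length = 2 + n, int.from_bytes(blob[2:2 + n], "big")
    return len(blob) == header + length


def check_key_blob(b64_value: str) -> dict:
    """Decode a base64 LDIF value and report signs of text-mode damage."""
    blob = base64.b64decode(b64_value)
    return {"size": len(blob), "fffd_count": blob.count(FFFD),
            "der_ok": der_length_ok(blob)}


def lossy_text_round_trip(blob: bytes) -> bytes:
    """Assumed failure mode: binary value handled as a NUL-terminated UTF-8 string."""
    text = blob.decode("utf-8", errors="replace")
    return text.split("\x00", 1)[0].encode("utf-8")


def sample_der() -> bytes:
    """Constructed sample (not real key data): SEQUENCE of context-tagged fields."""
    body = b"".join(bytes([0xA0 + i, 3, 2, 1, v]) for i, v in enumerate((1, 1, 2, 0)))
    body += bytes([0xA4, 0x81, 0x80]) + bytes(range(0x80, 0x100))
    return bytes([0x30, 0x81, len(body)]) + body


if __name__ == "__main__":
    print("AFTER from the post:", check_key_blob(AFTER_B64))
    good = sample_der()
    print("sample intact:", check_key_blob(base64.b64encode(good).decode()))
    bad = lossy_text_round_trip(good)
    print("sample damaged:", check_key_blob(base64.b64encode(bad).decode()))
```

A non-zero `fffd_count` is only a heuristic, since intact binary data can contain those three bytes by chance; the DER length mismatch is the stronger signal.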
