[Freeipa-users] kinit: Generic error (see e-text) while getting initial credentials (SOLVED)

Thu Feb 16 05:13:29 UTC 2012

On Thu, 2012-02-16 at 12:27 +1100, Craig T wrote:
> On Tue, Feb 14, 2012 at 04:54:51PM -0500, Rob Crittenden wrote:
> > Simo Sorce wrote:
> > >On Mon, 2012-02-13 at 10:39 +1100, Craig T wrote:
> > >>Hi,
> > >>
> > >>Server:
> > >>RHEL6.2
> > >>
> > >>
> > >>Spec:
> > >>ipa-admintools-2.1.3-9.el6.x86_64
> > >>ipa-client-2.1.3-9.el6.x86_64
> > >>ipa-pki-ca-theme-9.0.3-7.el6.noarch
> > >>ipa-pki-common-theme-9.0.3-7.el6.noarch
> > >>ipa-python-2.1.3-9.el6.x86_64
> > >>ipa-server-2.1.3-9.el6.x86_64
> > >>ipa-server-selinux-2.1.3-9.el6.x86_64
> > >>libipa_hbac-1.5.1-66.el6_2.3.x86_64
> > >>libipa_hbac-python-1.5.1-66.el6_2.3.x86_64
> > >>python-iniparse-0.3.1-2.1.el6.noarch
> > >>
> > >>
> > >>Error:
> > >>I had this working on Friday night, came in Monday and then this error appeared?
> > >>
> > >>kinit -V craig
> > >>Using default cache: /tmp/krb5cc_0
> > >>Using principal: craig at EXAMPLE.COM
> > >>kinit: Generic error (see e-text) while getting initial credentials
> > >>
> > >>Server Side Error:  (File: /var/log/krb5kdc.log)
> > >>Feb 13 10:36:04 sysvm-ipa krb5kdc[5590](info): AS_REQ (4 etypes {18 17 16 23}) 192.168.0.214: LOOKING_UP_CLIENT: craig at EXAMPLE.COM for krbtgt/EXAMPLE.COM at EXAMPLE.COM, unable to decode stored principal key data (ASN.1 encoding ended unexpectedly)
> > >>
> > >>
> > >>Usual Questions:
> > >>Should I simply reset the password?
> > >
> > >It seem like the only option to quickly recover access to your user.
> > >
> > >>Is it a bug?
> > >
> > >It may be. Did you do anything special with this user ? Did this happen
> > >immediately after a password change ? Or immediately after a FreeIPA or
> > >krb5kdc upgrade ?
> > >Can you give a little more context around this ?
> Issue Solved!
> I worked out that my LDAP Browser was changing the attribtues of "krbPrincipalKey" entry just be simply clicking on the attribute entry!! Not a good idea. 
> 
> Have a look at the before and after;
> BEFORE:
> krbPrincipalKey:: MIIBnKADAgEBoQMCAQGiAwIBAqMDAgEApIIBhDCCAYAwaKAbMBmgAwIBBK
>  ESBBCf338d3SHeIt21wwMeLtrDoUkwR6ADAgESoUAEPiAAltpeSUgnisk9RLvsAXZISub9cfbfJ
>  /SnxMWlrhrS0fUKaQYGXPXwwwslXgZ30xWfeAlLI9DztmKeqzUbMFigGzAZoAMCAQShEgQQze9p
>  5zpXYuYLOyWIljg0jaE5MDegAwIBEaEwBC4QAPa4TpZbsA1tSoUl1LMG+IljQusO8zpTD7UqNWI
>  drvYJI8Cq6rALd/jzMJKgMGCgGzAZoAMCAQShEgQQh3To4HjujECOGDHyhaoFiqFBMD+gAwIBEK
>  E4BDYYAO4F0DyDLow0cColhjsykUzH750CBFsaZfIEX1o2iPMCWlLYtRmauoW3OhejrRESemC+s
>  GUwWKAbMBmgAwIBBKESBBDF9qB45XTzfez5BfecBC/EoTkwN6ADAgEXoTAELhAAc9mgsgQnmXxX
>  qlwrLcC9U7uGePdu95xCQcW9lvRyW77rTpev6Lk4E7sXYKE=
> 
> AFTER:
> krbPrincipalKey:: MO+/vQHvv73vv70DAgEB77+9AwIBAe+/vQMCAQLvv70DAgE=
> ---

Thanks a lot for getting back to us with the cause.
Glad it wasn't our fault :-)

Simo.

-- 
Simo Sorce * Red Hat, Inc * New York