[Freeipa-devel] Fedora12: Looping detected inside krb5_get_in_tkt

Jason Gerard DeRose jderose at redhat.com
Mon Oct 26 04:10:08 UTC 2009 

On Thu, 2009-10-22 at 19:57 -0400, Nalin Dahyabhai wrote:
> On Mon, Oct 12, 2009 at 10:17:21PM -0600, Jason Gerard DeRose wrote:
> > To help ensure that my new UI patch wont break our daily builds, I've
> > tried building it under Fedora 12 as it has python-assets and
> > python-wehjit.  It builds fine, but when I kinit, I get this error:
> > 
> > [root at fedora12 ~]# kinit admin at EXAMPLE.COM
> > Password for admin at EXAMPLE.COM: 
> > kinit: Looping detected inside krb5_get_in_tkt while getting initial
> > credentials
> > 
> > Anyone have any ideas?
> 
> This came up on the upstream list recently; I haven't reproduced it
> myself, but it looks like it'll happen if you fail to preauthenticate in
> a number of ways where the KDC doesn't return a more-specific error
> code.
> 
> Does the database entry for admin at EXAMPLE.COM have keys in it?
> Did you type the right password?
> Is there anything in the KDC logs that provides more detail?
> Do you have a packet capture?  The size and contents of the e-data
> returned with the error can help narrow it down.
> 
> HTH,
> 
> Nalin

How do I check whether the database entry for admin at EXAMPLE.COM has keys
in it?  Yes, I'm typing the password correctly, and I get the same error
even when I deliberately type the wrong password.

The /var/log/krb5kdc.log file has this repeated over and over again:

Oct 25 21:59:21 fedora12.example.com krb5kdc[27434](info): preauth
(timestamp) verify failure: No matching key in entry
Oct 25 21:59:21 fedora12.example.com krb5kdc[27434](info): AS_REQ (7
etypes {18 17 16 23 1 3 2}) 192.168.122.12: PREAUTH_FAILED:
admin at EXAMPLE.COM for krbtgt/EXAMPLE.COM at EXAMPLE.COM, Preauthentication
failed
Oct 25 21:59:21 fedora12.example.com krb5kdc[27434](info): preauth
(timestamp) verify failure: No matching key in entry
Oct 25 21:59:21 fedora12.example.com krb5kdc[27434](info): AS_REQ (7
etypes {18 17 16 23 1 3 2}) 192.168.122.12: PREAUTH_FAILED:
admin at EXAMPLE.COM for krbtgt/EXAMPLE.COM at EXAMPLE.COM, Preauthentication
failed
Oct 25 21:59:21 fedora12.example.com krb5kdc[27434](info): preauth
(timestamp) verify failure: No matching key in entry
Oct 25 21:59:21 fedora12.example.com krb5kdc[27434](info): AS_REQ (7
etypes {18 17 16 23 1 3 2}) 192.168.122.12: PREAUTH_FAILED:
admin at EXAMPLE.COM for krbtgt/EXAMPLE.COM at EXAMPLE.COM, Preauthentication
failed
Oct 25 21:59:21 fedora12.example.com krb5kdc[27434](info): preauth
(timestamp) verify failure: No matching key in entry
Oct 25 21:59:21 fedora12.example.com krb5kdc[27434](info): AS_REQ (7
etypes {18 17 16 23 1 3 2}) 192.168.122.12: PREAUTH_FAILED:
admin at EXAMPLE.COM for krbtgt/EXAMPLE.COM at EXAMPLE.COM, Preauthentication
failed

I'm running this on a VM that I installed from Fedora 12 alpha, but have
updated since.  I snapshot prior to building and installing freeipa, so
this is a fairly clean setup.  ipa-server-install appears to succeed,
but upon trying to kinit as admin at EXAMPLE.COM, I get the above error.

More information about the Freeipa-devel mailing list