[Freeipa-devel] Fedora12: Looping detected inside krb5_get_in_tkt
Jason Gerard DeRose
jderose at redhat.com
Mon Oct 26 04:10:08 UTC 2009
On Thu, 2009-10-22 at 19:57 -0400, Nalin Dahyabhai wrote:
> On Mon, Oct 12, 2009 at 10:17:21PM -0600, Jason Gerard DeRose wrote:
> > To help ensure that my new UI patch wont break our daily builds, I've
> > tried building it under Fedora 12 as it has python-assets and
> > python-wehjit. It builds fine, but when I kinit, I get this error:
> >
> > [root at fedora12 ~]# kinit admin at EXAMPLE.COM
> > Password for admin at EXAMPLE.COM:
> > kinit: Looping detected inside krb5_get_in_tkt while getting initial
> > credentials
> >
> > Anyone have any ideas?
>
> This came up on the upstream list recently; I haven't reproduced it
> myself, but it looks like it'll happen if you fail to preauthenticate in
> a number of ways where the KDC doesn't return a more-specific error
> code.
>
> Does the database entry for admin at EXAMPLE.COM have keys in it?
> Did you type the right password?
> Is there anything in the KDC logs that provides more detail?
> Do you have a packet capture? The size and contents of the e-data
> returned with the error can help narrow it down.
>
> HTH,
>
> Nalin
How do I check whether the database entry for admin at EXAMPLE.COM has keys
in it? Yes, I'm typing the password correctly, and I get the same error
even when I deliberately type the wrong password.
The /var/log/krb5kdc.log file has this repeated over and over again:
Oct 25 21:59:21 fedora12.example.com krb5kdc[27434](info): preauth
(timestamp) verify failure: No matching key in entry
Oct 25 21:59:21 fedora12.example.com krb5kdc[27434](info): AS_REQ (7
etypes {18 17 16 23 1 3 2}) 192.168.122.12: PREAUTH_FAILED:
admin at EXAMPLE.COM for krbtgt/EXAMPLE.COM at EXAMPLE.COM, Preauthentication
failed
Oct 25 21:59:21 fedora12.example.com krb5kdc[27434](info): preauth
(timestamp) verify failure: No matching key in entry
Oct 25 21:59:21 fedora12.example.com krb5kdc[27434](info): AS_REQ (7
etypes {18 17 16 23 1 3 2}) 192.168.122.12: PREAUTH_FAILED:
admin at EXAMPLE.COM for krbtgt/EXAMPLE.COM at EXAMPLE.COM, Preauthentication
failed
Oct 25 21:59:21 fedora12.example.com krb5kdc[27434](info): preauth
(timestamp) verify failure: No matching key in entry
Oct 25 21:59:21 fedora12.example.com krb5kdc[27434](info): AS_REQ (7
etypes {18 17 16 23 1 3 2}) 192.168.122.12: PREAUTH_FAILED:
admin at EXAMPLE.COM for krbtgt/EXAMPLE.COM at EXAMPLE.COM, Preauthentication
failed
Oct 25 21:59:21 fedora12.example.com krb5kdc[27434](info): preauth
(timestamp) verify failure: No matching key in entry
Oct 25 21:59:21 fedora12.example.com krb5kdc[27434](info): AS_REQ (7
etypes {18 17 16 23 1 3 2}) 192.168.122.12: PREAUTH_FAILED:
admin at EXAMPLE.COM for krbtgt/EXAMPLE.COM at EXAMPLE.COM, Preauthentication
failed
I'm running this on a VM that I installed from Fedora 12 alpha, but have
updated since. I snapshot prior to building and installing freeipa, so
this is a fairly clean setup. ipa-server-install appears to succeed,
but upon trying to kinit as admin at EXAMPLE.COM, I get the above error.
More information about the Freeipa-devel
mailing list