[Freeipa-devel] Fedora12: Looping detected inside krb5_get_in_tkt

Nalin Dahyabhai nalin at redhat.com
Mon Oct 26 15:38:31 UTC 2009


On Sun, Oct 25, 2009 at 10:10:08PM -0600, Jason Gerard DeRose wrote:
> How do I check whether the database entry for admin@EXAMPLE.COM has keys
> in it?

Check the user's entry in the directory server for 'krbPrincipalKey'
values.  The attribute isn't going to be world-readable, so you'll need
to search as the KDC or the directory manager, like this:

  ldapsearch -x -D "cn=Directory Manager" -W \
      -h ipaserverhostname -b cn=users,cn=accounts,dc=example,dc=com \
      krbPrincipalName=admin@EXAMPLE.COM krbPrincipalKey

>        Yes, I'm typing the password correctly, and I get the same error
> even when I deliberately type the wrong password.

Yup, the log confirms that the password isn't a factor here.

> The /var/log/krb5kdc.log file has this repeated over and over again:
> 
> Oct 25 21:59:21 fedora12.example.com krb5kdc[27434](info): preauth
> (timestamp) verify failure: No matching key in entry

If you can retrieve the 'krbPrincipalKey' value and pipe it through
something like 'openssl asn1parse' or 'derdump', we can check which
kinds of keys you have on file for that user.  A packet capture of the
traffic between the client and the server will show us which kind of key
the client is expecting the server to have.  Between those two, we
should be able to figure out where the problem is.

HTH,

Nalin
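A worked version of the check Nalin describes above, added here and not part of the original thread: it takes the LDIF that ldapsearch prints (the binary attribute comes out as a base64 `krbPrincipalKey::` value, folded across lines), decodes the DER and lists the enctypes of the keys on file, which is what one would otherwise read off 'openssl asn1parse' by hand. It assumes the KrbKeySet layout used by the MIT krb5 LDAP back end (explicitly tagged, as written in the module docstring), and the enctype numbers are the RFC 3961/3962/4757 values; the LDIF and key bytes at the bottom are a constructed sample, not data from the list.

```python
"""List the Kerberos enctypes stored in a krbPrincipalKey attribute value.

Added example (not from the original thread).  Assumed KrbKeySet layout,
MIT krb5 LDAP back end, explicit context tags:
  KrbKeySet     ::= SEQUENCE { [0] major-vno, [1] minor-vno, [2] kvno,
                               [3] mkvno OPTIONAL, [4] SEQUENCE OF KrbKey }
  KrbKey        ::= SEQUENCE { [0] salt OPTIONAL, [1] EncryptionKey,
                               [2] s2kparams OPTIONAL }
  EncryptionKey ::= SEQUENCE { [0] keytype INTEGER, [1] keyvalue OCTET STRING }
"""
import base64

# Enctype numbers from RFC 3961, RFC 3962 and RFC 4757.
ENCTYPE_NAMES = {1: "des-cbc-crc", 3: "des-cbc-md5", 16: "des3-cbc-sha1",
                 17: "aes128-cts-hmac-sha1-96", 18: "aes256-cts-hmac-sha1-96",
                 23: "rc4-hmac"}
SEQUENCE, INTEGER, OCTET_STRING = 0x30, 0x02, 0x04


def der_tlv(buf, pos=0):
    """Parse one DER element at pos; return (tag, value, end_offset)."""
    tag, length = buf[pos], buf[pos + 1]
    if tag & 0x1F == 0x1F:
        raise ValueError("high tag numbers are not used in KrbKeySet")
    pos += 2
    if length & 0x80:                     # long form: count of length octets
        count = length & 0x7F
        if count == 0 or count > 4:
            raise ValueError("indefinite or oversized length")
        length = int.from_bytes(buf[pos:pos + count], "big")
        pos += count
    end = pos + length
    if end > len(buf):
        raise ValueError("truncated DER element")
    return tag, buf[pos:end], end


def der_children(value):
    """Return [(tag, value), ...] for the elements inside a constructed one."""
    children, pos = [], 0
    while pos < len(value):
        tag, val, pos = der_tlv(value, pos)
        children.append((tag, val))
    return children


def context_fields(seq_value):
    """Map context tag number -> the element wrapped by that explicit tag."""
    fields = {}
    for tag, val in der_children(seq_value):
        if tag & 0xC0 == 0x80:            # class bits 10 = context-specific
            fields[tag & 0x1F] = der_tlv(val)[:2]
    return fields


def keytypes_from_keyset(der):
    """Return the keytype integers found in a DER-encoded KrbKeySet."""
    tag, body, end = der_tlv(der)
    if tag != SEQUENCE or end != len(der):
        raise ValueError("krbPrincipalKey is not a single SEQUENCE")
    keys_tag, keys_value = context_fields(body)[4]
    if keys_tag != SEQUENCE:
        raise ValueError("[4] keys is not a SEQUENCE OF")
    keytypes = []
    for tag, krbkey in der_children(keys_value):
        enc_tag, enckey = context_fields(krbkey)[1]    # [1] EncryptionKey
        kt_tag, kt_value = context_fields(enckey)[0]   # [0] keytype
        if tag != SEQUENCE or enc_tag != SEQUENCE or kt_tag != INTEGER:
            raise ValueError("unexpected KrbKey structure")
        keytypes.append(int.from_bytes(kt_value, "big", signed=True))
    return keytypes


def enctypes_from_ldif(ldif):
    """Name the enctypes in every krbPrincipalKey:: value of an LDIF dump.
    LDIF folds long lines with a leading space, so unfold them first."""
    names = []
    for line in ldif.replace("\n ", "").splitlines():
        if line.startswith("krbPrincipalKey:: "):
            der = base64.b64decode(line.split(":: ", 1)[1])
            names += [ENCTYPE_NAMES.get(k, f"enctype {k}")
                      for k in keytypes_from_keyset(der)]
    return names


# Constructed sample: a KrbKeySet holding an aes256 and an aes128 key.
def _tlv(tag, value):
    assert len(value) < 128, "sample encoder uses short-form lengths only"
    return bytes([tag, len(value)]) + value

def _int(n):
    return _tlv(INTEGER, n.to_bytes(n.bit_length() // 8 + 1, "big", signed=True))

def _ctx(n, inner):
    return _tlv(0xA0 | n, inner)

def _enc_key(keytype, keylen):   # key bytes are a placeholder, not a real key
    return _tlv(SEQUENCE, _ctx(0, _int(keytype))
                + _ctx(1, _tlv(OCTET_STRING, bytes(range(keylen)))))

SAMPLE_KEYSET = _tlv(SEQUENCE,
    _ctx(0, _int(1)) + _ctx(1, _int(1)) + _ctx(2, _int(1)) + _ctx(3, _int(1))
    + _ctx(4, _tlv(SEQUENCE, _tlv(SEQUENCE, _ctx(1, _enc_key(18, 32)))
                             + _tlv(SEQUENCE, _ctx(1, _enc_key(17, 16))))))

def _fold(line, width=76):       # fold the way ldapsearch prints LDIF
    parts, rest = [line[:width]], line[width:]
    while rest:
        parts.append(" " + rest[:width - 1])
        rest = rest[width - 1:]
    return "\n".join(parts)

SAMPLE_LDIF = ("dn: uid=admin,cn=users,cn=accounts,dc=example,dc=com\n"
               + _fold("krbPrincipalKey:: "
                       + base64.b64encode(SAMPLE_KEYSET).decode()) + "\n")

if __name__ == "__main__":
    print(enctypes_from_ldif(SAMPLE_LDIF))
```

Feed it the real ldapsearch output instead of SAMPLE_LDIF and compare the list it prints with the enctypes the client offers in the capture; a KDC that logs "No matching key in entry" has no key of the type the client's encrypted-timestamp preauth used, so the gap between the two lists is the thing to look at.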
