[Freeipa-users] kinit: Generic error (see e-text) while getting initial credentials

[Simo Sorce]

On Mon, 2012-02-13 at 10:39 +1100, Craig T wrote:
> Hi,
> 
> Server:
> RHEL6.2
> 
> 
> Spec:
> ipa-admintools-2.1.3-9.el6.x86_64
> ipa-client-2.1.3-9.el6.x86_64
> ipa-pki-ca-theme-9.0.3-7.el6.noarch
> ipa-pki-common-theme-9.0.3-7.el6.noarch
> ipa-python-2.1.3-9.el6.x86_64
> ipa-server-2.1.3-9.el6.x86_64
> ipa-server-selinux-2.1.3-9.el6.x86_64
> libipa_hbac-1.5.1-66.el6_2.3.x86_64
> libipa_hbac-python-1.5.1-66.el6_2.3.x86_64
> python-iniparse-0.3.1-2.1.el6.noarch
> 
> 
> Error:
> I had this working on Friday night, came in Monday and then this error appeared?
> 
> kinit -V craig
> Using default cache: /tmp/krb5cc_0
> Using principal: craig at EXAMPLE.COM
> kinit: Generic error (see e-text) while getting initial credentials
> 
> Server Side Error:  (File: /var/log/krb5kdc.log)
> Feb 13 10:36:04 sysvm-ipa krb5kdc[5590](info): AS_REQ (4 etypes {18 17 16 23}) 192.168.0.214: LOOKING_UP_CLIENT: craig at EXAMPLE.COM for krbtgt/EXAMPLE.COM at EXAMPLE.COM, unable to decode stored principal key data (ASN.1 encoding ended unexpectedly)
> 
> 
> Usual Questions:
> Should I simply reset the password? 

It seem like the only option to quickly recover access to your user.

> Is it a bug? 

It may be. Did you do anything special with this user ? Did this happen
immediately after a password change ? Or immediately after a FreeIPA or
krb5kdc upgrade ?
Can you give a little more context around this ?

Also could you ldapsearch this user entry before you change your
password using 'cn=Directory Manager' as user in order to retrieve the
key attribute and send the ldif to me in private ? I want to see if the
key blob at least looks normal (do not worry about your password, the
key material is itself encrypted).

> Anyone else seen this error?

Haven't seen any report, and haven't ever occurred in my testing.

Simo,

-- 
Simo Sorce * Red Hat, Inc * New York