[Freeipa-users] kinit: Generic error (see e-text) while getting initial credentials

Rob Crittenden rcritten at redhat.com
Tue Feb 14 21:54:51 UTC 2012 

Simo Sorce wrote:
> On Mon, 2012-02-13 at 10:39 +1100, Craig T wrote:
>> Hi,
>>
>> Server:
>> RHEL6.2
>>
>>
>> Spec:
>> ipa-admintools-2.1.3-9.el6.x86_64
>> ipa-client-2.1.3-9.el6.x86_64
>> ipa-pki-ca-theme-9.0.3-7.el6.noarch
>> ipa-pki-common-theme-9.0.3-7.el6.noarch
>> ipa-python-2.1.3-9.el6.x86_64
>> ipa-server-2.1.3-9.el6.x86_64
>> ipa-server-selinux-2.1.3-9.el6.x86_64
>> libipa_hbac-1.5.1-66.el6_2.3.x86_64
>> libipa_hbac-python-1.5.1-66.el6_2.3.x86_64
>> python-iniparse-0.3.1-2.1.el6.noarch
>>
>>
>> Error:
>> I had this working on Friday night, came in Monday and then this error appeared?
>>
>> kinit -V craig
>> Using default cache: /tmp/krb5cc_0
>> Using principal: craig at EXAMPLE.COM
>> kinit: Generic error (see e-text) while getting initial credentials
>>
>> Server Side Error:  (File: /var/log/krb5kdc.log)
>> Feb 13 10:36:04 sysvm-ipa krb5kdc[5590](info): AS_REQ (4 etypes {18 17 16 23}) 192.168.0.214: LOOKING_UP_CLIENT: craig at EXAMPLE.COM for krbtgt/EXAMPLE.COM at EXAMPLE.COM, unable to decode stored principal key data (ASN.1 encoding ended unexpectedly)
>>
>>
>> Usual Questions:
>> Should I simply reset the password?
>
> It seem like the only option to quickly recover access to your user.
>
>> Is it a bug?
>
> It may be. Did you do anything special with this user ? Did this happen
> immediately after a password change ? Or immediately after a FreeIPA or
> krb5kdc upgrade ?
> Can you give a little more context around this ?
>
> Also could you ldapsearch this user entry before you change your
> password using 'cn=Directory Manager' as user in order to retrieve the
> key attribute and send the ldif to me in private ? I want to see if the
> key blob at least looks normal (do not worry about your password, the
> key material is itself encrypted).

It might also be handy to see who last updated this entry before you 
reset the password (if it isn't too late): modifyTimestamp lastModifiedBy

>
>> Anyone else seen this error?
>
> Haven't seen any report, and haven't ever occurred in my testing.
>
> Simo,
>

More information about the Freeipa-users mailing list