IPA and the Stuck Cache

Went to grab a krb ticket today, and this was a fun error to get. I checked all the usual timestamp things… nothing wrong there.

[yaleman@ipaserver 15:41 ~]$ kinit
Password for yaleman@IPA.REALM:
kinit: Clock skew too great while getting initial credentials

It wasn’t happening for anyone else, and it was working earlier, so that’s weird.

This was the error in the log files, which someone helpfully grabbed:

Dec 10 15:45:08 ipaserver.ipa.realm krb5kdc[7208](info): preauth (encrypted_timestamp) verify failure: Decrypt integrity check failed
Dec 10 15:45:08 ipaserver.ipa.realm krb5kdc[7208](info): AS_REQ (4 etypes {18 17 16 23}) 10.0.0.5: PREAUTH_FAILED: yaleman@IPA.REALM for krbtgt/IPA.REALM@IPA.REALM, Decrypt integrity check failed

I found a thread on the Kerberos mailing list about that error, which gave me some things to try.

[yaleman@ipaserver 16:10  ~]$ klist -5fea
Ticket cache: FILE:/tmp/krb5cc_1631400404
Default principal: yaleman@IPA.REALM

Valid starting     Expires            Service principal
12/09/20 15:01:57  12/09/20 23:35:22  krbtgt/IPA.REALM@IPA.REALM
    renew until 12/09/20 19:01:57, Flags: FRIA
    Etype (skey, tkt): aes256-cts-hmac-sha1-96, aes256-cts-hmac-sha1-96
    Addresses: (none)

OK, so I’ve got a ticket that’s been issued in the last hour or so; maybe that’s just broken? Let’s move it elsewhere and see what that does.

[yaleman@ipaserver 16:11 ~]$ ls -la /tmp/krb5cc_1631400404
-rw-------. 1 yaleman yaleman 754 Dec  9 15:01 /tmp/krb5cc_1631400404
[yaleman@ipaserver 16:11 ~]$ mv /tmp/krb5cc_1631400404{,1}

Welp, it’s gone…

[yaleman@ipaserver 16:11 ~]$ klist -5fea
klist: No credentials cache found (ticket cache FILE:/tmp/krb5cc_1631400404)

And… test…

[yaleman@ipaserver 16:11 ~]$ kinit
Password for yaleman@IPA.REALM:
[yaleman@ipaserver 16:11 ~]$ ssh anotherserver.ipa.realm

Success!

[yaleman@anotherserver.ipa.realm ~]$ # winning!

Cached tickets, who needs ’em?
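Here’s the same triage as a small POSIX sh script, added to this post as an example rather than anything from the original write-up: it reads the TGT expiry out of `klist` output, decides whether the cached ticket had already expired at a given time, and moves the cache file aside with a backup suffix (instead of deleting it) so it can be looked at later. The `klist` text and the “now” timestamp are constructed from the output shown above; the cache path in the demo is a temporary file, not a real credential cache.

```shell
#!/bin/sh
# Added example: triage a stale Kerberos FILE: credential cache.
# SAMPLE_KLIST is constructed from the klist -5fea output in the post.

SAMPLE_KLIST='Ticket cache: FILE:/tmp/krb5cc_1631400404
Default principal: yaleman@IPA.REALM

Valid starting     Expires            Service principal
12/09/20 15:01:57  12/09/20 23:35:22  krbtgt/IPA.REALM@IPA.REALM
    renew until 12/09/20 19:01:57, Flags: FRIA
    Etype (skey, tkt): aes256-cts-hmac-sha1-96, aes256-cts-hmac-sha1-96
    Addresses: (none)'

# Turn klist's default "MM/DD/YY HH:MM:SS" into a sortable YYMMDDHHMMSS
# number, so we can compare timestamps without relying on date -d (GNU only).
to_sortable() {
    echo "$1 $2" | awk -F'[/ :]' '{ printf "%s%s%s%s%s%s\n", $3, $1, $2, $4, $5, $6 }'
}

# Print the expiry of the krbtgt (TGT) entry in the given klist output,
# as a sortable timestamp. Prints nothing if there is no TGT line.
tgt_expiry() {
    printf '%s\n' "$1" | awk '/krbtgt\// { print $3, $4; exit }' | {
        read -r d t
        [ -n "$d" ] && to_sortable "$d" "$t"
    }
}

# tgt_is_stale KLIST_OUTPUT MM/DD/YY HH:MM:SS
# Returns 0 if the TGT in the cache had already expired at the given time
# (or there is no TGT at all), 1 if it was still within its lifetime.
tgt_is_stale() {
    exp=$(tgt_expiry "$1")
    [ -n "$exp" ] || return 0
    now=$(to_sortable "$2" "$3")
    [ "$exp" -lt "$now" ]
}

# set_aside_cache PATH
# Move a credential cache out of the way with a timestamped suffix rather
# than deleting it, so the broken cache is kept for inspection. Prints the
# backup path; fails if there is no cache file at PATH.
set_aside_cache() {
    cache="$1"
    [ -f "$cache" ] || { echo "no cache at $cache" >&2; return 1; }
    backup="${cache}.stale.$(date +%Y%m%d%H%M%S)"
    mv "$cache" "$backup" && printf '%s\n' "$backup"
}

# Demo: compare the constructed cache against the KDC log timestamp from
# the post (Dec 10 15:45:08). The cached TGT expired the evening before.
if tgt_is_stale "$SAMPLE_KLIST" 12/10/20 15:45:08; then
    echo "TGT in cache is expired; move the cache aside and kinit again"
fi
```

Run it against a live session with `klist -5fea` captured into a variable and the current time from `date '+%m/%d/%y %H:%M:%S'`; if `tgt_is_stale` says yes, `set_aside_cache` on the `FILE:` path from the `Ticket cache:` line is the scripted version of the `mv` above. `kdestroy` would also clear the cache, but moving the file keeps the evidence if you want to work out why the old ticket stopped being accepted.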

#kerberos #tickets #cache #linux #work #error