IPA and the Stuck Cache

Went to grab a krb ticket today, and this was a fun error to get. I checked all the usual timestamp things… nothing wrong there.

[[email protected] 15:41 ~]$ kinit
Password for [email protected]:
kinit: Clock skew too great while getting initial credentials

It wasn’t happening for anyone else, and it was working earlier, so that’s weird.

This was the error in the log files, which someone helpfully grabbed:

Dec 10 15:45:08 ipaserver.ipa.realm krb5kdc[7208](info): preauth (encrypted_timestamp) verify failure: Decrypt integrity check failed
Dec 10 15:45:08 ipaserver.ipa.realm krb5kdc[7208](info): AS_REQ (4 etypes {18 17 16 23}) PREAUTH_FAILED: [email protected] for krbtgt/[email protected], Decrypt integrity check failed

I found a thread on the Kerberos mailing list about that error, which gave me some things to try.

[[email protected] 16:10 ~]$ klist -5fea
Ticket cache: FILE:/tmp/krb5cc_1631400404
Default principal: [email protected]

Valid starting     Expires            Service principal
12/09/20 15:01:57  12/09/20 23:35:22  krbtgt/[email protected]
    renew until 12/09/20 19:01:57, Flags: FRIA
    Etype (skey, tkt): aes256-cts-hmac-sha1-96, aes256-cts-hmac-sha1-96
    Addresses: (none)

OK, so I’ve got a ticket that was issued in the last hour or so; maybe that’s just broken? Move it elsewhere to see what that does.

[[email protected] 16:11 ~]$ ls -la /tmp/krb5cc_1631400404
-rw-------. 1 yaleman yaleman 754 Dec  9 15:01 /tmp/krb5cc_1631400404
[[email protected] 16:11 ~]$ mv /tmp/krb5cc_1631400404{,1}

Welp, it’s gone…

[[email protected] 16:11 ~]$ klist -5fea
klist: No credentials cache found (ticket cache FILE:/tmp/krb5cc_1631400404)

And… test…

[[email protected] 16:11 ~]$ kinit
Password for [email protected]:
[[email protected] 16:11 ~]$ ssh anotherserver.ipa.realm


[[email protected] ~]$ # winning!

Cached tickets, who needs ‘em?
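To make that fix repeatable, here is an added example (not from the original post) that classifies the default credential cache from `klist -5fea` output in the format shown above and sets it aside when the TGT has already expired. It assumes GNU `date -d` for parsing klist’s MM/DD/YY HH:MM:SS timestamps and a FILE: cache at `$KRB5CCNAME` or `/tmp/krb5cc_<uid>`.

```bash
#!/usr/bin/env bash
# Added example: spot a stale Kerberos credential cache (the real cause behind
# the "Clock skew too great" above) and move it aside before retrying kinit.
# Assumes GNU date (-d) and MIT klist's MM/DD/YY HH:MM:SS timestamp format.

# ccache_state KLIST_OUTPUT NOW
#   Prints "none" when klist reports no cache, "expired" when the TGT's
#   Expires column is not after NOW, otherwise "valid". NOW is any string
#   GNU date -d accepts, e.g. "12/10/20 15:45:08" or "now".
ccache_state() {
    klist_out="$1"
    now_epoch=$(date -d "$2" +%s) || return 1
    if printf '%s\n' "$klist_out" | grep -q 'No credentials cache found'; then
        echo none
        return 0
    fi
    # Ticket rows start with the "Valid starting" timestamp; take the TGT row.
    tgt_row=$(printf '%s\n' "$klist_out" \
        | grep -E '^[0-9]{2}/[0-9]{2}/[0-9]{2} ' | grep 'krbtgt/' | head -n 1)
    if [ -z "$tgt_row" ]; then
        echo none
        return 0
    fi
    # Columns: start-date start-time expire-date expire-time service-principal
    expires=$(printf '%s\n' "$tgt_row" | awk '{print $3 " " $4}')
    expires_epoch=$(date -d "$expires" +%s) || return 1
    if [ "$expires_epoch" -le "$now_epoch" ]; then
        echo expired
    else
        echo valid
    fi
}

# sidestep_ccache CACHE_PATH
#   The `mv` from the post, but with a timestamp suffix so an old cache is
#   never overwritten and can still be inspected afterwards.
sidestep_ccache() {
    cache="$1"
    [ -f "$cache" ] || return 0   # no cache file: nothing to set aside
    mv -- "$cache" "$cache.stale.$(date +%Y%m%d%H%M%S)"
}

# On a real workstation: report the live cache and set it aside if expired;
# the next kinit then writes a fresh cache instead of reusing the stale one.
if command -v klist >/dev/null 2>&1; then
    cache_path="${KRB5CCNAME#FILE:}"
    cache_path="${cache_path:-/tmp/krb5cc_$(id -u)}"
    state=$(ccache_state "$(klist -5fea 2>&1)" now)
    echo "ccache $cache_path: $state"
    [ "$state" = expired ] && sidestep_ccache "$cache_path"
fi
```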

#kerberos #tickets #cache #linux #work #error