John Louis via FreeIPA-users <freeipa-users(a)lists.fedorahosted.org>
writes:
> Thanks so much.
> /var/log/krb5kdc.log only contains the following few kinds of lines, not
> necessarily in chronological order, and they repeat many times, so I
> just copied one line for each kind, but keep in mind each of them
> repeated many times:
It would have been more helpful if you had posted the logfile on a
pastebin somewhere.
> krb5kdc: Invalid message type - while dispatching (udp)
You said this was all on one machine, right? Is it perhaps network exposed?
> Jan 07 02:01:33 krb5kdc[2121](info): preauth (encrypted_timestamp) verify failure: Preauthentication failed
> Jan 07 02:01:33 krb5kdc[2121](info): AS_REQ (8 etypes {18 17 20 19 16 23 25 26}) 127.0.0.1: PREAUTH_FAILED: host/ipa.host.name@REALM for krbtgt/REALM@REALM, Preauthentication failed
> Jan 02 20:47:04 krb5kdc[2120](info): AS_REQ (8 etypes {18 17 20 19 16 23 25 26}) 127.0.0.1: CLIENT_NOT_FOUND: list@REALM for krbtgt/REALM@REALM, Client not found in Kerberos database
> Jan 02 20:47:33 krb5kdc[2120](info): AS_REQ (8 etypes {18 17 20 19 16 23 25 26}) 127.0.0.1: CLIENT_NOT_FOUND: root@REALM for krbtgt/REALM@REALM, Client not found in Kerberos database
> Jan 06 04:16:55 krb5kdc[2121](Error): TCP client 1.3.5.17.56660 wants 1195725856 bytes, cap is 1048572
That's an enormous request...
> Jan 07 01:31:42 krb5kdc[2120](info): AS_REQ (8 etypes {18 17 20 19 16 23 25 26}) 127.0.0.1: NEEDED_PREAUTH: admin@REALM for krbtgt/REALM@REALM, Additional pre-authentication required
> Jan 08 04:23:49 krb5kdc[2121](info): AS_REQ (8 etypes {18 17 16 23 25 26 20 19}) 127.0.0.1: NEEDED_PREAUTH: host/ipa.host.name@REALM for krbtgt/REALM@REALM, Additional pre-authentication required
> Jan 08 09:08:49 krb5kdc[2121](info): AS_REQ (8 etypes {18 17 16 23 25 26 20 19}) 127.0.0.1: ISSUE: authtime 1578492529, etypes {rep=18 tkt=18 ses=18}, host/ipa.host.name@REALM for krbtgt/REALM@REALM
> Jan 08 09:08:49 krb5kdc[2120](info): TGS_REQ (8 etypes {18 17 20 19 16 23 25 26}) 127.0.0.1: ISSUE: authtime 1578492529, etypes {rep=18 tkt=18 ses=18}, host/ipa.host.name@REALM for ldap/ipa.host.name@REALM
I'd check the kvno on all principals against what's in their keytabs.
If that's not illuminating, we may need to look for data problems in
LDAP (which hopefully someone else can explain).
Thanks,
--Robbie
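The krb5kdc.log lines quoted in this thread have a fixed shape, so the two checks Robbie raises (which principals fail how often, and whether the "enormous" TCP request points to the KDC being reachable from somewhere it should not be) can be scripted. The script below is an added example written for this thread, not code from the poster or from FreeIPA or MIT Kerberos; the sample log it embeds is constructed from the quoted lines (one of each kind, joined onto single lines), and the regexes are assumptions about the log format based only on those lines. One detail it relies on: Kerberos over TCP (RFC 4120, section 7.2.2) prefixes every message with a 4-byte big-endian length, so when a non-Kerberos client connects to port 88 the KDC reads the first four bytes it sends as that length. 1195725856 is 0x47455420, which is the ASCII for "GET ", i.e. something sent an HTTP request to the KDC's TCP port, which fits the "network exposed" question.

```python
import re
import struct
import sys
from collections import Counter
from typing import Dict, Optional, Tuple

# Constructed sample: one line of each kind quoted in the thread, reflowed
# onto single lines. Not the poster's real log file.
SAMPLE_LOG = """\
Jan 07 02:01:33 krb5kdc[2121](info): preauth (encrypted_timestamp) verify failure: Preauthentication failed
Jan 07 02:01:33 krb5kdc[2121](info): AS_REQ (8 etypes {18 17 20 19 16 23 25 26}) 127.0.0.1: PREAUTH_FAILED: host/ipa.host.name@REALM for krbtgt/REALM@REALM, Preauthentication failed
Jan 02 20:47:04 krb5kdc[2120](info): AS_REQ (8 etypes {18 17 20 19 16 23 25 26}) 127.0.0.1: CLIENT_NOT_FOUND: list@REALM for krbtgt/REALM@REALM, Client not found in Kerberos database
Jan 02 20:47:33 krb5kdc[2120](info): AS_REQ (8 etypes {18 17 20 19 16 23 25 26}) 127.0.0.1: CLIENT_NOT_FOUND: root@REALM for krbtgt/REALM@REALM, Client not found in Kerberos database
Jan 06 04:16:55 krb5kdc[2121](Error): TCP client 1.3.5.17.56660 wants 1195725856 bytes, cap is 1048572
Jan 07 01:31:42 krb5kdc[2120](info): AS_REQ (8 etypes {18 17 20 19 16 23 25 26}) 127.0.0.1: NEEDED_PREAUTH: admin@REALM for krbtgt/REALM@REALM, Additional pre-authentication required
Jan 08 09:08:49 krb5kdc[2121](info): AS_REQ (8 etypes {18 17 16 23 25 26 20 19}) 127.0.0.1: ISSUE: authtime 1578492529, etypes {rep=18 tkt=18 ses=18}, host/ipa.host.name@REALM for krbtgt/REALM@REALM
Jan 08 09:08:49 krb5kdc[2120](info): TGS_REQ (8 etypes {18 17 20 19 16 23 25 26}) 127.0.0.1: ISSUE: authtime 1578492529, etypes {rep=18 tkt=18 ses=18}, host/ipa.host.name@REALM for ldap/ipa.host.name@REALM
"""

# Assumed line shapes, derived only from the lines quoted in the thread.
HEADER = r"^(?P<ts>\w{3} \d{2} \d{2}:\d{2}:\d{2}) krb5kdc\[(?P<pid>\d+)\]\((?P<level>\w+)\): "
REQ_RE = re.compile(
    HEADER
    + r"(?P<req>AS_REQ|TGS_REQ) \(\d+ etypes \{(?P<etypes>[^}]*)\}\) "
    + r"(?P<addr>\S+): (?P<status>[A-Z_]+): (?P<rest>.*)$"
)
PRINC_RE = re.compile(r"(?P<client>\S+@\S+) for (?P<server>\S+@\S+?)(?:,|$)")
TCP_RE = re.compile(
    HEADER + r"TCP client (?P<peer>\S+) wants (?P<want>\d+) bytes, cap is (?P<cap>\d+)$"
)


def decode_length_prefix(want: int) -> Tuple[str, bool]:
    """Reinterpret the 4-byte big-endian TCP length prefix as the raw bytes
    the peer actually sent. Returns (text or hex, looks_like_printable_ascii)."""
    raw = struct.pack(">I", want & 0xFFFFFFFF)
    printable = all(0x20 <= b < 0x7F for b in raw)
    return (raw.decode("ascii") if printable else raw.hex(), printable)


def parse_line(line: str) -> Optional[Dict]:
    """Parse one krb5kdc.log line into a dict, or None if the shape is unknown."""
    m = REQ_RE.match(line)
    if m:
        rec = m.groupdict()
        p = PRINC_RE.search(rec["rest"])
        rec["client"] = p.group("client") if p else None
        rec["server"] = p.group("server") if p else None
        rec["kind"] = "request"
        return rec
    m = TCP_RE.match(line)
    if m:
        rec = m.groupdict()
        rec["want"], rec["cap"] = int(rec["want"]), int(rec["cap"])
        # The peer is logged as IP.port; split on the last dot.
        rec["peer_ip"], rec["peer_port"] = rec["peer"].rsplit(".", 1)
        rec["kind"] = "tcp_oversize"
        return rec
    return None


def triage(log_text: str) -> Dict:
    """Summarise request outcomes per client principal, note whether every
    AS/TGS request came over loopback, and decode oversized TCP requests."""
    status_by_client: Counter = Counter()
    loopback_only = True
    oversize = []
    unparsed = 0
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            unparsed += 1
        elif rec["kind"] == "request":
            status_by_client[(rec["client"], rec["status"])] += 1
            if not rec["addr"].startswith("127."):
                loopback_only = False
        else:
            prefix, is_text = decode_length_prefix(rec["want"])
            oversize.append({"peer_ip": rec["peer_ip"], "peer_port": rec["peer_port"],
                             "want": rec["want"], "prefix": prefix, "looks_like_text": is_text})
    return {"status_by_client": status_by_client, "requests_loopback_only": loopback_only,
            "oversize": oversize, "unparsed": unparsed}


if __name__ == "__main__":
    # Pass a path to a real krb5kdc.log; with no argument the constructed sample is used.
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_LOG
    result = triage(text)
    for (client, status), n in sorted(result["status_by_client"].items(), key=lambda kv: -kv[1]):
        print(f"{n:6d}  {status:16s} {client}")
    for o in result["oversize"]:
        print(f"oversize TCP request from {o['peer_ip']}:{o['peer_port']}: "
              f"length prefix {o['want']} = {o['prefix']!r} (printable: {o['looks_like_text']})")
    print(f"all AS/TGS requests from loopback: {result['requests_loopback_only']}; "
          f"unparsed lines: {result['unparsed']}")
```

On the sample, every AS_REQ/TGS_REQ comes from 127.0.0.1 while the oversized TCP request comes from a non-loopback peer, and its length prefix decodes to "GET "; on a real file the counts per (principal, status) pair show which principal's PREAUTH_FAILED entries dominate, which is the one whose keytab kvno is worth comparing first.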