[Freeipa-devel] Strange issue I keep hitting with invalid tickets

Michael Gregg mgregg at redhat.com
Wed Aug 1 18:50:10 UTC 2012


On 08/01/2012 07:37 AM, Simo Sorce wrote:
> On Tue, 2012-07-31 at 14:50 -0700, Michael Gregg wrote:
>> I am not sure why, but when I let my ipa machines sit around for a
>> while (overnight-24 hours) and then kinit, when I try to run IPA commands
>> I get output like this:
>>
>> [root at zippyvm12 ~]# ipa host-find
>> ipa: ERROR: Local error: SASL(-1): generic failure: GSSAPI Error:
>> Unspecified GSS failure.  Minor code may provide more information
>> (Ticket not yet valid)
>>
>> This issue seems to be addressed here:
>>
>> https://access.redhat.com/knowledge/solutions/133433
>>
>> It's strange, because when I kinit again, I seem to have valid
>> credentials, like here:
>>
>> [root at zippyvm12 ~]# klist
>> Ticket cache: FILE:/tmp/krb5cc_0
>> Default principal: admin at TESTRELM.COM
>> Valid starting     Expires            Service principal
>> 07/31/12 17:31:16  08/01/12 17:31:14  krbtgt/TESTRELM.COM at TESTRELM.COM
>> 07/31/12 17:32:39  08/01/12 17:31:14  HTTP/zippyvm12.testrelm.com at TESTRELM.COM
>>
>>
>> The workaround for me seems to be deleting /tmp/krb5*
>> Then, I kinit again, and it all starts to work again.
>>
>> My question is, why is this happening? Any ideas?
> On what distro/krb5 libs version?
>
> We fixed a bug where krb5 was badly using the timestamp in the cache and
> thus sometimes failing to properly set the clock skew in the request.
>
> You may be falling for the same bug (normally you'd see this with
> krb5-auth-dialog when it tried to renew tickets).
>
> Simo.
>
Distro is RHEL 6.3
krb5-libs-1.9-33.el6.x86_64

Was the fix included later than this version?

Michael-
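
As an added example (not part of the original thread, and not FreeIPA or krb5 code), the check below parses klist output in the layout quoted above and labels each ticket against a given clock reading: a start time more than the allowed skew ahead of the clock is the "Ticket not yet valid" condition. The two-digit-year date layout, the 300-second skew (the MIT krb5 default clockskew) and the EXAMPLE.TEST names are assumptions; the sample input is constructed.

```python
import re
import sys
from datetime import datetime, timedelta

# Constructed sample, same column layout as the klist output in the thread.
SAMPLE_KLIST = """\
Ticket cache: FILE:/tmp/krb5cc_0
Default principal: admin@EXAMPLE.TEST
Valid starting     Expires            Service principal
07/31/12 17:31:16  08/01/12 17:31:14  krbtgt/EXAMPLE.TEST@EXAMPLE.TEST
07/31/12 17:32:39  08/01/12 17:31:14  HTTP/host.example.test@EXAMPLE.TEST
"""

# Assumption: MM/DD/YY HH:MM:SS timestamps; other klist versions/locales differ.
TS = r"(\d{2}/\d{2}/\d{2} \d{2}:\d{2}:\d{2})"
TICKET_RE = re.compile(rf"^{TS}\s+{TS}\s+(\S+)$")
TIME_FMT = "%m/%d/%y %H:%M:%S"
MAX_SKEW = timedelta(seconds=300)  # assumed: MIT krb5 default clockskew

def parse_klist(text):
    """Return (start, end, service) for every ticket line in klist output."""
    tickets = []
    for line in text.splitlines():
        m = TICKET_RE.match(line.strip())
        if m:
            start, end = (datetime.strptime(g, TIME_FMT) for g in m.group(1, 2))
            tickets.append((start, end, m.group(3)))
    return tickets

def classify(tickets, now, skew=MAX_SKEW):
    """Label each ticket as seen by a clock reading `now` (local time, as klist prints)."""
    result = {}
    for start, end, service in tickets:
        if start - now > skew:      # starts too far in the future
            result[service] = "not yet valid"
        elif now - end > skew:      # ended too long ago
            result[service] = "expired"
        else:
            result[service] = "valid"
    return result

if __name__ == "__main__":
    text = SAMPLE_KLIST if sys.stdin.isatty() else sys.stdin.read()
    for service, state in classify(parse_klist(text), datetime.now()).items():
        print(f"{state:14} {service}")
```

Piping real `klist` output into the script compares the cached tickets with the local clock; a "not yet valid" result right after a fresh kinit points at the clock or a stale cache rather than at the KDC.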



