[Freeipa-devel] Strange issue I keep hitting with invalid tickets

Simo Sorce simo at redhat.com
Thu Aug 2 12:56:31 UTC 2012


On Wed, 2012-08-01 at 11:50 -0700, Michael Gregg wrote:
> On 08/01/2012 07:37 AM, Simo Sorce wrote:
> > On Tue, 2012-07-31 at 14:50 -0700, Michael Gregg wrote:
> >> I am not sure why, but when I let my ipa machines sit around for a
> >> while (overnight-24 hours) and then kinit, I get output like this
> >> when I try to run IPA commands:
> >>
> >> [root at zippyvm12 ~]# ipa host-find
> >> ipa: ERROR: Local error: SASL(-1): generic failure: GSSAPI Error:
> >> Unspecified GSS failure.  Minor code may provide more information
> >> (Ticket not yet valid)
> >>
> >> This issue seems to be addressed here:
> >>
> >> https://access.redhat.com/knowledge/solutions/133433
> >>
> >> It's strange, because when I kinit again, I seem to have valid
> >> credentials, like here:
> >>
> >> [root at zippyvm12 ~]# klist
> >> Ticket cache: FILE:/tmp/krb5cc_0
> >> Default principal: admin at TESTRELM.COM
> >> Valid starting     Expires            Service principal
> >> 07/31/12 17:31:16  08/01/12 17:31:14  krbtgt/TESTRELM.COM at TESTRELM.COM
> >> 07/31/12 17:32:39  08/01/12 17:31:14  HTTP/zippyvm12.testrelm.com at TESTRELM.COM
> >>
> >>
> >> The workaround for me seems to be deleting /tmp/krb5*
> >> Then, I kinit again, and it all starts to work again.
> >>
> >> My question is, why is this happening? Any ideas?
> > On what distro/krb5 libs version ?
> >
> > We fixed a bug where krb5 was badly using the timestamp in the cache and
> > thus sometimes failing to properly set the clock skew in the request.
> >
> > You may be falling for the same bug (normally you'd see this with
> > krb5-auth-dialog when it tried to renew tickets).
> >
> > Simo.
> >
> distro is rhel6.3
> krb5-libs-1.9-33.el6.x86_64
> 
> Was the fix included later than this version?
> 
> Michael-
> 

This is the bug I am thinking of:
https://bugzilla.redhat.com/show_bug.cgi?id=773496

Apparently it is scheduled for 6.4, and not yet fixed in 6.3.

Simo.

-- 
Simo Sorce * Red Hat, Inc * New York
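
Added example, not part of the original message or of krb5: a small diagnostic that parses klist output in the format quoted above and reports which tickets a given clock would treat as "not yet valid" or expired. It assumes the MIT krb5 default clockskew of 300 seconds; the sample cache contents and the function names are constructed for illustration, and it only checks timestamps, it does not reproduce the cache timestamp bug itself.

```python
from datetime import datetime, timedelta

CLOCKSKEW = timedelta(seconds=300)   # MIT krb5 default clockskew (5 minutes)
FMT = "%m/%d/%y %H:%M:%S"            # date format used in the klist output above

# Constructed sample modelled on the klist output quoted in the thread;
# the realm and host names are placeholders.
SAMPLE_KLIST = """\
Ticket cache: FILE:/tmp/krb5cc_0
Default principal: admin@EXAMPLE.TEST
Valid starting     Expires            Service principal
07/31/12 17:31:16  08/01/12 17:31:14  krbtgt/EXAMPLE.TEST@EXAMPLE.TEST
07/31/12 17:32:39  08/01/12 17:31:14
HTTP/host.example.test@EXAMPLE.TEST
"""

def parse_klist(text):
    """Return [(start, end, principal)], joining entries wrapped onto two lines."""
    tickets, pending = [], None
    for line in text.splitlines():
        fields = line.split()
        if pending is not None and fields:
            tickets.append((*pending, fields[0]))   # principal on its own line
            pending = None
            continue
        try:
            start = datetime.strptime(" ".join(fields[0:2]), FMT)
            end = datetime.strptime(" ".join(fields[2:4]), FMT)
        except ValueError:
            continue                                 # header or blank line
        if len(fields) > 4:
            tickets.append((start, end, fields[4]))
        else:
            pending = (start, end)
    return tickets

def classify(start, end, now, skew=CLOCKSKEW):
    """Apply the start/end time checks with the allowed clock skew."""
    if start - now > skew:
        return "not yet valid"
    if now - end > skew:
        return "expired"
    return "valid"

def check(text, now):
    """`now` is a naive datetime in the same local zone klist printed."""
    return [(p, classify(s, e, now)) for s, e, p in parse_klist(text)]

if __name__ == "__main__":
    for principal, state in check(SAMPLE_KLIST, datetime(2012, 7, 31, 17, 27, 0)):
        print(f"{state:14} {principal}")
```

Running it against real `klist` output with the clock of each host involved (client, KDC, service) shows which side sees the start time as more than the skew in the future.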



