I changed the permissions to world readable to test, afterward I changed it back to be readable only by the owner. The problem then reappeared. [rkelly@replicahostname ~]$ ls -lZa| grep krb -r-------- root root ? krb5cc_0 -r-------- xs05144 xs05144 ? krb5cc_1599000020_u5RRhd -r-------- rkelly rkelly ? krb5cc_1599100000_CUkupo -r-------- rkelly rkelly ? krb5cc_1599100000_ZekyY0 -r-------- apache apache ? krb5cc_48 [rkelly@replicahostname ~]$ od /tmp/krb5cc_1599100000_CUkupo od: /tmp/krb5cc_1599100000_CUkupo: Permission denied Thank You, Rashard Kelly SITA Senior Linux Specialist From: Sumit Bose <sbose@redhat.com> To: Rashard.Kelly@sita.aero Cc: Alexander Bokovoy <abokovoy@redhat.com>, freeipa-users@redhat.com Date: 04/11/2014 09:54 AM Subject: Re: [Freeipa-users] ipa: ERROR: did not receive Kerberos credentials <hr noshade> <tt>On Fri, Apr 11, 2014 at 09:42:41AM -0400, Rashard.Kelly@sita.aero wrote: > [root@replicahostname ~]# sestatus > SELinux status: disabled > [root@replicahostname ~]# audit2why -b -w -t avc > [root@replicahostname ~]# > > > Nothing in the audit log after audit2why came back either. That's odd. Can you read the file with od? od /tmp/krb5cc_1599100000_CUkupo don't send the output just check if it is readable of if od returns an error as well? Are there any odd filesystem permission on your klist binary like s-bit set? ls -alZ $(which klist) (her you can send the output :-) bye, Sumit > > > Thank You, > Rashard Kelly > > > > From: Alexander Bokovoy <abokovoy@redhat.com> > To: Rashard.Kelly@sita.aero > Cc: Sumit Bose <sbose@redhat.com>, freeipa-users@redhat.com > Date: 04/11/2014 09:06 AM > Subject: Re: [Freeipa-users] ipa: ERROR: did not receive Kerberos > credentials > > > > On Fri, 11 Apr 2014, Rashard.Kelly@sita.aero wrote: > >futex(0x7f0e2e1462c0, FUTEX_WAKE_PRIVATE, 2147483647) = 0 > >open("/tmp/krb5cc_1599100000_CUkupo", O_RDONLY) = -1 EACCES (Permission > >denied) > > Are you sure you don't have SELinux really running and enabled? > > Because the following output makes me really worry: > >> [root@replicahostname /tmp]# ll -Za > >> drwxrwxrwt. root root system_u:object_r:tmp_t:s0 . > >> dr-xr-xr-x. root root system_u:object_r:root_t:s0 .. > >> -rw------- rkelly rkelly ? .bash_history > >> drwxrwxrwt root root ? .ICE-unix > >> drwxrwxr-x rkelly rkelly ? .ipa > >> -r-------- root root ? krb5cc_0 > >> -r-------- xs05144 xs05144 ? krb5cc_1599000020_u5RRhd > >> -r-------- rkelly rkelly ? krb5cc_1599100000_CUkupo > >> -r-------- rkelly rkelly ? krb5cc_1599100000_ZekyY0 > These rkelly:rkelly krb5cc_* files have no SELinux label and should be > readable to the owner. > > Can you show: > > [root] # sestatus > [root] # audit2why -b -w -t avc > > > -- > / Alexander Bokovoy > > > This document is strictly confidential and intended only for use by the > addressee unless otherwise stated. If you are not the intended recipient, > please notify the sender immediately and delete it from your system. > See you at 2014 Air Transport IT Summit, 17-19 June 2014 > > Click here to register </tt><a href=http://www.sitasummit.aero/><tt>http://www.sitasummit.aero</tt></a><tt> > > </tt> This document is strictly confidential and intended only for use by the addressee unless otherwise stated. If you are not the intended recipient, please notify the sender immediately and delete it from your system. See you at 2014 Air Transport IT Summit, 17-19 June 2014 Click here to register http://www.sitasummit.aero