<div dir="ltr"><div><div>Help?<br><br></div>Best regards.<br><br></div>Bahan<br></div><div class="gmail_extra"><br><div class="gmail_quote">On Tue, Oct 25, 2016 at 1:00 PM, bahan w <span dir="ltr"><<a href="mailto:bahanw042014@gmail.com" target="_blank">bahanw042014@gmail.com</a>></span> wrote:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><div dir="ltr"><div><div><div>Re.<br><br></div>There is no time difference between client and server.<br><br></div><div>I checked the httpd error log and saw no errors.<br>Same with the dirsrv error logs.<br></div><div><br></div><div>Any other idea?<br><br></div><div>By looking at the log, I'm wondering if this is a question of session?<br><br></div><div>See there:<br></div><div>###<span class=""><br>ipa: DEBUG: args=keyctl pipe 44063864<br>ipa: DEBUG: stdout=ipa_session=26a7252e4853374fc7439eae5926c584; Domain=<ipa-host>; Path=/ipa; Expires=Tue, 25 Oct 2016 08:15:09 GMT; Secure; HttpOnly<br>ipa: DEBUG: stderr=<br>ipa: DEBUG: found session_cookie in persistent storage for principal '<myuser>@<myrealm>', cookie: 'ipa_session=26a7252e4853374fc7439eae5926c584; Domain=<ipa-host>; Path=/ipa; Expires=Tue, 25 Oct 2016 08:15:09 GMT; Secure; HttpOnly'<br>ipa: DEBUG: setting session_cookie into context 'ipa_session=26a7252e4853374fc7439eae5926c584;'<br></span>###<br></div><div><br></div><div>At that time, it was not yet expired, but there were only a few minutes left before expiration (something like 10 minutes).<br></div><div>What is this persistent storage which is mentioned in the logs? 
<br></div><div><br></div>Best regards.<span class="HOEnZb"><font color="#888888"><br><br></font></span></div><span class="HOEnZb"><font color="#888888">Bahan<br><div><div><br><br></div></div></font></span></div><div class="HOEnZb"><div class="h5"><div class="gmail_extra"><br><div class="gmail_quote">On Tue, Oct 25, 2016 at 12:18 PM, Martin Babinsky <span dir="ltr"><<a href="mailto:mbabinsk@redhat.com" target="_blank">mbabinsk@redhat.com</a>></span> wrote:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><div class="m_-664424793101005599HOEnZb"><div class="m_-664424793101005599h5">On 10/25/2016 10:27 AM, bahan w wrote:<br>
</div></div><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><div><div class="m_-664424793101005599h5">
Hello everyone!<br>
<br>
I have an ipa server and an ipa client both in 3.0.0-47.<br>
<br>
In order to connect via SSH to the host of the ipa-client, I use root.<br>
When I'm connected to the ipa-client via ssh being root, I do a kinit of<br>
a user with a keytab:<br>
###<br>
kinit -kt /etc/security/keytabs/<myuser>.headless.keytab <myuser><br>
###<br>
<br>
And sometimes, once I have the TGT, when I just do an ipa user-show, I<br>
get the following error:<br>
###<br>
ipa: ERROR: Insufficient access: SASL(-1): generic failure: GSSAPI<br>
Error: Unspecified GSS failure.  Minor code may provide more information<br>
(Ticket expired)<br>
###<br>
<br>
When I check the ticket, it is not expired:<br>
###<br>
# klist<br>
Ticket cache: FILE:/tmp/krb5cc_root_<myuser><br>
Default principal: <myuser>@<myrealm><br>
<br>
Valid starting     Expires            Service principal<br>
10/25/16 10:00:44  10/26/16 10:00:44  krbtgt/<myrealm>@<myrealm><br>
###<br>
<br>
Do you know where this can come from and how I can solve this error, please?<br>
<br>
Here is more information with the debug option:<br>
###<br>
ipa -d user-show <myuser2><br>
###<br>
<br>
Result :<br>
###<br>
ipa: DEBUG: importing all plugin modules in<br>
'/usr/lib/python2.6/site-packages/ipalib/plugins'...<br>
ipa: DEBUG: importing plugin module<br>
'/usr/lib/python2.6/site-packages/ipalib/plugins/aci.py'<br>
ipa: DEBUG: importing plugin module<br>
'/usr/lib/python2.6/site-packages/ipalib/plugins/automember.py'<br>
ipa: DEBUG: importing plugin module<br>
'/usr/lib/python2.6/site-packages/ipalib/plugins/automount.py'<br>
ipa: DEBUG: importing plugin module<br>
'/usr/lib/python2.6/site-packages/ipalib/plugins/baseldap.py'<br>
ipa: DEBUG: importing plugin module<br>
'/usr/lib/python2.6/site-packages/ipalib/plugins/batch.py'<br>
ipa: DEBUG: importing plugin module<br>
'/usr/lib/python2.6/site-packages/ipalib/plugins/cert.py'<br>
ipa: DEBUG: importing plugin module<br>
'/usr/lib/python2.6/site-packages/ipalib/plugins/config.py'<br>
ipa: DEBUG: importing plugin module<br>
'/usr/lib/python2.6/site-packages/ipalib/plugins/delegation.py'<br>
ipa: DEBUG: importing plugin module<br>
'/usr/lib/python2.6/site-packages/ipalib/plugins/dns.py'<br>
ipa: DEBUG: importing plugin module<br>
'/usr/lib/python2.6/site-packages/ipalib/plugins/group.py'<br>
ipa: DEBUG: importing plugin module<br>
'/usr/lib/python2.6/site-packages/ipalib/plugins/hbacrule.py'<br>
ipa: DEBUG: importing plugin module<br>
'/usr/lib/python2.6/site-packages/ipalib/plugins/hbacsvc.py'<br>
ipa: DEBUG: importing plugin module<br>
'/usr/lib/python2.6/site-packages/ipalib/plugins/hbacsvcgroup.py'<br>
ipa: DEBUG: importing plugin module<br>
'/usr/lib/python2.6/site-packages/ipalib/plugins/hbactest.py'<br>
ipa: DEBUG: importing plugin module<br>
'/usr/lib/python2.6/site-packages/ipalib/plugins/host.py'<br>
ipa: DEBUG: importing plugin module<br>
'/usr/lib/python2.6/site-packages/ipalib/plugins/hostgroup.py'<br>
ipa: DEBUG: importing plugin module<br>
'/usr/lib/python2.6/site-packages/ipalib/plugins/idrange.py'<br>
ipa: DEBUG: importing plugin module<br>
'/usr/lib/python2.6/site-packages/ipalib/plugins/internal.py'<br>
ipa: DEBUG: importing plugin module<br>
'/usr/lib/python2.6/site-packages/ipalib/plugins/kerberos.py'<br>
ipa: DEBUG: importing plugin module<br>
'/usr/lib/python2.6/site-packages/ipalib/plugins/krbtpolicy.py'<br>
ipa: DEBUG: importing plugin module<br>
'/usr/lib/python2.6/site-packages/ipalib/plugins/migration.py'<br>
ipa: DEBUG: importing plugin module<br>
'/usr/lib/python2.6/site-packages/ipalib/plugins/misc.py'<br>
ipa: DEBUG: importing plugin module<br>
'/usr/lib/python2.6/site-packages/ipalib/plugins/netgroup.py'<br>
ipa: DEBUG: importing plugin module<br>
'/usr/lib/python2.6/site-packages/ipalib/plugins/passwd.py'<br>
ipa: DEBUG: importing plugin module<br>
'/usr/lib/python2.6/site-packages/ipalib/plugins/permission.py'<br>
ipa: DEBUG: importing plugin module<br>
'/usr/lib/python2.6/site-packages/ipalib/plugins/ping.py'<br>
ipa: DEBUG: importing plugin module<br>
'/usr/lib/python2.6/site-packages/ipalib/plugins/privilege.py'<br>
ipa: DEBUG: importing plugin module<br>
'/usr/lib/python2.6/site-packages/ipalib/plugins/pwpolicy.py'<br>
ipa: DEBUG: args=klist -V<br>
ipa: DEBUG: stdout=Kerberos 5 version 1.10.3<br>
<br>
ipa: DEBUG: stderr=<br>
ipa: DEBUG: importing plugin module<br>
'/usr/lib/python2.6/site-packages/ipalib/plugins/role.py'<br>
ipa: DEBUG: importing plugin module<br>
'/usr/lib/python2.6/site-packages/ipalib/plugins/selfservice.py'<br>
ipa: DEBUG: importing plugin module<br>
'/usr/lib/python2.6/site-packages/ipalib/plugins/selinuxusermap.py'<br>
ipa: DEBUG: importing plugin module<br>
'/usr/lib/python2.6/site-packages/ipalib/plugins/service.py'<br>
ipa: DEBUG: importing plugin module<br>
'/usr/lib/python2.6/site-packages/ipalib/plugins/sudocmd.py'<br>
ipa: DEBUG: importing plugin module<br>
'/usr/lib/python2.6/site-packages/ipalib/plugins/sudocmdgroup.py'<br>
ipa: DEBUG: importing plugin module<br>
'/usr/lib/python2.6/site-packages/ipalib/plugins/sudorule.py'<br>
ipa: DEBUG: importing plugin module<br>
'/usr/lib/python2.6/site-packages/ipalib/plugins/trust.py'<br>
ipa: DEBUG: importing plugin module<br>
'/usr/lib/python2.6/site-packages/ipalib/plugins/user.py'<br>
ipa: DEBUG: importing plugin module<br>
'/usr/lib/python2.6/site-packages/ipalib/plugins/virtual.py'<br>
ipa: DEBUG: importing plugin module<br>
'/usr/lib/python2.6/site-packages/ipalib/plugins/xmlclient.py'<br>
ipa: DEBUG: args=keyctl search @s user ipa_session_cookie:<myuser>@<myrealm><br>
ipa: DEBUG: stdout=44063864<br>
<br>
ipa: DEBUG: stderr=<br>
ipa: DEBUG: args=keyctl pipe 44063864<br>
ipa: DEBUG: stdout=ipa_session=26a7252e4853374fc7439eae5926c584;<br>
Domain=<ipa-host>; Path=/ipa; Expires=Tue, 25 Oct 2016 08:15:09 GMT;<br>
Secure; HttpOnly<br>
ipa: DEBUG: stderr=<br>
ipa: DEBUG: found session_cookie in persistent storage for principal<br>
'<myuser>@<myrealm>', cookie:<br>
'ipa_session=26a7252e4853374fc7439eae5926c584; Domain=<ipa-host>;<br>
Path=/ipa; Expires=Tue, 25 Oct 2016 08:15:09 GMT; Secure; HttpOnly'<br>
ipa: DEBUG: setting session_cookie into context<br>
'ipa_session=26a7252e4853374fc7439eae5926c584;'<br>
ipa: INFO: trying https://<ipa-host>/ipa/session/xml<br>
ipa: DEBUG: Created connection context.xmlclient<br>
ipa: DEBUG: raw: user_show(u'<myuser2>', rights=False, all=False,<br>
raw=False, version=u'2.49', no_members=False)<br>
ipa: DEBUG: user_show(u'<myuser2>', rights=False, all=False, raw=False,<br>
version=u'2.49', no_members=False)<br>
ipa: INFO: Forwarding 'user_show' to server<br>
u'https://<ipa-host>/ipa/session/xml'<br>
ipa: DEBUG: NSSConnection init <ipa-host><br></div></div>
ipa: DEBUG: Connecting: <a href="http://10.79.28.51:0" rel="noreferrer" target="_blank">10.79.28.51:0</a> <<a href="http://10.79.28.51:0" rel="noreferrer" target="_blank">http://10.79.28.51:0</a>><div><div class="m_-664424793101005599h5"><br>
ipa: DEBUG: auth_certificate_callback: check_sig=True is_server=False<br>
Data:<br>
        Version:       3 (0x2)<br>
        Serial Number: 10 (0xa)<br>
        Signature Algorithm:<br>
            Algorithm: PKCS #1 SHA-256 With RSA Encryption<br>
        Issuer: CN=Certificate Authority,O=<myrealm><br>
        Validity:<br>
            Not Before: Mon Nov 23 13:01:37 2015 UTC<br>
            Not After:  Thu Nov 23 13:01:37 2017 UTC<br>
        Subject: CN=<ipa-host>,O=<myrealm><br>
        Subject Public Key Info:<br>
            Public Key Algorithm:<br>
                Algorithm: PKCS #1 RSA Encryption<br>
            RSA Public Key:<br>
                Modulus:<br>
                Exponent:<br>
                    65537 (0x10001)<br>
    Signed Extensions: (5 total)<br>
        Name:     Certificate Authority Key Identifier<br>
        Critical: False<br>
        Key ID:<br>
            39:76:7e:02:f1:99:28:b5:e4:c4:a5:cb:c5:4a:7a:50:<br>
            f7:7f:85:85<br>
        Serial Number: None<br>
        General Names: [0 total]<br>
<br>
        Name:     Authority Information Access<br>
        Critical: False<br>
        Authority Information Access: [1 total]<br>
            Info [1]:<br>
                Method:   PKIX Online Certificate Status Protocol<br>
                Location: URI: http://<ipa-host>:80/ca/ocsp<br>
<br>
        Name:     Certificate Key Usage<br>
        Critical: True<br>
        Usages:<br>
            Digital Signature<br>
            Non-Repudiation<br>
            Key Encipherment<br>
            Data Encipherment<br>
<br>
        Name:     Extended Key Usage<br>
        Critical: False<br>
        Usages:<br>
            TLS Web Server Authentication Certificate<br>
            TLS Web Client Authentication Certificate<br>
<br>
        Name:     Certificate Subject Key ID<br>
        Critical: False<br>
        Data:<br>
            30:7d:c4:6f:01:e9:45:84:12:83:97:9c:34:42:c1:d1:<br>
            ad:84:68:8b<br>
<br>
    Signature:<br>
        Signature Algorithm:<br>
            Algorithm: PKCS #1 SHA-256 With RSA Encryption<br>
        Signature:<br>
        Fingerprint (MD5):<br>
            7c:3d:5b:37:da:62:e4:a1:da:57:e5:66:5a:f0:15:53<br>
        Fingerprint (SHA1):<br>
            2e:83:f0:14:cf:ca:c3:f5:6c:8e:fa:01:79:94:ec:90:<br>
            75:81:d5:0b<br>
ipa: DEBUG: approved_usage = SSL Server intended_usage = SSL Server<br>
ipa: DEBUG: cert valid True for "CN=<ipa-host>,O=<myrealm>"<br>
ipa: DEBUG: handshake complete, peer = <IP>:443<br>
ipa: DEBUG: Protocol: TLS1.2<br>
ipa: DEBUG: Cipher: TLS_RSA_WITH_AES_128_CBC_SHA<br>
ipa: DEBUG: Caught fault 2100 from server<br>
https://<ipa-host>/ipa/session/xml: Insufficient access: SASL(-1):<br>
generic failure: GSSAPI Error: Unspecified GSS failure.  Minor code may<br>
provide more information (Ticket expired)<br>
ipa: DEBUG: Destroyed connection context.xmlclient<br>
ipa: ERROR: Insufficient access: SASL(-1): generic failure: GSSAPI<br>
Error: Unspecified GSS failure.  Minor code may provide more information<br>
(Ticket expired)<br>
###<br>
<br>
Any guidance about where it can come from or what to do?<br>
<br>
From the ipa-server, in the krb5kdc.log, I sometimes found this kind of<br>
message:<br>
###<br>
Oct 25 09:59:37 <IPA HOST> krb5kdc[30767](info): ...<br>
CONSTRAINED-DELEGATION s4u-client=<myuser>@<myrealm><br>
Oct 25 09:59:37 <IPA HOST> krb5kdc[30767](info): ...<br>
CONSTRAINED-DELEGATION s4u-client=<myuser>@<myrealm><br>
###<br>
<br>
Best regards.<br>
<br>
Bahan<br>
<br>
<br>
</div></div></blockquote>
<br>
I would firstly check the time difference between client and IPA server. If the time skew is too great, all sorts of errors can pop up regarding Kerberos authentication.<br>
<br>
I would also check /var/log/http/error_log and /var/log/dirsrv/slapd-<REALM>/errors for additional info. I suspect there is something wrong with the keytab of HTTP principal on the IPA server.<span class="m_-664424793101005599HOEnZb"><font color="#888888"><br>
<br>
-- <br>
Martin^3 Babinsky<br>
<br>
-- <br>
Manage your subscription for the Freeipa-users mailing list:<br>
<a href="https://www.redhat.com/mailman/listinfo/freeipa-users" rel="noreferrer" target="_blank">https://www.redhat.com/mailman/listinfo/freeipa-users</a><br>
Go to <a href="http://freeipa.org" rel="noreferrer" target="_blank">http://freeipa.org</a> for more info on the project<br>
</font></span></blockquote></div><br></div>
</div></div></blockquote></div><br></div>
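<p>Added example, not code from this thread or from FreeIPA. The debug output above shows the client pulling its ipa_session cookie out of the kernel session keyring (<code>keyctl search @s user ipa_session_cookie:&lt;principal&gt;</code>, then <code>keyctl pipe</code>) and reusing it; this script parses that cookie text and the krbtgt line from klist and reports whether it is the cached session cookie, rather than the TGT, that is expired or about to expire. The cookie string and klist line are copied from the thread; the timezone applied to klist's local timestamps and the 5-minute margin are assumptions.</p>

```python
"""Parse the ipa_session cookie the ipa client keeps in the kernel session
keyring (`keyctl search @s user ipa_session_cookie:<principal>` / `keyctl pipe`
in the debug output) and compare its Expires with the TGT lifetime from klist."""
from datetime import datetime, timedelta, timezone
from email.utils import parsedate_to_datetime

# Copied from the thread: the cookie text `keyctl pipe` returned and the
# krbtgt line printed by klist (placeholders kept as they appear in the mail).
SESSION_COOKIE = ("ipa_session=26a7252e4853374fc7439eae5926c584; Domain=<ipa-host>; "
                  "Path=/ipa; Expires=Tue, 25 Oct 2016 08:15:09 GMT; Secure; HttpOnly")
KLIST_TGT_LINE = "10/25/16 10:00:44  10/26/16 10:00:44  krbtgt/<myrealm>@<myrealm>"


def parse_cookie(text):
    """Split a Set-Cookie style string into {'name', 'value', <attributes>}.
    Attribute names are lower-cased; bare flags (Secure, HttpOnly) become True."""
    parts = [p.strip() for p in text.split(";") if p.strip()]
    name, _, value = parts[0].partition("=")
    cookie = {"name": name, "value": value}
    for attr in parts[1:]:
        key, sep, val = attr.partition("=")
        cookie[key.strip().lower()] = val.strip() if sep else True
    return cookie


def cookie_expiry(text):
    """Expires is an RFC 1123 date in GMT; return it as an aware datetime."""
    return parsedate_to_datetime(parse_cookie(text)["expires"])


def tgt_expiry(klist_line, tz=timezone.utc):
    """klist prints local time with no zone; tz is an assumption the caller supplies."""
    fields = klist_line.split()
    end = datetime.strptime(fields[2] + " " + fields[3], "%m/%d/%y %H:%M:%S")
    return end.replace(tzinfo=tz)


def diagnose(cookie_text, klist_line, now, tz=timezone.utc, margin=timedelta(minutes=5)):
    """Classify a failing request: the TGT is gone, the cached session cookie is past
    its Expires, or it is inside the (assumed) margin where it may expire mid-call."""
    if isinstance(now, str):          # accept an ISO 8601 timestamp for convenience
        now = datetime.fromisoformat(now)
    if tgt_expiry(klist_line, tz) <= now:
        return "tgt-expired"
    left = cookie_expiry(cookie_text) - now
    if left <= timedelta(0):
        return "session-cookie-expired"
    if left <= margin:
        return "session-cookie-near-expiry"
    return "session-cookie-ok"
```

Call <code>diagnose(SESSION_COOKIE, KLIST_TGT_LINE, "2016-10-25T08:12:00+00:00")</code> to see the near-expiry case from the thread; a result other than <code>session-cookie-ok</code> with a TGT that klist still shows as valid points at the cached cookie, not the ticket.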