[Freeipa-users] ipa: ERROR: did not receive Kerberos credentials

Alexander Bokovoy abokovoy at redhat.com
Thu Apr 10 07:25:46 UTC 2014


On Thu, 10 Apr 2014, Rashard.Kelly at sita.aero wrote:
>Hello all
>
>
>When I try to execute any commands from an ipa-replica I get
>
>[rkelly at replicahostname ~]$ ipa user-find
>ipa: ERROR: did not receive Kerberos credentials
>[rkelly at replicahostname ~]$ kinit
>Password for rkelly at IPA2.DC.SITA.AERO:
>[rkelly at replicahostname ~]$ ipa user-find
>ipa: ERROR: did not receive Kerberos credentials
>[rkelly at replicahostname ~]$ klist
>klist: Credentials cache permissions incorrect while setting cache flags
>(ticket cache FILE:/tmp/krb5cc_1599100000_qojy7v)
>
>I thought perhaps the two are out of sync
>[root at replicahostname ~]# ipa-replica-manage re-initialize --from
>liipaxs010p.ipa2.dc.sita.aero
>Invalid password
>
>
>ipa-replica-conncheck says communication is ok.
>
>I looked at the httpd, secure, and krb log and none show any activity when
>I execute the commands above. I'm lost. Any clues as to where I can look for
>answers?

Let's put IPA commands aside and first find out what's wrong with your
Kerberos infra. Looking at your ticket cache file name
(FILE:/tmp/krb5cc_1599100000_qojy7v) I assume you have come to this
machine via SSH and the ticket cache is created by the sshd or sssd.

The message you received from klist is shown if the ccache file is either:
  - inaccessible for the user
  - a directory rather than a file
  - a broken symlink
  - blocked by some app with exclusive locks
  - cannot be opened for writing

Please provide the output of
$ cat /proc/mounts | grep /tmp
$ echo $KRB5CCNAME
$ ls -lZ /tmp/krb5cc_1599100000_qojy7v
$ KRB5_TRACE=/dev/stderr kinit
$ KRB5_TRACE=/dev/stderr klist

You can temporarily overcome this issue by selecting a different ticket
cache by setting the KRB5CCNAME environment variable:

$ export KRB5CCNAME=$HOME/.krb5cc
$ kinit
$ ipa user-find
...

However, it would be good to solve the issue to avoid repeating these problems.



-- 
/ Alexander Bokovoy
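
The file-level conditions listed in the reply above can be checked mechanically. The following is an added example, not part of the original message: `check_ccache` and its result words are hypothetical names, it does not test for exclusive locks, and "missing" is an extra state that is not in the list.

```shell
#!/bin/sh
# Added example: classify a FILE: credential cache against the failure
# conditions listed in the reply. check_ccache is a hypothetical helper.

# Usage: check_ccache "$KRB5CCNAME"
# Prints one diagnosis word; returns 0 only when the cache file looks usable.
check_ccache() {
    cc=$1
    case $cc in
        FILE:*) path=${cc#FILE:} ;;
        /*)     path=$cc ;;   # no type prefix: MIT krb5 treats it as FILE
        *)      echo "not-file-ccache"; return 2 ;;  # KEYRING:, DIR:, ...
    esac

    # Order matters: a dangling symlink also fails -e, so test it first.
    if [ -L "$path" ] && [ ! -e "$path" ]; then
        echo "broken-symlink"; return 1
    fi
    if [ ! -e "$path" ]; then
        echo "missing"; return 1
    fi
    if [ -d "$path" ]; then
        echo "is-directory"; return 1
    fi
    # -r / -w are evaluated for the calling user, so run this as the
    # account that sees the klist error (root passes both regardless).
    if [ ! -r "$path" ]; then
        echo "not-readable"; return 1
    fi
    if [ ! -w "$path" ]; then
        echo "not-writable"; return 1
    fi
    echo "ok"
}

# Stand-alone run: report on the current session's cache, if one is set.
if [ -n "${KRB5CCNAME:-}" ]; then
    check_ccache "$KRB5CCNAME" || true
fi
```

A result of "ok" with klist still failing points away from plain file permissions, toward the SELinux context shown by `ls -lZ` or the mount options of /tmp.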



