[Freeipa-users] ipa: ERROR: did not receive Kerberos credentials
Rashard.Kelly at sita.aero
Thu Apr 10 15:55:05 UTC 2014
I can run commands after changing the permissions on the files, but why is
it generating files that are not world readable?
[rkelly at replicahostname ~]$ ll
total 84
-rw-r--r-- 1 root root 2428 Apr 9 22:34 krb5cc_0
-rw-r--r-- 1 xs05144 xs05144 1146 Apr 3 16:10 krb5cc_1599000020_u5RRhd
-rw-r--r-- 1 rkelly rkelly 569 Apr 10 15:14 krb5cc_1599100000_CUkupo
-rw-r--r-- 1 rkelly rkelly 1873 Apr 9 23:40 krb5cc_1599100000_ZekyY0
-rw-r--r-- 1 apache apache 662 Apr 10 06:02 krb5cc_48
[rkelly at replicahostname ~]$ klist
Ticket cache: FILE:/tmp/krb5cc_1599100000_CUkupo
Default principal: rkelly at DOMAIN
Valid starting Expires Service principal
04/10/14 15:14:40 04/11/14 15:14:40 krbtgt/IPA2.DC.SITA.AERO at DOMAIN
[rkelly at replicahostname ~]$ ipa user-find kelly
--------------
1 user matched
--------------
User login: rkelly
First name: Rashard
Last name: KElly
Home directory: /home/rkelly
Login shell: /bin/sh
Email address: rkelly at domain
UID: 1599100000
GID: 1599100000
Account disabled: False
Password: True
Kerberos keys available: True
----------------------------
Number of entries returned 1
----------------------------
Thank You,
Rashard Kelly
From: Rashard.Kelly at sita.aero
To: Alexander Bokovoy <abokovoy at redhat.com>
Cc: freeipa-users at redhat.com
Date: 04/10/2014 08:42 AM
Subject: Re: [Freeipa-users] ipa: ERROR: did not receive Kerberos
credentials
Sent by: freeipa-users-bounces at redhat.com
The krb5 files are not readable by everyone. There are multiple krb5 files
in tmp, should they automatically be readable by all? BTW our users do not
have home directories if that makes a difference.
[rkelly at replicahostname ~]$ ls -lZ /tmp |grep krb
-rw------- root root ? krb5cc_0
-rw------- xs05144 xs05144 ? krb5cc_1599000020_u5RRhd
-rw------- rkelly rkelly ? krb5cc_1599100000_oKtZFE
-rw------- rkelly rkelly ? krb5cc_1599100000_ZekyY0
-rw------- apache apache ? krb5cc_48
ipa-server-selinux-3.0.0-37.el6.x86_64
ipa-client-3.0.0-37.el6.x86_64
ipa-server-3.0.0-37.el6.x86_64
ipa-pki-common-theme-9.0.3-7.el6.noarch
libipa_hbac-python-1.9.2-129.el6_5.4.x86_64
ipa-python-3.0.0-37.el6.x86_64
ipa-admintools-3.0.0-37.el6.x86_64
ipa-pki-ca-theme-9.0.3-7.el6.noarch
libipa_hbac-1.9.2-129.el6_5.4.x86_64
python-iniparse-0.3.1-2.1.el6.noarch
[rkelly at replicahostname ~]$ cat /proc/mounts | grep /tmp
/dev/mapper/system-tmp_vol /tmp ext4 rw,relatime,barrier=1,data=ordered 0 0
[rkelly at replicahostname ~]$ echo $KRB5CCNAME
FILE:/tmp/krb5cc_1599100000_oKtZFE
[rkelly at replicahostname ~]$ ls -lZ /tmp/krb5cc_1599100000_oKtZFE
-rw------- rkelly rkelly ? /tmp/krb5cc_1599100000_oKtZFE
[rkelly at replicahostname ~]$ KRB5_TRACE=/dev/stderr kinit
[14559] 1397132474.221287: Getting initial credentials for rkelly at DOMAIN
[14559] 1397132474.221510: Sending request (191 bytes) to DOMAIN
[14559] 1397132474.221677: Sending initial UDP request to dgram 10.228.20.25:88
[14559] 1397132474.225248: Received answer from dgram 10.228.20.25:88
[14559] 1397132474.225287: Response was from master KDC
[14559] 1397132474.225306: Received error from KDC: -1765328359/Additional pre-authentication required
[14559] 1397132474.225331: Processing preauth types: 136, 19, 2, 133
[14559] 1397132474.225343: Selected etype info: etype aes256-cts, salt "IPA2.DC.SITA.AEROrkelly", params ""
[14559] 1397132474.225346: Received cookie: MIT
Password for rkelly at DOMAIN:
[14559] 1397132484.255381: AS key obtained for encrypted timestamp: aes256-cts/DBF7
[14559] 1397132484.255432: Encrypted timestamp (for 1397132484.255390): plain 301AA011180F32303134303431303132323132345AA105020303E59E, encrypted 321A6A1E297880D1E2D1BF069D6D44136D7A2A0D3AAFC3209CB9B4E5BAAE59E928559E47FD0A140F68D377A8398D7CAB4B735D0612247A7C
[14559] 1397132484.255453: Preauth module encrypted_timestamp (2) (flags=1) returned: 0/Success
[14559] 1397132484.255457: Produced preauth for next request: 133, 2
[14559] 1397132484.255474: Sending request (286 bytes) to DOMAIN (master)
[14559] 1397132484.255560: Sending initial UDP request to dgram 10.228.20.25:88
[14559] 1397132484.262563: Received answer from dgram 10.228.20.25:88
[14559] 1397132484.262593: Processing preauth types: 19
[14559] 1397132484.262600: Selected etype info: etype aes256-cts, salt "DOMAINrkelly", params ""
[14559] 1397132484.262603: Produced preauth for next request: (empty)
[14559] 1397132484.262609: AS key determined by preauth: aes256-cts/DBF7
[14559] 1397132484.262650: Decrypted AS reply; session key is: aes256-cts/B097
[14559] 1397132484.262664: FAST negotiation: available
[14559] 1397132484.262681: Initializing FILE:/tmp/krb5cc_1599100000_oKtZFE with default princ rkelly at DOMAIN
[rkelly at replicahostname ~]$ KRB5_TRACE=/dev/stderr klist
klist: Credentials cache permissions incorrect while setting cache flags (ticket cache FILE:/tmp/krb5cc_1599100000_oKtZFE)
--
Thank You,
Rashard Kelly
From: Alexander Bokovoy <abokovoy at redhat.com>
To: Rashard.Kelly at sita.aero
Cc: freeipa-users at redhat.com
Date: 04/10/2014 03:25 AM
Subject: Re: [Freeipa-users] ipa: ERROR: did not receive Kerberos
credentials
On Thu, 10 Apr 2014, Rashard.Kelly at sita.aero wrote:
>Hello all
>
>
>When I try to execute any commands from an ipa-replica I get
>
>[rkelly at replicahostname ~]$ ipa user-find
>ipa: ERROR: did not receive Kerberos credentials
>[rkelly at replicahostname ~]$ kinit
>Password for rkelly at IPA2.DC.SITA.AERO:
>[rkelly at replicahostname ~]$ ipa user-find
>ipa: ERROR: did not receive Kerberos credentials
>[rkelly at replicahostname ~]$ klist
>klist: Credentials cache permissions incorrect while setting cache flags
>(ticket cache FILE:/tmp/krb5cc_1599100000_qojy7v)
>
>I thought perhaps the two are out of sync
>[root at replicahostname ~]# ipa-replica-manage re-initialize --from
>liipaxs010p.ipa2.dc.sita.aero
>Invalid password
>
>
>ipa-replica-conncheck says communication is ok.
>
>I looked at the httpd, secure, and krb logs and none show any activity when
>I execute the commands above. I'm lost; any clues as to where I can look for
>answers?
Let's put IPA commands aside and first find out what's wrong with your
Kerberos infra. Looking at your ticket cache file name
(FILE:/tmp/krb5cc_1599100000_qojy7v) I assume you have come to this
machine via SSH and the ticket cache is created by the sshd or sssd.
The message you received out of klist is shown if the ccache file is either:
- inaccessible for the user
- a directory rather than a file
- a broken symlink
- blocked by some app with exclusive locks
- cannot be opened for writing
Please provide output of
$ cat /proc/mounts | grep /tmp
$ echo $KRB5CCNAME
$ ls -lZ /tmp/krb5cc_1599100000_qojy7v
$ KRB5_TRACE=/dev/stderr kinit
$ KRB5_TRACE=/dev/stderr klist
You can temporarily overcome this issue by selecting a different ticket
cache by setting KRB5CCNAME environmental variable:
$ export KRB5CCNAME=$HOME/.krb5cc
$ kinit
$ ipa user-find
...
However, it would be good to solve the issue to avoid repeating these
problems.
--
/ Alexander Bokovoy
This document is strictly confidential and intended only for use by the
addressee unless otherwise stated. If you are not the intended recipient,
please notify the sender immediately and delete it from your system. See
you at 2014 Air Transport IT Summit, 17-19 June 2014 Click here to
register http://www.sitasummit.aero
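Added example, not code from anyone in this thread: a small POSIX sh checker that applies the ccache conditions Alexander lists (inaccessible, a directory, a broken symlink, not writable) to a FILE: ticket cache, and also flags the opposite mistake from Rashard's first message, a cache left readable by other users (0600 owned by the user, as in the ls -lZ listing, is the correct state). It assumes Linux with GNU coreutils stat and the MIT krb5 default cache name /tmp/krb5cc_<uid> when KRB5CCNAME is unset.

```shell
# Usage: check_ccache "$KRB5CCNAME"
# Exit status: 0 usable, 1 klist would fail on it, 2 not a FILE: cache,
#              3 usable but readable by group/other (ticket-theft risk).
check_ccache() {
    name=${1:-${KRB5CCNAME:-}}
    case "$name" in
        FILE:*) path=${name#FILE:} ;;
        "")     path="/tmp/krb5cc_$(id -u)" ;;   # MIT krb5 default (assumed) when unset
        *)      echo "not a FILE: cache ($name); these checks do not apply"; return 2 ;;
    esac

    # Conditions from the reply above: each of these makes klist fail
    if [ -L "$path" ] && [ ! -e "$path" ]; then echo "$path: broken symlink"; return 1; fi
    if [ ! -e "$path" ]; then echo "$path: does not exist (run kinit first)"; return 1; fi
    if [ -d "$path" ]; then echo "$path: is a directory, not a file"; return 1; fi
    if [ ! -f "$path" ]; then echo "$path: not a regular file"; return 1; fi
    if [ ! -r "$path" ] || [ ! -w "$path" ]; then
        echo "$path: not readable and writable by $(id -un) (owner: $(stat -c %U "$path"))"
        return 1
    fi

    # Ownership and mode: the cache should belong to the caller and be 0600
    owner=$(stat -c %U "$path")
    mode=$(stat -c %a "$path")
    go_bits=${mode#"${mode%??}"}        # last two octal digits: group and other
    if [ "$owner" != "$(id -un)" ]; then
        echo "$path: owned by $owner, not $(id -un)"; return 1
    fi
    if [ "$go_bits" != "00" ]; then
        echo "$path: mode $mode lets other users read the tickets; chmod 600 it"; return 3
    fi
    echo "$path: ok (mode $mode, owner $owner)"
    return 0
}
```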
_______________________________________________
Freeipa-users mailing list
Freeipa-users at redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-users