[Freeipa-users] ipa: ERROR: did not receive Kerberos credentials
Sumit Bose
sbose at redhat.com
Thu Apr 10 18:44:02 UTC 2014
On Thu, Apr 10, 2014 at 02:32:06PM -0400, Rashard.Kelly at sita.aero wrote:
> SELinux is disabled, I changed the permissions back to the old ones and I
> have the problem again, although as root I can kinit as myself and can run
> commands. But not as the regular user. Do you have any strace examples to
> share?
>
>
> [root at replicahostname /tmp]# ll -Za
> drwxrwxrwt. root root system_u:object_r:tmp_t:s0 .
> dr-xr-xr-x. root root system_u:object_r:root_t:s0 ..
> -rw------- rkelly rkelly ? .bash_history
> drwxrwxrwt root root ? .ICE-unix
> drwxrwxr-x rkelly rkelly ? .ipa
> -r-------- root root ? krb5cc_0
> -r-------- xs05144 xs05144 ? krb5cc_1599000020_u5RRhd
> -r-------- rkelly rkelly ? krb5cc_1599100000_CUkupo
> -r-------- rkelly rkelly ? krb5cc_1599100000_ZekyY0
> -r-------- apache apache ? krb5cc_48
>
> [root at replicahostname /tmp]# klist
> klist: Credentials cache permissions incorrect while setting cache flags
> (ticket cache FILE:/tmp/krb5cc_1599100000_CUkupo)
strace -o /tmp/klist.out -s 512 klist
The needed output will be in /tmp/klist.out.
bye,
Sumit
>
>
> [root at liipaxs007p /tmp]# cat /etc/sysconfig/selinux
> # This file controls the state of SELinux on the system.
> # SELINUX= can take one of these three values:
> # enforcing - SELinux security policy is enforced.
> # permissive - SELinux prints warnings instead of enforcing.
> # disabled - SELinux is fully disabled.
> SELINUX=disabled
> # SELINUXTYPE= type of policy in use. Possible values are:
> # targeted - Only targeted network daemons are protected.
> # strict - Full SELinux protection.
> SELINUXTYPE=targeted
>
>
> Thank You,
> Rashard Kelly
>
>
>
>
> From: Sumit Bose <sbose at redhat.com>
> To: Rashard.Kelly at sita.aero
> Cc: freeipa-users at redhat.com
> Date: 04/10/2014 12:31 PM
> Subject: Re: [Freeipa-users] ipa: ERROR: did not receive Kerberos credentials
>
>
>
> On Thu, Apr 10, 2014 at 11:55:05AM -0400, Rashard.Kelly at sita.aero wrote:
> > I can run commands after changing the permissions on the files, but why is
> > it generating files that are not world readable?
> >
> > [rkelly at replicahostname ~]$ ll
> > total 84
> > -rw-r--r-- 1 root root 2428 Apr 9 22:34 krb5cc_0
> > -rw-r--r-- 1 xs05144 xs05144 1146 Apr 3 16:10 krb5cc_1599000020_u5RRhd
> > -rw-r--r-- 1 rkelly rkelly 569 Apr 10 15:14 krb5cc_1599100000_CUkupo
> > -rw-r--r-- 1 rkelly rkelly 1873 Apr 9 23:40 krb5cc_1599100000_ZekyY0
> > -rw-r--r-- 1 apache apache 662 Apr 10 06:02 krb5cc_48
>
> Please don't do this; the credential cache files are similar to your
> password, and only the user itself should be allowed to read them.
>
> When you use ls with the -Z option there is a '?' where the SELinux
> context should be printed. Maybe there are issues with your SELinux
> setup that prevent access to the ccache files? Can you try SELinux in
> permissive mode? If there are still issues, running klist with strace
> might give some more details on why the ccache file cannot be read.
>
> HTH
>
> bye,
> Sumit
>
> >
> > [rkelly at replicahostname ~]$ klist
> > Ticket cache: FILE:/tmp/krb5cc_1599100000_CUkupo
> > Default principal: rkelly at DOMAIN
> >
> > Valid starting Expires Service principal
> > 04/10/14 15:14:40 04/11/14 15:14:40 krbtgt/IPA2.DC.SITA.AERO at DOMAIN
> >
> > [rkelly at replicahostname ~]$ ipa user-find kelly
> > --------------
> > 1 user matched
> > --------------
> > User login: rkelly
> > First name: Rashard
> > Last name: KElly
> > Home directory: /home/rkelly
> > Login shell: /bin/sh
> > Email address: rkelly at domain
> > UID: 1599100000
> > GID: 1599100000
> > Account disabled: False
> > Password: True
> > Kerberos keys available: True
> > ----------------------------
> > Number of entries returned 1
> > ----------------------------
> > Thank You,
> > Rashard Kelly
> >
> >
> >
> > From: Rashard.Kelly at sita.aero
> > To: Alexander Bokovoy <abokovoy at redhat.com>
> > Cc: freeipa-users at redhat.com
> > Date: 04/10/2014 08:42 AM
> > Subject: Re: [Freeipa-users] ipa: ERROR: did not receive Kerberos credentials
> > Sent by: freeipa-users-bounces at redhat.com
> >
> >
> >
> > The krb5 files are not readable by everyone. There are multiple krb5 files
> > in /tmp; should they automatically be readable by all? BTW our users do not
> > have home directories if that makes a difference.
> >
> > [rkelly at replicahostname ~]$ ls -lZ /tmp |grep krb
> > -rw------- root root ? krb5cc_0
> > -rw------- xs05144 xs05144 ? krb5cc_1599000020_u5RRhd
> > -rw------- rkelly rkelly ? krb5cc_1599100000_oKtZFE
> > -rw------- rkelly rkelly ? krb5cc_1599100000_ZekyY0
> > -rw------- apache apache ? krb5cc_48
> >
> > ipa-server-selinux-3.0.0-37.el6.x86_64
> > ipa-client-3.0.0-37.el6.x86_64
> > ipa-server-3.0.0-37.el6.x86_64
> > ipa-pki-common-theme-9.0.3-7.el6.noarch
> > libipa_hbac-python-1.9.2-129.el6_5.4.x86_64
> > ipa-python-3.0.0-37.el6.x86_64
> > ipa-admintools-3.0.0-37.el6.x86_64
> > ipa-pki-ca-theme-9.0.3-7.el6.noarch
> > libipa_hbac-1.9.2-129.el6_5.4.x86_64
> > python-iniparse-0.3.1-2.1.el6.noarch
> >
> > [rkelly at replicahostname ~]$ cat /proc/mounts | grep /tmp
> > /dev/mapper/system-tmp_vol /tmp ext4 rw,relatime,barrier=1,data=ordered 0 0
> > [rkelly at replicahostname ~]$ echo $KRB5CCNAME
> > FILE:/tmp/krb5cc_1599100000_oKtZFE
> >
> > [rkelly at replicahostname ~]$ ls -lZ /tmp/krb5cc_1599100000_oKtZFE
> > -rw------- rkelly rkelly ? /tmp/krb5cc_1599100000_oKtZFE
> >
> > [rkelly at replicahostname ~]$ KRB5_TRACE=/dev/stderr kinit
> > [14559] 1397132474.221287: Getting initial credentials for rkelly at DOMAIN
> > [14559] 1397132474.221510: Sending request (191 bytes) to DOMAIN
> > [14559] 1397132474.221677: Sending initial UDP request to dgram 10.228.20.25:88
> > [14559] 1397132474.225248: Received answer from dgram 10.228.20.25:88
> > [14559] 1397132474.225287: Response was from master KDC
> > [14559] 1397132474.225306: Received error from KDC: -1765328359/Additional pre-authentication required
> > [14559] 1397132474.225331: Processing preauth types: 136, 19, 2, 133
> > [14559] 1397132474.225343: Selected etype info: etype aes256-cts, salt "IPA2.DC.SITA.AEROrkelly", params ""
> > [14559] 1397132474.225346: Received cookie: MIT
> > Password for rkelly at DOMAIN:
> > [14559] 1397132484.255381: AS key obtained for encrypted timestamp: aes256-cts/DBF7
> > [14559] 1397132484.255432: Encrypted timestamp (for 1397132484.255390): plain 301AA011180F32303134303431303132323132345AA105020303E59E, encrypted 321A6A1E297880D1E2D1BF069D6D44136D7A2A0D3AAFC3209CB9B4E5BAAE59E928559E47FD0A140F68D377A8398D7CAB4B735D0612247A7C
> > [14559] 1397132484.255453: Preauth module encrypted_timestamp (2) (flags=1) returned: 0/Success
> > [14559] 1397132484.255457: Produced preauth for next request: 133, 2
> > [14559] 1397132484.255474: Sending request (286 bytes) to DOMAIN (master)
> > [14559] 1397132484.255560: Sending initial UDP request to dgram 10.228.20.25:88
> > [14559] 1397132484.262563: Received answer from dgram 10.228.20.25:88
> > [14559] 1397132484.262593: Processing preauth types: 19
> > [14559] 1397132484.262600: Selected etype info: etype aes256-cts, salt "DOMAINrkelly", params ""
> > [14559] 1397132484.262603: Produced preauth for next request: (empty)
> > [14559] 1397132484.262609: AS key determined by preauth: aes256-cts/DBF7
> > [14559] 1397132484.262650: Decrypted AS reply; session key is: aes256-cts/B097
> > [14559] 1397132484.262664: FAST negotiation: available
> > [14559] 1397132484.262681: Initializing FILE:/tmp/krb5cc_1599100000_oKtZFE with default princ rkelly at DOMAIN
> >
> > [rkelly at replicahostname ~]$ KRB5_TRACE=/dev/stderr klist
> > klist: Credentials cache permissions incorrect while setting cache flags (ticket cache FILE:/tmp/krb5cc_1599100000_oKtZFE)
> >
> >
> > --
> >
> >
> > Thank You,
> > Rashard Kelly
> >
> >
> >
> >
> > From: Alexander Bokovoy <abokovoy at redhat.com>
> > To: Rashard.Kelly at sita.aero
> > Cc: freeipa-users at redhat.com
> > Date: 04/10/2014 03:25 AM
> > Subject: Re: [Freeipa-users] ipa: ERROR: did not receive Kerberos credentials
> >
> >
> >
> > On Thu, 10 Apr 2014, Rashard.Kelly at sita.aero wrote:
> > >Hello all
> > >
> > >
> > >When I try to execute any commands from an ipa-replica I get
> > >
> > >[rkelly at replicahostname ~]$ ipa user-find
> > >ipa: ERROR: did not receive Kerberos credentials
> > >[rkelly at replicahostname ~]$ kinit
> > >Password for rkelly at IPA2.DC.SITA.AERO:
> > >[rkelly at replicahostname ~]$ ipa user-find
> > >ipa: ERROR: did not receive Kerberos credentials
> > >[rkelly at replicahostname ~]$ klist
> > >klist: Credentials cache permissions incorrect while setting cache flags
> > >(ticket cache FILE:/tmp/krb5cc_1599100000_qojy7v)
> > >
> > >I thought perhaps the two are out of sync
> > >[root at replicahostname ~]# ipa-replica-manage re-initialize --from liipaxs010p.ipa2.dc.sita.aero
> > >Invalid password
> > >
> > >
> > >ipa-replica-conncheck says communication is ok.
> > >
> > >I looked at the httpd, secure, and krb logs and none show any activity when
> > >I execute the commands above. I'm lost; any clues as to where I can look for
> > >answers?
> > Let's put IPA commands aside and first find out what's wrong with your
> > Kerberos infra. Looking at your ticket cache file name
> > (FILE:/tmp/krb5cc_1599100000_qojy7v) I assume you have come to this
> > machine via SSH and the ticket cache is created by the sshd or sssd.
> >
> > The message you received out of klist is shown if the ccache file is either:
> > - inaccessible for the user
> > - a directory rather than a file
> > - a broken symlink
> > - blocked by some app with exclusive locks
> > - not openable for writing
> >
> > Please provide output of
> > $ cat /proc/mounts | grep /tmp
> > $ echo $KRB5CCNAME
> > $ ls -lZ /tmp/krb5cc_1599100000_qojy7v
> > $ KRB5_TRACE=/dev/stderr kinit
> > $ KRB5_TRACE=/dev/stderr klist
> >
> > You can temporarily overcome this issue by selecting a different ticket
> > cache by setting the KRB5CCNAME environment variable:
> >
> > $ export KRB5CCNAME=$HOME/.krb5cc
> > $ kinit
> > $ ipa user-find
> > ...
> >
> > However, it would be good to solve the issue to avoid repeating these
> > problems.
> >
> >
> >
> > --
> > / Alexander Bokovoy
> >
> >
> > This document is strictly confidential and intended only for use by the
> > addressee unless otherwise stated. If you are not the intended recipient,
> > please notify the sender immediately and delete it from your system. See
> > you at 2014 Air Transport IT Summit, 17-19 June 2014 Click here to
> > register http://www.sitasummit.aero
> > _______________________________________________
> > Freeipa-users mailing list
> > Freeipa-users at redhat.com
> > https://www.redhat.com/mailman/listinfo/freeipa-users
> >
> >
>
>
>
>
>
>
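Added example, not part of the thread above: a small POSIX shell check that walks through the failure modes Alexander lists for "Credentials cache permissions incorrect" (cache inaccessible to the user, a directory, a broken symlink, not writable) and also flags a cache that is readable by anyone but its owner, which is the point Sumit makes about the ccache being as sensitive as a password. The function name `ccache_check` is a hypothetical helper, and the script assumes GNU coreutils `stat` (Linux); it does not inspect SELinux labels or exclusive locks.

```shell
#!/bin/sh
# ccache_check: test a FILE: credential cache against the failure modes that
# make klist report "Credentials cache permissions incorrect":
# inaccessible to the user, a directory, a broken symlink, not writable.
# It also refuses a cache that others can read, since the ccache is as
# sensitive as a password. Assumes GNU stat (Linux). Hypothetical helper,
# not part of MIT krb5 or FreeIPA.
# Usage: ccache_check [path]   (default: $KRB5CCNAME, "FILE:" prefix stripped)
# Returns 0 when the cache looks usable, 1 otherwise, with a one-line reason.
ccache_check() {
    path=${1:-$KRB5CCNAME}
    path=${path#FILE:}
    if [ -z "$path" ]; then
        echo "no ccache path given and KRB5CCNAME is unset"
        return 1
    fi
    # A dangling symlink: -L is true but -e (which follows links) is false.
    if [ -L "$path" ] && [ ! -e "$path" ]; then
        echo "$path: broken symlink"
        return 1
    fi
    if [ ! -e "$path" ]; then
        echo "$path: does not exist (run kinit first)"
        return 1
    fi
    if [ -d "$path" ]; then
        echo "$path: is a directory, not a file"
        return 1
    fi
    owner=$(stat -c %u "$path")   # numeric uid of the file owner
    perm=$(stat -c %A "$path")    # symbolic mode, e.g. -rw-------
    me=$(id -u)
    if [ "$owner" != "$me" ]; then
        echo "$path: owned by uid $owner but you are uid $me"
        return 1
    fi
    # Mode is checked from the bits, not with -r/-w, so root gets the same
    # answer as the user whose cache it is.
    case $perm in
        -rw-------)
            ;;   # exactly owner read/write, the mode kinit and sssd create
        -??-------)
            echo "$path: mode $perm lacks owner read or write access"
            return 1
            ;;
        *)
            echo "$path: mode $perm grants access beyond the owner; chmod 600 it"
            return 1
            ;;
    esac
    echo "$path: ok (uid $owner, mode $perm)"
    return 0
}

# Stand-alone use: ccache_check.sh [path]; with no argument it checks $KRB5CCNAME.
if [ $# -gt 0 ] || [ -n "$KRB5CCNAME" ]; then
    ccache_check "$@"
fi
```

Run it as the affected user in the SSH session where `ipa user-find` fails; a passing result narrows the problem to something the script does not see (SELinux labelling, locks, the filesystem), which is where `strace -o /tmp/klist.out -s 512 klist` takes over.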