[Freeipa-users] ipa: ERROR: did not receive Kerberos credentials

Sumit Bose sbose at redhat.com
Fri Apr 11 13:54:26 UTC 2014 

On Fri, Apr 11, 2014 at 09:42:41AM -0400, Rashard.Kelly at sita.aero wrote:
> [root at replicahostname ~]# sestatus
> SELinux status:                 disabled
> [root at replicahostname ~]# audit2why -b -w -t avc
> [root at replicahostname ~]#
> 
> 
> Nothing in the audit log after audit2why came back either.

That's odd. Can you read the file with od?

od /tmp/krb5cc_1599100000_CUkupo

don't send the output just check if it is readable of if od returns an
error as well?

Are there any odd filesystem permission on your klist binary like s-bit
set?

ls -alZ $(which klist)

(her you can send the output :-)

bye,
Sumit
> 
> 
> Thank You,
> Rashard Kelly
> 
> 
> 
> From:   Alexander Bokovoy <abokovoy at redhat.com>
> To:     Rashard.Kelly at sita.aero
> Cc:     Sumit Bose <sbose at redhat.com>, freeipa-users at redhat.com
> Date:   04/11/2014 09:06 AM
> Subject:        Re: [Freeipa-users] ipa: ERROR: did not receive Kerberos 
> credentials
> 
> 
> 
> On Fri, 11 Apr 2014, Rashard.Kelly at sita.aero wrote:
> >futex(0x7f0e2e1462c0, FUTEX_WAKE_PRIVATE, 2147483647) = 0
> >open("/tmp/krb5cc_1599100000_CUkupo", O_RDONLY) = -1 EACCES (Permission
> >denied)
> 
> Are you sure you don't have SELinux really running and enabled?
> 
> Because the following output makes me really worry:
> >> [root at replicahostname /tmp]# ll -Za
> >> drwxrwxrwt. root    root    system_u:object_r:tmp_t:s0       .
> >> dr-xr-xr-x. root    root    system_u:object_r:root_t:s0      ..
> >> -rw-------  rkelly  rkelly  ? .bash_history
> >> drwxrwxrwt  root    root    ?                                .ICE-unix
> >> drwxrwxr-x  rkelly  rkelly  ?                                .ipa
> >> -r--------  root    root    ?                                krb5cc_0
> >> -r--------  xs05144 xs05144 ? krb5cc_1599000020_u5RRhd
> >> -r--------  rkelly  rkelly  ? krb5cc_1599100000_CUkupo
> >> -r--------  rkelly  rkelly  ? krb5cc_1599100000_ZekyY0
> These rkelly:rkelly krb5cc_* files have no SELinux label and should be
> readable to the owner.
> 
> Can you show:
> 
> [root] # sestatus
> [root] # audit2why -b -w -t avc
> 
> 
> -- 
> / Alexander Bokovoy
> 
> 
> This document is strictly confidential and intended only for use by the
> addressee unless otherwise stated.  If you are not the intended recipient,
> please notify the sender immediately and delete it from your system.
> See you at 2014 Air Transport IT Summit, 17-19 June 2014
> 
> Click here to register  http://www.sitasummit.aero
> 
>

More information about the Freeipa-users mailing list