[Freeipa-users] ipa: ERROR: did not receive Kerberos credentials
Sumit Bose
sbose at redhat.com
Fri Apr 11 15:57:54 UTC 2014
On Fri, Apr 11, 2014 at 11:22:55AM -0400, Rashard.Kelly at sita.aero wrote:
> I changed the permissions to world readable to test, afterward I changed
> it back to be readable only by the owner. The problem then reappeared.
>
> [rkelly at replicahostname ~]$ ls -lZa| grep krb
> -r-------- root root ? krb5cc_0
> -r-------- xs05144 xs05144 ? krb5cc_1599000020_u5RRhd
> -r-------- rkelly rkelly ? krb5cc_1599100000_CUkupo
> -r-------- rkelly rkelly ? krb5cc_1599100000_ZekyY0
> -r-------- apache apache ? krb5cc_48
> [rkelly at replicahostname ~]$ od /tmp/krb5cc_1599100000_CUkupo
> od: /tmp/krb5cc_1599100000_CUkupo: Permission denied
hm, either your filesystem is broken or there is an issue with duplicate
UIDs. Can you check if the filesystem UID matches yours:

stat krb5cc_1599100000_CUkupo

should show the numerical UID for the file and

id

will show yours.

HTH

bye,
Sumit
>
> Thank You,
> Rashard Kelly
> SITA Senior Linux Specialist
>
>
>
>
> From: Sumit Bose <sbose at redhat.com>
> To: Rashard.Kelly at sita.aero
> Cc: Alexander Bokovoy <abokovoy at redhat.com>, freeipa-users at redhat.com
> Date: 04/11/2014 09:54 AM
> Subject: Re: [Freeipa-users] ipa: ERROR: did not receive Kerberos
> credentials
>
>
>
> On Fri, Apr 11, 2014 at 09:42:41AM -0400, Rashard.Kelly at sita.aero wrote:
> > [root at replicahostname ~]# sestatus
> > SELinux status: disabled
> > [root at replicahostname ~]# audit2why -b -w -t avc
> > [root at replicahostname ~]#
> >
> >
> > Nothing in the audit log after audit2why came back either.
>
> That's odd. Can you read the file with od?
>
> od /tmp/krb5cc_1599100000_CUkupo
>
> don't send the output, just check if it is readable or if od returns an
> error as well?
>
> Are there any odd filesystem permission on your klist binary like s-bit
> set?
>
> ls -alZ $(which klist)
>
> (here you can send the output :-)
>
> bye,
> Sumit
> >
> >
> > Thank You,
> > Rashard Kelly
> >
> >
> >
> > From: Alexander Bokovoy <abokovoy at redhat.com>
> > To: Rashard.Kelly at sita.aero
> > Cc: Sumit Bose <sbose at redhat.com>, freeipa-users at redhat.com
> > Date: 04/11/2014 09:06 AM
> > Subject: Re: [Freeipa-users] ipa: ERROR: did not receive Kerberos
> > credentials
> >
> >
> >
> > On Fri, 11 Apr 2014, Rashard.Kelly at sita.aero wrote:
> > >futex(0x7f0e2e1462c0, FUTEX_WAKE_PRIVATE, 2147483647) = 0
> > >open("/tmp/krb5cc_1599100000_CUkupo", O_RDONLY) = -1 EACCES (Permission
> > >denied)
> >
> > Are you sure you don't have SELinux really running and enabled?
> >
> > Because the following output makes me really worry:
> > >> [root at replicahostname /tmp]# ll -Za
> > >> drwxrwxrwt. root root system_u:object_r:tmp_t:s0 .
> > >> dr-xr-xr-x. root root system_u:object_r:root_t:s0 ..
> > >> -rw------- rkelly rkelly ? .bash_history
> > >> drwxrwxrwt root root ? .ICE-unix
> > >> drwxrwxr-x rkelly rkelly ? .ipa
> > >> -r-------- root root ? krb5cc_0
> > >> -r-------- xs05144 xs05144 ? krb5cc_1599000020_u5RRhd
> > >> -r-------- rkelly rkelly ? krb5cc_1599100000_CUkupo
> > >> -r-------- rkelly rkelly ? krb5cc_1599100000_ZekyY0
> > These rkelly:rkelly krb5cc_* files have no SELinux label and should be
> > readable to the owner.
> >
> > Can you show:
> >
> > [root] # sestatus
> > [root] # audit2why -b -w -t avc
> >
> >
> > --
> > / Alexander Bokovoy
> >
> >
>
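Added example, not part of the original thread: a shell helper that automates the stat/id comparison suggested above and also compares the UID embedded in the cache file name with the numeric file owner. The function names and verdict words are hypothetical; it assumes GNU stat (Linux) and the krb5cc_<uid>[_<random>] naming seen in the listings.

```shell
#!/bin/sh
# Added example: triage a FILE: credential cache that its owner cannot read.
# Assumes GNU stat and the krb5cc_<uid>[_<random>] file naming.

# ccache_name_uid FILE: print the UID embedded in the file name.
# Returns 1 if the name does not follow the krb5cc_<uid> pattern.
ccache_name_uid() {
    cc_base=${1##*/}
    case $cc_base in
        krb5cc_*) cc_rest=${cc_base#krb5cc_}; cc_uid=${cc_rest%%_*} ;;
        *) return 1 ;;
    esac
    case $cc_uid in
        ''|*[!0-9]*) return 1 ;;   # empty or non-numeric: not a UID
    esac
    printf '%s\n' "$cc_uid"
}

# check_ccache FILE [CALLER_UID]: print one verdict word.
# CALLER_UID defaults to the numeric UID reported by `id -u`.
check_ccache() {
    cc_file=$1
    cc_caller=${2:-$(id -u)}
    [ -e "$cc_file" ] || { echo missing; return 0; }
    cc_owner=$(stat -c %u "$cc_file") || { echo stat-failed; return 0; }
    cc_mode=$(stat -c %a "$cc_file")
    cc_name_uid=$(ccache_name_uid "$cc_file") || cc_name_uid=
    if [ -n "$cc_name_uid" ] && [ "$cc_name_uid" != "$cc_owner" ]; then
        # ls may show the expected user name while the numeric owner differs
        echo name-owner-mismatch
    elif [ "$cc_owner" != "$cc_caller" ]; then
        # two accounts share a name, or the caller is simply another user
        echo caller-owner-mismatch
    else
        case $cc_mode in
            400|600) echo ok ;;        # owner-only, as in the listings
            *)       echo bad-mode ;;  # unreadable by owner or too open
        esac
    fi
}

# Stand-alone use: ./check_ccache.sh /tmp/krb5cc_<uid>_<random>
if [ $# -gt 0 ]; then
    check_ccache "$@"
fi
```

A verdict of name-owner-mismatch or caller-owner-mismatch points at the duplicate-UID case; ok means ownership and mode are not the cause.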