[Freeipa-users] ipa: ERROR: did not receive Kerberos credentials

Sumit Bose sbose at redhat.com
Fri Apr 11 15:57:54 UTC 2014


On Fri, Apr 11, 2014 at 11:22:55AM -0400, Rashard.Kelly at sita.aero wrote:
> I changed the permissions to world readable to test, afterward I changed 
> it back to be readable only by the owner. The problem then reappeared.
> 
> [rkelly at replicahostname ~]$ ls -lZa| grep krb
> -r--------  root    root    ?                                krb5cc_0
> -r--------  xs05144 xs05144 ? krb5cc_1599000020_u5RRhd
> -r--------  rkelly  rkelly  ? krb5cc_1599100000_CUkupo
> -r--------  rkelly  rkelly  ? krb5cc_1599100000_ZekyY0
> -r--------  apache  apache  ?                                krb5cc_48
> [rkelly at replicahostname ~]$ od /tmp/krb5cc_1599100000_CUkupo
> od: /tmp/krb5cc_1599100000_CUkupo: Permission denied

hm, either your filesystem is broken or there is an issue with duplicate
UIDs. Can you check if the filesystem UID matches yours:

stat krb5cc_1599100000_CUkupo

should show the numerical UID for the file and

id

will show yours.

HTH

bye,
Sumit

> 
> Thank You,
> Rashard Kelly
> SITA  Senior Linux Specialist
> 
> 
> 
> 
> From:   Sumit Bose <sbose at redhat.com>
> To:     Rashard.Kelly at sita.aero
> Cc:     Alexander Bokovoy <abokovoy at redhat.com>, freeipa-users at redhat.com
> Date:   04/11/2014 09:54 AM
> Subject:        Re: [Freeipa-users] ipa: ERROR: did not receive Kerberos 
> credentials
> 
> 
> 
> On Fri, Apr 11, 2014 at 09:42:41AM -0400, Rashard.Kelly at sita.aero wrote:
> > [root at replicahostname ~]# sestatus
> > SELinux status:                 disabled
> > [root at replicahostname ~]# audit2why -b -w -t avc
> > [root at replicahostname ~]#
> > 
> > 
> > Nothing in the audit log after audit2why came back either.
> 
> That's odd. Can you read the file with od?
> 
> od /tmp/krb5cc_1599100000_CUkupo
> 
> don't send the output just check if it is readable or if od returns an
> error as well?
> 
> Are there any odd filesystem permission on your klist binary like s-bit
> set?
> 
> ls -alZ $(which klist)
> 
> (here you can send the output :-)
> 
> bye,
> Sumit
> > 
> > 
> > Thank You,
> > Rashard Kelly
> > 
> > 
> > 
> > From:   Alexander Bokovoy <abokovoy at redhat.com>
> > To:     Rashard.Kelly at sita.aero
> > Cc:     Sumit Bose <sbose at redhat.com>, freeipa-users at redhat.com
> > Date:   04/11/2014 09:06 AM
> > Subject:        Re: [Freeipa-users] ipa: ERROR: did not receive Kerberos 
> > credentials
> > 
> > 
> > 
> > On Fri, 11 Apr 2014, Rashard.Kelly at sita.aero wrote:
> > >futex(0x7f0e2e1462c0, FUTEX_WAKE_PRIVATE, 2147483647) = 0
> > >open("/tmp/krb5cc_1599100000_CUkupo", O_RDONLY) = -1 EACCES (Permission
> > >denied)
> > 
> > Are you sure you don't have SELinux really running and enabled?
> > 
> > Because the following output makes me really worry:
> > >> [root at replicahostname /tmp]# ll -Za
> > >> drwxrwxrwt. root    root    system_u:object_r:tmp_t:s0       .
> > >> dr-xr-xr-x. root    root    system_u:object_r:root_t:s0      ..
> > >> -rw-------  rkelly  rkelly  ? .bash_history
> > >> drwxrwxrwt  root    root    ? .ICE-unix
> > >> drwxrwxr-x  rkelly  rkelly  ?                                .ipa
> > >> -r--------  root    root    ?                                krb5cc_0
> > >> -r--------  xs05144 xs05144 ? krb5cc_1599000020_u5RRhd
> > >> -r--------  rkelly  rkelly  ? krb5cc_1599100000_CUkupo
> > >> -r--------  rkelly  rkelly  ? krb5cc_1599100000_ZekyY0
> > These rkelly:rkelly krb5cc_* files have no SELinux label and should be
> > readable to the owner.
> > 
> > Can you show:
> > 
> > [root] # sestatus
> > [root] # audit2why -b -w -t avc
> > 
> > 
> > -- 
> > / Alexander Bokovoy
> > 
> > 
> > This document is strictly confidential and intended only for use by the
> > addressee unless otherwise stated.  If you are not the intended recipient,
> > please notify the sender immediately and delete it from your system.
> > See you at 2014 Air Transport IT Summit, 17-19 June 2014
> > 
> > Click here to register  http://www.sitasummit.aero
> > 
> > 
> 
> 
> 
> 
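
The stat/id comparison suggested in the reply above, written out as an added shell example (not part of the original thread and not FreeIPA code). It assumes GNU stat and that the number in a krb5cc_<uid>[_<suffix>] file name is the UID the cache was created for; check_ccache is a hypothetical helper name.

```shell
#!/bin/sh
# Added example: compare a FILE credential cache's numeric owner with the
# caller's UID, the check the thread does by hand with stat and id.
# Assumption: the cache is named krb5cc_<uid>[_<suffix>] as in the listing.

check_ccache() {
    cc=$1
    me=${2:-$(id -u)}          # numeric UID to compare against (default: caller)
    if [ ! -e "$cc" ]; then
        echo "missing"; return 2
    fi
    owner=$(stat -c %u "$cc")  # numeric owner UID (GNU stat)
    perms=$(stat -c %A "$cc")  # symbolic mode, e.g. -r--------
    base=${cc##*/}
    name_uid=${base#krb5cc_}
    name_uid=${name_uid%%_*}   # UID embedded in the file name

    if [ "$owner" != "$me" ]; then
        # ls prints names, so two accounts that share a name but not a
        # number look identical there; the numeric values tell them apart.
        echo "owner-mismatch file=$owner caller=$me"; return 1
    fi
    if [ "$name_uid" != "$owner" ]; then
        echo "name-mismatch name=$name_uid file=$owner"; return 1
    fi
    case $perms in
        ?r*) ;;                # owner read bit is set
        *) echo "not-owner-readable perms=$perms"; return 1 ;;
    esac
    echo "ok uid=$owner perms=$perms"
}

# Usage: sh check_ccache.sh /tmp/krb5cc_<uid>_<suffix> [uid]
if [ $# -gt 0 ]; then
    check_ccache "$@"
fi
```

An "ok" verdict alongside a continuing EACCES points away from ownership and mode bits, so the remaining candidates are the ones already raised in the thread (filesystem state, SELinux).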