[Freeipa-users] Insufficient access: SASL(-1): generic failure: GSSAPI Error: Unspecified GSS failure. Minor code may provide more information (Ticket expired)
Martin Babinsky
mbabinsk at redhat.com
Tue Oct 25 10:18:38 UTC 2016
On 10/25/2016 10:27 AM, bahan w wrote:
> Hello everyone !
>
> I have an ipa server and an ipa client both in 3.0.0-47.
>
> In order to connect via SSH to the host of the ipa-client, I use root.
> When I'm connected to the ipa-client via ssh being root, I do a kinit of
> a user with a keytab :
> ###
> kinit -kt /etc/security/keytabs/<myuser>.headless.keytab <myuser>
> ###
>
> And sometimes, once I have the TGT, when I do just an ipa user-show, I
> got the following error :
> ###
> ipa: ERROR: Insufficient access: SASL(-1): generic failure: GSSAPI
> Error: Unspecified GSS failure. Minor code may provide more information
> (Ticket expired)
> ###
>
> When I check the ticket, it is not expired :
> ###
> # klist
> Ticket cache: FILE:/tmp/krb5cc_root_<myuser>
> Default principal: <myuser>@<myrealm>
>
> Valid starting Expires Service principal
> 10/25/16 10:00:44 10/26/16 10:00:44 krbtgt/<myrealm>@<myrealm>
> ###
>
> Do you know from where it can come and how I can solve this error please ?
>
> Here is more information with the debug option :
> ###
> ipa -d user-show <myuser2>
> ###
>
> Result :
> ###
> ipa: DEBUG: importing all plugin modules in
> '/usr/lib/python2.6/site-packages/ipalib/plugins'...
> ipa: DEBUG: importing plugin module
> '/usr/lib/python2.6/site-packages/ipalib/plugins/aci.py'
> ipa: DEBUG: importing plugin module
> '/usr/lib/python2.6/site-packages/ipalib/plugins/automember.py'
> ipa: DEBUG: importing plugin module
> '/usr/lib/python2.6/site-packages/ipalib/plugins/automount.py'
> ipa: DEBUG: importing plugin module
> '/usr/lib/python2.6/site-packages/ipalib/plugins/baseldap.py'
> ipa: DEBUG: importing plugin module
> '/usr/lib/python2.6/site-packages/ipalib/plugins/batch.py'
> ipa: DEBUG: importing plugin module
> '/usr/lib/python2.6/site-packages/ipalib/plugins/cert.py'
> ipa: DEBUG: importing plugin module
> '/usr/lib/python2.6/site-packages/ipalib/plugins/config.py'
> ipa: DEBUG: importing plugin module
> '/usr/lib/python2.6/site-packages/ipalib/plugins/delegation.py'
> ipa: DEBUG: importing plugin module
> '/usr/lib/python2.6/site-packages/ipalib/plugins/dns.py'
> ipa: DEBUG: importing plugin module
> '/usr/lib/python2.6/site-packages/ipalib/plugins/group.py'
> ipa: DEBUG: importing plugin module
> '/usr/lib/python2.6/site-packages/ipalib/plugins/hbacrule.py'
> ipa: DEBUG: importing plugin module
> '/usr/lib/python2.6/site-packages/ipalib/plugins/hbacsvc.py'
> ipa: DEBUG: importing plugin module
> '/usr/lib/python2.6/site-packages/ipalib/plugins/hbacsvcgroup.py'
> ipa: DEBUG: importing plugin module
> '/usr/lib/python2.6/site-packages/ipalib/plugins/hbactest.py'
> ipa: DEBUG: importing plugin module
> '/usr/lib/python2.6/site-packages/ipalib/plugins/host.py'
> ipa: DEBUG: importing plugin module
> '/usr/lib/python2.6/site-packages/ipalib/plugins/hostgroup.py'
> ipa: DEBUG: importing plugin module
> '/usr/lib/python2.6/site-packages/ipalib/plugins/idrange.py'
> ipa: DEBUG: importing plugin module
> '/usr/lib/python2.6/site-packages/ipalib/plugins/internal.py'
> ipa: DEBUG: importing plugin module
> '/usr/lib/python2.6/site-packages/ipalib/plugins/kerberos.py'
> ipa: DEBUG: importing plugin module
> '/usr/lib/python2.6/site-packages/ipalib/plugins/krbtpolicy.py'
> ipa: DEBUG: importing plugin module
> '/usr/lib/python2.6/site-packages/ipalib/plugins/migration.py'
> ipa: DEBUG: importing plugin module
> '/usr/lib/python2.6/site-packages/ipalib/plugins/misc.py'
> ipa: DEBUG: importing plugin module
> '/usr/lib/python2.6/site-packages/ipalib/plugins/netgroup.py'
> ipa: DEBUG: importing plugin module
> '/usr/lib/python2.6/site-packages/ipalib/plugins/passwd.py'
> ipa: DEBUG: importing plugin module
> '/usr/lib/python2.6/site-packages/ipalib/plugins/permission.py'
> ipa: DEBUG: importing plugin module
> '/usr/lib/python2.6/site-packages/ipalib/plugins/ping.py'
> ipa: DEBUG: importing plugin module
> '/usr/lib/python2.6/site-packages/ipalib/plugins/privilege.py'
> ipa: DEBUG: importing plugin module
> '/usr/lib/python2.6/site-packages/ipalib/plugins/pwpolicy.py'
> ipa: DEBUG: args=klist -V
> ipa: DEBUG: stdout=Kerberos 5 version 1.10.3
>
> ipa: DEBUG: stderr=
> ipa: DEBUG: importing plugin module
> '/usr/lib/python2.6/site-packages/ipalib/plugins/role.py'
> ipa: DEBUG: importing plugin module
> '/usr/lib/python2.6/site-packages/ipalib/plugins/selfservice.py'
> ipa: DEBUG: importing plugin module
> '/usr/lib/python2.6/site-packages/ipalib/plugins/selinuxusermap.py'
> ipa: DEBUG: importing plugin module
> '/usr/lib/python2.6/site-packages/ipalib/plugins/service.py'
> ipa: DEBUG: importing plugin module
> '/usr/lib/python2.6/site-packages/ipalib/plugins/sudocmd.py'
> ipa: DEBUG: importing plugin module
> '/usr/lib/python2.6/site-packages/ipalib/plugins/sudocmdgroup.py'
> ipa: DEBUG: importing plugin module
> '/usr/lib/python2.6/site-packages/ipalib/plugins/sudorule.py'
> ipa: DEBUG: importing plugin module
> '/usr/lib/python2.6/site-packages/ipalib/plugins/trust.py'
> ipa: DEBUG: importing plugin module
> '/usr/lib/python2.6/site-packages/ipalib/plugins/user.py'
> ipa: DEBUG: importing plugin module
> '/usr/lib/python2.6/site-packages/ipalib/plugins/virtual.py'
> ipa: DEBUG: importing plugin module
> '/usr/lib/python2.6/site-packages/ipalib/plugins/xmlclient.py'
> ipa: DEBUG: args=keyctl search @s user ipa_session_cookie:<myuser>@<myrealm>
> ipa: DEBUG: stdout=44063864
>
> ipa: DEBUG: stderr=
> ipa: DEBUG: args=keyctl pipe 44063864
> ipa: DEBUG: stdout=ipa_session=26a7252e4853374fc7439eae5926c584;
> Domain=<ipa-host>; Path=/ipa; Expires=Tue, 25 Oct 2016 08:15:09 GMT;
> Secure; HttpOnly
> ipa: DEBUG: stderr=
> ipa: DEBUG: found session_cookie in persistent storage for principal
> '<myuser>@<myrealm>', cookie:
> 'ipa_session=26a7252e4853374fc7439eae5926c584; Domain=<ipa-host>;
> Path=/ipa; Expires=Tue, 25 Oct 2016 08:15:09 GMT; Secure; HttpOnly'
> ipa: DEBUG: setting session_cookie into context
> 'ipa_session=26a7252e4853374fc7439eae5926c584;'
> ipa: INFO: trying https://<ipa-host>/ipa/session/xml
> ipa: DEBUG: Created connection context.xmlclient
> ipa: DEBUG: raw: user_show(u'<myuser2>', rights=False, all=False,
> raw=False, version=u'2.49', no_members=False)
> ipa: DEBUG: user_show(u'<myuser2>', rights=False, all=False, raw=False,
> version=u'2.49', no_members=False)
> ipa: INFO: Forwarding 'user_show' to server
> u'https://<ipa-host>/ipa/session/xml'
> ipa: DEBUG: NSSConnection init <ipa-host>
> ipa: DEBUG: Connecting: 10.79.28.51:0 <http://10.79.28.51:0>
> ipa: DEBUG: auth_certificate_callback: check_sig=True is_server=False
> Data:
> Version: 3 (0x2)
> Serial Number: 10 (0xa)
> Signature Algorithm:
> Algorithm: PKCS #1 SHA-256 With RSA Encryption
> Issuer: CN=Certificate Authority,O=<myrealm>
> Validity:
> Not Before: Mon Nov 23 13:01:37 2015 UTC
> Not After: Thu Nov 23 13:01:37 2017 UTC
> Subject: CN=<ipa-host>,O=<myrealm>
> Subject Public Key Info:
> Public Key Algorithm:
> Algorithm: PKCS #1 RSA Encryption
> RSA Public Key:
> Modulus:
> f4:df:8e:0c:39:ff:37:ba:64:90:b8:90:85:98:b9:b2:
> 8d:1f:81:3e:ce:de:84:87:51:f9:48:c1:27:8e:00:86:
> 90:d8:1c:1c:b2:d5:03:7e:29:a1:6d:f2:06:fd:26:8c:
> f5:b6:8e:80:aa:0d:47:ea:82:74:30:9b:78:34:6d:62:
> c5:ba:a6:05:3b:56:a7:b2:0a:88:35:9f:6b:cc:80:f8:
> c9:15:08:5e:6c:36:98:09:80:3f:75:e9:69:3d:c1:22:
> 22:ce:15:5f:f8:c4:a3:db:79:92:57:ae:6d:5f:82:15:
> fc:3c:c9:b6:10:58:36:71:03:91:19:cd:bb:5a:f3:9b:
> e0:4a:cf:a6:43:30:b2:71:99:56:28:3f:7f:60:b3:fc:
> e0:84:7b:cc:ef:63:b1:5d:0a:32:94:db:74:7b:a2:7c:
> 52:db:fb:12:fb:3e:14:fe:f1:9b:9c:e9:42:c2:7e:03:
> a5:1d:ab:c1:75:06:a0:b4:50:5b:27:1c:c6:5a:27:62:
> 73:74:70:22:16:03:15:dc:f3:6c:de:1d:02:d7:de:03:
> ca:1e:d1:9d:c1:25:59:84:e1:f6:b4:a0:8c:c6:b0:e0:
> 74:ce:2f:9f:50:e9:b5:d9:d5:f3:fa:7d:57:84:c3:59:
> 75:e9:6e:7d:0e:97:8b:a0:15:f2:4b:31:cc:ca:5c:45
> Exponent:
> 65537 (0x10001)
> Signed Extensions: (5 total)
> Name: Certificate Authority Key Identifier
> Critical: False
> Key ID:
> 39:76:7e:02:f1:99:28:b5:e4:c4:a5:cb:c5:4a:7a:50:
> f7:7f:85:85
> Serial Number: None
> General Names: [0 total]
>
> Name: Authority Information Access
> Critical: False
> Authority Information Access: [1 total]
> Info [1]:
> Method: PKIX Online Certificate Status Protocol
> Location: URI: http://<ipa-host>:80/ca/ocsp
>
> Name: Certificate Key Usage
> Critical: True
> Usages:
> Digital Signature
> Non-Repudiation
> Key Encipherment
> Data Encipherment
>
> Name: Extended Key Usage
> Critical: False
> Usages:
> TLS Web Server Authentication Certificate
> TLS Web Client Authentication Certificate
>
> Name: Certificate Subject Key ID
> Critical: False
> Data:
> 30:7d:c4:6f:01:e9:45:84:12:83:97:9c:34:42:c1:d1:
> ad:84:68:8b
>
> Signature:
> Signature Algorithm:
> Algorithm: PKCS #1 SHA-256 With RSA Encryption
> Signature:
> 99:8f:05:f4:14:64:5e:8a:b3:cc:6d:b8:b1:b1:17:1c:
> a1:28:37:da:5a:1e:17:6c:61:5d:d4:a9:52:15:0a:8c:
> bc:9d:14:35:f0:b7:1a:0c:53:fa:05:5d:fa:56:1f:ea:
> 23:be:b3:20:0a:30:dc:ae:e5:a6:4d:bf:35:4a:91:11:
> f6:fd:73:c5:55:e7:83:52:b0:f1:9b:83:c2:b3:48:ea:
> 5e:21:aa:a0:2d:fb:78:cb:35:d8:20:02:c2:1c:8d:a1:
> 8a:f5:72:81:c5:35:f5:36:3e:3e:5e:02:4b:4e:34:97:
> 0f:b6:80:e2:90:1e:f9:55:41:79:f9:78:e6:d7:43:14:
> 50:f7:39:e2:e8:7f:0a:89:95:08:94:7e:dd:ca:9d:ba:
> f8:9c:6f:24:48:5c:92:53:9d:cd:aa:91:91:6e:db:1e:
> df:54:3c:0b:ce:57:07:26:32:70:f9:ba:fd:ad:b2:7a:
> a6:1b:d1:a5:c9:30:1d:fa:f6:1d:8a:b0:71:ca:4d:9b:
> 41:2b:7c:43:80:54:a3:32:65:d8:48:fe:87:a2:15:a7:
> 14:f0:bb:f9:65:cd:7e:a9:03:a7:3c:f3:d1:73:f7:1b:
> a1:e7:51:66:39:ba:6c:a9:6d:1d:33:b0:3b:63:04:4c:
> 79:cc:16:ce:5f:9f:b1:c5:01:47:72:88:0c:e2:69:ef
> Fingerprint (MD5):
> 7c:3d:5b:37:da:62:e4:a1:da:57:e5:66:5a:f0:15:53
> Fingerprint (SHA1):
> 2e:83:f0:14:cf:ca:c3:f5:6c:8e:fa:01:79:94:ec:90:
> 75:81:d5:0b
> ipa: DEBUG: approved_usage = SSL Server intended_usage = SSL Server
> ipa: DEBUG: cert valid True for "CN=<ipa-host>,O=<myrealm>"
> ipa: DEBUG: handshake complete, peer = <IP>:443
> ipa: DEBUG: Protocol: TLS1.2
> ipa: DEBUG: Cipher: TLS_RSA_WITH_AES_128_CBC_SHA
> ipa: DEBUG: Caught fault 2100 from server
> https://<ipa-host>/ipa/session/xml: Insufficient access: SASL(-1):
> generic failure: GSSAPI Error: Unspecified GSS failure. Minor code may
> provide more information (Ticket expired)
> ipa: DEBUG: Destroyed connection context.xmlclient
> ipa: ERROR: Insufficient access: SASL(-1): generic failure: GSSAPI
> Error: Unspecified GSS failure. Minor code may provide more information
> (Ticket expired)
> ###
>
> Any guidance about where it can come from or what to do ?
>
> From the ipa-server, in the krb5kdc.log, I found sometimes this kind of
> emssage :
> ###
> Oct 25 09:59:37 <IPA HOST> krb5kdc[30767](info): ...
> CONSTRAINED-DELEGATION s4u-client=<myuser>@<myrealm>
> Oct 25 09:59:37 <IPA HOST> krb5kdc[30767](info): ...
> CONSTRAINED-DELEGATION s4u-client=<myuser>@<myrealm>
> ###
>
> Best regards.
>
> Bahan
>
>
I would firstly check the time difference between client and IPA server.
If the time skew is too grea all sorts of errors can pop up regarding
Kerberos authentication.
I would also check /var/log/http/error_log and
/var/log/dirsrv/slapd-<REALM>/errors for additional info. I suspect
there is something wrong with the keytab of HTTP principal on the IPA
server.
--
Martin^3 Babinsky
More information about the Freeipa-users
mailing list