[Freeipa-users] Insufficient access: SASL(-1): generic failure: GSSAPI Error: Unspecified GSS failure. Minor code may provide more information (Ticket expired)
bahan w
bahanw042014 at gmail.com
Tue Oct 25 11:00:51 UTC 2016
Re.
There is no time difference between client and server.
I checked the httpd error log and saw no errors.
Same with the dirsrv error logs.
Any other idea ?
By looking at the log, I'm wondering if this is a question of session ?
See there :
###
ipa: DEBUG: args=keyctl pipe 44063864
ipa: DEBUG: stdout=ipa_session=26a7252e4853374fc7439eae5926c584;
Domain=<ipa-host>; Path=/ipa; Expires=Tue, 25 Oct 2016 08:15:09 GMT;
Secure; HttpOnly
ipa: DEBUG: stderr=
ipa: DEBUG: found session_cookie in persistent storage for principal
'<myuser>@<myrealm>', cookie: 'ipa_session=26a7252e4853374fc7439eae5926c584;
Domain=<ipa-host>; Path=/ipa; Expires=Tue, 25 Oct 2016 08:15:09 GMT;
Secure; HttpOnly'
ipa: DEBUG: setting session_cookie into context 'ipa_session=
26a7252e4853374fc7439eae5926c584;'
###
At that time, it was not yet expired but there was only a few minuts before
expiration (something like 10 minuts).
What is this persistent storage which is mentioned in the logs ?
Best regards.
Bahan
On Tue, Oct 25, 2016 at 12:18 PM, Martin Babinsky <mbabinsk at redhat.com>
wrote:
> On 10/25/2016 10:27 AM, bahan w wrote:
>
>> Hello everyone !
>>
>> I have an ipa server and an ipa client both in 3.0.0-47.
>>
>> In order to connect via SSH to the host of the ipa-client, I use root.
>> When I'm connected to the ipa-client via ssh being root, I do a kinit of
>> a user with a keytab :
>> ###
>> kinit -kt /etc/security/keytabs/<myuser>.headless.keytab <myuser>
>> ###
>>
>> And sometimes, once I have the TGT, when I do just an ipa user-show, I
>> got the following error :
>> ###
>> ipa: ERROR: Insufficient access: SASL(-1): generic failure: GSSAPI
>> Error: Unspecified GSS failure. Minor code may provide more information
>> (Ticket expired)
>> ###
>>
>> When I check the ticket, it is not expired :
>> ###
>> # klist
>> Ticket cache: FILE:/tmp/krb5cc_root_<myuser>
>> Default principal: <myuser>@<myrealm>
>>
>> Valid starting Expires Service principal
>> 10/25/16 10:00:44 10/26/16 10:00:44 krbtgt/<myrealm>@<myrealm>
>> ###
>>
>> Do you know from where it can come and how I can solve this error please ?
>>
>> Here is more information with the debug option :
>> ###
>> ipa -d user-show <myuser2>
>> ###
>>
>> Result :
>> ###
>> ipa: DEBUG: importing all plugin modules in
>> '/usr/lib/python2.6/site-packages/ipalib/plugins'...
>> ipa: DEBUG: importing plugin module
>> '/usr/lib/python2.6/site-packages/ipalib/plugins/aci.py'
>> ipa: DEBUG: importing plugin module
>> '/usr/lib/python2.6/site-packages/ipalib/plugins/automember.py'
>> ipa: DEBUG: importing plugin module
>> '/usr/lib/python2.6/site-packages/ipalib/plugins/automount.py'
>> ipa: DEBUG: importing plugin module
>> '/usr/lib/python2.6/site-packages/ipalib/plugins/baseldap.py'
>> ipa: DEBUG: importing plugin module
>> '/usr/lib/python2.6/site-packages/ipalib/plugins/batch.py'
>> ipa: DEBUG: importing plugin module
>> '/usr/lib/python2.6/site-packages/ipalib/plugins/cert.py'
>> ipa: DEBUG: importing plugin module
>> '/usr/lib/python2.6/site-packages/ipalib/plugins/config.py'
>> ipa: DEBUG: importing plugin module
>> '/usr/lib/python2.6/site-packages/ipalib/plugins/delegation.py'
>> ipa: DEBUG: importing plugin module
>> '/usr/lib/python2.6/site-packages/ipalib/plugins/dns.py'
>> ipa: DEBUG: importing plugin module
>> '/usr/lib/python2.6/site-packages/ipalib/plugins/group.py'
>> ipa: DEBUG: importing plugin module
>> '/usr/lib/python2.6/site-packages/ipalib/plugins/hbacrule.py'
>> ipa: DEBUG: importing plugin module
>> '/usr/lib/python2.6/site-packages/ipalib/plugins/hbacsvc.py'
>> ipa: DEBUG: importing plugin module
>> '/usr/lib/python2.6/site-packages/ipalib/plugins/hbacsvcgroup.py'
>> ipa: DEBUG: importing plugin module
>> '/usr/lib/python2.6/site-packages/ipalib/plugins/hbactest.py'
>> ipa: DEBUG: importing plugin module
>> '/usr/lib/python2.6/site-packages/ipalib/plugins/host.py'
>> ipa: DEBUG: importing plugin module
>> '/usr/lib/python2.6/site-packages/ipalib/plugins/hostgroup.py'
>> ipa: DEBUG: importing plugin module
>> '/usr/lib/python2.6/site-packages/ipalib/plugins/idrange.py'
>> ipa: DEBUG: importing plugin module
>> '/usr/lib/python2.6/site-packages/ipalib/plugins/internal.py'
>> ipa: DEBUG: importing plugin module
>> '/usr/lib/python2.6/site-packages/ipalib/plugins/kerberos.py'
>> ipa: DEBUG: importing plugin module
>> '/usr/lib/python2.6/site-packages/ipalib/plugins/krbtpolicy.py'
>> ipa: DEBUG: importing plugin module
>> '/usr/lib/python2.6/site-packages/ipalib/plugins/migration.py'
>> ipa: DEBUG: importing plugin module
>> '/usr/lib/python2.6/site-packages/ipalib/plugins/misc.py'
>> ipa: DEBUG: importing plugin module
>> '/usr/lib/python2.6/site-packages/ipalib/plugins/netgroup.py'
>> ipa: DEBUG: importing plugin module
>> '/usr/lib/python2.6/site-packages/ipalib/plugins/passwd.py'
>> ipa: DEBUG: importing plugin module
>> '/usr/lib/python2.6/site-packages/ipalib/plugins/permission.py'
>> ipa: DEBUG: importing plugin module
>> '/usr/lib/python2.6/site-packages/ipalib/plugins/ping.py'
>> ipa: DEBUG: importing plugin module
>> '/usr/lib/python2.6/site-packages/ipalib/plugins/privilege.py'
>> ipa: DEBUG: importing plugin module
>> '/usr/lib/python2.6/site-packages/ipalib/plugins/pwpolicy.py'
>> ipa: DEBUG: args=klist -V
>> ipa: DEBUG: stdout=Kerberos 5 version 1.10.3
>>
>> ipa: DEBUG: stderr=
>> ipa: DEBUG: importing plugin module
>> '/usr/lib/python2.6/site-packages/ipalib/plugins/role.py'
>> ipa: DEBUG: importing plugin module
>> '/usr/lib/python2.6/site-packages/ipalib/plugins/selfservice.py'
>> ipa: DEBUG: importing plugin module
>> '/usr/lib/python2.6/site-packages/ipalib/plugins/selinuxusermap.py'
>> ipa: DEBUG: importing plugin module
>> '/usr/lib/python2.6/site-packages/ipalib/plugins/service.py'
>> ipa: DEBUG: importing plugin module
>> '/usr/lib/python2.6/site-packages/ipalib/plugins/sudocmd.py'
>> ipa: DEBUG: importing plugin module
>> '/usr/lib/python2.6/site-packages/ipalib/plugins/sudocmdgroup.py'
>> ipa: DEBUG: importing plugin module
>> '/usr/lib/python2.6/site-packages/ipalib/plugins/sudorule.py'
>> ipa: DEBUG: importing plugin module
>> '/usr/lib/python2.6/site-packages/ipalib/plugins/trust.py'
>> ipa: DEBUG: importing plugin module
>> '/usr/lib/python2.6/site-packages/ipalib/plugins/user.py'
>> ipa: DEBUG: importing plugin module
>> '/usr/lib/python2.6/site-packages/ipalib/plugins/virtual.py'
>> ipa: DEBUG: importing plugin module
>> '/usr/lib/python2.6/site-packages/ipalib/plugins/xmlclient.py'
>> ipa: DEBUG: args=keyctl search @s user ipa_session_cookie:<myuser>@<m
>> yrealm>
>> ipa: DEBUG: stdout=44063864
>>
>> ipa: DEBUG: stderr=
>> ipa: DEBUG: args=keyctl pipe 44063864
>> ipa: DEBUG: stdout=ipa_session=26a7252e4853374fc7439eae5926c584;
>> Domain=<ipa-host>; Path=/ipa; Expires=Tue, 25 Oct 2016 08:15:09 GMT;
>> Secure; HttpOnly
>> ipa: DEBUG: stderr=
>> ipa: DEBUG: found session_cookie in persistent storage for principal
>> '<myuser>@<myrealm>', cookie:
>> 'ipa_session=26a7252e4853374fc7439eae5926c584; Domain=<ipa-host>;
>> Path=/ipa; Expires=Tue, 25 Oct 2016 08:15:09 GMT; Secure; HttpOnly'
>> ipa: DEBUG: setting session_cookie into context
>> 'ipa_session=26a7252e4853374fc7439eae5926c584;'
>> ipa: INFO: trying https://<ipa-host>/ipa/session/xml
>> ipa: DEBUG: Created connection context.xmlclient
>> ipa: DEBUG: raw: user_show(u'<myuser2>', rights=False, all=False,
>> raw=False, version=u'2.49', no_members=False)
>> ipa: DEBUG: user_show(u'<myuser2>', rights=False, all=False, raw=False,
>> version=u'2.49', no_members=False)
>> ipa: INFO: Forwarding 'user_show' to server
>> u'https://<ipa-host>/ipa/session/xml'
>> ipa: DEBUG: NSSConnection init <ipa-host>
>> ipa: DEBUG: Connecting: 10.79.28.51:0 <http://10.79.28.51:0>
>>
>> ipa: DEBUG: auth_certificate_callback: check_sig=True is_server=False
>> Data:
>> Version: 3 (0x2)
>> Serial Number: 10 (0xa)
>> Signature Algorithm:
>> Algorithm: PKCS #1 SHA-256 With RSA Encryption
>> Issuer: CN=Certificate Authority,O=<myrealm>
>> Validity:
>> Not Before: Mon Nov 23 13:01:37 2015 UTC
>> Not After: Thu Nov 23 13:01:37 2017 UTC
>> Subject: CN=<ipa-host>,O=<myrealm>
>> Subject Public Key Info:
>> Public Key Algorithm:
>> Algorithm: PKCS #1 RSA Encryption
>> RSA Public Key:
>> Modulus:
>> f4:df:8e:0c:39:ff:37:ba:64:90:b8:90:85:98:b9:b2:
>> 8d:1f:81:3e:ce:de:84:87:51:f9:48:c1:27:8e:00:86:
>> 90:d8:1c:1c:b2:d5:03:7e:29:a1:6d:f2:06:fd:26:8c:
>> f5:b6:8e:80:aa:0d:47:ea:82:74:30:9b:78:34:6d:62:
>> c5:ba:a6:05:3b:56:a7:b2:0a:88:35:9f:6b:cc:80:f8:
>> c9:15:08:5e:6c:36:98:09:80:3f:75:e9:69:3d:c1:22:
>> 22:ce:15:5f:f8:c4:a3:db:79:92:57:ae:6d:5f:82:15:
>> fc:3c:c9:b6:10:58:36:71:03:91:19:cd:bb:5a:f3:9b:
>> e0:4a:cf:a6:43:30:b2:71:99:56:28:3f:7f:60:b3:fc:
>> e0:84:7b:cc:ef:63:b1:5d:0a:32:94:db:74:7b:a2:7c:
>> 52:db:fb:12:fb:3e:14:fe:f1:9b:9c:e9:42:c2:7e:03:
>> a5:1d:ab:c1:75:06:a0:b4:50:5b:27:1c:c6:5a:27:62:
>> 73:74:70:22:16:03:15:dc:f3:6c:de:1d:02:d7:de:03:
>> ca:1e:d1:9d:c1:25:59:84:e1:f6:b4:a0:8c:c6:b0:e0:
>> 74:ce:2f:9f:50:e9:b5:d9:d5:f3:fa:7d:57:84:c3:59:
>> 75:e9:6e:7d:0e:97:8b:a0:15:f2:4b:31:cc:ca:5c:45
>> Exponent:
>> 65537 (0x10001)
>> Signed Extensions: (5 total)
>> Name: Certificate Authority Key Identifier
>> Critical: False
>> Key ID:
>> 39:76:7e:02:f1:99:28:b5:e4:c4:a5:cb:c5:4a:7a:50:
>> f7:7f:85:85
>> Serial Number: None
>> General Names: [0 total]
>>
>> Name: Authority Information Access
>> Critical: False
>> Authority Information Access: [1 total]
>> Info [1]:
>> Method: PKIX Online Certificate Status Protocol
>> Location: URI: http://<ipa-host>:80/ca/ocsp
>>
>> Name: Certificate Key Usage
>> Critical: True
>> Usages:
>> Digital Signature
>> Non-Repudiation
>> Key Encipherment
>> Data Encipherment
>>
>> Name: Extended Key Usage
>> Critical: False
>> Usages:
>> TLS Web Server Authentication Certificate
>> TLS Web Client Authentication Certificate
>>
>> Name: Certificate Subject Key ID
>> Critical: False
>> Data:
>> 30:7d:c4:6f:01:e9:45:84:12:83:97:9c:34:42:c1:d1:
>> ad:84:68:8b
>>
>> Signature:
>> Signature Algorithm:
>> Algorithm: PKCS #1 SHA-256 With RSA Encryption
>> Signature:
>> 99:8f:05:f4:14:64:5e:8a:b3:cc:6d:b8:b1:b1:17:1c:
>> a1:28:37:da:5a:1e:17:6c:61:5d:d4:a9:52:15:0a:8c:
>> bc:9d:14:35:f0:b7:1a:0c:53:fa:05:5d:fa:56:1f:ea:
>> 23:be:b3:20:0a:30:dc:ae:e5:a6:4d:bf:35:4a:91:11:
>> f6:fd:73:c5:55:e7:83:52:b0:f1:9b:83:c2:b3:48:ea:
>> 5e:21:aa:a0:2d:fb:78:cb:35:d8:20:02:c2:1c:8d:a1:
>> 8a:f5:72:81:c5:35:f5:36:3e:3e:5e:02:4b:4e:34:97:
>> 0f:b6:80:e2:90:1e:f9:55:41:79:f9:78:e6:d7:43:14:
>> 50:f7:39:e2:e8:7f:0a:89:95:08:94:7e:dd:ca:9d:ba:
>> f8:9c:6f:24:48:5c:92:53:9d:cd:aa:91:91:6e:db:1e:
>> df:54:3c:0b:ce:57:07:26:32:70:f9:ba:fd:ad:b2:7a:
>> a6:1b:d1:a5:c9:30:1d:fa:f6:1d:8a:b0:71:ca:4d:9b:
>> 41:2b:7c:43:80:54:a3:32:65:d8:48:fe:87:a2:15:a7:
>> 14:f0:bb:f9:65:cd:7e:a9:03:a7:3c:f3:d1:73:f7:1b:
>> a1:e7:51:66:39:ba:6c:a9:6d:1d:33:b0:3b:63:04:4c:
>> 79:cc:16:ce:5f:9f:b1:c5:01:47:72:88:0c:e2:69:ef
>> Fingerprint (MD5):
>> 7c:3d:5b:37:da:62:e4:a1:da:57:e5:66:5a:f0:15:53
>> Fingerprint (SHA1):
>> 2e:83:f0:14:cf:ca:c3:f5:6c:8e:fa:01:79:94:ec:90:
>> 75:81:d5:0b
>> ipa: DEBUG: approved_usage = SSL Server intended_usage = SSL Server
>> ipa: DEBUG: cert valid True for "CN=<ipa-host>,O=<myrealm>"
>> ipa: DEBUG: handshake complete, peer = <IP>:443
>> ipa: DEBUG: Protocol: TLS1.2
>> ipa: DEBUG: Cipher: TLS_RSA_WITH_AES_128_CBC_SHA
>> ipa: DEBUG: Caught fault 2100 from server
>> https://<ipa-host>/ipa/session/xml: Insufficient access: SASL(-1):
>> generic failure: GSSAPI Error: Unspecified GSS failure. Minor code may
>> provide more information (Ticket expired)
>> ipa: DEBUG: Destroyed connection context.xmlclient
>> ipa: ERROR: Insufficient access: SASL(-1): generic failure: GSSAPI
>> Error: Unspecified GSS failure. Minor code may provide more information
>> (Ticket expired)
>> ###
>>
>> Any guidance about where it can come from or what to do ?
>>
>> From the ipa-server, in the krb5kdc.log, I found sometimes this kind of
>> emssage :
>> ###
>> Oct 25 09:59:37 <IPA HOST> krb5kdc[30767](info): ...
>> CONSTRAINED-DELEGATION s4u-client=<myuser>@<myrealm>
>> Oct 25 09:59:37 <IPA HOST> krb5kdc[30767](info): ...
>> CONSTRAINED-DELEGATION s4u-client=<myuser>@<myrealm>
>> ###
>>
>> Best regards.
>>
>> Bahan
>>
>>
>>
> I would firstly check the time difference between client and IPA server.
> If the time skew is too grea all sorts of errors can pop up regarding
> Kerberos authentication.
>
> I would also check /var/log/http/error_log and
> /var/log/dirsrv/slapd-<REALM>/errors for additional info. I suspect there
> is something wrong with the keytab of HTTP principal on the IPA server.
>
> --
> Martin^3 Babinsky
>
> --
> Manage your subscription for the Freeipa-users mailing list:
> https://www.redhat.com/mailman/listinfo/freeipa-users
> Go to http://freeipa.org for more info on the project
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://listman.redhat.com/archives/freeipa-users/attachments/20161025/3def61a2/attachment.htm>
More information about the Freeipa-users
mailing list