[Freeipa-users] Insufficient access: SASL(-1): generic failure: GSSAPI Error: Unspecified GSS failure. Minor code may provide more information (Ticket expired)

bahan w bahanw042014 at gmail.com
Thu Oct 27 16:12:51 UTC 2016


Help?

Best regards.

Bahan

On Tue, Oct 25, 2016 at 1:00 PM, bahan w <bahanw042014 at gmail.com> wrote:

> Re.
>
> There is no time difference between client and server.
>
> I checked the httpd error log and saw no errors.
> Same with the dirsrv error logs.
>
> Any other idea?
>
> By looking at the log, I'm wondering if this is a question of session?
>
> See there:
> ###
> ipa: DEBUG: args=keyctl pipe 44063864
> ipa: DEBUG: stdout=ipa_session=26a7252e4853374fc7439eae5926c584;
> Domain=<ipa-host>; Path=/ipa; Expires=Tue, 25 Oct 2016 08:15:09 GMT;
> Secure; HttpOnly
> ipa: DEBUG: stderr=
> ipa: DEBUG: found session_cookie in persistent storage for principal
> '<myuser>@<myrealm>', cookie: 'ipa_session=26a7252e4853374fc7439eae5926c584;
> Domain=<ipa-host>; Path=/ipa; Expires=Tue, 25 Oct 2016 08:15:09 GMT;
> Secure; HttpOnly'
> ipa: DEBUG: setting session_cookie into context
> 'ipa_session=26a7252e4853374fc7439eae5926c584;'
> ###
>
> At that time, it was not yet expired but there were only a few minutes
> before expiration (something like 10 minutes).
> What is this persistent storage which is mentioned in the logs?
>
> Best regards.
>
> Bahan
>
>
>
> On Tue, Oct 25, 2016 at 12:18 PM, Martin Babinsky <mbabinsk at redhat.com>
> wrote:
>
>> On 10/25/2016 10:27 AM, bahan w wrote:
>>
>>> Hello everyone !
>>>
>>> I have an ipa server and an ipa client both in 3.0.0-47.
>>>
>>> In order to connect via SSH to the host of the ipa-client, I use root.
>>> When I'm connected to the ipa-client via ssh as root, I do a kinit of
>>> a user with a keytab:
>>> ###
>>> kinit -kt /etc/security/keytabs/<myuser>.headless.keytab <myuser>
>>> ###
>>>
>>> And sometimes, once I have the TGT, when I do just an ipa user-show, I
>>> get the following error:
>>> ###
>>> ipa: ERROR: Insufficient access: SASL(-1): generic failure: GSSAPI
>>> Error: Unspecified GSS failure.  Minor code may provide more information
>>> (Ticket expired)
>>> ###
>>>
>>> When I check the ticket, it is not expired:
>>> ###
>>> # klist
>>> Ticket cache: FILE:/tmp/krb5cc_root_<myuser>
>>> Default principal: <myuser>@<myrealm>
>>>
>>> Valid starting     Expires            Service principal
>>> 10/25/16 10:00:44  10/26/16 10:00:44  krbtgt/<myrealm>@<myrealm>
>>> ###
>>>
>>> Do you know where it can come from and how I can solve this error,
>>> please?
>>>
>>> Here is more information with the debug option:
>>> ###
>>> ipa -d user-show <myuser2>
>>> ###
>>>
>>> Result :
>>> ###
>>> ipa: DEBUG: importing all plugin modules in
>>> '/usr/lib/python2.6/site-packages/ipalib/plugins'...
>>> ipa: DEBUG: importing plugin module
>>> '/usr/lib/python2.6/site-packages/ipalib/plugins/aci.py'
>>> ipa: DEBUG: importing plugin module
>>> '/usr/lib/python2.6/site-packages/ipalib/plugins/automember.py'
>>> ipa: DEBUG: importing plugin module
>>> '/usr/lib/python2.6/site-packages/ipalib/plugins/automount.py'
>>> ipa: DEBUG: importing plugin module
>>> '/usr/lib/python2.6/site-packages/ipalib/plugins/baseldap.py'
>>> ipa: DEBUG: importing plugin module
>>> '/usr/lib/python2.6/site-packages/ipalib/plugins/batch.py'
>>> ipa: DEBUG: importing plugin module
>>> '/usr/lib/python2.6/site-packages/ipalib/plugins/cert.py'
>>> ipa: DEBUG: importing plugin module
>>> '/usr/lib/python2.6/site-packages/ipalib/plugins/config.py'
>>> ipa: DEBUG: importing plugin module
>>> '/usr/lib/python2.6/site-packages/ipalib/plugins/delegation.py'
>>> ipa: DEBUG: importing plugin module
>>> '/usr/lib/python2.6/site-packages/ipalib/plugins/dns.py'
>>> ipa: DEBUG: importing plugin module
>>> '/usr/lib/python2.6/site-packages/ipalib/plugins/group.py'
>>> ipa: DEBUG: importing plugin module
>>> '/usr/lib/python2.6/site-packages/ipalib/plugins/hbacrule.py'
>>> ipa: DEBUG: importing plugin module
>>> '/usr/lib/python2.6/site-packages/ipalib/plugins/hbacsvc.py'
>>> ipa: DEBUG: importing plugin module
>>> '/usr/lib/python2.6/site-packages/ipalib/plugins/hbacsvcgroup.py'
>>> ipa: DEBUG: importing plugin module
>>> '/usr/lib/python2.6/site-packages/ipalib/plugins/hbactest.py'
>>> ipa: DEBUG: importing plugin module
>>> '/usr/lib/python2.6/site-packages/ipalib/plugins/host.py'
>>> ipa: DEBUG: importing plugin module
>>> '/usr/lib/python2.6/site-packages/ipalib/plugins/hostgroup.py'
>>> ipa: DEBUG: importing plugin module
>>> '/usr/lib/python2.6/site-packages/ipalib/plugins/idrange.py'
>>> ipa: DEBUG: importing plugin module
>>> '/usr/lib/python2.6/site-packages/ipalib/plugins/internal.py'
>>> ipa: DEBUG: importing plugin module
>>> '/usr/lib/python2.6/site-packages/ipalib/plugins/kerberos.py'
>>> ipa: DEBUG: importing plugin module
>>> '/usr/lib/python2.6/site-packages/ipalib/plugins/krbtpolicy.py'
>>> ipa: DEBUG: importing plugin module
>>> '/usr/lib/python2.6/site-packages/ipalib/plugins/migration.py'
>>> ipa: DEBUG: importing plugin module
>>> '/usr/lib/python2.6/site-packages/ipalib/plugins/misc.py'
>>> ipa: DEBUG: importing plugin module
>>> '/usr/lib/python2.6/site-packages/ipalib/plugins/netgroup.py'
>>> ipa: DEBUG: importing plugin module
>>> '/usr/lib/python2.6/site-packages/ipalib/plugins/passwd.py'
>>> ipa: DEBUG: importing plugin module
>>> '/usr/lib/python2.6/site-packages/ipalib/plugins/permission.py'
>>> ipa: DEBUG: importing plugin module
>>> '/usr/lib/python2.6/site-packages/ipalib/plugins/ping.py'
>>> ipa: DEBUG: importing plugin module
>>> '/usr/lib/python2.6/site-packages/ipalib/plugins/privilege.py'
>>> ipa: DEBUG: importing plugin module
>>> '/usr/lib/python2.6/site-packages/ipalib/plugins/pwpolicy.py'
>>> ipa: DEBUG: args=klist -V
>>> ipa: DEBUG: stdout=Kerberos 5 version 1.10.3
>>>
>>> ipa: DEBUG: stderr=
>>> ipa: DEBUG: importing plugin module
>>> '/usr/lib/python2.6/site-packages/ipalib/plugins/role.py'
>>> ipa: DEBUG: importing plugin module
>>> '/usr/lib/python2.6/site-packages/ipalib/plugins/selfservice.py'
>>> ipa: DEBUG: importing plugin module
>>> '/usr/lib/python2.6/site-packages/ipalib/plugins/selinuxusermap.py'
>>> ipa: DEBUG: importing plugin module
>>> '/usr/lib/python2.6/site-packages/ipalib/plugins/service.py'
>>> ipa: DEBUG: importing plugin module
>>> '/usr/lib/python2.6/site-packages/ipalib/plugins/sudocmd.py'
>>> ipa: DEBUG: importing plugin module
>>> '/usr/lib/python2.6/site-packages/ipalib/plugins/sudocmdgroup.py'
>>> ipa: DEBUG: importing plugin module
>>> '/usr/lib/python2.6/site-packages/ipalib/plugins/sudorule.py'
>>> ipa: DEBUG: importing plugin module
>>> '/usr/lib/python2.6/site-packages/ipalib/plugins/trust.py'
>>> ipa: DEBUG: importing plugin module
>>> '/usr/lib/python2.6/site-packages/ipalib/plugins/user.py'
>>> ipa: DEBUG: importing plugin module
>>> '/usr/lib/python2.6/site-packages/ipalib/plugins/virtual.py'
>>> ipa: DEBUG: importing plugin module
>>> '/usr/lib/python2.6/site-packages/ipalib/plugins/xmlclient.py'
>>> ipa: DEBUG: args=keyctl search @s user ipa_session_cookie:<myuser>@<myrealm>
>>> ipa: DEBUG: stdout=44063864
>>>
>>> ipa: DEBUG: stderr=
>>> ipa: DEBUG: args=keyctl pipe 44063864
>>> ipa: DEBUG: stdout=ipa_session=26a7252e4853374fc7439eae5926c584;
>>> Domain=<ipa-host>; Path=/ipa; Expires=Tue, 25 Oct 2016 08:15:09 GMT;
>>> Secure; HttpOnly
>>> ipa: DEBUG: stderr=
>>> ipa: DEBUG: found session_cookie in persistent storage for principal
>>> '<myuser>@<myrealm>', cookie:
>>> 'ipa_session=26a7252e4853374fc7439eae5926c584; Domain=<ipa-host>;
>>> Path=/ipa; Expires=Tue, 25 Oct 2016 08:15:09 GMT; Secure; HttpOnly'
>>> ipa: DEBUG: setting session_cookie into context
>>> 'ipa_session=26a7252e4853374fc7439eae5926c584;'
>>> ipa: INFO: trying https://<ipa-host>/ipa/session/xml
>>> ipa: DEBUG: Created connection context.xmlclient
>>> ipa: DEBUG: raw: user_show(u'<myuser2>', rights=False, all=False,
>>> raw=False, version=u'2.49', no_members=False)
>>> ipa: DEBUG: user_show(u'<myuser2>', rights=False, all=False, raw=False,
>>> version=u'2.49', no_members=False)
>>> ipa: INFO: Forwarding 'user_show' to server
>>> u'https://<ipa-host>/ipa/session/xml'
>>> ipa: DEBUG: NSSConnection init <ipa-host>
>>> ipa: DEBUG: Connecting: 10.79.28.51:0
>>>
>>> ipa: DEBUG: auth_certificate_callback: check_sig=True is_server=False
>>> Data:
>>>         Version:       3 (0x2)
>>>         Serial Number: 10 (0xa)
>>>         Signature Algorithm:
>>>             Algorithm: PKCS #1 SHA-256 With RSA Encryption
>>>         Issuer: CN=Certificate Authority,O=<myrealm>
>>>         Validity:
>>>             Not Before: Mon Nov 23 13:01:37 2015 UTC
>>>             Not After:  Thu Nov 23 13:01:37 2017 UTC
>>>         Subject: CN=<ipa-host>,O=<myrealm>
>>>         Subject Public Key Info:
>>>             Public Key Algorithm:
>>>                 Algorithm: PKCS #1 RSA Encryption
>>>             RSA Public Key:
>>>                 Modulus:
>>>                     f4:df:8e:0c:39:ff:37:ba:64:90:b8:90:85:98:b9:b2:
>>>                     8d:1f:81:3e:ce:de:84:87:51:f9:48:c1:27:8e:00:86:
>>>                     90:d8:1c:1c:b2:d5:03:7e:29:a1:6d:f2:06:fd:26:8c:
>>>                     f5:b6:8e:80:aa:0d:47:ea:82:74:30:9b:78:34:6d:62:
>>>                     c5:ba:a6:05:3b:56:a7:b2:0a:88:35:9f:6b:cc:80:f8:
>>>                     c9:15:08:5e:6c:36:98:09:80:3f:75:e9:69:3d:c1:22:
>>>                     22:ce:15:5f:f8:c4:a3:db:79:92:57:ae:6d:5f:82:15:
>>>                     fc:3c:c9:b6:10:58:36:71:03:91:19:cd:bb:5a:f3:9b:
>>>                     e0:4a:cf:a6:43:30:b2:71:99:56:28:3f:7f:60:b3:fc:
>>>                     e0:84:7b:cc:ef:63:b1:5d:0a:32:94:db:74:7b:a2:7c:
>>>                     52:db:fb:12:fb:3e:14:fe:f1:9b:9c:e9:42:c2:7e:03:
>>>                     a5:1d:ab:c1:75:06:a0:b4:50:5b:27:1c:c6:5a:27:62:
>>>                     73:74:70:22:16:03:15:dc:f3:6c:de:1d:02:d7:de:03:
>>>                     ca:1e:d1:9d:c1:25:59:84:e1:f6:b4:a0:8c:c6:b0:e0:
>>>                     74:ce:2f:9f:50:e9:b5:d9:d5:f3:fa:7d:57:84:c3:59:
>>>                     75:e9:6e:7d:0e:97:8b:a0:15:f2:4b:31:cc:ca:5c:45
>>>                 Exponent:
>>>                     65537 (0x10001)
>>>     Signed Extensions: (5 total)
>>>         Name:     Certificate Authority Key Identifier
>>>         Critical: False
>>>         Key ID:
>>>             39:76:7e:02:f1:99:28:b5:e4:c4:a5:cb:c5:4a:7a:50:
>>>             f7:7f:85:85
>>>         Serial Number: None
>>>         General Names: [0 total]
>>>
>>>         Name:     Authority Information Access
>>>         Critical: False
>>>         Authority Information Access: [1 total]
>>>             Info [1]:
>>>                 Method:   PKIX Online Certificate Status Protocol
>>>                 Location: URI: http://<ipa-host>:80/ca/ocsp
>>>
>>>         Name:     Certificate Key Usage
>>>         Critical: True
>>>         Usages:
>>>             Digital Signature
>>>             Non-Repudiation
>>>             Key Encipherment
>>>             Data Encipherment
>>>
>>>         Name:     Extended Key Usage
>>>         Critical: False
>>>         Usages:
>>>             TLS Web Server Authentication Certificate
>>>             TLS Web Client Authentication Certificate
>>>
>>>         Name:     Certificate Subject Key ID
>>>         Critical: False
>>>         Data:
>>>             30:7d:c4:6f:01:e9:45:84:12:83:97:9c:34:42:c1:d1:
>>>             ad:84:68:8b
>>>
>>>     Signature:
>>>         Signature Algorithm:
>>>             Algorithm: PKCS #1 SHA-256 With RSA Encryption
>>>         Signature:
>>>             99:8f:05:f4:14:64:5e:8a:b3:cc:6d:b8:b1:b1:17:1c:
>>>             a1:28:37:da:5a:1e:17:6c:61:5d:d4:a9:52:15:0a:8c:
>>>             bc:9d:14:35:f0:b7:1a:0c:53:fa:05:5d:fa:56:1f:ea:
>>>             23:be:b3:20:0a:30:dc:ae:e5:a6:4d:bf:35:4a:91:11:
>>>             f6:fd:73:c5:55:e7:83:52:b0:f1:9b:83:c2:b3:48:ea:
>>>             5e:21:aa:a0:2d:fb:78:cb:35:d8:20:02:c2:1c:8d:a1:
>>>             8a:f5:72:81:c5:35:f5:36:3e:3e:5e:02:4b:4e:34:97:
>>>             0f:b6:80:e2:90:1e:f9:55:41:79:f9:78:e6:d7:43:14:
>>>             50:f7:39:e2:e8:7f:0a:89:95:08:94:7e:dd:ca:9d:ba:
>>>             f8:9c:6f:24:48:5c:92:53:9d:cd:aa:91:91:6e:db:1e:
>>>             df:54:3c:0b:ce:57:07:26:32:70:f9:ba:fd:ad:b2:7a:
>>>             a6:1b:d1:a5:c9:30:1d:fa:f6:1d:8a:b0:71:ca:4d:9b:
>>>             41:2b:7c:43:80:54:a3:32:65:d8:48:fe:87:a2:15:a7:
>>>             14:f0:bb:f9:65:cd:7e:a9:03:a7:3c:f3:d1:73:f7:1b:
>>>             a1:e7:51:66:39:ba:6c:a9:6d:1d:33:b0:3b:63:04:4c:
>>>             79:cc:16:ce:5f:9f:b1:c5:01:47:72:88:0c:e2:69:ef
>>>         Fingerprint (MD5):
>>>             7c:3d:5b:37:da:62:e4:a1:da:57:e5:66:5a:f0:15:53
>>>         Fingerprint (SHA1):
>>>             2e:83:f0:14:cf:ca:c3:f5:6c:8e:fa:01:79:94:ec:90:
>>>             75:81:d5:0b
>>> ipa: DEBUG: approved_usage = SSL Server intended_usage = SSL Server
>>> ipa: DEBUG: cert valid True for "CN=<ipa-host>,O=<myrealm>"
>>> ipa: DEBUG: handshake complete, peer = <IP>:443
>>> ipa: DEBUG: Protocol: TLS1.2
>>> ipa: DEBUG: Cipher: TLS_RSA_WITH_AES_128_CBC_SHA
>>> ipa: DEBUG: Caught fault 2100 from server
>>> https://<ipa-host>/ipa/session/xml: Insufficient access: SASL(-1):
>>> generic failure: GSSAPI Error: Unspecified GSS failure.  Minor code may
>>> provide more information (Ticket expired)
>>> ipa: DEBUG: Destroyed connection context.xmlclient
>>> ipa: ERROR: Insufficient access: SASL(-1): generic failure: GSSAPI
>>> Error: Unspecified GSS failure.  Minor code may provide more information
>>> (Ticket expired)
>>> ###
>>>
>>> Any guidance about where it can come from or what to do?
>>>
>>> From the ipa-server, in the krb5kdc.log, I sometimes find this kind of
>>> message:
>>> ###
>>> Oct 25 09:59:37 <IPA HOST> krb5kdc[30767](info): ...
>>> CONSTRAINED-DELEGATION s4u-client=<myuser>@<myrealm>
>>> Oct 25 09:59:37 <IPA HOST> krb5kdc[30767](info): ...
>>> CONSTRAINED-DELEGATION s4u-client=<myuser>@<myrealm>
>>> ###
>>>
>>> Best regards.
>>>
>>> Bahan
>>>
>>>
>>>
>> I would firstly check the time difference between client and IPA server.
>> If the time skew is too great all sorts of errors can pop up regarding
>> Kerberos authentication.
>>
>> I would also check /var/log/http/error_log and
>> /var/log/dirsrv/slapd-<REALM>/errors for additional info. I suspect
>> there is something wrong with the keytab of HTTP principal on the IPA
>> server.
>>
>> --
>> Martin^3 Babinsky
>>
>> --
>> Manage your subscription for the Freeipa-users mailing list:
>> https://www.redhat.com/mailman/listinfo/freeipa-users
>> Go to http://freeipa.org for more info on the project
>>
>
>
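A small diagnostic for the "persistent storage" asked about above, added here as an example; it is not code from this thread or from the FreeIPA project. It repeats the keyctl lookup visible in the debug output (the key description "ipa_session_cookie:<principal>" in the session keyring "@s" is taken from that output), parses the cached ipa_session cookie and reports how close its Expires is to the current time, so the TGT lifetime klist prints can be compared against the much shorter session lifetime. The sample cookie is the one quoted in the thread; the 15 minute "expiring-soon" threshold, the assumption that "keyctl search" exits non-zero when no key matches, and the script name in the usage line are my own.

```python
"""Inspect the ipa_session cookie the FreeIPA client caches in the kernel session keyring.

The client's debug output in this thread shows the lookup it performs before each call:
    keyctl search @s user ipa_session_cookie:<principal>   ->  key id
    keyctl pipe <key id>                                   ->  cookie string
"""
import shutil
import subprocess
from datetime import datetime, timedelta, timezone
from email.utils import parsedate_to_datetime

# Constructed sample: the cookie string quoted in the thread's debug log.
SAMPLE_COOKIE = ("ipa_session=26a7252e4853374fc7439eae5926c584; Domain=<ipa-host>; "
                 "Path=/ipa; Expires=Tue, 25 Oct 2016 08:15:09 GMT; Secure; HttpOnly")

SOON = timedelta(minutes=15)   # assumed threshold for reporting "expiring-soon"


def utc_time(text):
    """Parse an ISO 8601 timestamp such as '2016-10-25T08:05:09' as UTC."""
    return datetime.fromisoformat(text).replace(tzinfo=timezone.utc)


def parse_session_cookie(raw):
    """Split a Set-Cookie style string into name, value, flags and attributes.

    Expires becomes an aware UTC datetime, Secure/HttpOnly become booleans, and any
    other attribute (Domain, Path, ...) is stored under its lower-cased name.
    """
    parts = [p.strip() for p in raw.split(";") if p.strip()]
    if not parts or "=" not in parts[0]:
        raise ValueError("cookie must start with name=value")
    name, value = parts[0].split("=", 1)
    cookie = {"name": name.strip(), "value": value.strip(),
              "expires": None, "secure": False, "httponly": False}
    for attr in parts[1:]:
        key, _, val = attr.partition("=")
        key, val = key.strip().lower(), val.strip()
        if key == "secure":
            cookie["secure"] = True
        elif key == "httponly":
            cookie["httponly"] = True
        elif key == "expires":
            expires = parsedate_to_datetime(val)          # RFC 1123 date with a GMT zone
            if expires.tzinfo is None:                    # unknown zone: assume UTC
                expires = expires.replace(tzinfo=timezone.utc)
            cookie["expires"] = expires.astimezone(timezone.utc)
        else:
            cookie[key] = val
    return cookie


def seconds_remaining(cookie, now):
    """Seconds until Expires, or None when the cookie carries no Expires attribute."""
    if cookie["expires"] is None:
        return None
    return (cookie["expires"] - now).total_seconds()


def classify(cookie, now, soon=SOON):
    """Return 'expired', 'expiring-soon', 'valid' or 'no-expiry' for the cookie at time now."""
    remaining = seconds_remaining(cookie, now)
    if remaining is None:
        return "no-expiry"
    if remaining <= 0:
        return "expired"
    if remaining <= soon.total_seconds():
        return "expiring-soon"
    return "valid"


def keyring_cookie(principal):
    """Fetch the cached cookie for principal the way the client does; None if absent.
    Assumes keyctl is on PATH and that 'keyctl search' exits non-zero when no key matches."""
    if shutil.which("keyctl") is None:
        return None
    desc = "ipa_session_cookie:" + principal
    found = subprocess.run(["keyctl", "search", "@s", "user", desc],
                           capture_output=True, text=True)
    if found.returncode != 0 or not found.stdout.strip():
        return None
    piped = subprocess.run(["keyctl", "pipe", found.stdout.strip()],
                           capture_output=True, text=True)
    return piped.stdout.strip() if piped.returncode == 0 else None


def report(raw, now=None):
    """Print a summary of one cookie string and return its classification."""
    now = now or datetime.now(timezone.utc)
    cookie = parse_session_cookie(raw)
    state, left = classify(cookie, now), seconds_remaining(cookie, now)
    print(f"{cookie['name']}  Domain={cookie.get('domain')}  Path={cookie.get('path')}")
    if left is None:
        print(f"  expires: none ({state})")
    else:
        print(f"  expires: {cookie['expires'].isoformat()} ({state}, {left:.0f}s left)")
    print(f"  flags:   Secure={cookie['secure']} HttpOnly={cookie['httponly']}")
    return state


if __name__ == "__main__":
    import sys
    raw = keyring_cookie(sys.argv[1]) if len(sys.argv) > 1 else None
    if raw is None:
        print("no cached cookie read from the keyring; showing the sample from the thread")
        raw = SAMPLE_COOKIE
    report(raw)
```

Run it as "python3 ipa_session_check.py <myuser>@<myrealm>" in the same shell where the ipa command failed, so it searches the same session keyring the client searched; without an argument it reports on the sample cookie. Two points to keep in mind when reading the output: the Expires on the cookie and the expiry klist prints for the TGT are independent lifetimes, which is why a valid 24 hour ticket can sit next to a cached session with ten minutes left; and the cookie is a bearer credential, so the Secure and HttpOnly attributes, which constrain browsers, say nothing about who can read it out of the keyring with keyctl as the same user or as root.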