SELinux is disabled, I changed the permissions back to the old ones and I have the problem again, although as root I can kinit as myself and can run commands. But not as the regular user. Do you have any strace examples to share? [root@replicahostname /tmp]# ll -Za drwxrwxrwt. root root system_u:object_r:tmp_t:s0 . dr-xr-xr-x. root root system_u:object_r:root_t:s0 .. -rw------- rkelly rkelly ? .bash_history drwxrwxrwt root root ? .ICE-unix drwxrwxr-x rkelly rkelly ? .ipa -r-------- root root ? krb5cc_0 -r-------- xs05144 xs05144 ? krb5cc_1599000020_u5RRhd -r-------- rkelly rkelly ? krb5cc_1599100000_CUkupo -r-------- rkelly rkelly ? krb5cc_1599100000_ZekyY0 -r-------- apache apache ? krb5cc_48 = [root@replicahostname /tmp]# klist klist: Credentials cache permissions incorrect while setting cache flags (ticket cache FILE:/tmp/krb5cc_1599100000_CUkupo) [root@liipaxs007p /tmp]# cat /etc/sysconfig/selinux # This file controls the state of SELinux on the system. # SELINUX= can take one of these three values: # enforcing - SELinux security policy is enforced. # permissive - SELinux prints warnings instead of enforcing. # disabled - SELinux is fully disabled. SELINUX=disabled # SELINUXTYPE= type of policy in use. Possible values are: # targeted - Only targeted network daemons are protected. # strict - Full SELinux protection. SELINUXTYPE=targeted Thank You, Rashard Kelly From: Sumit Bose <sbose@redhat.com> To: Rashard.Kelly@sita.aero Cc: freeipa-users@redhat.com Date: 04/10/2014 12:31 PM Subject: Re: [Freeipa-users] ipa: ERROR: did not receive Kerberos credentials <hr noshade> <tt>On Thu, Apr 10, 2014 at 11:55:05AM -0400, Rashard.Kelly@sita.aero wrote: > I can run commands after changing the permissions on the files, but why is > it generating files that are not world readable? > > [rkelly@replicahostname ~]$ ll > total 84 > -rw-r--r-- 1 root root 2428 Apr 9 22:34 krb5cc_0 > -rw-r--r-- 1 xs05144 xs05144 1146 Apr 3 16:10 krb5cc_1599000020_u5RRhd > -rw-r--r-- 1 rkelly rkelly 569 Apr 10 15:14 krb5cc_1599100000_CUkupo > -rw-r--r-- 1 rkelly rkelly 1873 Apr 9 23:40 krb5cc_1599100000_ZekyY0 > -rw-r--r-- 1 apache apache 662 Apr 10 06:02 krb5cc_48 Please don't do this, the credential cache files are similar to your password, only the user itself should be allowed to read it. When you use ls with the -Z option there is a '?' where the SELinux context should be printed. Maybe there are issues with your SELinux setup which prevent access to the ccache files? Can you try SELinux in permissive mode? If there are still issues running klist which strace might give some more details why the ccache file cannot be read. HTH bye, Sumit > > [rkelly@replicahostname ~]$ klist > Ticket cache: FILE:/tmp/krb5cc_1599100000_CUkupo > Default principal: rkelly@DOMAIN > > Valid starting Expires Service principal > 04/10/14 15:14:40 04/11/14 15:14:40 krbtgt/IPA2.DC.SITA.AERO@DOMAIN > > [rkelly@replicahostname ~]$ ipa user-find kelly > -------------- > 1 user matched > -------------- > User login: rkelly > First name: Rashard > Last name: KElly > Home directory: /home/rkelly > Login shell: /bin/sh > Email address: rkelly@domain > UID: 1599100000 > GID: 1599100000 > Account disabled: False > Password: True > Kerberos keys available: True > ---------------------------- > Number of entries returned 1 > ---------------------------- > Thank You, > Rashard Kelly > > > > From: Rashard.Kelly@sita.aero > To: Alexander Bokovoy <abokovoy@redhat.com> > Cc: freeipa-users@redhat.com > Date: 04/10/2014 08:42 AM > Subject: Re: [Freeipa-users] ipa: ERROR: did not receive Kerberos > credentials > Sent by: freeipa-users-bounces@redhat.com > > > > The krb5 files are not readable by everyone. There are multiple krb5 files > in tmp, should they automatically be readable by all? BTW our users do not > have home directories if that makes a difference. > > [rkelly@replicahostname ~]$ ls -lZ /tmp |grep krb > -rw------- root root ? krb5cc_0 > -rw------- xs05144 xs05144 ? krb5cc_1599000020_u5RRhd > -rw------- rkelly rkelly ? krb5cc_1599100000_oKtZFE > -rw------- rkelly rkelly ? krb5cc_1599100000_ZekyY0 > -rw------- apache apache ? krb5cc_48 > > ipa-server-selinux-3.0.0-37.el6.x86_64 > ipa-client-3.0.0-37.el6.x86_64 > ipa-server-3.0.0-37.el6.x86_64 > ipa-pki-common-theme-9.0.3-7.el6.noarch > libipa_hbac-python-1.9.2-129.el6_5.4.x86_64 > ipa-python-3.0.0-37.el6.x86_64 > ipa-admintools-3.0.0-37.el6.x86_64 > ipa-pki-ca-theme-9.0.3-7.el6.noarch > libipa_hbac-1.9.2-129.el6_5.4.x86_64 > python-iniparse-0.3.1-2.1.el6.noarch > > [rkelly@replicahostname ~]$ cat /proc/mounts | grep /tmp > /dev/mapper/system-tmp_vol /tmp ext4 rw,relatime,barrier=1,data=ordered 0 > 0 > [rkelly@replicahostname ~]$ echo $KRB5CCNAME > FILE:/tmp/krb5cc_1599100000_oKtZFE > > [rkelly@replicahostname ~]$ ls -lZ /tmp/krb5cc_1599100000_oKtZFE > -rw------- rkelly rkelly ? /tmp/krb5cc_1599100000_oKtZFE > > [rkelly@replicahostname ~]$ KRB5_TRACE=/dev/stderr kinit > [14559] 1397132474.221287: Getting initial credentials for rkelly@DOMAIN > [14559] 1397132474.221510: Sending request (191 bytes) to DOMAIN > [14559] 1397132474.221677: Sending initial UDP request to dgram > 10.228.20.25:88 > [14559] 1397132474.225248: Received answer from dgram 10.228.20.25:88 > [14559] 1397132474.225287: Response was from master KDC > [14559] 1397132474.225306: Received error from KDC: -1765328359/Additional > pre-authentication required > [14559] 1397132474.225331: Processing preauth types: 136, 19, 2, 133 > [14559] 1397132474.225343: Selected etype info: etype aes256-cts, salt > "IPA2.DC.SITA.AEROrkelly", params "" > [14559] 1397132474.225346: Received cookie: MIT > Password for rkelly@DOMAIN: > [14559] 1397132484.255381: AS key obtained for encrypted timestamp: > aes256-cts/DBF7 > [14559] 1397132484.255432: Encrypted timestamp (for 1397132484.255390): > plain 301AA011180F32303134303431303132323132345AA105020303E59E, encrypted > 321A6A1E297880D1E2D1BF069D6D44136D7A2A0D3AAFC3209CB9B4E5BAAE59E928559E47FD0A140F68D377A8398D7CAB4B735D0612247A7C > > [14559] 1397132484.255453: Preauth module encrypted_timestamp (2) > (flags=1) returned: 0/Success > [14559] 1397132484.255457: Produced preauth for next request: 133, 2 > [14559] 1397132484.255474: Sending request (286 bytes) to DOMAIN (master) > [14559] 1397132484.255560: Sending initial UDP request to dgram > 10.228.20.25:88 > [14559] 1397132484.262563: Received answer from dgram 10.228.20.25:88 > [14559] 1397132484.262593: Processing preauth types: 19 > [14559] 1397132484.262600: Selected etype info: etype aes256-cts, salt > "DOMAINrkelly", params "" > [14559] 1397132484.262603: Produced preauth for next request: (empty) > [14559] 1397132484.262609: AS key determined by preauth: aes256-cts/DBF7 > [14559] 1397132484.262650: Decrypted AS reply; session key is: > aes256-cts/B097 > [14559] 1397132484.262664: FAST negotiation: available > [14559] 1397132484.262681: Initializing FILE:/tmp/krb5cc_1599100000_oKtZFE > with default princ rkelly@DOMAIN > > [rkelly@replicahostname ~]$ KRB5_TRACE=/dev/stderr klist > klist: Credentials cache permissions incorrect while setting cache flags > (ticket cache FILE:/tmp/krb5cc_1599100000_oKtZFE) > > -- > > > Thank You, > Rashard Kelly > > > > > From: Alexander Bokovoy <abokovoy@redhat.com> > To: Rashard.Kelly@sita.aero > Cc: freeipa-users@redhat.com > Date: 04/10/2014 03:25 AM > Subject: Re: [Freeipa-users] ipa: ERROR: did not receive Kerberos > credentials > > > > On Thu, 10 Apr 2014, Rashard.Kelly@sita.aero wrote: > >Hello all > > > > > >When I try to execute and commands from the an ipa-replica I get > > > >[rkelly@replicahostname ~]$ ipa user-find > >ipa: ERROR: did not receive Kerberos credentials > >[rkelly@replicahostname ~]$ kinit > >Password for rkelly@IPA2.DC.SITA.AERO: > >[rkelly@replicahostname ~]$ ipa user-find > >ipa: ERROR: did not receive Kerberos credentials > >[rkelly@replicahostname ~]$ klist > >klist: Credentials cache permissions incorrect while setting cache flags > >(ticket cache FILE:/tmp/krb5cc_1599100000_qojy7v) > > > >I thought perhaps the two are out of sync > >[root@replicahostname ~]# ipa-replica-manage re-initialize --from > >liipaxs010p.ipa2.dc.sita.aero > >Invalid password > > > > > >ipa-replica-conncheck says communication is ok. > > > >I looked at the httpd, secure,and krb log and none show any activity when > >I execute the commands above. Im lost any clues as to where I can look > for > >answers? > Let's put IPA commands aside and first find out what's wrong with your > Kerberos infra. Looking at your ticket cache file name > (FILE:/tmp/krb5cc_1599100000_qojy7v) I assume you have come to this > machine via SSH and the ticket cache is created by the sshd or sssd. > > The message you received out of klist is shown if ccache file is either: > - unaccessible for the user > - is a directory rather than a file > - is a broken symlink > - blocked by some app with explusive locks > - cannot be open for a write > > Please provide output of > $ cat /proc/mounts | grep /tmp > $ echo $KRB5CCNAME > $ ls -lZ /tmp/krb5cc_1599100000_qojy7v > $ KRB5_TRACE=/dev/stderr kinit > $ KRB5_TRACE=/dev/stderr klist > > You can temporarily overcome this issue by selecting a different ticket > cache by setting KRB5CCNAME environmental variable: > > $ export KRB5CCNAME=$HOME/.krb5cc > $ kinit > $ ipa user-find > ... > > However, it would be good to solve the issue to avoid repeating these > problems > > > > -- > / Alexander Bokovoy > > > This document is strictly confidential and intended only for use by the > addressee unless otherwise stated. If you are not the intended recipient, > please notify the sender immediately and delete it from your system. See > you at 2014 Air Transport IT Summit, 17-19 June 2014 Click here to > register </tt><a href=http://www.sitasummit.aero/><tt>http://www.sitasummit.aero</tt></a><tt> > _______________________________________________ > Freeipa-users mailing list > Freeipa-users@redhat.com > </tt><a href="https://www.redhat.com/mailman/listinfo/freeipa-users"><tt>https://www.redhat.com/mailman/listinfo/freeipa-users</tt></a><tt> > > This document is strictly confidential and intended only for use by the > addressee unless otherwise stated. If you are not the intended recipient, > please notify the sender immediately and delete it from your system. > See you at 2014 Air Transport IT Summit, 17-19 June 2014 > > Click here to register </tt><a href=http://www.sitasummit.aero/><tt>http://www.sitasummit.aero</tt></a><tt> > > > _______________________________________________ > Freeipa-users mailing list > Freeipa-users@redhat.com > </tt><a href="https://www.redhat.com/mailman/listinfo/freeipa-users"><tt>https://www.redhat.com/mailman/listinfo/freeipa-users</tt></a><tt> </tt> This document is strictly confidential and intended only for use by the addressee unless otherwise stated. If you are not the intended recipient, please notify the sender immediately and delete it from your system. See you at 2014 Air Transport IT Summit, 17-19 June 2014 Click here to register http://www.sitasummit.aero