The krb5 files are not readable by everyone. There are multiple krb5 files in tmp, should they automatically be readable by all? BTW our users do not have home directories if that makes a difference.
[rkelly@replicahostname ~]$ ls -lZ /tmp |grep krb
-rw------- root    root    ? krb5cc_0
-rw------- xs05144 xs05144 ? krb5cc_1599000020_u5RRhd
-rw------- rkelly  rkelly  ? krb5cc_1599100000_oKtZFE
-rw------- rkelly  rkelly  ? krb5cc_1599100000_ZekyY0
-rw------- apache  apache  ? krb5cc_48

ipa-server-selinux-3.0.0-37.el6.x86_64
ipa-client-3.0.0-37.el6.x86_64
ipa-server-3.0.0-37.el6.x86_64
ipa-pki-common-theme-9.0.3-7.el6.noarch
libipa_hbac-python-1.9.2-129.el6_5.4.x86_64
ipa-python-3.0.0-37.el6.x86_64
ipa-admintools-3.0.0-37.el6.x86_64
ipa-pki-ca-theme-9.0.3-7.el6.noarch
libipa_hbac-1.9.2-129.el6_5.4.x86_64
python-iniparse-0.3.1-2.1.el6.noarch

[rkelly@replicahostname ~]$ cat /proc/mounts | grep /tmp
/dev/mapper/system-tmp_vol /tmp ext4 rw,relatime,barrier=1,data=ordered 0 0

[rkelly@replicahostname ~]$ echo $KRB5CCNAME
FILE:/tmp/krb5cc_1599100000_oKtZFE

[rkelly@replicahostname ~]$ ls -lZ /tmp/krb5cc_1599100000_oKtZFE
-rw------- rkelly rkelly ? /tmp/krb5cc_1599100000_oKtZFE

[rkelly@replicahostname ~]$ KRB5_TRACE=/dev/stderr kinit
[14559] 1397132474.221287: Getting initial credentials for rkelly@DOMAIN
[14559] 1397132474.221510: Sending request (191 bytes) to DOMAIN
[14559] 1397132474.221677: Sending initial UDP request to dgram 10.228.20.25:88
[14559] 1397132474.225248: Received answer from dgram 10.228.20.25:88
[14559] 1397132474.225287: Response was from master KDC
[14559] 1397132474.225306: Received error from KDC: -1765328359/Additional pre-authentication required
[14559] 1397132474.225331: Processing preauth types: 136, 19, 2, 133
[14559] 1397132474.225343: Selected etype info: etype aes256-cts, salt "IPA2.DC.SITA.AEROrkelly", params ""
[14559] 1397132474.225346: Received cookie: MIT
Password for rkelly@DOMAIN:
[14559] 1397132484.255381: AS key obtained for encrypted timestamp: aes256-cts/DBF7
[14559] 1397132484.255432: Encrypted timestamp (for 1397132484.255390): plain 301AA011180F32303134303431303132323132345AA105020303E59E, encrypted 321A6A1E297880D1E2D1BF069D6D44136D7A2A0D3AAFC3209CB9B4E5BAAE59E928559E47FD0A140F68D377A8398D7CAB4B735D0612247A7C
[14559] 1397132484.255453: Preauth module encrypted_timestamp (2) (flags=1) returned: 0/Success
[14559] 1397132484.255457: Produced preauth for next request: 133, 2
[14559] 1397132484.255474: Sending request (286 bytes) to DOMAIN (master)
[14559] 1397132484.255560: Sending initial UDP request to dgram 10.228.20.25:88
[14559] 1397132484.262563: Received answer from dgram 10.228.20.25:88
[14559] 1397132484.262593: Processing preauth types: 19
[14559] 1397132484.262600: Selected etype info: etype aes256-cts, salt "DOMAINrkelly", params ""
[14559] 1397132484.262603: Produced preauth for next request: (empty)
[14559] 1397132484.262609: AS key determined by preauth: aes256-cts/DBF7
[14559] 1397132484.262650: Decrypted AS reply; session key is: aes256-cts/B097
[14559] 1397132484.262664: FAST negotiation: available
[14559] 1397132484.262681: Initializing FILE:/tmp/krb5cc_1599100000_oKtZFE with default princ rkelly@DOMAIN

[rkelly@replicahostname ~]$ KRB5_TRACE=/dev/stderr klist
klist: Credentials cache permissions incorrect while setting cache flags (ticket cache FILE:/tmp/krb5cc_1599100000_oKtZFE)

--
Thank You,
Rashard Kelly

From: Alexander Bokovoy <aboko...@redhat.com>
To: rashard.ke...@sita.aero
Cc: freeipa-users@redhat.com
Date: 04/10/2014 03:25 AM
Subject: Re: [Freeipa-users] ipa: ERROR: did not receive Kerberos credentials

On Thu, 10 Apr 2014, rashard.ke...@sita.aero wrote:
>Hello all
>
>When I try to execute any commands from an ipa-replica I get
>
>[rkelly@replicahostname ~]$ ipa user-find
>ipa: ERROR: did not receive Kerberos credentials
>[rkelly@replicahostname ~]$ kinit
>Password for rke...@ipa2.dc.sita.aero:
>[rkelly@replicahostname ~]$ ipa user-find
>ipa: ERROR: did not receive Kerberos credentials
>[rkelly@replicahostname ~]$ klist
>klist: Credentials cache permissions incorrect while setting cache flags
>(ticket cache FILE:/tmp/krb5cc_1599100000_qojy7v)
>
>I thought perhaps the two are out of sync
>[root@replicahostname ~]# ipa-replica-manage re-initialize --from liipaxs010p.ipa2.dc.sita.aero
>Invalid password
>
>ipa-replica-conncheck says communication is ok.
>
>I looked at the httpd, secure, and krb log and none show any activity when
>I execute the commands above. I'm lost; any clues as to where I can look for
>answers?

Let's put IPA commands aside and first find out what's wrong with your
Kerberos infra.

Looking at your ticket cache file name (FILE:/tmp/krb5cc_1599100000_qojy7v)
I assume you have come to this machine via SSH and the ticket cache is
created by the sshd or sssd.

The message you received out of klist is shown if the ccache file is either:
- inaccessible for the user
- a directory rather than a file
- a broken symlink
- blocked by some app with exclusive locks
- cannot be opened for write

Please provide output of
$ cat /proc/mounts | grep /tmp
$ echo $KRB5CCNAME
$ ls -lZ /tmp/krb5cc_1599100000_qojy7v
$ KRB5_TRACE=/dev/stderr kinit
$ KRB5_TRACE=/dev/stderr klist

You can temporarily overcome this issue by selecting a different ticket
cache by setting the KRB5CCNAME environment variable:
$ export KRB5CCNAME=$HOME/.krb5cc
$ kinit
$ ipa user-find
...

However, it would be good to solve the issue to avoid repeating these
problems.

--
/ Alexander Bokovoy
_______________________________________________
Freeipa-users mailing list
Freeipa-users@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-users
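An added example, not code from the thread or from FreeIPA: a shell function that checks a FILE: credential cache against the conditions Alexander lists (inaccessible for the user, a directory, a broken symlink, not writable), so a reader can reproduce the same triage from a shell; the exclusive-lock case is noted but not tested. The default path FILE:/tmp/krb5cc_<uid> assumed at the bottom matches the krb5cc_0 and krb5cc_48 names in the ls -lZ output.

```shell
# check_ccache: walk the ccache failure conditions listed in the thread
# for a FILE: credential cache (added example, not from the thread).
# Exit status: 0 = usable or absent (kinit will create it),
#              1 = problem found, 2 = not a FILE: cache, checks do not apply.
check_ccache() {
    cc="$1"
    case "$cc" in
        FILE:*) path="${cc#FILE:}" ;;
        *:*)    echo "$cc: not a FILE: cache, checks do not apply"; return 2 ;;
        *)      path="$cc" ;;   # bare path, e.g. KRB5CCNAME=/tmp/krb5cc_0
    esac
    # Broken symlink: the link node exists but its target does not.
    if [ -L "$path" ] && [ ! -e "$path" ]; then
        echo "$path: broken symlink"; return 1
    fi
    # Absent is fine: kinit creates it ("Initializing FILE:..." in the trace).
    if [ ! -e "$path" ]; then
        echo "$path: absent, kinit will create it"; return 0
    fi
    # A directory (or any non-regular file) where a file is expected.
    if [ -d "$path" ]; then
        echo "$path: is a directory, not a file"; return 1
    fi
    if [ ! -f "$path" ]; then
        echo "$path: not a regular file"; return 1
    fi
    # Inaccessible for the user: wrong owner, or not readable and writable.
    # klist needs write access too ("while setting cache flags").
    if [ ! -O "$path" ]; then
        echo "$path: not owned by $(id -un)"; return 1
    fi
    if [ ! -r "$path" ] || [ ! -w "$path" ]; then
        echo "$path: not readable and writable by $(id -un)"; return 1
    fi
    # Exclusive locks held by another process are not visible to test(1);
    # check with lsof or fuser on the path for that case.
    echo "$path: passes ownership and mode checks"; return 0
}

# Check the cache this shell would use; the fallback mirrors krb5cc_<uid>.
check_ccache "${KRB5CCNAME:-FILE:/tmp/krb5cc_$(id -u)}" || :
```

A cache that passes every check here but still fails klist, as the 0600 rkelly-owned file in the thread does, is outside the POSIX ownership and mode cases and needs the KRB5_TRACE output to narrow down.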