Re: [Freeipa-users] Insufficient access: SASL(-1): generic failure: GSSAPI Error: Unspecified GSS failure. Minor code may provide more information (Ticket expired)
Help ?

Best regards.

Bahan

On Tue, Oct 25, 2016 at 1:00 PM, bahan w wrote:
Re: [Freeipa-users] Insufficient access: SASL(-1): generic failure: GSSAPI Error: Unspecified GSS failure. Minor code may provide more information (Ticket expired)
Re.

There is no time difference between client and server.

I checked the httpd error log and saw no errors.
Same with the dirsrv error logs.

Any other idea ?

By looking at the log, I'm wondering if this is a question of session ?

See there :
###
ipa: DEBUG: args=keyctl pipe 44063864
ipa: DEBUG: stdout=ipa_session=26a7252e4853374fc7439eae5926c584; Domain=; Path=/ipa; Expires=Tue, 25 Oct 2016 08:15:09 GMT; Secure; HttpOnly
ipa: DEBUG: stderr=
ipa: DEBUG: found session_cookie in persistent storage for principal '@', cookie: 'ipa_session=26a7252e4853374fc7439eae5926c584; Domain=; Path=/ipa; Expires=Tue, 25 Oct 2016 08:15:09 GMT; Secure; HttpOnly'
ipa: DEBUG: setting session_cookie into context 'ipa_session=26a7252e4853374fc7439eae5926c584;'
###

At that time, it was not yet expired but there were only a few minutes before expiration (something like 10 minutes).
What is this persistent storage which is mentioned in the logs ?

Best regards.

Bahan

On Tue, Oct 25, 2016 at 12:18 PM, Martin Babinsky wrote:
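Added example, not part of the original message or of FreeIPA's code: the debug lines quoted in the message above carry the session cookie's own Expires timestamp, which is distinct from the ticket lifetime that klist reports, as well as the cookie value itself. The Python below extracts that expiry from `ipa -d` output and masks the cookie value before a log is shared; the function names and the sample cookie value are constructed for illustration.

```python
import re
from datetime import datetime, timezone
from email.utils import parsedate_to_datetime

# Constructed sample in the format of the debug lines quoted above;
# the cookie value is a made-up placeholder.
SAMPLE = """\
ipa: DEBUG: args=keyctl pipe 44063864
ipa: DEBUG: stdout=ipa_session=0123456789abcdef0123456789abcdef; Domain=; Path=/ipa; Expires=Tue, 25 Oct 2016 08:15:09 GMT; Secure; HttpOnly
ipa: DEBUG: stderr=
ipa: DEBUG: setting session_cookie into context 'ipa_session=0123456789abcdef0123456789abcdef;'
"""

COOKIE_RE = re.compile(r"ipa_session=([0-9a-fA-F]+)")
EXPIRES_RE = re.compile(r"Expires=([^;']+)")


def cookie_expiries(debug_text):
    """Return the distinct cookie Expires= timestamps, normalised to UTC."""
    found = set()
    for line in debug_text.splitlines():
        if "ipa_session=" not in line:
            continue
        match = EXPIRES_RE.search(line)
        if not match:
            continue  # e.g. the "setting session_cookie" line has no Expires
        expiry = parsedate_to_datetime(match.group(1).strip())
        if expiry.tzinfo is None:  # no usable zone in the date: treat as UTC
            expiry = expiry.replace(tzinfo=timezone.utc)
        found.add(expiry.astimezone(timezone.utc))
    return sorted(found)


def seconds_left(expiry, now):
    """Seconds until the cookie expires; a negative value means expired."""
    return int((expiry - now).total_seconds())


def redact(debug_text, keep=4):
    """Mask session identifiers so the debug log can be posted safely."""
    return COOKIE_RE.sub(
        lambda m: "ipa_session=" + m.group(1)[:keep] + "...[redacted]",
        debug_text,
    )


if __name__ == "__main__":
    now = datetime.now(timezone.utc)
    for expiry in cookie_expiries(SAMPLE):
        print(expiry.isoformat(), seconds_left(expiry, now))
    print(redact(SAMPLE))
```

Comparing the value from `seconds_left` with the expiry shown by klist makes it clear which of the two lifetimes is close to running out when the error appears.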
Re: [Freeipa-users] Insufficient access: SASL(-1): generic failure: GSSAPI Error: Unspecified GSS failure. Minor code may provide more information (Ticket expired)
On 10/25/2016 10:27 AM, bahan w wrote:
[Freeipa-users] Insufficient access: SASL(-1): generic failure: GSSAPI Error: Unspecified GSS failure. Minor code may provide more information (Ticket expired)
Hello everyone !

I have an ipa server and an ipa client both in 3.0.0-47.

In order to connect via SSH to the host of the ipa-client, I use root.
When I'm connected to the ipa-client via ssh being root, I do a kinit of a user with a keytab :
###
kinit -kt /etc/security/keytabs/.headless.keytab
###

And sometimes, once I have the TGT, when I do just an ipa user-show, I got the following error :
###
ipa: ERROR: Insufficient access: SASL(-1): generic failure: GSSAPI Error: Unspecified GSS failure. Minor code may provide more information (Ticket expired)
###

When I check the ticket, it is not expired :
###
# klist
Ticket cache: FILE:/tmp/krb5cc_root_
Default principal: @

Valid starting     Expires            Service principal
10/25/16 10:00:44  10/26/16 10:00:44  krbtgt/@
###

Do you know from where it can come and how I can solve this error please ?

Here is more information with the debug option :
###
ipa -d user-show
###

Result :
###
ipa: DEBUG: importing all plugin modules in '/usr/lib/python2.6/site-packages/ipalib/plugins'...
ipa: DEBUG: importing plugin module '/usr/lib/python2.6/site-packages/ipalib/plugins/aci.py'
ipa: DEBUG: importing plugin module '/usr/lib/python2.6/site-packages/ipalib/plugins/automember.py'
ipa: DEBUG: importing plugin module '/usr/lib/python2.6/site-packages/ipalib/plugins/automount.py'
ipa: DEBUG: importing plugin module '/usr/lib/python2.6/site-packages/ipalib/plugins/baseldap.py'
ipa: DEBUG: importing plugin module '/usr/lib/python2.6/site-packages/ipalib/plugins/batch.py'
ipa: DEBUG: importing plugin module '/usr/lib/python2.6/site-packages/ipalib/plugins/cert.py'
ipa: DEBUG: importing plugin module '/usr/lib/python2.6/site-packages/ipalib/plugins/config.py'
ipa: DEBUG: importing plugin module '/usr/lib/python2.6/site-packages/ipalib/plugins/delegation.py'
ipa: DEBUG: importing plugin module '/usr/lib/python2.6/site-packages/ipalib/plugins/dns.py'
ipa: DEBUG: importing plugin module '/usr/lib/python2.6/site-packages/ipalib/plugins/group.py'
ipa: DEBUG: importing plugin module '/usr/lib/python2.6/site-packages/ipalib/plugins/hbacrule.py'
ipa: DEBUG: importing plugin module '/usr/lib/python2.6/site-packages/ipalib/plugins/hbacsvc.py'
ipa: DEBUG: importing plugin module '/usr/lib/python2.6/site-packages/ipalib/plugins/hbacsvcgroup.py'
ipa: DEBUG: importing plugin module '/usr/lib/python2.6/site-packages/ipalib/plugins/hbactest.py'
ipa: DEBUG: importing plugin module '/usr/lib/python2.6/site-packages/ipalib/plugins/host.py'
ipa: DEBUG: importing plugin module '/usr/lib/python2.6/site-packages/ipalib/plugins/hostgroup.py'
ipa: DEBUG: importing plugin module '/usr/lib/python2.6/site-packages/ipalib/plugins/idrange.py'
ipa: DEBUG: importing plugin module '/usr/lib/python2.6/site-packages/ipalib/plugins/internal.py'
ipa: DEBUG: importing plugin module '/usr/lib/python2.6/site-packages/ipalib/plugins/kerberos.py'
ipa: DEBUG: importing plugin module '/usr/lib/python2.6/site-packages/ipalib/plugins/krbtpolicy.py'
ipa: DEBUG: importing plugin module '/usr/lib/python2.6/site-packages/ipalib/plugins/migration.py'
ipa: DEBUG: importing plugin module '/usr/lib/python2.6/site-packages/ipalib/plugins/misc.py'
ipa: DEBUG: importing plugin module '/usr/lib/python2.6/site-packages/ipalib/plugins/netgroup.py'
ipa: DEBUG: importing plugin module '/usr/lib/python2.6/site-packages/ipalib/plugins/passwd.py'
ipa: DEBUG: importing plugin module '/usr/lib/python2.6/site-packages/ipalib/plugins/permission.py'
ipa: DEBUG: importing plugin module '/usr/lib/python2.6/site-packages/ipalib/plugins/ping.py'
ipa: DEBUG: importing plugin module '/usr/lib/python2.6/site-packages/ipalib/plugins/privilege.py'
ipa: DEBUG: importing plugin module '/usr/lib/python2.6/site-packages/ipalib/plugins/pwpolicy.py'
ipa: DEBUG: args=klist -V
ipa: DEBUG: stdout=Kerberos 5 version 1.10.3
ipa: DEBUG: stderr=
ipa: DEBUG: importing plugin module '/usr/lib/python2.6/site-packages/ipalib/plugins/role.py'
ipa: DEBUG: importing plugin module '/usr/lib/python2.6/site-packages/ipalib/plugins/selfservice.py'
ipa: DEBUG: importing plugin module '/usr/lib/python2.6/site-packages/ipalib/plugins/selinuxusermap.py'
ipa: DEBUG: importing plugin module '/usr/lib/python2.6/site-packages/ipalib/plugins/service.py'
ipa: DEBUG: importing plugin module '/usr/lib/python2.6/site-packages/ipalib/plugins/sudocmd.py'
ipa: DEBUG: importing plugin module '/usr/lib/python2.6/site-packages/ipalib/plugins/sudocmdgroup.py'
ipa: DEBUG: importing plugin module '/usr/lib/python2.6/site-packages/ipalib/plugins/sudorule.py'
ipa: DEBUG: importing plugin module '/usr/lib/python2.6/site-packages/ipalib/plugins/trust.py'
ipa: DEBUG: importing plugin module '/usr/lib/python2.6/site-packages/ipalib/plugins/user.py'
ipa: DEBUG: importing plugin module '/usr/lib/python2.6/site-packages/ipalib/plugins/virtual.py'
ipa: DEBUG: importing plugin module '/usr/lib/python2.6/site-packages/ipalib/plugins/xmlclient.py'
ipa: DEBUG: args=keyctl search @s user ipa_session_cooki