Hi guys! Good news.

> On 15 Feb 2021, at 20:11, Rob Crittenden <[email protected]> wrote:
>
> Vinícius Ferrão via FreeIPA-users wrote:
>> Hi Robbie.
>>
>>> On 15 Feb 2021, at 18:45, Robbie Harwood <[email protected]> wrote:
>>>
>>> Vinícius Ferrão writes:
>>>
>>>> [10/Feb/2021:23:05:57.501853962 -0300] conn=92 op=1 RESULT err=49 tag=97 nentries=0 etime=0.001927716 - SASL(-1): generic failure: GSSAPI Error: Unspecified GSS failure. Minor code may provide more information (Cannot create replay cache file /var/tmp/ldap_389: Operation not permitted)
>>>
>>> Well, this looks suspicious. Any idea why it can't create that? SELinux maybe?
>>
>> I was suspecting SELinux too, so I’ve issued setenforce 0 to check if it will work, but no success either.
>
> What is the mode of /var/tmp?

:) You figured it out. For a reason that I don’t know yet - you’ll try to discover why this happened - /var/tmp was with UID and GID permissions for a random user:

[root@neumann2 ~]# ls -l /var | grep tmp
drwxrwxrwt. 7 depaula depaula 4096 Feb 15 21:21 tmp

Since the sticky bit is enabled we got some bizarre things like this:

[root@neumann2 ~]# ls -l /var/tmp/
total 12
-rw-------. 1 root    root       6 Feb  6 11:21 host_0
-rw-------. 1 root    root       6 Feb  9 19:42 kadmin_0
-rw-------. 1 depaula depaula 2738 Feb  2 08:36 ldap_389

So yeah. February 2nd matches the start of the issue.

I’ve immediately stopped IPA, removed the files, fixed the permissions, reverted my /etc/named.conf hack, and IPA started without any apparent issue. I was able to properly issue commands after kinit’ing as admin.

Guys, thank you so much. It’s really good to have help from smart guys.

Thanks!!!

Best regards,
Vinicius

PS: Just to confirm:

[root@neumann2 ~]# ipa user-find | head
----------------
74 users matched
----------------
  User login: admin
  Last name: Administrator
  Home directory: /home/admin
  Login shell: /bin/bash
  Principal alias: [email protected]
  UID: 917400000
  GID: 917400000

> rob
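The root cause above is a world-writable, sticky-bit directory that was silently re-owned to an ordinary user, so the directory server could no longer create its Kerberos replay cache under /var/tmp. The following audit script is an added example and is not part of the thread or of FreeIPA; it assumes GNU coreutils `stat`, and it relies on MIT krb5's default replay cache file naming of `<service>_<euid>` (the `host_0`, `kadmin_0` and `ldap_389` files in the listing fit that pattern). It checks two things a defender would want to alarm on: that the temp directory is root-owned with mode 1777, and that each replay cache file is owned by the uid encoded in its name, which would have flagged `ldap_389` being owned by `depaula`.

```shell
#!/bin/sh
# Added example (not from the FreeIPA thread): audit the directory that
# libkrb5 uses for replay caches. Requires GNU coreutils stat (-c).

# check_tmp_dir DIR [EXPECTED_UID] [EXPECTED_GID]
# Returns 0 when DIR is a directory owned by EXPECTED_UID:EXPECTED_GID
# (default 0:0, i.e. root:root) with mode 1777; prints findings and
# returns 1 otherwise.
check_tmp_dir() {
    dir=$1
    want_uid=${2:-0}
    want_gid=${3:-0}
    if [ ! -d "$dir" ]; then
        echo "MISSING: $dir is not a directory"
        return 1
    fi
    # Numeric ids avoid 'UNKNOWN' for uids that are missing from passwd.
    have_uid=$(stat -c '%u' "$dir")
    have_gid=$(stat -c '%g' "$dir")
    have_mode=$(stat -c '%a' "$dir")   # prints e.g. 1777 for a sticky dir
    rc=0
    if [ "$have_uid" != "$want_uid" ] || [ "$have_gid" != "$want_gid" ]; then
        echo "BAD OWNER: $dir is uid:gid $have_uid:$have_gid (expected $want_uid:$want_gid)"
        rc=1
    fi
    if [ "$have_mode" != "1777" ]; then
        echo "BAD MODE: $dir is $have_mode (expected 1777)"
        rc=1
    fi
    return $rc
}

# check_rcache_owners DIR
# For every file DIR/<service>_<uid>, require the file's owner uid to equal
# the numeric suffix (assumption: MIT krb5 default replay cache naming).
# Returns 0 when all match, 1 when any file is owned by someone else.
check_rcache_owners() {
    rcdir=$1
    bad=0
    for f in "$rcdir"/*_[0-9]*; do
        [ -f "$f" ] || continue          # no matches leaves the literal glob
        name=${f##*/}
        suffix=${name##*_}
        case $suffix in
            *[!0-9]*) continue ;;        # not a purely numeric suffix
        esac
        owner=$(stat -c '%u' "$f")
        if [ "$owner" != "$suffix" ]; then
            echo "OWNER MISMATCH: $name is owned by uid $owner, expected uid $suffix"
            bad=1
        fi
    done
    return $bad
}

# Run as a script: audit the directory given as the first argument
# (e.g. ./audit_rcache.sh /var/tmp). Exit status is non-zero on any finding.
if [ "$#" -ge 1 ]; then
    status=0
    check_tmp_dir "$1" || status=1
    check_rcache_owners "$1" || status=1
    exit $status
fi
```

Wiring this into a periodic job (or a Nagios/Icinga-style check) turns the class of failure seen here into an alert rather than a multi-day outage hunt; the same `stat`-based comparison can be extended to `/tmp` and to any other directory a daemon writes credential material into.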
_______________________________________________
FreeIPA-users mailing list -- [email protected]
To unsubscribe send an email to [email protected]
Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: https://lists.fedorahosted.org/archives/list/[email protected]
Do not reply to spam on the list, report it: https://pagure.io/fedora-infrastructure
