On Thu, Apr 10, 2014 at 02:32:06PM -0400, [email protected] wrote:
> SELinux is disabled, I changed the permissions back to the old ones and I
> have the problem again, although as root I can kinit as myself and can run
> commands. But not as the regular user. Do you have any strace examples to
> share?
>
> [root@replicahostname /tmp]# ll -Za
> drwxrwxrwt. root root system_u:object_r:tmp_t:s0 .
> dr-xr-xr-x. root root system_u:object_r:root_t:s0 ..
> -rw------- rkelly rkelly ? .bash_history
> drwxrwxrwt root root ? .ICE-unix
> drwxrwxr-x rkelly rkelly ? .ipa
> -r-------- root root ? krb5cc_0
> -r-------- xs05144 xs05144 ? krb5cc_1599000020_u5RRhd
> -r-------- rkelly rkelly ? krb5cc_1599100000_CUkupo
> -r-------- rkelly rkelly ? krb5cc_1599100000_ZekyY0
> -r-------- apache apache ? krb5cc_48
>
> [root@replicahostname /tmp]# klist
> klist: Credentials cache permissions incorrect while setting cache flags
> (ticket cache FILE:/tmp/krb5cc_1599100000_CUkupo)

strace -o /tmp/klist.out -s 512 klist

The needed output will be in /tmp/klist.out.

bye,
Sumit

> [root@liipaxs007p /tmp]# cat /etc/sysconfig/selinux
> # This file controls the state of SELinux on the system.
> # SELINUX= can take one of these three values:
> # enforcing - SELinux security policy is enforced.
> # permissive - SELinux prints warnings instead of enforcing.
> # disabled - SELinux is fully disabled.
> SELINUX=disabled
> # SELINUXTYPE= type of policy in use. Possible values are:
> # targeted - Only targeted network daemons are protected.
> # strict - Full SELinux protection.
> SELINUXTYPE=targeted
>
> Thank You,
> Rashard Kelly
>
> From: Sumit Bose <[email protected]>
> To: [email protected]
> Cc: [email protected]
> Date: 04/10/2014 12:31 PM
> Subject: Re: [Freeipa-users] ipa: ERROR: did not receive Kerberos credentials
>
> On Thu, Apr 10, 2014 at 11:55:05AM -0400, [email protected] wrote:
> > I can run commands after changing the permissions on the files, but why is
> > it generating files that are not world readable?
> >
> > [rkelly@replicahostname ~]$ ll
> > total 84
> > -rw-r--r-- 1 root root 2428 Apr 9 22:34 krb5cc_0
> > -rw-r--r-- 1 xs05144 xs05144 1146 Apr 3 16:10 krb5cc_1599000020_u5RRhd
> > -rw-r--r-- 1 rkelly rkelly 569 Apr 10 15:14 krb5cc_1599100000_CUkupo
> > -rw-r--r-- 1 rkelly rkelly 1873 Apr 9 23:40 krb5cc_1599100000_ZekyY0
> > -rw-r--r-- 1 apache apache 662 Apr 10 06:02 krb5cc_48
>
> Please don't do this, the credential cache files are similar to your
> password, only the user itself should be allowed to read it.
>
> When you use ls with the -Z option there is a '?' where the SELinux
> context should be printed. Maybe there are issues with your SELinux
> setup which prevent access to the ccache files? Can you try SELinux in
> permissive mode? If there are still issues, running klist with strace
> might give some more details why the ccache file cannot be read.
>
> HTH
>
> bye,
> Sumit
>
> > [rkelly@replicahostname ~]$ klist
> > Ticket cache: FILE:/tmp/krb5cc_1599100000_CUkupo
> > Default principal: rkelly@DOMAIN
> >
> > Valid starting Expires Service principal
> > 04/10/14 15:14:40 04/11/14 15:14:40 krbtgt/IPA2.DC.SITA.AERO@DOMAIN
> >
> > [rkelly@replicahostname ~]$ ipa user-find kelly
> > --------------
> > 1 user matched
> > --------------
> > User login: rkelly
> > First name: Rashard
> > Last name: KElly
> > Home directory: /home/rkelly
> > Login shell: /bin/sh
> > Email address: rkelly@domain
> > UID: 1599100000
> > GID: 1599100000
> > Account disabled: False
> > Password: True
> > Kerberos keys available: True
> > ----------------------------
> > Number of entries returned 1
> > ----------------------------
> >
> > Thank You,
> > Rashard Kelly
> >
> > From: [email protected]
> > To: Alexander Bokovoy <[email protected]>
> > Cc: [email protected]
> > Date: 04/10/2014 08:42 AM
> > Subject: Re: [Freeipa-users] ipa: ERROR: did not receive Kerberos credentials
> > Sent by: [email protected]
> >
> > The krb5 files are not readable by everyone. There are multiple krb5 files
> > in tmp, should they automatically be readable by all? BTW our users do not
> > have home directories if that makes a difference.
> >
> > [rkelly@replicahostname ~]$ ls -lZ /tmp |grep krb
> > -rw------- root root ? krb5cc_0
> > -rw------- xs05144 xs05144 ? krb5cc_1599000020_u5RRhd
> > -rw------- rkelly rkelly ? krb5cc_1599100000_oKtZFE
> > -rw------- rkelly rkelly ? krb5cc_1599100000_ZekyY0
> > -rw------- apache apache ? krb5cc_48
> >
> > ipa-server-selinux-3.0.0-37.el6.x86_64
> > ipa-client-3.0.0-37.el6.x86_64
> > ipa-server-3.0.0-37.el6.x86_64
> > ipa-pki-common-theme-9.0.3-7.el6.noarch
> > libipa_hbac-python-1.9.2-129.el6_5.4.x86_64
> > ipa-python-3.0.0-37.el6.x86_64
> > ipa-admintools-3.0.0-37.el6.x86_64
> > ipa-pki-ca-theme-9.0.3-7.el6.noarch
> > libipa_hbac-1.9.2-129.el6_5.4.x86_64
> > python-iniparse-0.3.1-2.1.el6.noarch
> >
> > [rkelly@replicahostname ~]$ cat /proc/mounts | grep /tmp
> > /dev/mapper/system-tmp_vol /tmp ext4 rw,relatime,barrier=1,data=ordered 0 0
> > [rkelly@replicahostname ~]$ echo $KRB5CCNAME
> > FILE:/tmp/krb5cc_1599100000_oKtZFE
> >
> > [rkelly@replicahostname ~]$ ls -lZ /tmp/krb5cc_1599100000_oKtZFE
> > -rw------- rkelly rkelly ? /tmp/krb5cc_1599100000_oKtZFE
> >
> > [rkelly@replicahostname ~]$ KRB5_TRACE=/dev/stderr kinit
> > [14559] 1397132474.221287: Getting initial credentials for rkelly@DOMAIN
> > [14559] 1397132474.221510: Sending request (191 bytes) to DOMAIN
> > [14559] 1397132474.221677: Sending initial UDP request to dgram 10.228.20.25:88
> > [14559] 1397132474.225248: Received answer from dgram 10.228.20.25:88
> > [14559] 1397132474.225287: Response was from master KDC
> > [14559] 1397132474.225306: Received error from KDC: -1765328359/Additional pre-authentication required
> > [14559] 1397132474.225331: Processing preauth types: 136, 19, 2, 133
> > [14559] 1397132474.225343: Selected etype info: etype aes256-cts, salt "IPA2.DC.SITA.AEROrkelly", params ""
> > [14559] 1397132474.225346: Received cookie: MIT
> > Password for rkelly@DOMAIN:
> > [14559] 1397132484.255381: AS key obtained for encrypted timestamp: aes256-cts/DBF7
> > [14559] 1397132484.255432: Encrypted timestamp (for 1397132484.255390): plain 301AA011180F32303134303431303132323132345AA105020303E59E, encrypted 321A6A1E297880D1E2D1BF069D6D44136D7A2A0D3AAFC3209CB9B4E5BAAE59E928559E47FD0A140F68D377A8398D7CAB4B735D0612247A7C
> > [14559] 1397132484.255453: Preauth module encrypted_timestamp (2) (flags=1) returned: 0/Success
> > [14559] 1397132484.255457: Produced preauth for next request: 133, 2
> > [14559] 1397132484.255474: Sending request (286 bytes) to DOMAIN (master)
> > [14559] 1397132484.255560: Sending initial UDP request to dgram 10.228.20.25:88
> > [14559] 1397132484.262563: Received answer from dgram 10.228.20.25:88
> > [14559] 1397132484.262593: Processing preauth types: 19
> > [14559] 1397132484.262600: Selected etype info: etype aes256-cts, salt "DOMAINrkelly", params ""
> > [14559] 1397132484.262603: Produced preauth for next request: (empty)
> > [14559] 1397132484.262609: AS key determined by preauth: aes256-cts/DBF7
> > [14559] 1397132484.262650: Decrypted AS reply; session key is: aes256-cts/B097
> > [14559] 1397132484.262664: FAST negotiation: available
> > [14559] 1397132484.262681: Initializing FILE:/tmp/krb5cc_1599100000_oKtZFE with default princ rkelly@DOMAIN
> >
> > [rkelly@replicahostname ~]$ KRB5_TRACE=/dev/stderr klist
> > klist: Credentials cache permissions incorrect while setting cache flags
> > (ticket cache FILE:/tmp/krb5cc_1599100000_oKtZFE)
> >
> > --
> >
> > Thank You,
> > Rashard Kelly
> >
> > From: Alexander Bokovoy <[email protected]>
> > To: [email protected]
> > Cc: [email protected]
> > Date: 04/10/2014 03:25 AM
> > Subject: Re: [Freeipa-users] ipa: ERROR: did not receive Kerberos credentials
> >
> > On Thu, 10 Apr 2014, [email protected] wrote:
> > >Hello all
> > >
> > >When I try to execute any commands from an ipa-replica I get
> > >
> > >[rkelly@replicahostname ~]$ ipa user-find
> > >ipa: ERROR: did not receive Kerberos credentials
> > >[rkelly@replicahostname ~]$ kinit
> > >Password for [email protected]:
> > >[rkelly@replicahostname ~]$ ipa user-find
> > >ipa: ERROR: did not receive Kerberos credentials
> > >[rkelly@replicahostname ~]$ klist
> > >klist: Credentials cache permissions incorrect while setting cache flags
> > >(ticket cache FILE:/tmp/krb5cc_1599100000_qojy7v)
> > >
> > >I thought perhaps the two are out of sync
> > >[root@replicahostname ~]# ipa-replica-manage re-initialize --from
> > >liipaxs010p.ipa2.dc.sita.aero
> > >Invalid password
> > >
> > >ipa-replica-conncheck says communication is ok.
> > >
> > >I looked at the httpd, secure, and krb log and none show any activity when
> > >I execute the commands above. I'm lost, any clues as to where I can look for
> > >answers?
> > Let's put IPA commands aside and first find out what's wrong with your
> > Kerberos infra. Looking at your ticket cache file name
> > (FILE:/tmp/krb5cc_1599100000_qojy7v) I assume you have come to this
> > machine via SSH and the ticket cache is created by the sshd or sssd.
> >
> > The message you received out of klist is shown if ccache file is either:
> > - inaccessible for the user
> > - is a directory rather than a file
> > - is a broken symlink
> > - blocked by some app with exclusive locks
> > - cannot be open for a write
> >
> > Please provide output of
> > $ cat /proc/mounts | grep /tmp
> > $ echo $KRB5CCNAME
> > $ ls -lZ /tmp/krb5cc_1599100000_qojy7v
> > $ KRB5_TRACE=/dev/stderr kinit
> > $ KRB5_TRACE=/dev/stderr klist
> >
> > You can temporarily overcome this issue by selecting a different ticket
> > cache by setting the KRB5CCNAME environment variable:
> >
> > $ export KRB5CCNAME=$HOME/.krb5cc
> > $ kinit
> > $ ipa user-find
> > ...
> >
> > However, it would be good to solve the issue to avoid repeating these
> > problems
> >
> > --
> > / Alexander Bokovoy
> >
> > _______________________________________________
> > Freeipa-users mailing list
> > [email protected]
> > https://www.redhat.com/mailman/listinfo/freeipa-users
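The ccache conditions Alexander lists (inaccessible, a directory, a broken symlink, not writable) together with Sumit's point that a credential cache must stay private, as a shell check added here; this is not code from the thread, FreeIPA or MIT krb5, and the `FILE:` prefix handling, the finding labels and the numeric owner-uid comparison are this example's own choices.

```sh
#!/bin/sh
# Added example, not from the thread: inspect a FILE: Kerberos credential cache
# for the failure conditions listed in the thread (inaccessible, a directory,
# a broken symlink, not writable) plus any group/world access bits. Exit 0 when
# the cache looks usable and private, 1 otherwise.

# Strip the optional "FILE:" prefix carried by a KRB5CCNAME value.
ccache_path() {
    case "$1" in
        FILE:*) printf '%s\n' "${1#FILE:}" ;;
        *)      printf '%s\n' "$1" ;;
    esac
}

check_ccache() {
    path=$(ccache_path "$1")
    status=0
    if [ -L "$path" ] && [ ! -e "$path" ]; then
        echo "BROKEN_SYMLINK: $path"; return 1
    fi
    if [ ! -e "$path" ]; then
        echo "MISSING: $path"; return 1
    fi
    if [ -d "$path" ]; then
        echo "IS_DIRECTORY: $path"; return 1
    fi
    # Follow symlinks and use numeric ids so this works without a passwd entry.
    line=$(ls -ldnL "$path")
    mode=$(printf '%s\n' "$line" | cut -c1-10)      # e.g. -r--------
    owner=$(printf '%s\n' "$line" | awk '{print $3}')
    if [ "$owner" != "$(id -u)" ]; then
        echo "WRONG_OWNER: $path belongs to uid $owner, not $(id -u)"; status=1
    fi
    # klist opens the cache read-write when it sets cache flags (the step named in
    # the error), so the owner needs both bits: a 0400 cache like the ones in the
    # last listing above fails here.
    case "$mode" in ?r*) ;; *) echo "OWNER_CANNOT_READ: $path ($mode)"; status=1 ;; esac
    case "$mode" in ??w*) ;; *) echo "OWNER_CANNOT_WRITE: $path ($mode)"; status=1 ;; esac
    # A ccache is as sensitive as a password: any group or world bit is a finding.
    case "$mode" in ????---???) ;; *) echo "GROUP_ACCESSIBLE: $path ($mode)"; status=1 ;; esac
    case "$mode" in ???????---) ;; *) echo "WORLD_ACCESSIBLE: $path ($mode)"; status=1 ;; esac
    [ "$status" -eq 0 ] && echo "OK: $path ($mode)"
    return "$status"
}

# Pass the cache to check as the first argument, e.g. "$KRB5CCNAME".
[ $# -gt 0 ] && check_ccache "$1"
```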
