On Fri, Apr 11, 2014 at 11:22:55AM -0400, [email protected] wrote:
> I changed the permissions to world readable to test, afterward I changed
> it back to be readable only by the owner. The problem then reappeared.
>
> [rkelly@replicahostname ~]$ ls -lZa| grep krb
> -r-------- root root ? krb5cc_0
> -r-------- xs05144 xs05144 ? krb5cc_1599000020_u5RRhd
> -r-------- rkelly rkelly ? krb5cc_1599100000_CUkupo
> -r-------- rkelly rkelly ? krb5cc_1599100000_ZekyY0
> -r-------- apache apache ? krb5cc_48
> [rkelly@replicahostname ~]$ od /tmp/krb5cc_1599100000_CUkupo
> od: /tmp/krb5cc_1599100000_CUkupo: Permission denied

hm, either your filesystem is broken or there is an issue with duplicate
UIDs. Can you check if the filesystem UID matches yours:

stat krb5cc_1599100000_CUkupo

should show the numerical UID for the file and

id

will show yours.

HTH

bye,
Sumit

>
> Thank You,
> Rashard Kelly
> SITA Senior Linux Specialist
>
> From: Sumit Bose <[email protected]>
> To: [email protected]
> Cc: Alexander Bokovoy <[email protected]>, [email protected]
> Date: 04/11/2014 09:54 AM
> Subject: Re: [Freeipa-users] ipa: ERROR: did not receive Kerberos
> credentials
>
> On Fri, Apr 11, 2014 at 09:42:41AM -0400, [email protected] wrote:
> > [root@replicahostname ~]# sestatus
> > SELinux status: disabled
> > [root@replicahostname ~]# audit2why -b -w -t avc
> > [root@replicahostname ~]#
> >
> > Nothing in the audit log after audit2why came back either.
>
> That's odd. Can you read the file with od?
>
> od /tmp/krb5cc_1599100000_CUkupo
>
> don't send the output just check if it is readable or if od returns an
> error as well?
>
> Are there any odd filesystem permissions on your klist binary like s-bit
> set?
>
> ls -alZ $(which klist)
>
> (here you can send the output :-)
>
> bye,
> Sumit
>
> > Thank You,
> > Rashard Kelly
> >
> > From: Alexander Bokovoy <[email protected]>
> > To: [email protected]
> > Cc: Sumit Bose <[email protected]>, [email protected]
> > Date: 04/11/2014 09:06 AM
> > Subject: Re: [Freeipa-users] ipa: ERROR: did not receive Kerberos
> > credentials
> >
> > On Fri, 11 Apr 2014, [email protected] wrote:
> > >futex(0x7f0e2e1462c0, FUTEX_WAKE_PRIVATE, 2147483647) = 0
> > >open("/tmp/krb5cc_1599100000_CUkupo", O_RDONLY) = -1 EACCES (Permission
> > >denied)
> >
> > Are you sure you don't have SELinux really running and enabled?
> >
> > Because the following output makes me really worry:
> > >> [root@replicahostname /tmp]# ll -Za
> > >> drwxrwxrwt. root root system_u:object_r:tmp_t:s0 .
> > >> dr-xr-xr-x. root root system_u:object_r:root_t:s0 ..
> > >> -rw------- rkelly rkelly ? .bash_history
> > >> drwxrwxrwt root root ? .ICE-unix
> > >> drwxrwxr-x rkelly rkelly ? .ipa
> > >> -r-------- root root ? krb5cc_0
> > >> -r-------- xs05144 xs05144 ? krb5cc_1599000020_u5RRhd
> > >> -r-------- rkelly rkelly ? krb5cc_1599100000_CUkupo
> > >> -r-------- rkelly rkelly ? krb5cc_1599100000_ZekyY0
> > These rkelly:rkelly krb5cc_* files have no SELinux label and should be
> > readable to the owner.
> >
> > Can you show:
> >
> > [root] # sestatus
> > [root] # audit2why -b -w -t avc
> >
> > --
> > / Alexander Bokovoy
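
The numeric-UID comparison suggested in the reply at the top of this thread, written out as an added example that is not part of the original messages. The function names are hypothetical, GNU `stat` is assumed, and the passwd sample (including the local UID 500) is constructed for illustration.

```shell
#!/bin/sh
# Added example: ls prints owner *names*, so two accounts that share a name
# but not a UID look identical in a listing. Compare the numbers instead.

# owner_matches FILE: compare the file's numeric owner with the caller's UID.
owner_matches() {
    file_uid=$(stat -c %u "$1") || return 2   # GNU stat: numeric owner
    my_uid=$(id -u)
    if [ "$file_uid" = "$my_uid" ]; then
        echo "match"
    else
        echo "mismatch file_uid=$file_uid my_uid=$my_uid"
    fi
}

# duplicate_ids: read passwd-format lines on stdin and report any name that
# maps to more than one UID, or any UID that maps to more than one name.
duplicate_ids() {
    awk -F: '
        NF >= 3 {
            if (($1 in uid_of) && uid_of[$1] != $3)
                print "name " $1 " has UIDs " uid_of[$1] " and " $3
            if (($3 in name_of) && name_of[$3] != $1)
                print "uid " $3 " has names " name_of[$3] " and " $1
            if (!($1 in uid_of))  uid_of[$1]  = $3
            if (!($3 in name_of)) name_of[$3] = $1
        }'
}

# Constructed sample: a local "rkelly" (UID 500, made up) shadowing the
# directory account that owns the credential cache in the listing above.
SAMPLE_PASSWD='root:x:0:0:root:/root:/bin/bash
rkelly:x:500:500::/home/rkelly:/bin/bash
rkelly:x:1599100000:1599100000::/home/rkelly:/bin/bash
apache:x:48:48::/var/www:/sbin/nologin'

# On a live host, look up both directions rather than enumerating, since
# directory users are often not listed by a plain "getent passwd":
#   f=/tmp/krb5cc_1599100000_CUkupo
#   owner_matches "$f"
#   { getent passwd "$(id -un)"; getent passwd "$(stat -c %u "$f")"; } | duplicate_ids
```

No output from `duplicate_ids` means the name and the UID resolve to the same account; any line it prints identifies the conflicting entries.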
