On Wed, 10 Jan 2018, lejeczek via FreeIPA-users wrote:

On 10/01/18 13:53, Alexander Bokovoy wrote:
On Wed, 10 Jan 2018, lejeczek via FreeIPA-users wrote:

On 10/01/18 12:42, Alexander Bokovoy via FreeIPA-users wrote:
On Wed, 10 Jan 2018, lejeczek via FreeIPA-users wrote:
hi

would you know if the below is normal from ipa * commands, before kinit is done?:

ipa: ERROR: Major (851968): Unspecified GSS failure.  Minor code may provide more information, Minor (2529638943): Decrypt integrity check failed

I remember before, tools would silently execute if a ticket was not there, but do not recall errors like above.

This is basically a Kerberos way to say 'your password is not the same as KDC thinks it is'. Did somebody run ipa-getkeytab on the entry?


Could it be due to failure of auth-rpcgss-module.service to start?
In LXC without a small tweak auth-rpcgss-module.service fails.

I don't think so. Can you give more logs and context to understand where
this comes from?

Nope, like you thought, I also see it on a newly installed 4.5.0 on bare metal. I'm on CentOS 7.4. Gee... not much context, like I say, new IPA and when I execute ipa commands I see that error.

$ ipa topologysegment-find
ipa: ERROR: Major (851968): Unspecified GSS failure.  Minor code may provide more information, Minor (2529638943): Decrypt integrity check failed

And on that new installation, the lifetime of a ticket feels weirdly short. I do kinit, and 2 minutes later (I do nothing, no other human is on the system) I get the same error again. This is all locally via ssh on the server.
Feel free to tell me what info, logs to get you.

So, let's start with me understanding your workflow:
1. You ssh into a host
2. You run 'ipa ...' commands

Right?

Could you show 'klist' after ssh into the host?
If there is no ticket, you need to obtain one, so kinit is due before
you'd run any 'ipa' command.

Can you provide output of:

 klist
 ipa user-show $user
 klist

--
/ Alexander Bokovoy
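
Added example, not part of the original thread or of FreeIPA: a small decoder for the GSS-API status pair in the error line quoted above, showing how the unsigned minor value maps back to a Kerberos protocol error code. The function name, the sample constant and the short lookup tables are assumptions made for illustration; the table base is the MIT krb5 error-table base.

```python
import re

# Constructed sample: the error line as quoted in the thread.
SAMPLE = ("ipa: ERROR: Major (851968): Unspecified GSS failure.  Minor code may "
          "provide more information, Minor (2529638943): Decrypt integrity check failed")

KRB5_TABLE_BASE = -1765328384  # ERROR_TABLE_BASE_krb5 in MIT krb5

# Partial lookup tables (only a few entries, chosen for this example).
GSS_ROUTINE = {7: "GSS_S_NO_CRED", 11: "GSS_S_CREDENTIALS_EXPIRED", 13: "GSS_S_FAILURE"}
KRB5_PROTO = {
    24: "KDC_ERR_PREAUTH_FAILED",
    31: "KRB_AP_ERR_BAD_INTEGRITY",
    32: "KRB_AP_ERR_TKT_EXPIRED",
    37: "KRB_AP_ERR_SKEW",
}

LINE_RE = re.compile(r"Major \((\d+)\).*?Minor \((\d+)\)")

def decode_gss_error(line):
    """Split a GSS major status into its fields and map a krb5 minor status."""
    m = LINE_RE.search(line)
    if m is None:
        raise ValueError("no GSS major/minor status in line")
    major, minor = int(m.group(1)), int(m.group(2))
    # RFC 2744 layout: calling error in bits 24-31, routine error in 16-23,
    # supplementary info in 0-15.
    routine = (major >> 16) & 0xFF
    # The minor status is printed as unsigned 32-bit; krb5 codes are negative.
    signed_minor = minor - (1 << 32) if minor >= (1 << 31) else minor
    offset = signed_minor - KRB5_TABLE_BASE
    in_proto_range = 0 <= offset < 128  # offsets 0..127 mirror RFC 4120 codes
    return {
        "calling_error": (major >> 24) & 0xFF,
        "routine_error": GSS_ROUTINE.get(routine, f"routine {routine}"),
        "supplementary": major & 0xFFFF,
        "minor_signed": signed_minor,
        "krb5_code": offset if in_proto_range else None,
        "krb5_name": KRB5_PROTO.get(offset, "not in this table") if in_proto_range else None,
    }

if __name__ == "__main__":
    for key, value in decode_gss_error(SAMPLE).items():
        print(f"{key}: {value}")
```
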