I am still trying to debug why the webUI on my new replica is not authenticating me.
One difference I have noticed between my two replicas, one working and one not is:

working replica:

# KRB5RCACHEDIR=/var/lib/gssproxy/rcache klist
Ticket cache: KCM:0
Default principal: [email protected]

Valid starting       Expires              Service principal
2022-02-04 08:58:59  2022-02-05 08:58:56  krbtgt/[email protected]
2022-02-04 08:59:03  2022-02-05 08:58:56  HTTP/[email protected]

Non-working replica:

# KRB5RCACHEDIR=/var/lib/gssproxy/rcache klist
Ticket cache: KEYRING:persistent:0:krb_ccache_AunlIbq
Default principal: host/[email protected]

Valid starting       Expires              Service principal
1969-12-31 19:00:00  1969-12-31 19:00:00  Encrypted/Credentials/v1@X-GSSPROXY:

What could cause the latter to not be getting any tickets like the former is?

FWIW, the difference in ticket cache type appears to be due to:

# cat /etc/krb5.conf.d/kcm_default_ccache
# This file should normally be installed by your distribution into a
# directory that is included from the Kerberos configuration file (/etc/krb5.conf)
# On Fedora/RHEL/CentOS, this is /etc/krb5.conf.d/
#
# To enable the KCM credential cache enable the KCM socket and the service:
#   systemctl enable sssd-secrets.socket sssd-kcm.socket
#   systemctl start sssd-kcm.socket
#
# To disable the KCM credential cache, comment out the following lines.

[libdefaults]
    default_ccache_name = KCM:

which is due to sssd-kcm-2.4.0-9.el8_4.2.x86_64 being installed on the working replica and not on the non-working replica. Maybe this is a big red herring though?
Ultimately gssproxy is reporting the following when I try to log on to the webUI:

[2022/02/05 16:08:51]: Debug Enabled (level: 3)
[2022/02/05 16:08:51]: Service: ipa-httpd, Keytab: /var/lib/ipa/gssproxy/http.keytab, Enctype: 18
[2022/02/05 16:08:51]: Service: ipa-api, Keytab: /var/lib/ipa/gssproxy/http.keytab, Enctype: 18
[2022/02/05 16:08:51]: Service: ipa-sweeper, Keytab: /var/lib/ipa/gssproxy/http.keytab, Enctype: 18
[2022/02/05 16:08:51]: Service: nfs-server, Keytab: /etc/krb5.keytab, Enctype: 18
[2022/02/05 16:08:51]: Service: nfs-client, Keytab: /etc/krb5.keytab, Enctype: 18
[2022/02/05 16:08:51]: Client [2022/02/05 16:08:51]: (/usr/sbin/gssproxy) [2022/02/05 16:08:51]: connected (fd = 14)[2022/02/05 16:08:51]: (pid = 8306) (uid = 0) (gid = 0)[2022/02/05 16:08:51]: (context = system_u:system_r:kernel_t:s0)[2022/02/05 16:08:51]:
[2022/02/05 16:08:59]: Client [2022/02/05 16:08:59]: (/usr/sbin/httpd) [2022/02/05 16:08:59]: connected (fd = 15)[2022/02/05 16:08:59]: (pid = 4266) (uid = 977) (gid = 973)[2022/02/05 16:08:59]: (context = system_u:system_r:httpd_t:s0)[2022/02/05 16:08:59]:
[CID 15][2022/02/05 16:08:59]: [status] Handling query input: 0x55f111269810 (176)
[CID 15][2022/02/05 16:08:59]: Connection matched service ipa-api
[CID 15][2022/02/05 16:08:59]: [status] Processing request [0x55f111269810 (176)]
[CID 15][2022/02/05 16:08:59]: [status] Executing request 6 (GSSX_ACQUIRE_CRED) from [0x55f111269810 (176)]
[CID 15][2022/02/05 16:08:59]: gp_rpc_execute: executing 6 (GSSX_ACQUIRE_CRED) for service "ipa-api", euid: 977,socket: (null)
    GSSX_ARG_ACQUIRE_CRED( call_ctx: { "" [ ] } input_cred_handle: <Null> add_cred: 0 desired_name: { "[email protected]" { 1 2 840 113554 1 2 2 1 } [ ] [ ] [ ] } time_req: 4294967295 desired_mechs: { { 1 2 840 113554 1 2 2 } } cred_usage: INITIATE initiator_time_req: 0 acceptor_time_req: 0 )
    GSSX_RES_ACQUIRE_CRED( status: { 851968 { 1 2 840 113554 1 2 2 } 2529639107 "Unspecified GSS failure. Minor code may provide more information" "No credentials cache found" [ ] } output_cred_handle: <Null> )
[CID 15][2022/02/05 16:08:59]: [status] Returned buffer 6 (GSSX_ACQUIRE_CRED) from [0x55f111269810 (176)]: [0x7fdf7c08a880 (176)]
[CID 15][2022/02/05 16:08:59]: [status] Handling query output: 0x7fdf7c08a880 (176)
[2022/02/05 16:08:59]: [status] Handling query reply: 0x7fdf7c08a880 (176)
[2022/02/05 16:08:59]: [status] Sending data: 0x7fdf7c08a880 (176)
[2022/02/05 16:08:59]: [status] Sending data [0x7fdf7c08a880 (176)]: successful write of 176
[CID 15][2022/02/05 16:08:59]: [status] Handling query input: 0x7fdf7c08a880 (176)
[CID 15][2022/02/05 16:08:59]: Connection matched service ipa-api
[CID 15][2022/02/05 16:08:59]: [status] Processing request [0x7fdf7c08a880 (176)]
[CID 15][2022/02/05 16:08:59]: [status] Executing request 6 (GSSX_ACQUIRE_CRED) from [0x7fdf7c08a880 (176)]
[CID 15][2022/02/05 16:08:59]: gp_rpc_execute: executing 6 (GSSX_ACQUIRE_CRED) for service "ipa-api", euid: 977,socket: (null)
    GSSX_ARG_ACQUIRE_CRED( call_ctx: { "" [ ] } input_cred_handle: <Null> add_cred: 0 desired_name: { "[email protected]" { 1 2 840 113554 1 2 2 1 } [ ] [ ] [ ] } time_req: 4294967295 desired_mechs: { { 1 2 840 113554 1 2 2 } } cred_usage: INITIATE initiator_time_req: 0 acceptor_time_req: 0 )
    GSSX_RES_ACQUIRE_CRED( status: { 851968 { 1 2 840 113554 1 2 2 } 2529639107 "Unspecified GSS failure. Minor code may provide more information" "No credentials cache found" [ ] } output_cred_handle: <Null> )
[CID 15][2022/02/05 16:08:59]: [status] Returned buffer 6 (GSSX_ACQUIRE_CRED) from [0x7fdf7c08a880 (176)]: [0x7fdf7c066260 (176)]
[CID 15][2022/02/05 16:08:59]: [status] Handling query output: 0x7fdf7c066260 (176)
[2022/02/05 16:08:59]: [status] Handling query reply: 0x7fdf7c066260 (176)
[2022/02/05 16:08:59]: [status] Sending data: 0x7fdf7c066260 (176)
[2022/02/05 16:08:59]: [status] Sending data [0x7fdf7c066260 (176)]: successful write of 176
[2022/02/05 16:08:59]: Client [2022/02/05 16:08:59]: (/usr/sbin/httpd) [2022/02/05 16:08:59]: connected (fd = 16)[2022/02/05 16:08:59]: (pid = 4268) (uid = 977) (gid = 973)[2022/02/05 16:08:59]: (context = system_u:system_r:httpd_t:s0)[2022/02/05 16:08:59]:
[CID 16][2022/02/05 16:08:59]: [status] Handling query input: 0x7fdf7c066260 (176)
[CID 16][2022/02/05 16:08:59]: Connection matched service ipa-api
[CID 16][2022/02/05 16:08:59]: [status] Processing request [0x7fdf7c066260 (176)]
[CID 16][2022/02/05 16:08:59]: [status] Executing request 6 (GSSX_ACQUIRE_CRED) from [0x7fdf7c066260 (176)]
[CID 16][2022/02/05 16:08:59]: gp_rpc_execute: executing 6 (GSSX_ACQUIRE_CRED) for service "ipa-api", euid: 977,socket: (null)
    GSSX_ARG_ACQUIRE_CRED( call_ctx: { "" [ ] } input_cred_handle: <Null> add_cred: 0 desired_name: { "[email protected]" { 1 2 840 113554 1 2 2 1 } [ ] [ ] [ ] } time_req: 4294967295 desired_mechs: { { 1 2 840 113554 1 2 2 } } cred_usage: INITIATE initiator_time_req: 0 acceptor_time_req: 0 )
    GSSX_RES_ACQUIRE_CRED( status: { 851968 { 1 2 840 113554 1 2 2 } 2529639107 "Unspecified GSS failure. Minor code may provide more information" "No credentials cache found" [ ] } output_cred_handle: <Null> )
[CID 16][2022/02/05 16:08:59]: [status] Returned buffer 6 (GSSX_ACQUIRE_CRED) from [0x7fdf7c066260 (176)]: [0x7fdf7c05c9e0 (176)]
[CID 16][2022/02/05 16:08:59]: [status] Handling query output: 0x7fdf7c05c9e0 (176)
[2022/02/05 16:08:59]: [status] Handling query reply: 0x7fdf7c05c9e0 (176)
[2022/02/05 16:08:59]: [status] Sending data: 0x7fdf7c05c9e0 (176)
[2022/02/05 16:08:59]: [status] Sending data [0x7fdf7c05c9e0 (176)]: successful write of 176
[CID 16][2022/02/05 16:08:59]: [status] Handling query input: 0x7fdf7c05c9e0 (176)
[CID 16][2022/02/05 16:08:59]: Connection matched service ipa-api
[CID 16][2022/02/05 16:08:59]: [status] Processing request [0x7fdf7c05c9e0 (176)]
[CID 16][2022/02/05 16:08:59]: [status] Executing request 6 (GSSX_ACQUIRE_CRED) from [0x7fdf7c05c9e0 (176)]
[CID 16][2022/02/05 16:08:59]: gp_rpc_execute: executing 6 (GSSX_ACQUIRE_CRED) for service "ipa-api", euid: 977,socket: (null)
    GSSX_ARG_ACQUIRE_CRED( call_ctx: { "" [ ] } input_cred_handle: <Null> add_cred: 0 desired_name: { "[email protected]" { 1 2 840 113554 1 2 2 1 } [ ] [ ] [ ] } time_req: 4294967295 desired_mechs: { { 1 2 840 113554 1 2 2 } } cred_usage: INITIATE initiator_time_req: 0 acceptor_time_req: 0 )
    GSSX_RES_ACQUIRE_CRED( status: { 851968 { 1 2 840 113554 1 2 2 } 2529639107 "Unspecified GSS failure. Minor code may provide more information" "No credentials cache found" [ ] } output_cred_handle: <Null> )
[CID 16][2022/02/05 16:08:59]: [status] Returned buffer 6 (GSSX_ACQUIRE_CRED) from [0x7fdf7c05c9e0 (176)]: [0x7fdf7c03f690 (176)]
[CID 16][2022/02/05 16:08:59]: [status] Handling query output: 0x7fdf7c03f690 (176)
[2022/02/05 16:08:59]: [status] Handling query reply: 0x7fdf7c03f690 (176)
[2022/02/05 16:08:59]: [status] Sending data: 0x7fdf7c03f690 (176)
[2022/02/05 16:08:59]: [status] Sending data [0x7fdf7c03f690 (176)]: successful write of 176

Cheers,
b.
_______________________________________________
FreeIPA-users mailing list -- [email protected]
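
Added example, not part of the original post or of gssproxy itself: a small parser that collapses gssproxy debug output like the log above into one line per distinct failure, decoding the GSS routine error from the major status and the signed krb5 code from the minor status. The names failed_requests and SAMPLE_LOG are hypothetical, and the sample log is constructed in the quoted format.

```python
import re
from collections import Counter

# One pattern, two alternatives: the gp_rpc_execute line naming service and
# euid, and the GSSX_RES_* status block that follows it. Scanning the whole
# text rather than line by line also copes with logs whose newlines were lost.
EVENT_RE = re.compile(
    r'executing \d+ \((?P<req>\w+)\) for service "(?P<svc>[^"]+)", euid: (?P<euid>\d+)'
    r'|GSSX_RES_\w+\(\s*status:\s*\{\s*(?P<major>\d+)\s*(?:\{[^}]*\}|<\w+>)\s*'
    r'(?P<minor>\d+)\s*"[^"]*"\s*"(?P<minor_msg>[^"]*)"'
)

# Constructed sample in the format of the debug output quoted in the post.
SAMPLE_LOG = '''\
[CID 15][2022/02/05 16:08:59]: Connection matched service ipa-api
[CID 15][2022/02/05 16:08:59]: gp_rpc_execute: executing 6 (GSSX_ACQUIRE_CRED) for service "ipa-api", euid: 977,socket: (null)
    GSSX_RES_ACQUIRE_CRED( status: { 851968 { 1 2 840 113554 1 2 2 } 2529639107 "Unspecified GSS failure. Minor code may provide more information" "No credentials cache found" [ ] } output_cred_handle: <Null> )
[CID 16][2022/02/05 16:08:59]: gp_rpc_execute: executing 6 (GSSX_ACQUIRE_CRED) for service "ipa-api", euid: 977,socket: (null)
    GSSX_RES_ACQUIRE_CRED( status: { 851968 { 1 2 840 113554 1 2 2 } 2529639107 "Unspecified GSS failure. Minor code may provide more information" "No credentials cache found" [ ] } output_cred_handle: <Null> )
'''


def failed_requests(log_text):
    """Count failures keyed by (service, euid, request, routine error,
    signed minor code, minor message)."""
    failures, current = Counter(), None
    for m in EVENT_RE.finditer(log_text):
        if m.group("req"):
            # Remember which service/euid the next status block belongs to.
            current = (m.group("svc"), int(m.group("euid")), m.group("req"))
        elif current:
            major, minor = int(m.group("major")), int(m.group("minor"))
            if major:  # 0 is GSS_S_COMPLETE
                # Routine error lives in bits 16-23; 13 is GSS_S_FAILURE.
                routine = (major >> 16) & 0xFF
                # The minor status is logged unsigned; krb5 codes are negative
                # 32-bit values (-1765328189 is KRB5_FCC_NOFILE).
                krb5_code = minor - (1 << 32) if minor >= (1 << 31) else minor
                failures[current + (routine, krb5_code, m.group("minor_msg"))] += 1
            current = None
    return failures


if __name__ == "__main__":
    for key, count in failed_requests(SAMPLE_LOG).items():
        print(count, key)
```
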
