On Thu, 10 Apr 2014, rashard.ke...@sita.aero wrote:
Hello all

When I try to execute any commands from an ipa-replica I get

[rkelly@replicahostname ~]$ ipa user-find
ipa: ERROR: did not receive Kerberos credentials
[rkelly@replicahostname ~]$ kinit
Password for rke...@ipa2.dc.sita.aero:
[rkelly@replicahostname ~]$ ipa user-find
ipa: ERROR: did not receive Kerberos credentials
[rkelly@replicahostname ~]$ klist
klist: Credentials cache permissions incorrect while setting cache flags
(ticket cache FILE:/tmp/krb5cc_1599100000_qojy7v)

I thought perhaps the two are out of sync
[root@replicahostname ~]# ipa-replica-manage re-initialize --from
Invalid password

ipa-replica-conncheck says communication is ok.

I looked at the httpd, secure, and krb logs and none show any activity when
I execute the commands above. I'm lost. Any clues as to where I can look for

Let's put IPA commands aside and first find out what's wrong with your
Kerberos infra. Looking at your ticket cache file name
(FILE:/tmp/krb5cc_1599100000_qojy7v) I assume you have come to this
machine via SSH and the ticket cache is created by the sshd or sssd.

The message you received out of klist is shown if the ccache file is either:
 - inaccessible for the user
 - is a directory rather than a file
 - is a broken symlink
 - blocked by some app with exclusive locks
 - cannot be opened for writing

Please provide output of
$ cat /proc/mounts | grep /tmp
$ echo $KRB5CCNAME
$ ls -lZ /tmp/krb5cc_1599100000_qojy7v
$ KRB5_TRACE=/dev/stderr kinit
$ KRB5_TRACE=/dev/stderr klist

You can temporarily overcome this issue by selecting a different ticket
cache by setting the KRB5CCNAME environment variable:

$ export KRB5CCNAME=$HOME/.krb5cc
$ kinit
$ ipa user-find

However, it would be good to solve the issue to avoid repeating these problems.

/ Alexander Bokovoy
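
The file-level causes listed in the reply above can be checked in one pass. This is an added example, not part of the original message or of FreeIPA/MIT Kerberos; the function name ccache_check and its one-word result strings are hypothetical, and it assumes GNU coreutils stat.

```bash
#!/bin/sh
# Added example: classify a Kerberos credential cache against the causes
# listed in the reply (inaccessible, directory, broken symlink, not writable).
# Exclusive locks held by another process are NOT checked here.
# Usage: source this file, then run:  ccache_check "$KRB5CCNAME"
# Prints one word and returns 0 only for "ok" or "non-file-type".
ccache_check() {
    cc=${1:-${KRB5CCNAME:-}}
    if [ -z "$cc" ]; then echo unset; return 2; fi

    case $cc in
        FILE:*) path=${cc#FILE:} ;;
        # Other cache types are not plain files; nothing to inspect on disk.
        DIR:*|KEYRING:*|KCM:*|MEMORY:*|API:*) echo non-file-type; return 0 ;;
        *) path=$cc ;;   # a name without a type prefix is a FILE cache
    esac

    # -L is true for any symlink; -e follows it, so this pair means "dangling".
    if [ -L "$path" ] && [ ! -e "$path" ]; then
        echo broken-symlink; return 1
    fi
    if [ ! -e "$path" ]; then echo missing; return 1; fi
    if [ -d "$path" ]; then echo directory; return 1; fi

    # A cache left behind by another uid (or by root) is a common way to end
    # up with a file the logged-in user cannot open.
    owner=$(stat -L -c %u "$path" 2>/dev/null)
    if [ "$owner" != "$(id -u)" ]; then echo wrong-owner; return 1; fi

    if [ ! -r "$path" ]; then echo unreadable; return 1; fi
    # Also fails when the filesystem holding the cache is mounted read-only.
    if [ ! -w "$path" ]; then echo unwritable; return 1; fi

    echo ok
}
```

A result of "ok" leaves the lock case and SELinux labelling as the remaining candidates, which is what the requested ls -lZ and KRB5_TRACE output would show.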

Freeipa-users mailing list
