On Thu, 10 Apr 2014, rashard.ke...@sita.aero wrote:
Hello all
When I try to execute and commands from the an ipa-replica I get
[rkelly@replicahostname ~]$ ipa user-find
ipa: ERROR: did not receive Kerberos credentials
[rkelly@replicahostname ~]$ kinit
Password for rke...@ipa2.dc.sita.aero:
[rkelly@replicahostname ~]$ ipa user-find
ipa: ERROR: did not receive Kerberos credentials
[rkelly@replicahostname ~]$ klist
klist: Credentials cache permissions incorrect while setting cache flags
(ticket cache FILE:/tmp/krb5cc_1599100000_qojy7v)
I thought perhaps the two are out of sync
[root@replicahostname ~]# ipa-replica-manage re-initialize --from
liipaxs010p.ipa2.dc.sita.aero
Invalid password
ipa-replica-conncheck says communication is ok.
I looked at the httpd, secure,and krb log and none show any activity when
I execute the commands above. Im lost any clues as to where I can look for
answers?
Let's put IPA commands aside and first find out what's wrong with your
Kerberos infra. Looking at your ticket cache file name
(FILE:/tmp/krb5cc_1599100000_qojy7v) I assume you have come to this
machine via SSH and the ticket cache is created by the sshd or sssd.
The message you received out of klist is shown if ccache file is either:
- unaccessible for the user
- is a directory rather than a file
- is a broken symlink
- blocked by some app with explusive locks
- cannot be open for a write
Please provide output of
$ cat /proc/mounts | grep /tmp
$ echo $KRB5CCNAME
$ ls -lZ /tmp/krb5cc_1599100000_qojy7v
$ KRB5_TRACE=/dev/stderr kinit
$ KRB5_TRACE=/dev/stderr klist
You can temporarily overcome this issue by selecting a different ticket
cache by setting KRB5CCNAME environmental variable:
$ export KRB5CCNAME=$HOME/.krb5cc
$ kinit
$ ipa user-find
...
However, it would be good to solve the issue to avoid repeating these problems
--
/ Alexander Bokovoy
_______________________________________________
Freeipa-users mailing list
Freeipa-users@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-users
