On Fri, Apr 11, 2014 at 11:22:55AM -0400, rashard.ke...@sita.aero wrote:
> I changed the permissions to world readable to test, afterward I changed 
> it back to be readable only by the owner. The problem then reappeared.
> 
> [rkelly@replicahostname ~]$ ls -lZa| grep krb
> -r--------  root    root    ?                                krb5cc_0
> -r--------  xs05144 xs05144 ? krb5cc_1599000020_u5RRhd
> -r--------  rkelly  rkelly  ? krb5cc_1599100000_CUkupo
> -r--------  rkelly  rkelly  ? krb5cc_1599100000_ZekyY0
> -r--------  apache  apache  ?                                krb5cc_48
> [rkelly@replicahostname ~]$ od /tmp/krb5cc_1599100000_CUkupo
> od: /tmp/krb5cc_1599100000_CUkupo: Permission denied

hm, either your filesystem is broken or there is an issue with duplicate
UIDs. Can you check if the filesystem UID matches yours:

stat krb5cc_1599100000_CUkupo

should show the numerical UID for the file and

id

will show yours.

HTH

bye,
Sumit

> 
> Thank You,
> Rashard Kelly
> SITA  Senior Linux Specialist
> 
> 
> 
> 
> From:   Sumit Bose <sb...@redhat.com>
> To:     rashard.ke...@sita.aero
> Cc:     Alexander Bokovoy <aboko...@redhat.com>, freeipa-users@redhat.com
> Date:   04/11/2014 09:54 AM
> Subject:        Re: [Freeipa-users] ipa: ERROR: did not receive Kerberos 
> credentials
> 
> 
> 
> On Fri, Apr 11, 2014 at 09:42:41AM -0400, rashard.ke...@sita.aero wrote:
> > [root@replicahostname ~]# sestatus
> > SELinux status:                 disabled
> > [root@replicahostname ~]# audit2why -b -w -t avc
> > [root@replicahostname ~]#
> > 
> > 
> > Nothing in the audit log after audit2why came back either.
> 
> That's odd. Can you read the file with od?
> 
> od /tmp/krb5cc_1599100000_CUkupo
> 
> don't send the output, just check if it is readable or if od returns an
> error as well?
> 
> Are there any odd filesystem permissions on your klist binary like s-bit
> set?
> 
> ls -alZ $(which klist)
> 
> (here you can send the output :-)
> 
> bye,
> Sumit
> > 
> > 
> > Thank You,
> > Rashard Kelly
> > 
> > 
> > 
> > From:   Alexander Bokovoy <aboko...@redhat.com>
> > To:     rashard.ke...@sita.aero
> > Cc:     Sumit Bose <sb...@redhat.com>, freeipa-users@redhat.com
> > Date:   04/11/2014 09:06 AM
> > Subject:        Re: [Freeipa-users] ipa: ERROR: did not receive Kerberos credentials
> > 
> > 
> > 
> > On Fri, 11 Apr 2014, rashard.ke...@sita.aero wrote:
> > >futex(0x7f0e2e1462c0, FUTEX_WAKE_PRIVATE, 2147483647) = 0
> > >open("/tmp/krb5cc_1599100000_CUkupo", O_RDONLY) = -1 EACCES (Permission
> > >denied)
> > 
> > Are you sure you don't have SELinux really running and enabled?
> > 
> > Because the following output makes me really worry:
> > >> [root@replicahostname /tmp]# ll -Za
> > >> drwxrwxrwt. root    root    system_u:object_r:tmp_t:s0       .
> > >> dr-xr-xr-x. root    root    system_u:object_r:root_t:s0      ..
> > >> -rw-------  rkelly  rkelly  ? .bash_history
> > >> drwxrwxrwt  root    root    ? .ICE-unix
> > >> drwxrwxr-x  rkelly  rkelly  ?                                .ipa
> > >> -r--------  root    root    ?                                krb5cc_0
> > >> -r--------  xs05144 xs05144 ? krb5cc_1599000020_u5RRhd
> > >> -r--------  rkelly  rkelly  ? krb5cc_1599100000_CUkupo
> > >> -r--------  rkelly  rkelly  ? krb5cc_1599100000_ZekyY0
> > These rkelly:rkelly krb5cc_* files have no SELinux label and should be
> > readable to the owner.
> > 
> > Can you show:
> > 
> > [root] # sestatus
> > [root] # audit2why -b -w -t avc
> > 
> > 
> > -- 
> > / Alexander Bokovoy
> > 
> > 
> > This document is strictly confidential and intended only for use by the
> > addressee unless otherwise stated.  If you are not the intended recipient,
> > please notify the sender immediately and delete it from your system.
> > See you at 2014 Air Transport IT Summit, 17-19 June 2014
> > 
> > Click here to register  http://www.sitasummit.aero
> > 
> > 
> 
> 
> 

_______________________________________________
Freeipa-users mailing list
Freeipa-users@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-users
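The UID comparison suggested in the reply above (`stat` on the cache file versus `id`), written out as an added shell example that is not part of the original thread. It assumes the `krb5cc_<uid>` / `krb5cc_<uid>_<random>` file naming seen in the listings; the function names and verdict strings are made up for this sketch.

```shell
#!/bin/bash
# Added example, not from the thread. Verdict strings are hypothetical labels.

# Numeric owner UID of a file (the number stat reports as "Uid:").
file_uid() { ls -ldn -- "$1" | awk '{print $3}'; }

# Owner as a name, the way "ls -l" displayed it in the thread.
file_owner_name() { ls -ld -- "$1" | awk '{print $3}'; }

# UID encoded in a ccache name: krb5cc_<uid> or krb5cc_<uid>_<random>.
ccache_name_uid() {
    cc_base=${1##*/}
    cc_rest=${cc_base#krb5cc_}
    [ "$cc_rest" != "$cc_base" ] || return 1
    cc_uid=${cc_rest%%_*}
    case $cc_uid in ''|*[!0-9]*) return 1 ;; esac
    printf '%s\n' "$cc_uid"
}

# classify FILE OWNER_UID MY_UID OWNER_NAME MY_NAME -> prints one verdict
classify() {
    cl_name_uid=$(ccache_name_uid "$1") || { echo not-a-ccache; return 0; }
    if [ "$2" != "$3" ]; then
        # Names can match while the numbers differ (duplicate-UID case);
        # the kernel's permission check only compares the numbers.
        if [ "$4" = "$5" ]; then echo same-name-different-uid; else echo not-mine; fi
    elif [ "$2" != "$cl_name_uid" ]; then
        echo owner-differs-from-name
    else
        echo ok
    fi
}

# Print one line per ccache file in DIR (default /tmp) for the calling user.
check_ccaches() {
    ck_dir=${1:-/tmp}
    ck_me=$(id -u)
    ck_me_name=$(id -un 2>/dev/null || id -u)
    for ck_f in "$ck_dir"/krb5cc_*; do
        [ -e "$ck_f" ] || continue
        ck_owner=$(file_uid "$ck_f")
        printf '%s owner_uid=%s my_uid=%s %s\n' "$ck_f" "$ck_owner" "$ck_me" \
            "$(classify "$ck_f" "$ck_owner" "$ck_me" "$(file_owner_name "$ck_f")" "$ck_me_name")"
    done
}

# Run against a directory only when one is given on the command line.
if [ "$#" -gt 0 ]; then check_ccaches "$1"; fi
```

A `same-name-different-uid` line means `ls -l` shows your user name on the file while the numeric owner is not your UID, which produces `Permission denied` on a mode 0400 cache even though the listing looks correct.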
