Re. There is no time difference between client and server.
I checked the httpd error log and saw no errors. Same with the dirsrv error logs. Any other idea ? By looking at the log, I'm wondering if this is a question of session ? See there : ### ipa: DEBUG: args=keyctl pipe 44063864 ipa: DEBUG: stdout=ipa_session=26a7252e4853374fc7439eae5926c584; Domain=<ipa-host>; Path=/ipa; Expires=Tue, 25 Oct 2016 08:15:09 GMT; Secure; HttpOnly ipa: DEBUG: stderr= ipa: DEBUG: found session_cookie in persistent storage for principal '<myuser>@<myrealm>', cookie: 'ipa_session=26a7252e4853374fc7439eae5926c584; Domain=<ipa-host>; Path=/ipa; Expires=Tue, 25 Oct 2016 08:15:09 GMT; Secure; HttpOnly' ipa: DEBUG: setting session_cookie into context 'ipa_session= 26a7252e4853374fc7439eae5926c584;' ### At that time, it was not yet expired but there was only a few minuts before expiration (something like 10 minuts). What is this persistent storage which is mentioned in the logs ? Best regards. Bahan On Tue, Oct 25, 2016 at 12:18 PM, Martin Babinsky <mbabi...@redhat.com> wrote: > On 10/25/2016 10:27 AM, bahan w wrote: > >> Hello everyone ! >> >> I have an ipa server and an ipa client both in 3.0.0-47. >> >> In order to connect via SSH to the host of the ipa-client, I use root. >> When I'm connected to the ipa-client via ssh being root, I do a kinit of >> a user with a keytab : >> ### >> kinit -kt /etc/security/keytabs/<myuser>.headless.keytab <myuser> >> ### >> >> And sometimes, once I have the TGT, when I do just an ipa user-show, I >> got the following error : >> ### >> ipa: ERROR: Insufficient access: SASL(-1): generic failure: GSSAPI >> Error: Unspecified GSS failure. Minor code may provide more information >> (Ticket expired) >> ### >> >> When I check the ticket, it is not expired : >> ### >> # klist >> Ticket cache: FILE:/tmp/krb5cc_root_<myuser> >> Default principal: <myuser>@<myrealm> >> >> Valid starting Expires Service principal >> 10/25/16 10:00:44 10/26/16 10:00:44 krbtgt/<myrealm>@<myrealm> >> ### >> >> Do you know from where it can come and how I can solve this error please ? >> >> Here is more information with the debug option : >> ### >> ipa -d user-show <myuser2> >> ### >> >> Result : >> ### >> ipa: DEBUG: importing all plugin modules in >> '/usr/lib/python2.6/site-packages/ipalib/plugins'... >> ipa: DEBUG: importing plugin module >> '/usr/lib/python2.6/site-packages/ipalib/plugins/aci.py' >> ipa: DEBUG: importing plugin module >> '/usr/lib/python2.6/site-packages/ipalib/plugins/automember.py' >> ipa: DEBUG: importing plugin module >> '/usr/lib/python2.6/site-packages/ipalib/plugins/automount.py' >> ipa: DEBUG: importing plugin module >> '/usr/lib/python2.6/site-packages/ipalib/plugins/baseldap.py' >> ipa: DEBUG: importing plugin module >> '/usr/lib/python2.6/site-packages/ipalib/plugins/batch.py' >> ipa: DEBUG: importing plugin module >> '/usr/lib/python2.6/site-packages/ipalib/plugins/cert.py' >> ipa: DEBUG: importing plugin module >> '/usr/lib/python2.6/site-packages/ipalib/plugins/config.py' >> ipa: DEBUG: importing plugin module >> '/usr/lib/python2.6/site-packages/ipalib/plugins/delegation.py' >> ipa: DEBUG: importing plugin module >> '/usr/lib/python2.6/site-packages/ipalib/plugins/dns.py' >> ipa: DEBUG: importing plugin module >> '/usr/lib/python2.6/site-packages/ipalib/plugins/group.py' >> ipa: DEBUG: importing plugin module >> '/usr/lib/python2.6/site-packages/ipalib/plugins/hbacrule.py' >> ipa: DEBUG: importing plugin module >> '/usr/lib/python2.6/site-packages/ipalib/plugins/hbacsvc.py' >> ipa: DEBUG: importing plugin module >> '/usr/lib/python2.6/site-packages/ipalib/plugins/hbacsvcgroup.py' >> ipa: DEBUG: importing plugin module >> '/usr/lib/python2.6/site-packages/ipalib/plugins/hbactest.py' >> ipa: DEBUG: importing plugin module >> '/usr/lib/python2.6/site-packages/ipalib/plugins/host.py' >> ipa: DEBUG: importing plugin module >> '/usr/lib/python2.6/site-packages/ipalib/plugins/hostgroup.py' >> ipa: DEBUG: importing plugin module >> '/usr/lib/python2.6/site-packages/ipalib/plugins/idrange.py' >> ipa: DEBUG: importing plugin module >> '/usr/lib/python2.6/site-packages/ipalib/plugins/internal.py' >> ipa: DEBUG: importing plugin module >> '/usr/lib/python2.6/site-packages/ipalib/plugins/kerberos.py' >> ipa: DEBUG: importing plugin module >> '/usr/lib/python2.6/site-packages/ipalib/plugins/krbtpolicy.py' >> ipa: DEBUG: importing plugin module >> '/usr/lib/python2.6/site-packages/ipalib/plugins/migration.py' >> ipa: DEBUG: importing plugin module >> '/usr/lib/python2.6/site-packages/ipalib/plugins/misc.py' >> ipa: DEBUG: importing plugin module >> '/usr/lib/python2.6/site-packages/ipalib/plugins/netgroup.py' >> ipa: DEBUG: importing plugin module >> '/usr/lib/python2.6/site-packages/ipalib/plugins/passwd.py' >> ipa: DEBUG: importing plugin module >> '/usr/lib/python2.6/site-packages/ipalib/plugins/permission.py' >> ipa: DEBUG: importing plugin module >> '/usr/lib/python2.6/site-packages/ipalib/plugins/ping.py' >> ipa: DEBUG: importing plugin module >> '/usr/lib/python2.6/site-packages/ipalib/plugins/privilege.py' >> ipa: DEBUG: importing plugin module >> '/usr/lib/python2.6/site-packages/ipalib/plugins/pwpolicy.py' >> ipa: DEBUG: args=klist -V >> ipa: DEBUG: stdout=Kerberos 5 version 1.10.3 >> >> ipa: DEBUG: stderr= >> ipa: DEBUG: importing plugin module >> '/usr/lib/python2.6/site-packages/ipalib/plugins/role.py' >> ipa: DEBUG: importing plugin module >> '/usr/lib/python2.6/site-packages/ipalib/plugins/selfservice.py' >> ipa: DEBUG: importing plugin module >> '/usr/lib/python2.6/site-packages/ipalib/plugins/selinuxusermap.py' >> ipa: DEBUG: importing plugin module >> '/usr/lib/python2.6/site-packages/ipalib/plugins/service.py' >> ipa: DEBUG: importing plugin module >> '/usr/lib/python2.6/site-packages/ipalib/plugins/sudocmd.py' >> ipa: DEBUG: importing plugin module >> '/usr/lib/python2.6/site-packages/ipalib/plugins/sudocmdgroup.py' >> ipa: DEBUG: importing plugin module >> '/usr/lib/python2.6/site-packages/ipalib/plugins/sudorule.py' >> ipa: DEBUG: importing plugin module >> '/usr/lib/python2.6/site-packages/ipalib/plugins/trust.py' >> ipa: DEBUG: importing plugin module >> '/usr/lib/python2.6/site-packages/ipalib/plugins/user.py' >> ipa: DEBUG: importing plugin module >> '/usr/lib/python2.6/site-packages/ipalib/plugins/virtual.py' >> ipa: DEBUG: importing plugin module >> '/usr/lib/python2.6/site-packages/ipalib/plugins/xmlclient.py' >> ipa: DEBUG: args=keyctl search @s user ipa_session_cookie:<myuser>@<m >> yrealm> >> ipa: DEBUG: stdout=44063864 >> >> ipa: DEBUG: stderr= >> ipa: DEBUG: args=keyctl pipe 44063864 >> ipa: DEBUG: stdout=ipa_session=26a7252e4853374fc7439eae5926c584; >> Domain=<ipa-host>; Path=/ipa; Expires=Tue, 25 Oct 2016 08:15:09 GMT; >> Secure; HttpOnly >> ipa: DEBUG: stderr= >> ipa: DEBUG: found session_cookie in persistent storage for principal >> '<myuser>@<myrealm>', cookie: >> 'ipa_session=26a7252e4853374fc7439eae5926c584; Domain=<ipa-host>; >> Path=/ipa; Expires=Tue, 25 Oct 2016 08:15:09 GMT; Secure; HttpOnly' >> ipa: DEBUG: setting session_cookie into context >> 'ipa_session=26a7252e4853374fc7439eae5926c584;' >> ipa: INFO: trying https://<ipa-host>/ipa/session/xml >> ipa: DEBUG: Created connection context.xmlclient >> ipa: DEBUG: raw: user_show(u'<myuser2>', rights=False, all=False, >> raw=False, version=u'2.49', no_members=False) >> ipa: DEBUG: user_show(u'<myuser2>', rights=False, all=False, raw=False, >> version=u'2.49', no_members=False) >> ipa: INFO: Forwarding 'user_show' to server >> u'https://<ipa-host>/ipa/session/xml' >> ipa: DEBUG: NSSConnection init <ipa-host> >> ipa: DEBUG: Connecting: 10.79.28.51:0 <http://10.79.28.51:0> >> >> ipa: DEBUG: auth_certificate_callback: check_sig=True is_server=False >> Data: >> Version: 3 (0x2) >> Serial Number: 10 (0xa) >> Signature Algorithm: >> Algorithm: PKCS #1 SHA-256 With RSA Encryption >> Issuer: CN=Certificate Authority,O=<myrealm> >> Validity: >> Not Before: Mon Nov 23 13:01:37 2015 UTC >> Not After: Thu Nov 23 13:01:37 2017 UTC >> Subject: CN=<ipa-host>,O=<myrealm> >> Subject Public Key Info: >> Public Key Algorithm: >> Algorithm: PKCS #1 RSA Encryption >> RSA Public Key: >> Modulus: >> f4:df:8e:0c:39:ff:37:ba:64:90:b8:90:85:98:b9:b2: >> 8d:1f:81:3e:ce:de:84:87:51:f9:48:c1:27:8e:00:86: >> 90:d8:1c:1c:b2:d5:03:7e:29:a1:6d:f2:06:fd:26:8c: >> f5:b6:8e:80:aa:0d:47:ea:82:74:30:9b:78:34:6d:62: >> c5:ba:a6:05:3b:56:a7:b2:0a:88:35:9f:6b:cc:80:f8: >> c9:15:08:5e:6c:36:98:09:80:3f:75:e9:69:3d:c1:22: >> 22:ce:15:5f:f8:c4:a3:db:79:92:57:ae:6d:5f:82:15: >> fc:3c:c9:b6:10:58:36:71:03:91:19:cd:bb:5a:f3:9b: >> e0:4a:cf:a6:43:30:b2:71:99:56:28:3f:7f:60:b3:fc: >> e0:84:7b:cc:ef:63:b1:5d:0a:32:94:db:74:7b:a2:7c: >> 52:db:fb:12:fb:3e:14:fe:f1:9b:9c:e9:42:c2:7e:03: >> a5:1d:ab:c1:75:06:a0:b4:50:5b:27:1c:c6:5a:27:62: >> 73:74:70:22:16:03:15:dc:f3:6c:de:1d:02:d7:de:03: >> ca:1e:d1:9d:c1:25:59:84:e1:f6:b4:a0:8c:c6:b0:e0: >> 74:ce:2f:9f:50:e9:b5:d9:d5:f3:fa:7d:57:84:c3:59: >> 75:e9:6e:7d:0e:97:8b:a0:15:f2:4b:31:cc:ca:5c:45 >> Exponent: >> 65537 (0x10001) >> Signed Extensions: (5 total) >> Name: Certificate Authority Key Identifier >> Critical: False >> Key ID: >> 39:76:7e:02:f1:99:28:b5:e4:c4:a5:cb:c5:4a:7a:50: >> f7:7f:85:85 >> Serial Number: None >> General Names: [0 total] >> >> Name: Authority Information Access >> Critical: False >> Authority Information Access: [1 total] >> Info [1]: >> Method: PKIX Online Certificate Status Protocol >> Location: URI: http://<ipa-host>:80/ca/ocsp >> >> Name: Certificate Key Usage >> Critical: True >> Usages: >> Digital Signature >> Non-Repudiation >> Key Encipherment >> Data Encipherment >> >> Name: Extended Key Usage >> Critical: False >> Usages: >> TLS Web Server Authentication Certificate >> TLS Web Client Authentication Certificate >> >> Name: Certificate Subject Key ID >> Critical: False >> Data: >> 30:7d:c4:6f:01:e9:45:84:12:83:97:9c:34:42:c1:d1: >> ad:84:68:8b >> >> Signature: >> Signature Algorithm: >> Algorithm: PKCS #1 SHA-256 With RSA Encryption >> Signature: >> 99:8f:05:f4:14:64:5e:8a:b3:cc:6d:b8:b1:b1:17:1c: >> a1:28:37:da:5a:1e:17:6c:61:5d:d4:a9:52:15:0a:8c: >> bc:9d:14:35:f0:b7:1a:0c:53:fa:05:5d:fa:56:1f:ea: >> 23:be:b3:20:0a:30:dc:ae:e5:a6:4d:bf:35:4a:91:11: >> f6:fd:73:c5:55:e7:83:52:b0:f1:9b:83:c2:b3:48:ea: >> 5e:21:aa:a0:2d:fb:78:cb:35:d8:20:02:c2:1c:8d:a1: >> 8a:f5:72:81:c5:35:f5:36:3e:3e:5e:02:4b:4e:34:97: >> 0f:b6:80:e2:90:1e:f9:55:41:79:f9:78:e6:d7:43:14: >> 50:f7:39:e2:e8:7f:0a:89:95:08:94:7e:dd:ca:9d:ba: >> f8:9c:6f:24:48:5c:92:53:9d:cd:aa:91:91:6e:db:1e: >> df:54:3c:0b:ce:57:07:26:32:70:f9:ba:fd:ad:b2:7a: >> a6:1b:d1:a5:c9:30:1d:fa:f6:1d:8a:b0:71:ca:4d:9b: >> 41:2b:7c:43:80:54:a3:32:65:d8:48:fe:87:a2:15:a7: >> 14:f0:bb:f9:65:cd:7e:a9:03:a7:3c:f3:d1:73:f7:1b: >> a1:e7:51:66:39:ba:6c:a9:6d:1d:33:b0:3b:63:04:4c: >> 79:cc:16:ce:5f:9f:b1:c5:01:47:72:88:0c:e2:69:ef >> Fingerprint (MD5): >> 7c:3d:5b:37:da:62:e4:a1:da:57:e5:66:5a:f0:15:53 >> Fingerprint (SHA1): >> 2e:83:f0:14:cf:ca:c3:f5:6c:8e:fa:01:79:94:ec:90: >> 75:81:d5:0b >> ipa: DEBUG: approved_usage = SSL Server intended_usage = SSL Server >> ipa: DEBUG: cert valid True for "CN=<ipa-host>,O=<myrealm>" >> ipa: DEBUG: handshake complete, peer = <IP>:443 >> ipa: DEBUG: Protocol: TLS1.2 >> ipa: DEBUG: Cipher: TLS_RSA_WITH_AES_128_CBC_SHA >> ipa: DEBUG: Caught fault 2100 from server >> https://<ipa-host>/ipa/session/xml: Insufficient access: SASL(-1): >> generic failure: GSSAPI Error: Unspecified GSS failure. Minor code may >> provide more information (Ticket expired) >> ipa: DEBUG: Destroyed connection context.xmlclient >> ipa: ERROR: Insufficient access: SASL(-1): generic failure: GSSAPI >> Error: Unspecified GSS failure. Minor code may provide more information >> (Ticket expired) >> ### >> >> Any guidance about where it can come from or what to do ? >> >> From the ipa-server, in the krb5kdc.log, I found sometimes this kind of >> emssage : >> ### >> Oct 25 09:59:37 <IPA HOST> krb5kdc[30767](info): ... >> CONSTRAINED-DELEGATION s4u-client=<myuser>@<myrealm> >> Oct 25 09:59:37 <IPA HOST> krb5kdc[30767](info): ... >> CONSTRAINED-DELEGATION s4u-client=<myuser>@<myrealm> >> ### >> >> Best regards. >> >> Bahan >> >> >> > I would firstly check the time difference between client and IPA server. > If the time skew is too grea all sorts of errors can pop up regarding > Kerberos authentication. > > I would also check /var/log/http/error_log and > /var/log/dirsrv/slapd-<REALM>/errors for additional info. I suspect there > is something wrong with the keytab of HTTP principal on the IPA server. > > -- > Martin^3 Babinsky > > -- > Manage your subscription for the Freeipa-users mailing list: > https://www.redhat.com/mailman/listinfo/freeipa-users > Go to http://freeipa.org for more info on the project >
-- Manage your subscription for the Freeipa-users mailing list: https://www.redhat.com/mailman/listinfo/freeipa-users Go to http://freeipa.org for more info on the project