subject:"Re\: \[Freeipa\-users\] Insufficient access\: SASL\(\-1\)\: generic failure\: GSSAPI Error\: Unspecified GSS failure. Minor code may provide more information \(Ticket expired\)"

Re: [Freeipa-users] Insufficient access: SASL(-1): generic failure: GSSAPI Error: Unspecified GSS failure. Minor code may provide more information (Ticket expired)

2016-10-27 Thread bahan w

Help ?

Best regards.

Bahan

On Tue, Oct 25, 2016 at 1:00 PM, bahan w  wrote:

> Re.
>
> There is no time difference between client and server.
>
> I checked the httpd error log and saw no errors.
> Same with the dirsrv error logs.
>
> Any other idea ?
>
> By looking at the  log, I'm wondering if this is a question of session ?
>
> See there :
> ###
> ipa: DEBUG: args=keyctl pipe 44063864
> ipa: DEBUG: stdout=ipa_session=26a7252e4853374fc7439eae5926c584;
> Domain=; Path=/ipa; Expires=Tue, 25 Oct 2016 08:15:09 GMT;
> Secure; HttpOnly
> ipa: DEBUG: stderr=
> ipa: DEBUG: found session_cookie in persistent storage for principal
> '@', cookie: 'ipa_session=26a7252e4853374fc7439eae5926c584;
> Domain=; Path=/ipa; Expires=Tue, 25 Oct 2016 08:15:09 GMT;
> Secure; HttpOnly'
> ipa: DEBUG: setting session_cookie into context
> 'ipa_session=26a7252e4853374fc7439eae5926c584;'
> ###
>
> At that time, it was not yet expired but there was only a few minuts
> before expiration (something like 10 minuts).
> What is this persistent storage which is mentioned in the logs ?
>
> Best regards.
>
> Bahan
>
>
>
> On Tue, Oct 25, 2016 at 12:18 PM, Martin Babinsky 
> wrote:
>
>> On 10/25/2016 10:27 AM, bahan w wrote:
>>
>>> Hello everyone !
>>>
>>> I have an ipa server and an ipa client both in 3.0.0-47.
>>>
>>> In order to connect via SSH to the host of the ipa-client, I use root.
>>> When I'm connected to the ipa-client via ssh being root, I do a kinit of
>>> a user with a keytab :
>>> ###
>>> kinit -kt /etc/security/keytabs/.headless.keytab 
>>> ###
>>>
>>> And sometimes, once I have the TGT, when I do just an ipa user-show, I
>>> got the following error :
>>> ###
>>> ipa: ERROR: Insufficient access: SASL(-1): generic failure: GSSAPI
>>> Error: Unspecified GSS failure.  Minor code may provide more information
>>> (Ticket expired)
>>> ###
>>>
>>> When I check the ticket, it is not expired :
>>> ###
>>> # klist
>>> Ticket cache: FILE:/tmp/krb5cc_root_
>>> Default principal: @
>>>
>>> Valid starting ExpiresService principal
>>> 10/25/16 10:00:44  10/26/16 10:00:44  krbtgt/@
>>> ###
>>>
>>> Do you know from where it can come and how I can solve this error please
>>> ?
>>>
>>> Here is more information with the debug option :
>>> ###
>>> ipa -d user-show 
>>> ###
>>>
>>> Result :
>>> ###
>>> ipa: DEBUG: importing all plugin modules in
>>> '/usr/lib/python2.6/site-packages/ipalib/plugins'...
>>> ipa: DEBUG: importing plugin module
>>> '/usr/lib/python2.6/site-packages/ipalib/plugins/aci.py'
>>> ipa: DEBUG: importing plugin module
>>> '/usr/lib/python2.6/site-packages/ipalib/plugins/automember.py'
>>> ipa: DEBUG: importing plugin module
>>> '/usr/lib/python2.6/site-packages/ipalib/plugins/automount.py'
>>> ipa: DEBUG: importing plugin module
>>> '/usr/lib/python2.6/site-packages/ipalib/plugins/baseldap.py'
>>> ipa: DEBUG: importing plugin module
>>> '/usr/lib/python2.6/site-packages/ipalib/plugins/batch.py'
>>> ipa: DEBUG: importing plugin module
>>> '/usr/lib/python2.6/site-packages/ipalib/plugins/cert.py'
>>> ipa: DEBUG: importing plugin module
>>> '/usr/lib/python2.6/site-packages/ipalib/plugins/config.py'
>>> ipa: DEBUG: importing plugin module
>>> '/usr/lib/python2.6/site-packages/ipalib/plugins/delegation.py'
>>> ipa: DEBUG: importing plugin module
>>> '/usr/lib/python2.6/site-packages/ipalib/plugins/dns.py'
>>> ipa: DEBUG: importing plugin module
>>> '/usr/lib/python2.6/site-packages/ipalib/plugins/group.py'
>>> ipa: DEBUG: importing plugin module
>>> '/usr/lib/python2.6/site-packages/ipalib/plugins/hbacrule.py'
>>> ipa: DEBUG: importing plugin module
>>> '/usr/lib/python2.6/site-packages/ipalib/plugins/hbacsvc.py'
>>> ipa: DEBUG: importing plugin module
>>> '/usr/lib/python2.6/site-packages/ipalib/plugins/hbacsvcgroup.py'
>>> ipa: DEBUG: importing plugin module
>>> '/usr/lib/python2.6/site-packages/ipalib/plugins/hbactest.py'
>>> ipa: DEBUG: importing plugin module
>>> '/usr/lib/python2.6/site-packages/ipalib/plugins/host.py'
>>> ipa: DEBUG: importing plugin module
>>> '/usr/lib/python2.6/site-packages/ipalib/plugins/hostgroup.py'
>>> ipa: DEBUG: importing plugin module
>>> '/usr/lib/python2.6/site-packages/ipalib/plugins/idrange.py'
>>> ipa: DEBUG: importing plugin module
>>> '/usr/lib/python2.6/site-packages/ipalib/plugins/internal.py'
>>> ipa: DEBUG: importing plugin module
>>> '/usr/lib/python2.6/site-packages/ipalib/plugins/kerberos.py'
>>> ipa: DEBUG: importing plugin module
>>> '/usr/lib/python2.6/site-packages/ipalib/plugins/krbtpolicy.py'
>>> ipa: DEBUG: importing plugin module
>>> '/usr/lib/python2.6/site-packages/ipalib/plugins/migration.py'
>>> ipa: DEBUG: importing plugin module
>>> '/usr/lib/python2.6/site-packages/ipalib/plugins/misc.py'
>>> ipa: DEBUG: importing plugin module
>>> '/usr/lib/python2.6/site-packages/ipalib/plugins/netgroup.py'
>>> ipa: DEBUG: importing plugin module
>>> '/usr/lib/python2.6/site-packages/ipalib/plugins/passwd.py'
>>> ipa:

Re: [Freeipa-users] Insufficient access: SASL(-1): generic failure: GSSAPI Error: Unspecified GSS failure. Minor code may provide more information (Ticket expired)

2016-10-25 Thread bahan w

Re.

There is no time difference between client and server.

I checked the httpd error log and saw no errors.
Same with the dirsrv error logs.

Any other idea ?

By looking at the  log, I'm wondering if this is a question of session ?

See there :
###
ipa: DEBUG: args=keyctl pipe 44063864
ipa: DEBUG: stdout=ipa_session=26a7252e4853374fc7439eae5926c584;
Domain=; Path=/ipa; Expires=Tue, 25 Oct 2016 08:15:09 GMT;
Secure; HttpOnly
ipa: DEBUG: stderr=
ipa: DEBUG: found session_cookie in persistent storage for principal
'@', cookie: 'ipa_session=26a7252e4853374fc7439eae5926c584;
Domain=; Path=/ipa; Expires=Tue, 25 Oct 2016 08:15:09 GMT;
Secure; HttpOnly'
ipa: DEBUG: setting session_cookie into context 'ipa_session=
26a7252e4853374fc7439eae5926c584;'
###

At that time, it was not yet expired but there was only a few minuts before
expiration (something like 10 minuts).
What is this persistent storage which is mentioned in the logs ?

Best regards.

Bahan



On Tue, Oct 25, 2016 at 12:18 PM, Martin Babinsky 
wrote:

> On 10/25/2016 10:27 AM, bahan w wrote:
>
>> Hello everyone !
>>
>> I have an ipa server and an ipa client both in 3.0.0-47.
>>
>> In order to connect via SSH to the host of the ipa-client, I use root.
>> When I'm connected to the ipa-client via ssh being root, I do a kinit of
>> a user with a keytab :
>> ###
>> kinit -kt /etc/security/keytabs/.headless.keytab 
>> ###
>>
>> And sometimes, once I have the TGT, when I do just an ipa user-show, I
>> got the following error :
>> ###
>> ipa: ERROR: Insufficient access: SASL(-1): generic failure: GSSAPI
>> Error: Unspecified GSS failure.  Minor code may provide more information
>> (Ticket expired)
>> ###
>>
>> When I check the ticket, it is not expired :
>> ###
>> # klist
>> Ticket cache: FILE:/tmp/krb5cc_root_
>> Default principal: @
>>
>> Valid starting ExpiresService principal
>> 10/25/16 10:00:44  10/26/16 10:00:44  krbtgt/@
>> ###
>>
>> Do you know from where it can come and how I can solve this error please ?
>>
>> Here is more information with the debug option :
>> ###
>> ipa -d user-show 
>> ###
>>
>> Result :
>> ###
>> ipa: DEBUG: importing all plugin modules in
>> '/usr/lib/python2.6/site-packages/ipalib/plugins'...
>> ipa: DEBUG: importing plugin module
>> '/usr/lib/python2.6/site-packages/ipalib/plugins/aci.py'
>> ipa: DEBUG: importing plugin module
>> '/usr/lib/python2.6/site-packages/ipalib/plugins/automember.py'
>> ipa: DEBUG: importing plugin module
>> '/usr/lib/python2.6/site-packages/ipalib/plugins/automount.py'
>> ipa: DEBUG: importing plugin module
>> '/usr/lib/python2.6/site-packages/ipalib/plugins/baseldap.py'
>> ipa: DEBUG: importing plugin module
>> '/usr/lib/python2.6/site-packages/ipalib/plugins/batch.py'
>> ipa: DEBUG: importing plugin module
>> '/usr/lib/python2.6/site-packages/ipalib/plugins/cert.py'
>> ipa: DEBUG: importing plugin module
>> '/usr/lib/python2.6/site-packages/ipalib/plugins/config.py'
>> ipa: DEBUG: importing plugin module
>> '/usr/lib/python2.6/site-packages/ipalib/plugins/delegation.py'
>> ipa: DEBUG: importing plugin module
>> '/usr/lib/python2.6/site-packages/ipalib/plugins/dns.py'
>> ipa: DEBUG: importing plugin module
>> '/usr/lib/python2.6/site-packages/ipalib/plugins/group.py'
>> ipa: DEBUG: importing plugin module
>> '/usr/lib/python2.6/site-packages/ipalib/plugins/hbacrule.py'
>> ipa: DEBUG: importing plugin module
>> '/usr/lib/python2.6/site-packages/ipalib/plugins/hbacsvc.py'
>> ipa: DEBUG: importing plugin module
>> '/usr/lib/python2.6/site-packages/ipalib/plugins/hbacsvcgroup.py'
>> ipa: DEBUG: importing plugin module
>> '/usr/lib/python2.6/site-packages/ipalib/plugins/hbactest.py'
>> ipa: DEBUG: importing plugin module
>> '/usr/lib/python2.6/site-packages/ipalib/plugins/host.py'
>> ipa: DEBUG: importing plugin module
>> '/usr/lib/python2.6/site-packages/ipalib/plugins/hostgroup.py'
>> ipa: DEBUG: importing plugin module
>> '/usr/lib/python2.6/site-packages/ipalib/plugins/idrange.py'
>> ipa: DEBUG: importing plugin module
>> '/usr/lib/python2.6/site-packages/ipalib/plugins/internal.py'
>> ipa: DEBUG: importing plugin module
>> '/usr/lib/python2.6/site-packages/ipalib/plugins/kerberos.py'
>> ipa: DEBUG: importing plugin module
>> '/usr/lib/python2.6/site-packages/ipalib/plugins/krbtpolicy.py'
>> ipa: DEBUG: importing plugin module
>> '/usr/lib/python2.6/site-packages/ipalib/plugins/migration.py'
>> ipa: DEBUG: importing plugin module
>> '/usr/lib/python2.6/site-packages/ipalib/plugins/misc.py'
>> ipa: DEBUG: importing plugin module
>> '/usr/lib/python2.6/site-packages/ipalib/plugins/netgroup.py'
>> ipa: DEBUG: importing plugin module
>> '/usr/lib/python2.6/site-packages/ipalib/plugins/passwd.py'
>> ipa: DEBUG: importing plugin module
>> '/usr/lib/python2.6/site-packages/ipalib/plugins/permission.py'
>> ipa: DEBUG: importing plugin module
>> '/usr/lib/python2.6/site-packages/ipalib/plugins/ping.py'
>> ipa: DEBUG: importing plugin module
>>

Re: [Freeipa-users] Insufficient access: SASL(-1): generic failure: GSSAPI Error: Unspecified GSS failure. Minor code may provide more information (Ticket expired)

2016-10-25 Thread Martin Babinsky


On 10/25/2016 10:27 AM, bahan w wrote:

Hello everyone !

I have an ipa server and an ipa client both in 3.0.0-47.

In order to connect via SSH to the host of the ipa-client, I use root.
When I'm connected to the ipa-client via ssh being root, I do a kinit of
a user with a keytab :
###
kinit -kt /etc/security/keytabs/.headless.keytab 
###

And sometimes, once I have the TGT, when I do just an ipa user-show, I
got the following error :
###
ipa: ERROR: Insufficient access: SASL(-1): generic failure: GSSAPI
Error: Unspecified GSS failure.  Minor code may provide more information
(Ticket expired)
###

When I check the ticket, it is not expired :
###
# klist
Ticket cache: FILE:/tmp/krb5cc_root_
Default principal: @

Valid starting ExpiresService principal
10/25/16 10:00:44  10/26/16 10:00:44  krbtgt/@
###

Do you know from where it can come and how I can solve this error please ?

Here is more information with the debug option :
###
ipa -d user-show 
###

Result :
###
ipa: DEBUG: importing all plugin modules in
'/usr/lib/python2.6/site-packages/ipalib/plugins'...
ipa: DEBUG: importing plugin module
'/usr/lib/python2.6/site-packages/ipalib/plugins/aci.py'
ipa: DEBUG: importing plugin module
'/usr/lib/python2.6/site-packages/ipalib/plugins/automember.py'
ipa: DEBUG: importing plugin module
'/usr/lib/python2.6/site-packages/ipalib/plugins/automount.py'
ipa: DEBUG: importing plugin module
'/usr/lib/python2.6/site-packages/ipalib/plugins/baseldap.py'
ipa: DEBUG: importing plugin module
'/usr/lib/python2.6/site-packages/ipalib/plugins/batch.py'
ipa: DEBUG: importing plugin module
'/usr/lib/python2.6/site-packages/ipalib/plugins/cert.py'
ipa: DEBUG: importing plugin module
'/usr/lib/python2.6/site-packages/ipalib/plugins/config.py'
ipa: DEBUG: importing plugin module
'/usr/lib/python2.6/site-packages/ipalib/plugins/delegation.py'
ipa: DEBUG: importing plugin module
'/usr/lib/python2.6/site-packages/ipalib/plugins/dns.py'
ipa: DEBUG: importing plugin module
'/usr/lib/python2.6/site-packages/ipalib/plugins/group.py'
ipa: DEBUG: importing plugin module
'/usr/lib/python2.6/site-packages/ipalib/plugins/hbacrule.py'
ipa: DEBUG: importing plugin module
'/usr/lib/python2.6/site-packages/ipalib/plugins/hbacsvc.py'
ipa: DEBUG: importing plugin module
'/usr/lib/python2.6/site-packages/ipalib/plugins/hbacsvcgroup.py'
ipa: DEBUG: importing plugin module
'/usr/lib/python2.6/site-packages/ipalib/plugins/hbactest.py'
ipa: DEBUG: importing plugin module
'/usr/lib/python2.6/site-packages/ipalib/plugins/host.py'
ipa: DEBUG: importing plugin module
'/usr/lib/python2.6/site-packages/ipalib/plugins/hostgroup.py'
ipa: DEBUG: importing plugin module
'/usr/lib/python2.6/site-packages/ipalib/plugins/idrange.py'
ipa: DEBUG: importing plugin module
'/usr/lib/python2.6/site-packages/ipalib/plugins/internal.py'
ipa: DEBUG: importing plugin module
'/usr/lib/python2.6/site-packages/ipalib/plugins/kerberos.py'
ipa: DEBUG: importing plugin module
'/usr/lib/python2.6/site-packages/ipalib/plugins/krbtpolicy.py'
ipa: DEBUG: importing plugin module
'/usr/lib/python2.6/site-packages/ipalib/plugins/migration.py'
ipa: DEBUG: importing plugin module
'/usr/lib/python2.6/site-packages/ipalib/plugins/misc.py'
ipa: DEBUG: importing plugin module
'/usr/lib/python2.6/site-packages/ipalib/plugins/netgroup.py'
ipa: DEBUG: importing plugin module
'/usr/lib/python2.6/site-packages/ipalib/plugins/passwd.py'
ipa: DEBUG: importing plugin module
'/usr/lib/python2.6/site-packages/ipalib/plugins/permission.py'
ipa: DEBUG: importing plugin module
'/usr/lib/python2.6/site-packages/ipalib/plugins/ping.py'
ipa: DEBUG: importing plugin module
'/usr/lib/python2.6/site-packages/ipalib/plugins/privilege.py'
ipa: DEBUG: importing plugin module
'/usr/lib/python2.6/site-packages/ipalib/plugins/pwpolicy.py'
ipa: DEBUG: args=klist -V
ipa: DEBUG: stdout=Kerberos 5 version 1.10.3

ipa: DEBUG: stderr=
ipa: DEBUG: importing plugin module
'/usr/lib/python2.6/site-packages/ipalib/plugins/role.py'
ipa: DEBUG: importing plugin module
'/usr/lib/python2.6/site-packages/ipalib/plugins/selfservice.py'
ipa: DEBUG: importing plugin module
'/usr/lib/python2.6/site-packages/ipalib/plugins/selinuxusermap.py'
ipa: DEBUG: importing plugin module
'/usr/lib/python2.6/site-packages/ipalib/plugins/service.py'
ipa: DEBUG: importing plugin module
'/usr/lib/python2.6/site-packages/ipalib/plugins/sudocmd.py'
ipa: DEBUG: importing plugin module
'/usr/lib/python2.6/site-packages/ipalib/plugins/sudocmdgroup.py'
ipa: DEBUG: importing plugin module
'/usr/lib/python2.6/site-packages/ipalib/plugins/sudorule.py'
ipa: DEBUG: importing plugin module
'/usr/lib/python2.6/site-packages/ipalib/plugins/trust.py'
ipa: DEBUG: importing plugin module
'/usr/lib/python2.6/site-packages/ipalib/plugins/user.py'
ipa: DEBUG: importing plugin module
'/usr/lib/python2.6/site-packages/ipalib/plugins/virtual.py'
ipa: DEBUG: importing plugin module
'/usr/lib/python2.6/site-packages/ipalib/plugins/xmlclient.py'
ipa: DEBUG:

Re: [Freeipa-users] Insufficient access: SASL(-1): generic failure: GSSAPI Error: Unspecified GSS failure. Minor code may provide more information (Ticket expired)

Re: [Freeipa-users] Insufficient access: SASL(-1): generic failure: GSSAPI Error: Unspecified GSS failure. Minor code may provide more information (Ticket expired)

Re: [Freeipa-users] Insufficient access: SASL(-1): generic failure: GSSAPI Error: Unspecified GSS failure. Minor code may provide more information (Ticket expired)

3 matches

Site Navigation

Mail list logo

Footer information