When using AD credentials to connect to the IPA server via the CLI, I'm getting the following:
```
[root@masteripa ~]# klist
Ticket cache: FILE:/tmp/krbccname2
Default principal: Administrator@AD12Y.AD12X.WEALD.VDA.LI

Valid starting       Expires              Service principal
06.03.2014 10:25:01  06.03.2014 20:25:01  krbtgt/AD12Y.AD12X.WEALD.VDA.LI@AD12Y.AD12X.WEALD.VDA.LI
	renew until 07.03.2014 10:24:56
06.03.2014 10:25:03  06.03.2014 20:25:01  krbtgt/AD12X.WEALD.VDA.LI@AD12Y.AD12X.WEALD.VDA.LI
	renew until 07.03.2014 10:24:56
06.03.2014 10:25:03  06.03.2014 20:25:01  krbtgt/IPA.WEALD.VDA.LI@AD12X.WEALD.VDA.LI
	renew until 07.03.2014 10:24:56
06.03.2014 10:25:13  06.03.2014 20:25:01  host/masteripa.ipa.weald.vda.li@IPA.WEALD.VDA.LI
	renew until 07.03.2014 10:24:56
06.03.2014 10:53:47  06.03.2014 20:25:01  HTTP/masteripa.ipa.weald.vda.li@IPA.WEALD.VDA.LI
	renew until 07.03.2014 10:24:56
[root@masteripa ~]# ipa -v user-show --all --raw admin
ipa: ERROR: cannot connect to 'https://masteripa.ipa.weald.vda.li/ipa/json': Internal Server Error
```
and in the error_log:
```
[Thu Mar 06 10:53:47.693081 2014] [:error] [pid 7750] ipa: DEBUG: WSGI wsgi_dispatch.__call__:
[Thu Mar 06 10:53:47.693278 2014] [:error] [pid 7750] ipa: DEBUG: WSGI jsonserver_kerb.__call__:
[Thu Mar 06 10:53:48.715985 2014] [:error] [pid 7750] [remote 192.168.100.179:188] mod_wsgi (pid=7750): Exception occurred processing WSGI script '/usr/share/ipa/wsgi.py'.
[Thu Mar 06 10:53:48.768140 2014] [:error] [pid 7750] [remote 192.168.100.179:188] Traceback (most recent call last):
[Thu Mar 06 10:53:48.768275 2014] [:error] [pid 7750] [remote 192.168.100.179:188]   File "/usr/share/ipa/wsgi.py", line 49, in application
[Thu Mar 06 10:53:48.768869 2014] [:error] [pid 7750] [remote 192.168.100.179:188]     return api.Backend.wsgi_dispatch(environ, start_response)
[Thu Mar 06 10:53:48.768895 2014] [:error] [pid 7750] [remote 192.168.100.179:188]   File "/usr/lib/python2.7/site-packages/ipaserver/rpcserver.py", line 249, in __call__
[Thu Mar 06 10:53:48.780353 2014] [:error] [pid 7750] [remote 192.168.100.179:188]     return self.route(environ, start_response)
[Thu Mar 06 10:53:48.780431 2014] [:error] [pid 7750] [remote 192.168.100.179:188]   File "/usr/lib/python2.7/site-packages/ipaserver/rpcserver.py", line 261, in route
[Thu Mar 06 10:53:48.780496 2014] [:error] [pid 7750] [remote 192.168.100.179:188]     return app(environ, start_response)
[Thu Mar 06 10:53:48.780517 2014] [:error] [pid 7750] [remote 192.168.100.179:188]   File "/usr/lib/python2.7/site-packages/ipaserver/rpcserver.py", line 794, in __call__
[Thu Mar 06 10:53:48.780555 2014] [:error] [pid 7750] [remote 192.168.100.179:188]     self.create_context(ccache=user_ccache)
[Thu Mar 06 10:53:48.780585 2014] [:error] [pid 7750] [remote 192.168.100.179:188]   File "/usr/lib/python2.7/site-packages/ipalib/backend.py", line 114, in create_context
[Thu Mar 06 10:53:48.787426 2014] [:error] [pid 7750] [remote 192.168.100.179:188]     self.Backend.ldap2.connect(ccache=ccache)
[Thu Mar 06 10:53:48.787496 2014] [:error] [pid 7750] [remote 192.168.100.179:188]   File "/usr/lib/python2.7/site-packages/ipalib/backend.py", line 63, in connect
[Thu Mar 06 10:53:48.787573 2014] [:error] [pid 7750] [remote 192.168.100.179:188]     conn = self.create_connection(*args, **kw)
[Thu Mar 06 10:53:48.787612 2014] [:error] [pid 7750] [remote 192.168.100.179:188]   File "/usr/lib/python2.7/site-packages/ipaserver/plugins/ldap2.py", line 164, in create_connection
[Thu Mar 06 10:53:48.792717 2014] [:error] [pid 7750] [remote 192.168.100.179:188]     conn.simple_bind_s(bind_dn, bind_pw)
[Thu Mar 06 10:53:48.792768 2014] [:error] [pid 7750] [remote 192.168.100.179:188]   File "/usr/lib64/python2.7/contextlib.py", line 35, in __exit__
[Thu Mar 06 10:53:48.805522 2014] [:error] [pid 7750] [remote 192.168.100.179:188]     self.gen.throw(type, value, traceback)
[Thu Mar 06 10:53:48.805555 2014] [:error] [pid 7750] [remote 192.168.100.179:188]   File "/usr/lib/python2.7/site-packages/ipapython/ipaldap.py", line 1165, in error_handler
[Thu Mar 06 10:53:48.823923 2014] [:error] [pid 7750] [remote 192.168.100.179:188]     raise errors.ACIError(info="%s %s" % (info, desc))
[Thu Mar 06 10:53:48.824170 2014] [:error] [pid 7750] [remote 192.168.100.179:188] ACIError: Insufficient access: SASL(-14): authorization failure: Invalid credentials
```
Isn't this an expected error until #3242 is fixed? Isn't the error caused by the DS SASL plugin, which cannot bind AD users to any LDAP object?
Related ticket: #3330 (SASL Fallback plugin configuration).
The behavior is expected, but a server crash (instead of returning a proper exception) is not what we want.
Ok. Note that this does not affect FreeIPA 3.3.x versions, as the CLI there still uses XMLRPC and not JSONRPC to communicate with the FreeIPA server:
```
# klist
Ticket cache: FILE:/tmp/foo
Default principal: Administrator@TBAD.EXAMPLE.COM

Valid starting       Expires              Service principal
03/06/2014 07:28:52  03/06/2014 17:28:52  krbtgt/TBAD.EXAMPLE.COM@TBAD.EXAMPLE.COM
	renew until 03/07/2014 07:28:47
03/06/2014 07:31:25  03/06/2014 17:28:52  krbtgt/EXAMPLE.COM@TBAD.EXAMPLE.COM
	renew until 03/07/2014 07:28:47
03/06/2014 07:31:49  03/06/2014 17:28:52  HTTP/vm-067.example.com@EXAMPLE.COM
	renew until 03/07/2014 07:28:47
# ipa user-show admin
ipa: ERROR: Insufficient access: SASL(-14): authorization failure: Invalid credentials
```
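The difference the two comments above describe (an unhandled backend error turning into an HTTP 500 on the JSON-RPC path, versus the error being propagated to the client) in runnable form. This is an added illustration, not FreeIPA's rpcserver.py or ldap2 plugin: the LDAP bind is a constructed stand-in that fails for any principal outside the IPA realm, the way the SASL bind in the traceback fails for an AD user. `crashing_app` lets that failure escape the WSGI callable; `propagating_app` catches it and returns it as the JSON-RPC `error` member. The realm names, the error codes, the `REMOTE_USER` lookup and the `call_app` helper (which reproduces what the WSGI server does with an unhandled exception) are assumptions of the example.

```python
"""Added example: backend error escaping a WSGI JSON-RPC handler vs. being
returned as a JSON-RPC error. Not FreeIPA code; names and realms assumed."""
import io
import json


class ACIError(Exception):
    """Stand-in for the backend's 'insufficient access' error (assumed name)."""


# Constructed stand-in for the IPA realm and the bind failure from the ticket.
IPA_REALM = "IPA.EXAMPLE.COM"
SASL_FAILURE = "Insufficient access: SASL(-14): authorization failure: Invalid credentials"

# Illustrative error codes for the example, not FreeIPA's numbering.
ERR_BAD_JSON, ERR_ACI, ERR_UNKNOWN_COMMAND = 1, 2, 3


def ldap_connect(principal):
    """Mimic the SASL/GSSAPI bind: only principals of the IPA realm map to an
    LDAP entry; anything else (an AD user) fails like the ticket shows."""
    if not principal.endswith("@" + IPA_REALM):
        raise ACIError(SASL_FAILURE)
    return {"principal": principal}


def dispatch(method, params, conn):
    """Tiny command table standing in for the real command dispatcher."""
    if method == "user_show":
        return {"uid": params[0], "bound_as": conn["principal"]}
    raise KeyError("unknown command: %s" % method)


def _json_reply(start_response, reply_id, result=None, error=None):
    data = json.dumps({"id": reply_id, "result": result, "error": error}).encode()
    start_response("200 OK", [("Content-Type", "application/json"),
                              ("Content-Length", str(len(data)))])
    return [data]


def crashing_app(environ, start_response):
    """Buggy variant: the bind runs with no error handling around it, so
    ACIError escapes the callable; the server logs a traceback and the
    client only sees 'Internal Server Error'."""
    conn = ldap_connect(environ["REMOTE_USER"])
    request = json.loads(environ["wsgi.input"].read())
    result = dispatch(request["method"], request["params"], conn)
    return _json_reply(start_response, request["id"], result=result)


def propagating_app(environ, start_response):
    """Fixed variant: every backend failure, the bind included, becomes a
    JSON-RPC error member carrying the message only (no traceback)."""
    try:
        request = json.loads(environ["wsgi.input"].read())
    except ValueError:
        return _json_reply(start_response, None,
                           error={"code": ERR_BAD_JSON, "message": "invalid JSON"})
    reply_id = request.get("id")
    try:
        conn = ldap_connect(environ["REMOTE_USER"])
        result = dispatch(request["method"], request["params"], conn)
    except ACIError as e:
        return _json_reply(start_response, reply_id,
                           error={"code": ERR_ACI, "message": str(e)})
    except KeyError as e:
        return _json_reply(start_response, reply_id,
                           error={"code": ERR_UNKNOWN_COMMAND, "message": e.args[0]})
    return _json_reply(start_response, reply_id, result=result)


def make_request(principal, method="user_show", params=("admin",), raw=None):
    """Constructed WSGI environ for a Kerberos-authenticated JSON-RPC call;
    REMOTE_USER is the principal the HTTP auth module would have set."""
    body = raw if raw is not None else json.dumps(
        {"method": method, "params": list(params), "id": 0}).encode()
    return {"REQUEST_METHOD": "POST", "PATH_INFO": "/ipa/json",
            "REMOTE_USER": principal, "wsgi.input": io.BytesIO(body)}


def call_app(app, environ):
    """Drive an app the way the WSGI server does. An unhandled exception is
    answered with a bare 500 and no JSON body, as in the ticket."""
    seen = {}

    def start_response(status, headers):
        seen["status"] = status

    try:
        chunks = app(environ, start_response)
    except Exception:  # the server would log the traceback here
        return "500 Internal Server Error", None
    return seen["status"], json.loads(b"".join(chunks))


if __name__ == "__main__":
    ad_user = make_request("Administrator@AD.EXAMPLE.COM")
    print(call_app(crashing_app, ad_user))
    print(call_app(propagating_app, make_request("Administrator@AD.EXAMPLE.COM")))
    print(call_app(propagating_app, make_request("admin@IPA.EXAMPLE.COM")))
```

The boundary that matters is the outermost request handler: once the bind failure is caught there, the client gets the same "Insufficient access" message the XMLRPC path already delivered, and nothing beyond that message leaves the server.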
Alexander, please switch on-review flag when a patch is ready. Otherwise people do not see this patch in appropriate views.
This ticket is not complete yet, moving to next month milestone.
I re-tested this issue with the latest master and I could not reproduce it:
```
# kinit -C Administrator@tbad.idm.lab.eng.brq.redhat.com
Password for Administrator@tbad.idm.lab.eng.brq.redhat.com:
# klist
Ticket cache: FILE:/tmp/foo
Default principal: Administrator@TBAD.IDM.LAB.ENG.BRQ.REDHAT.COM

Valid starting       Expires              Service principal
04/08/2014 16:32:36  04/09/2014 02:32:36  krbtgt/TBAD.IDM.LAB.ENG.BRQ.REDHAT.COM@TBAD.IDM.LAB.ENG.BRQ.REDHAT.COM
	renew until 04/09/2014 16:32:33
# ipa -v user-show --all --raw admin
ipa: INFO: trying https://ipa.mkosek-fedora20.test/ipa/json
ipa: INFO: Forwarding 'user_show' to json server 'https://ipa.mkosek-fedora20.test/ipa/json'
ipa: ERROR: Insufficient access: SASL(-14): authorization failure: Invalid credentials
```
No crash, the error is propagated.
Closing as worksforme.
Metadata Update from @abbra:
- Issue assigned to abbra
- Issue set to the milestone: FreeIPA 4.0 - 2014/04