#5272 Unhandled GSSAPI exceptions
Closed: Fixed None Opened 8 years ago by dkupka.

  1. When the Credential cache is missing:
    {{{
    $ kdestroy
    $ ipa ping
    }}}
    Expected output:
    {{{
    ipa: ERROR: did not receive Kerberos credentials
    }}}
    Actual output:
    {{{
    Traceback (most recent call last):
    File "/usr/bin/ipa", line 32, in <module>
    cli.run(api)
    File "/usr/lib/python2.7/site-packages/ipalib/cli.py", line 1340, in run
    sys.exit(api.Backend.cli.run(argv))
    File "/usr/lib/python2.7/site-packages/ipalib/cli.py", line 1096, in run
    self.create_context()
    File "/usr/lib/python2.7/site-packages/ipalib/backend.py", line 118, in create_context
    fallback=self.env.fallback, delegate=self.env.delegate)
    File "/usr/lib/python2.7/site-packages/ipalib/backend.py", line 64, in connect
    conn = self.create_connection(*args, **kw)
    File "/usr/lib/python2.7/site-packages/ipalib/rpc.py", line 835, in create_connection
    principal = get_principal()
    File "/usr/lib/python2.7/site-packages/ipalib/krb_utils.py", line 172, in get_principal
    creds = get_credentials(ccache_name=ccache_name)
    File "/usr/lib/python2.7/site-packages/ipalib/krb_utils.py", line 155, in get_credentials
    return gssapi.Credentials(usage='initiate', name=name, store=store)
    File "/usr/lib64/python2.7/site-packages/gssapi/creds.py", line 64, in __new__
    store=store)
    File "/usr/lib64/python2.7/site-packages/gssapi/creds.py", line 137, in acquire
    mechs, usage)
    File "gssapi/raw/creds.pyx", line 158, in gssapi.raw.creds.acquire_cred (gssapi/raw/creds.c:1630)
    gssapi.raw.misc.GSSError: Major (851968): Unspecified GSS failure. Minor code may provide more information, Minor (2529639053): No Kerberos credentials available
    }}}

  2. When the ticket is expired:
    {{{
    $ kdestroy
    $ kinit admin -l 1m
    $ sleep 61 # wait till the ticket expires
    $ ipa ping
    }}}
    Expected:
    {{{
    ipa: ERROR: did not receive Kerberos credentials
    }}}
    Actual:
    {{{
    File "/usr/bin/ipa", line 32, in <module>
    cli.run(api)
    File "/usr/lib/python2.7/site-packages/ipalib/cli.py", line 1340, in run
    sys.exit(api.Backend.cli.run(argv))
    File "/usr/lib/python2.7/site-packages/ipalib/cli.py", line 1096, in run
    self.create_context()
    File "/usr/lib/python2.7/site-packages/ipalib/backend.py", line 118, in create_context
    fallback=self.env.fallback, delegate=self.env.delegate)
    File "/usr/lib/python2.7/site-packages/ipalib/backend.py", line 64, in connect
    conn = self.create_connection(*args, **kw)
    File "/usr/lib/python2.7/site-packages/ipalib/rpc.py", line 835, in create_connection
    principal = get_principal()
    File "/usr/lib/python2.7/site-packages/ipalib/krb_utils.py", line 173, in get_principal
    return unicode(creds.name)
    File "/usr/lib64/python2.7/site-packages/gssapi/creds.py", line 73, in name
    usage=False, mechs=False).name
    File "/usr/lib64/python2.7/site-packages/gssapi/creds.py", line 259, in inquire
    res = rcreds.inquire_cred(self, name, lifetime, usage, mechs)
    File "gssapi/raw/creds.pyx", line 351, in gssapi.raw.creds.inquire_cred (gssapi/raw/creds.c:2967)
    gssapi.raw.exceptions.ExpiredCredentialsError: Major (720896): The referenced credential has expired, Minor (100001): Success
    }}}


Raising priority, I hit this often too.

master:

  • bdccebb Rewrap errors in get_principal to CCacheError

Metadata Update from @dkupka:
- Issue assigned to msimacek
- Issue set to the milestone: FreeIPA 4.3

7 years ago
