#6698 User with ticket gets GSS failure when calling freeipa CLI command
Closed: fixed 2 years ago Opened 2 years ago by dkupka.

Steps to reproduce:

# ipa-server-install -a Secret123 -p Secret123 --domain $(hostname -d) --realm $(hostname -d | tr [:lower:] [:upper:]) -U
# echo Secret123 | kinit admin
# ipa ping

Expected result:

-----------------------------------------------------------------------
IPA server version 4.4.90.dev201702221433+git908d2ea. API version 2.218
-----------------------------------------------------------------------

Actual result:

ipa: ERROR: Major (851968): Unspecified GSS failure.  Minor code may provide more information, Minor (2598845123): No credentials cache found

Additional info:

  • ccache for principal admin@$REALM is missing in /var/run/ipa/ccaches.
  • when host keytab is used to obtain ticket the ccache is created and everything works.
  • so far this issue was observed only in development virtual lab. Contact dkupka (reporter) for reproducer.

This broke also Web UI's forms based auth (I did not try kerb auth).

But update to gssproxy-0.6.2-1.fc25 fixed the issue for me: https://koji.fedoraproject.org/koji/buildinfo?buildID=861532

Yes I committed a fix to gssproxy and we released a package explicitly to fix this issue in Fedora.
We should put in a patch to up the minimum gssproxy version in freeipa.spec.in

Metadata Update from @dkupka:
- Issue assigned to someone
- Issue set to the milestone: 0.0 NEEDS_TRIAGE

2 years ago

Metadata Update from @pvoborni:
- Custom field affects_doc reset
- Custom field tester adjusted to wanted
- Issue assigned to dkupka (was: someone)
- Issue close_status updated to: None

2 years ago

Metadata Update from @pvoborni:
- Custom field affects_doc reset
- Custom field on_review adjusted to https://github.com/freeipa/freeipa/pull/511

2 years ago

Metadata Update from @pvoborni:
- Custom field affects_doc reset
- Issue priority set to: 1 (was: 3)
- Issue set to the milestone: FreeIPA 4.5 (was: 0.0 NEEDS_TRIAGE)

2 years ago

master:

  • c37254e Bump required version of gssproxy to 0.7.0

Metadata Update from @mbasti:
- Issue close_status updated to: fixed
- Issue status updated to: Closed (was: Open)

2 years ago

Login to comment on this ticket.

Metadata