```
=================================== FAILURES ===================================
__ TestIpaHealthCheck.test_source_ipahealthcheck_ipa_host_check_ipahostkeytab __

self = <ipatests.test_integration.test_ipahealthcheck.TestIpaHealthCheck object at 0x7fceb5cf26a0>
restart_service = <function restart_service.<locals>._stop_service at 0x7fceb57379d0>

    def test_source_ipahealthcheck_ipa_host_check_ipahostkeytab(
        self, restart_service
    ):
        """
        Testcase checks behaviour of check IPAHostKeytab in source
        ipahealthcheck.ipa.host when dirsrv service is stopped and
        running on IPA master
        """
        msg = (
            "Failed to obtain host TGT: Major (851968): "
            "Unspecified GSS failure. "
            "Minor code may provide more information, "
            "Minor (2529638972): Generic error (see e-text)"
        )
        restart_service(self.master, "dirsrv")
        dirsrv_ipactl_status = 'Directory Service: STOPPED'
        result = self.master.run_command(
            ["ipactl", "status"])
        returncode, data = run_healthcheck(
            self.master,
            "ipahealthcheck.ipa.host",
            "IPAHostKeytab",
        )
        assert returncode == 1
        if dirsrv_ipactl_status in result.stdout_text:
            == "ERROR"
            == msg
E       AssertionError: assert 'Failed to ob... (see e-text)' == 'Failed to ob... (see e-text)'
E         - Failed to obtain host TGT: Major (851968): Unspecified GSS failure. Minor code may provide more information, Minor (2529638972): Generic error (see e-text)
E         + Failed to obtain host TGT: Major (458752): No credentials were supplied, or the credentials were unavailable or inaccessible, Minor (2529638972): Generic error (see e-text)

test_integration/test_ipahealthcheck.py:473: AssertionError
```
```
RUN ['ipa-healthcheck', '--source', 'ipahealthcheck.ipa.host', '--check', 'IPAHostKeytab', '--output-type', 'json']
[
  {
    "source": "ipahealthcheck.ipa.host",
    "check": "IPAHostKeytab",
    "result": "ERROR",
    "uuid": "cb4c6b19-37ae-4835-b089-2c32244a5342",
    "when": "20210304053728Z",
    "duration": "0.004428",
    "kw": {
      "msg": "Failed to obtain host TGT: Major (458752): No credentials were supplied, or the credentials were unavailable or inaccessible, Minor (2529638972): Generic error (see e-text)"
    }
  }
]
Exit code: 1
```
This test attempts to get initial-only credentials for a host principal using a host keytab while directory is OFF and checks the error message.
```
(gdb) bt
#0  acquire_init_cred (cred=0x1169c40, verify=0x0, client_keytab=0x109ce00, password=0x0, req_ccache=0x12f6bf0, minor_status=0x7fff82dd6b14, context=0x11a51e0) at acquire_cred.c:762
#1  acquire_cred_context (context=0x11a51e0, minor_status=minor_status@entry=0x7fff82dd6b14, desired_name=desired_name@entry=0x11142e0, password=0x0, cred_usage=cred_usage@entry=1, ccache=0x12f6bf0, client_keytab=0x109ce00, keytab=0x0, rcname=0x0, verify=0x0, iakerb=0, output_cred_handle=0x7fff82dd6a18, time_rec=0x7fff82dd6a00, time_req=<optimized out>) at acquire_cred.c:841
#2  0x00007fab59ed5fbb in acquire_cred_from (minor_status=0x7fff82dd6b14, desired_name=0x11142e0, cred_usage=1, cred_store=0x1249ec0, iakerb=0, output_cred_handle=0x7fff82dd6a18, time_rec=0x7fff82dd6a00, actual_mechs=<optimized out>, desired_mechs=<optimized out>, time_req=<optimized out>) at acquire_cred.c:1306
#3  0x00007fab59ec276c in gss_add_cred_from (minor_status=minor_status@entry=0x7fff82dd6b14, input_cred_handle=<optimized out>, desired_name=desired_name@entry=0xfafb80, desired_mech=<optimized out>, cred_usage=cred_usage@entry=1, initiator_time_req=initiator_time_req@entry=4294967295, acceptor_time_req=<optimized out>, cred_store=0x1249ec0, output_cred_handle=0x0, actual_mechs=0x0, initiator_time_rec=0x7fff82dd6b18, acceptor_time_rec=0x7fff82dd6b1c) at g_acquire_cred.c:544
#4  0x00007fab59ec2d57 in gss_acquire_cred_from (minor_status=0x7fff82dd6bf0, desired_name=0xfafb80, time_req=4294967295, desired_mechs=0x0, cred_usage=1, cred_store=0x1249ec0, output_cred_handle=0x7fff82dd6c00, actual_mechs=0x7fff82dd6c08, time_rec=0x7fff82dd6bec) at g_acquire_cred.c:190
...
(gdb) l 762
757
758         *minor_status = 0;
759         return GSS_S_COMPLETE;
760
761     error:
762         *minor_status = code;
763         return GSS_S_NO_CRED;
764     }
765
766     static OM_uint32
```
Since 1.19.1 MIT kerberos returns GSS_S_NO_CRED instead of GSS_S_CRED_UNAVAIL (GSS_S_CRED_UNAVAIL currently is the same as GSS_S_FAILURE) in acquire_init_cred if no credentials corresponding to the requested name and usage could be accessed:
https://krbdev.mit.edu/rt/Ticket/Display.html?id=8909
https://github.com/krb5/krb5/commit/eb8d2ced232e60613b461b4410f6fff3800467ab
GSS_S_NO_CRED is defined as:
```
#define GSS_C_ROUTINE_ERROR_OFFSET 16
...
#define GSS_S_NO_CRED (((OM_uint32) 7ul) << GSS_C_ROUTINE_ERROR_OFFSET)
```
```
[root@master1 /]# python3 -c "print(7 << 16)"
458752
```
So, "Failed to obtain host TGT: Major (458752): No credentials were supplied, or the credentials were unavailable or inaccessible, Minor (2529638972): Generic error (see e-text)" is correct.
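Added example, not part of the original ticket or of the FreeIPA or krb5 code: the `7 << 16` arithmetic above generalized into a decoder for any GSS-API major status word, using the field layout and status names from RFC 2744. The helper names `decode_major` and `routine_from_message` are hypothetical; the two sample messages are the prefixes shown in the failing assertion.

```python
import re

# GSS-API major status layout (RFC 2744): calling error in bits 24-31,
# routine error in bits 16-23, supplementary info flags in bits 0-15.
CALLING_OFFSET, ROUTINE_OFFSET = 24, 16
FIELD_MASK, SUPPLEMENTARY_MASK = 0o377, 0o177777
CALLING_ERRORS = {1: "GSS_S_CALL_INACCESSIBLE_READ",
                  2: "GSS_S_CALL_INACCESSIBLE_WRITE", 3: "GSS_S_CALL_BAD_STRUCTURE"}
ROUTINE_ERRORS = {
    1: "GSS_S_BAD_MECH", 2: "GSS_S_BAD_NAME", 3: "GSS_S_BAD_NAMETYPE",
    4: "GSS_S_BAD_BINDINGS", 5: "GSS_S_BAD_STATUS", 6: "GSS_S_BAD_SIG",
    7: "GSS_S_NO_CRED", 8: "GSS_S_NO_CONTEXT", 9: "GSS_S_DEFECTIVE_TOKEN",
    10: "GSS_S_DEFECTIVE_CREDENTIAL", 11: "GSS_S_CREDENTIALS_EXPIRED",
    12: "GSS_S_CONTEXT_EXPIRED", 13: "GSS_S_FAILURE", 14: "GSS_S_BAD_QOP",
    15: "GSS_S_UNAUTHORIZED", 16: "GSS_S_UNAVAILABLE",
    17: "GSS_S_DUPLICATE_ELEMENT", 18: "GSS_S_NAME_NOT_MN",
}
SUPPLEMENTARY_FLAGS = {
    0: "GSS_S_CONTINUE_NEEDED", 1: "GSS_S_DUPLICATE_TOKEN",
    2: "GSS_S_OLD_TOKEN", 3: "GSS_S_UNSEQ_TOKEN", 4: "GSS_S_GAP_TOKEN",
}
MAJOR_RE = re.compile(r"Major \((\d+)\)")

def _name(table, value):
    # A zero field means "no error of this kind"; unknown values stay visible.
    return None if value == 0 else table.get(value, "UNKNOWN(%d)" % value)

def decode_major(status):
    """Split a major status word into its three named fields."""
    supplementary = status & SUPPLEMENTARY_MASK
    return {
        "calling": _name(CALLING_ERRORS, (status >> CALLING_OFFSET) & FIELD_MASK),
        "routine": _name(ROUTINE_ERRORS, (status >> ROUTINE_OFFSET) & FIELD_MASK),
        "supplementary": [name for bit, name in SUPPLEMENTARY_FLAGS.items()
                          if supplementary & (1 << bit)],
    }

def routine_from_message(msg):
    """Decode the 'Major (N)' number embedded in a healthcheck message."""
    match = MAJOR_RE.search(msg)
    if match is None:
        raise ValueError("no GSS major status in message")
    return decode_major(int(match.group(1)))["routine"]

# The two message prefixes from the failing assertion in this ticket.
OLD_MSG = "Failed to obtain host TGT: Major (851968): Unspecified GSS failure."
NEW_MSG = "Failed to obtain host TGT: Major (458752): No credentials were supplied"
```

Decoding both numbers shows the expected message carried routine error 13 (`GSS_S_FAILURE`) while the observed one carries routine error 7 (`GSS_S_NO_CRED`).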
Metadata Update from @slev: - Issue assigned to slev
PR: https://github.com/freeipa/freeipa/pull/5601
master:
ipa-4-9:
ipa-4-8:
Metadata Update from @frenaud: - Issue close_status updated to: fixed - Issue status updated to: Closed (was: Open)