#8873 Missing credential cache can raise 500 when authenticating instead of 401
Closed: fixed a year ago by frenaud. Opened a year ago by rcritten.


Discovered in PR https://github.com/freeipa/freeipa/pull/5637

The reproducer is in the test_client_doesnot_throw_responsenotready_error test in the PR.

File "/usr/share/ipa/wsgi.py", line 59, in application
  return api.Backend.wsgi_dispatch(environ, start_response)
File "/usr/lib/python3.9/site-packages/ipaserver/rpcserver.py", line 296, in __call__
  return self.route(environ, start_response)
File "/usr/lib/python3.9/site-packages/ipaserver/rpcserver.py", line 308, in route
  return app(environ, start_response)
File "/usr/lib/python3.9/site-packages/ipaserver/rpcserver.py", line 894, in __call__
  ccache_name = self.get_environ_creds(environ)
File "/usr/lib/python3.9/site-packages/ipaserver/rpcserver.py", line 672, in get_environ_creds
  creds = get_credentials_if_valid(name=gss_name,
File "/usr/lib/python3.9/site-packages/ipalib/krb_utils.py", line 199, in get_credentials_if_valid
  creds = get_credentials(name=name, ccache_name=ccache_name)
File "/usr/lib/python3.9/site-packages/ipalib/krb_utils.py", line 158, in get_credentials
  raise ValueError('"%s", ccache="%s"' % (e, ccache_name))
ValueError: "Major (851968): Unspecified GSS failure.  Minor code may provide more information, Minor (2598845123): No credentials cache found

It looks like even the purposefully raised exception wouldn't be handled. The caller of get_environ_creds() expects either a ccache or None.

So the right fix I think is to catch ValueError around the call to get_credentials_if_valid() and return None if caught.
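The proposal above as an added sketch, not part of the original issue and not FreeIPA code. Every name here (`load_creds`, `creds_unguarded`, `creds_guarded`, `make_app`, `status_for`, the `DEMO_CCACHE` key and the cache names) is a hypothetical stand-in, and the harness is assumed to turn an escaped exception into a 500 the way a WSGI server would.

```python
from wsgiref.util import setup_testing_defaults

# Constructed sample state: the only credential cache that still exists.
EXISTING_CCACHES = {"FILE:/tmp/demo_ccache_alice"}


def load_creds(ccache_name):
    """Plays the role of the helper in the traceback: ValueError if the cache is gone."""
    if ccache_name not in EXISTING_CCACHES:
        raise ValueError('"No credentials cache found", ccache="%s"' % ccache_name)
    return {"ccache": ccache_name}


def creds_unguarded(environ):
    # Behaviour reported in the issue: the ValueError escapes to the dispatcher.
    ccache_name = environ.get("DEMO_CCACHE")
    load_creds(ccache_name)
    return ccache_name


def creds_guarded(environ):
    # Proposed fix: a missing cache means "no credentials", so return None.
    try:
        return creds_unguarded(environ)
    except ValueError:
        return None


def make_app(get_creds):
    """Caller that expects either a ccache name or None, as the issue describes."""
    def app(environ, start_response):
        if get_creds(environ) is None:
            start_response("401 Unauthorized", [("Content-Type", "text/plain")])
            return [b"authentication required"]
        start_response("200 OK", [("Content-Type", "text/plain")])
        return [b"ok"]
    return app


def status_for(app, ccache_name):
    """Invoke the app as a server would; an unhandled exception becomes a 500."""
    environ = {"DEMO_CCACHE": ccache_name}
    setup_testing_defaults(environ)
    seen = []
    try:
        app(environ, lambda status, headers: seen.append(status))
    except Exception:
        return "500 Internal Server Error"
    return seen[0]
```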

Metadata Update from @rcritten:
- Issue assigned to rcritten

a year ago

This is the regression of my change.
Previously, get_credentials re-raised GSSError in case of a GSSPROXY_KRB5_FCC_NOFILE error;
with that change it raises ValueError. Since Apache uses gssproxy, the error has been hidden with gssproxy's error offset. In my opinion it will be correct to completely remove the try/except and move the responsibility of handling exceptions to the caller. The only client of get_credentials is ipalib.krb_utils.

The exception seems useful for get_principal() though it needs to be modified to handle ValueError now.


  • 51fb9d6 Catch ValueError when trying to retrieve existing credentials


  • 63d20c4 Catch ValueError when trying to retrieve existing credentials

Metadata Update from @frenaud:
- Issue close_status updated to: fixed
- Issue status updated to: Closed (was: Open)

a year ago

under one-liner rule:

master: 33327b2
ipa-4-9: 5238651


  • 0a169b1 krb_utils: Simplify get_credentials
  • 0ebc59c gssproxy: Don't refresh expired delegated credentials


  • 700be74 krb_utils: Simplify get_credentials
  • 0fd06f3 gssproxy: Don't refresh expired delegated credentials
