
We have a working FreeIPA installation; it has been in production since February. Almost everything works as expected, but when we try to run the command-line FreeIPA-related tools, none of them work:

[admin@ipa ~]$ kinit admin
Password for admin@EXAMPLE.COM: 
[admin@ipa ~]$ klist
Ticket cache: KEYRING:persistent:8800000
Default principal: admin@EXAMPLE.COM

Valid starting       Expires              Service principal
06/30/2014 21:19:30  07/01/2014 21:19:12  krbtgt/EXAMPLE.COM@EXAMPLE.COM
[admin@ipa ~]$ ipa pwpolicy-show global_policy
ipa: ERROR: Kerberos error: ('Unspecified GSS failure.  Minor code may provide more information', 851968)/('No Kerberos credentials available', -1765328243)
[admin@ipa ~]$

I'm not a Kerberos expert and don't really know what to check. How can we debug and resolve this?

Update: when I add -vv I get the following:

[admin@ipa ~]$ ipa -vv pwpolicy-show global_policy
ipa: INFO: trying https://ipa.example.com/ipa/xml
ipa: INFO: Forwarding 'pwpolicy_show' to server 'https://ipa.example.com/ipa/xml'
ipa: ERROR: Kerberos error: ('Unspecified GSS failure.  Minor code may provide more information', 851968)/('No Kerberos credentials available', -1765328243)
[admin@ipa ~]$

Update 2: the content of /etc/krb5.conf follows:

includedir /var/lib/sss/pubconf/krb5.include.d/

[logging]
 default = FILE:/var/log/krb5libs.log
 kdc = FILE:/var/log/krb5kdc.log
 admin_server = FILE:/var/log/kadmind.log

[libdefaults]
 default_realm = EXAMPLE.COM
 dns_lookup_realm = false
 dns_lookup_kdc = true
 rdns = false
 ticket_lifetime = 24h
 forwardable = yes
 default_ccache_name = KEYRING:persistent:%{uid}

[realms]
 EXAMPLE.COM = {
  kdc = ipa.example.com:88
  master_kdc = ipa.example.com:88
  admin_server = ipa.example.com:749
  default_domain = example.com
  pkinit_anchors = FILE:/etc/ipa/ca.crt
}

[domain_realm]
 .example.com = EXAMPLE.COM
 example.com = EXAMPLE.COM

[dbmodules]
  EXAMPLE.COM = {
    db_library = ipadb.so
  }

Update 3: This is a single-server installation, the distro is Fedora 19 and the FreeIPA version is 3.3.5.

Alex
  • What Linux distributions and versions of FreeIPA are you running, both on this server and on the KDC? – Michael Hampton Jun 30 '14 at 20:44
  • There is only a single server actually, it's Fedora 19 w/all the latest updates, so this is FreeIPA 3.3.5 – Alex Jun 30 '14 at 20:56
  • I'd start looking at `krb5kdc.log` then. – Michael Hampton Jun 30 '14 at 20:59
  • Unfortunately nothing gets added to this log when I run `ipa ...` but I noticed that `ipa` command tried to open a `/var/kerberos/krb5/user/8800000/client.keytab` file but the system did not have it. So, it looks like a keytab problem. – Alex Jun 30 '14 at 21:16
  • Yeah, your keytab should be elsewhere. I think. Have you just tried opening the web UI yourself? – Michael Hampton Jun 30 '14 at 21:17
  • Sure, and the web UI works well. – Alex Jun 30 '14 at 21:23
  • (Remember to edit the rest of the information into your question as well.) I don't like that `default_ccache_name` being set at all. It's not set in my FreeIPA installation and so my [ticket cache](http://web.mit.edu/kerberos/krb5-devel/doc/basic/ccache_def.html) is in the default location. I'd remove it. – Michael Hampton Jun 30 '14 at 21:46
  • Yes! That was it, thank you very much! Command-line tools started to work as soon as I commented out that setting. – Alex Jun 30 '14 at 22:15
  • The keyring is technically more secure. It's based on kernel keyrings (see `man keyctl`), but I suspect it's not fully supported yet as it's still very new (only started to be supported in Fedora 19 as I understand it). Keyrings have scope and are not present outside of their scope. In the long run it is a better way of storing keytabs. – Matthew Ife Jun 30 '14 at 22:18
  • I've made a full answer of it, then. – Michael Hampton Jun 30 '14 at 22:22

1 Answer


The main difference I see in your configuration compared to my live FreeIPA (on Fedora 20) is that I do not use the kernel keyring as a ticket cache.

 default_ccache_name = KEYRING:persistent:%{uid}

My /etc/krb5.conf does not specify this at all, so the default FILE is used. Removing this should get you going again.

As Matthew Ife indicates in a comment, the kernel keyring is more secure and will (eventually) be the way to go, but at the moment it doesn't appear to be stable enough for production use. You may wish to report this to Fedora as a bug.

Michael Hampton
  • How is the kernel keyring not stable? It's been around forever (around ten years I think). Or do you just mean the krb5->keyring code? – Bratchley Mar 03 '15 at 02:47
  • @Bratchley Right, the integration between Kerberos and the kernel keyring apparently still needs work. – Michael Hampton Mar 03 '15 at 02:50
  • Fedora 19 has experimental support for the KEYRING: type of ccache. In particular, there was an issue that the kernel parts weren't yet fully bug-free. You need to remove default_ccache_name from /etc/krb5.conf to get back to the default FILE: ccache type. At the point of release of FreeIPA 3.3 we were targeting Fedora 20 already, so Fedora 19 got a backport but nobody reported this kind of bug. Now Fedora 19 is EOL and Fedora 20+ all have a properly working KEYRING: ccache type. – abbra Mar 31 '15 at 18:59
  • Well, I did not need to change anything in krb5.conf. I just typed `kinit admin` and entered its password. After that all ipa commands started to work as expected, such as `ipa user-show ausernamehere --all`. – Junior Mayhé Jul 06 '15 at 15:41