Bug 470957

Summary: Bad error message if ipa-adduser run without admin ticket
Product: [Retired] freeIPA
Reporter: W. Michael Petullo <mike>
Component: ipa-admintools
Assignee: Rob Crittenden <rcritten>
Status: CLOSED NOTABUG
QA Contact: Chandrasekar Kannan <ckannan>
Severity: low
Priority: low
Version: 1.1
CC: benl, dpal, ssorce
Hardware: All
OS: Linux
Doc Type: Bug Fix
Last Closed: 2009-01-12 19:36:15 UTC
Bug Blocks: 431020

Description W. Michael Petullo 2008-11-11 03:55:01 UTC
Description of problem:
Running ipa-adduser without getting the admin Kerberos ticket results in a cryptic error message.

Version-Release number of selected component (if applicable):
ipa-admintools-1.1.0-7.fc9.i386

How reproducible:
Every time

Steps to Reproduce:
1. Log in, don't get admin's Kerberos ticket.
2. Execute ipa-useradd.
Actual results:
Could not initialize GSSAPI: Unspecified GSS failure.  Minor code may provide more information/Decrypt integrity check failed

Expected results:
A more user friendly error message that would indicate that the admin Kerberos ticket is required.

Additional info:
"kinit admin" is all that is needed, but the error message could be more helpful.

Comment 1 Rob Crittenden 2008-11-11 13:59:17 UTC
This error isn't related to the ticket being used. It is a pure Kerberos error essentially meaning "password incorrect." So the ticket got rejected somewhere, either when trying to get the service ticket for the IPA XML-RPC server or during the XML-RPC request.

You might get more information by adding the -v flag to ipa-adduser. You'll be able to see if it does the XML-RPC request or not.

Otherwise you'll need to check the KDC log to see if there is anything relevant there.

You might try:

kdestroy
kinit user@REALM
ipa-adduser ...

If it fails with the same message, see if you have an HTTP service ticket for the IPA server.

Comment 2 W. Michael Petullo 2008-11-11 14:50:08 UTC
I understand all that. The spirit of this bug report is that the error message is not helpful for normal users.

Comment 3 Rob Crittenden 2008-11-11 14:57:26 UTC
What would you suggest? I don't know that this is something an average user would be able to diagnose, requiring admin assistance, the KDC log, etc.

Comment 4 W. Michael Petullo 2008-11-11 23:18:35 UTC
Would you expect every admin to understand that "Could not initialize GSSAPI: Unspecified GSS failure.  Minor code may provide more information/Decrypt integrity check failed" means "admin credentials not present?" I'm not trying to be contemptuous, but the error message that the GSSAPI library provides is terrible.

How about something like, "Could not create user because admin credentials not present, try "kinit admin"?"

Comment 5 Rob Crittenden 2008-11-12 14:45:30 UTC
Your presumption is wrong. This message does not mean that admin credentials are required.

This message means that the encryption key used to encrypt the data in this request didn't match the encryption key used for decryption, and as a result the checksum comparison didn't work. http://www.faqs.org/faqs/kerberos-faq/general/section-73.html

So further debugging is required. It has nothing to do with admin user vs non-admin user.
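The checks suggested in comments 1 and 5 (is there a TGT at all, is there an HTTP service ticket for the IPA server, and if both exist look at the -v output and the KDC log), written up as a small diagnostic script. This is an added example, not part of freeIPA or ipa-admintools; the hostname, realm and principal are placeholders, and the sample `klist` output is constructed in the MIT Kerberos format.

```sh
#!/bin/sh
# Added diagnostic helper, not part of freeIPA or ipa-admintools: it reads `klist`
# output and reports which of the checks from the discussion applies next.
# Hostname, realm and principal below are placeholders.

# Constructed sample of `klist` output with both a TGT and an HTTP service ticket.
SAMPLE_KLIST='Ticket cache: FILE:/tmp/krb5cc_1000
Default principal: mike@EXAMPLE.COM

Valid starting     Expires            Service principal
11/11/08 08:00:00  11/11/08 18:00:00  krbtgt/EXAMPLE.COM@EXAMPLE.COM
11/11/08 08:00:01  11/11/08 18:00:00  HTTP/ipa.example.com@EXAMPLE.COM'

# classify_cache KLIST_TEXT IPA_HOST -> prints no-tgt | no-http-ticket | tickets-ok
# An empty KLIST_TEXT (klist failed because there is no cache) counts as no-tgt.
classify_cache() {
    klist_text=$1
    ipa_host=$2
    if ! printf '%s\n' "$klist_text" | grep -q 'krbtgt/'; then
        echo no-tgt
    elif ! printf '%s\n' "$klist_text" | grep -qF "HTTP/$ipa_host@"; then
        echo no-http-ticket
    else
        echo tickets-ok
    fi
}

# advice STATUS -> the next step the discussion recommends for that state.
advice() {
    case $1 in
        no-tgt)
            echo 'No TGT: kdestroy; kinit user@REALM (any user, admin not required); retry ipa-adduser.' ;;
        no-http-ticket)
            echo 'TGT present but no HTTP/<ipa-server> ticket: the service ticket request was rejected; check the KDC log.' ;;
        tickets-ok)
            echo 'Both tickets present: rerun ipa-adduser -v to see whether the XML-RPC request is made; "Decrypt integrity check failed" there means the keys on the two sides do not match.' ;;
        *)
            echo "unknown status: $1" >&2; return 1 ;;
    esac
}

# Stand-alone demonstration on the constructed sample. For a real cache use:
#   advice "$(classify_cache "$(klist 2>/dev/null)" ipa.example.com)"
advice "$(classify_cache "$SAMPLE_KLIST" ipa.example.com)"
```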