Bug 977972

Summary: kinit: Credential cache directory /run/user/0/krb5cc does not exist while getting default ccache
Product: [Fedora] Fedora
Component: freeipa
Version: 19
Hardware: x86_64
OS: Linux
Status: CLOSED DUPLICATE
Severity: high
Priority: unspecified
Reporter: Dean Hunter <deanhunter>
Assignee: Rob Crittenden <rcritten>
QA Contact: Fedora Extras Quality Assurance <extras-qa>
CC: abokovoy, mkosek, rcritten, ssorce
Doc Type: Bug Fix
Type: Bug
Last Closed: 2013-06-26 06:48:35 UTC
Bug Depends On: 961235, 985016

Description Dean Hunter 2013-06-25 17:14:15 UTC
Description of problem:

I see bug #961235 with a description of the root cause. What is the work-around for use with IPA? I cannot ssh to this virtual machine as it is in the default network and isolated. I must use a console login then "su -".


Version-Release number of selected component (if applicable):

freeipa-server-3.2.1-1.fc19.x86_64


How reproducible: Consistent


Steps to Reproduce:

1. Build a new Fedora 19 VM with the updates-testing repository disabled
2. Login through console
3. su -
4. yum install --assumeyes bind bind-dyndb-ldap freeipa-server
5. ipa-server-install ....
6. kinit admin


Actual results:

kinit: Credential cache directory /run/user/0/krb5cc does not exist while getting default ccache


Expected results:

Successful kerberos login


Additional info:

Comment 1 Martin Kosek 2013-06-25 19:05:04 UTC
Hello Dean, this really is not a FreeIPA bug, so I plan to close it as a duplicate of Bug 961235.

But speaking of workaround, I think you can for example update your ~/.bashrc or alternative and override system KRB5CCNAME to make it point to some directory that indeed exists, e.g.:

export KRB5CCNAME=/tmp/krb5cc_$(id -u)

Note this workaround is only temporary and will prevent you from using the benefits coming from http://fedoraproject.org/wiki/Features/KRB5CacheMove. A real solution needs to come from the aforementioned Bug 961235.

Comment 2 Dean Hunter 2013-06-25 19:46:44 UTC
Yes, I know it is not a FreeIPA bug, but I need to know how y'all work around it, whether there are particular requirements for IPA or who knows what. The wiki article says that the KRB5 Cache Move feature is complete. This seems to be confirmed by the behavior I experienced, except they did not cover the su/sudo use cases, which is what bug #961235 seems to be about.

Since you seem to be speaking somewhat tentatively, I am guessing that you have not personally experienced this problem?

Comment 3 Martin Kosek 2013-06-26 06:48:35 UTC
I am not sure how others work around it; you can write to the freeipa-devel mailing list, where you may get answers or hints from more developers than just me. But the temporary workaround I proposed above should work until bug #961235 is fixed.

Closing this Bugzilla as a duplicate of Bug 961235.

*** This bug has been marked as a duplicate of bug 961235 ***

Comment 4 Dean Hunter 2013-06-26 15:51:50 UTC
This seems to work:


  if [ ! -d /run/user/0/krb5cc ]     # RedHat bug 977972
  then                               # RedHat bug 977972
    mkdir -p     /run/user/0/krb5cc  # RedHat bug 977972
    chmod -R 700 /run/user/0         # RedHat bug 977972
  fi                                 # RedHat bug 977972

  kinit admin

  ....
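
Added example (not part of the original thread or of FreeIPA): a shell sketch that combines the two workarounds discussed above. It creates the per-user krb5cc directory with mode 700 when it is missing, uses it only if it is a real directory owned by the caller, and otherwise falls back to the /tmp file cache from comment 1. The function names ccache_dir_ok and pick_ccache are hypothetical, and GNU stat is assumed.

```shell
#!/bin/sh
# Added example; ccache_dir_ok and pick_ccache are hypothetical helper names.
# Assumes GNU coreutils stat (-c format), as shipped on Fedora.

# ccache_dir_ok DIR
# Succeeds only if DIR is a real directory (not a symlink), owned by the
# calling user, with mode exactly 700. A credential cache directory that
# another user can enter or replace would expose Kerberos tickets.
ccache_dir_ok() {
    [ -d "$1" ] && [ ! -L "$1" ] || return 1
    owner_mode=$(stat -c '%u:%a' "$1" 2>/dev/null) || return 1
    [ "$owner_mode" = "$(id -u):700" ]
}

# pick_ccache BASE
# Prints a value for KRB5CCNAME. BASE is the per-user runtime directory,
# e.g. /run/user/0 in this bug report.
pick_ccache() {
    dir="$1/krb5cc"
    if [ ! -e "$dir" ]; then
        # Create missing path components with a restrictive umask so that
        # every directory created here is mode 700 from the start.
        (umask 077; mkdir -p "$dir") 2>/dev/null || :
    fi
    if ccache_dir_ok "$dir"; then
        printf 'DIR:%s\n' "$dir"
    else
        # Fallback from comment 1: a file cache under /tmp. This gives up
        # the benefits of the KRB5CacheMove feature.
        printf 'FILE:/tmp/krb5cc_%s\n' "$(id -u)"
    fi
}

# Typical use in a login script before calling kinit:
#   KRB5CCNAME=$(pick_ccache "/run/user/$(id -u)"); export KRB5CCNAME
```

Unlike a recursive chmod on the runtime directory, this only sets permissions on directories it creates and refuses a pre-existing directory whose owner or mode is unexpected.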