Bug 1471144 - msktutil fails when default_ccache_name is KEYRING
msktutil fails when default_ccache_name is KEYRING
Status: NEW
Product: Fedora EPEL
Classification: Fedora
Component: msktutil (Show other bugs)
Unspecified Linux
unspecified Severity medium
: ---
: ---
Assigned To: Ken Dreyer
Fedora Extras Quality Assurance
Depends On:
  Show dependency treegraph
Reported: 2017-07-14 09:59 EDT by Assen Totin
Modified: 2017-07-15 22:21 EDT (History)
1 user (show)

See Also:
Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
Story Points: ---
Clone Of:
Last Closed:
Type: Bug
Regression: ---
Mount Type: ---
Documentation: ---
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---

Attachments (Terms of Use)

  None (edit)
Description Assen Totin 2017-07-14 09:59:08 EDT
Description of problem:
msktutil fails when default_ccache_name in krb5.conf is KEYRING. This cache mode is Linux-specific.

The default default_ccache_name for Kerberos is  FILE, but EL7 ships with a default krb5.conf that sets it to KEYRING:persistent:%{uid}. 

Version-Release number of selected component (if applicable):

How reproducible:
Every time

Steps to Reproduce:
1. Configure AD authentication (e.g., via authconfig) without joining the domain itself. Check that /etc/krb5.conf has the line 
default_ccache_name = KEYRING:persistent:%{uid}

2. Install krb5-workstation. Use kinit to obtain a ticket with a user that has domain object creation permission (e.g., as domain Administrator).

3. Use msktutil to create a machine object account and local keytab so that SSH may use GSSAPI to allow passwordless login to authorised domain users. Use verbose mode to observe the error.
msktutil -c --verbose

Actual results:
 -- try_user_creds: Error: krb5_cc_get_principal failed (No credentials cache found)
 -- try_user_creds: User ticket cache was not valid.
Error: could not find any credentials to authenticate with. Neither keytab,
     default machine password, nor calling user's tickets worked. Try
     "kinit"ing yourself some tickets with permission to create computer
     objects, or pre-creating the computer object in AD and selecting
     'reset account'.

Expected results:
Machine object is successfully created. 

Additional info:
Everything works as expected if the Kerberos cache is set to FILE (even by simply commenting out the default_ccache_name in krb5.conf). However, this is far from obvious... and it is expected that msktutil will work with every cache mode that Kerberos libraries support.
Comment 1 Ken Dreyer 2017-07-15 22:21:45 EDT
Sorry you're experiencing this issue. I've never used msktutil with anything other than a FILE cache.

Have you tried reporting this to msktutil upstream? https://github.com/msktutil/msktutil/issues

Note You need to log in before you can comment on or make changes to this bug.