Bug 442582 - ipa-finduser on ipa-server throws traceback listing "unspecified gssapi error"
Product: freeIPA
Classification: Community
Component: ipa-server
Hardware: All Linux
Priority: high Severity: high
Assigned To: Rob Crittenden
Chandrasekar Kannan
Blocks: 453489
Reported: 2008-04-15 13:16 EDT by Michael Gregg
Modified: 2015-01-04 18:31 EST
Fixed In Version: freeipa-2.0.0-1.fc15
Doc Type: Bug Fix

Attachments
catch all errors when obtaining an LDAP connection. (894 bytes, patch)
2008-04-15 21:05 EDT, Rob Crittenden

Description Michael Gregg 2008-04-15 13:16:16 EDT
Description of problem:
In the summary and actual results section.

Version-Release number of selected component (if applicable):
install from daily build 4-14-08

How reproducible:

Actual results:
+ /usr/sbin/ipa-finduser admin
Traceback (most recent call last):
  File "/usr/share/ipa/ipaserver/ipaxmlrpc.py", line 172, in _marshaled_dispatch
    response = self._dispatch(method, params)
  File "/usr/share/ipa/ipaserver/ipaxmlrpc.py", line 205, in _dispatch
    ret = func(*args)
  File "/usr/lib/python2.4/site-packages/ipaserver/funcs.py", line 904, in
    config = self.get_ipa_config(opts)
  File "/usr/lib/python2.4/site-packages/ipaserver/funcs.py", line 2067, in
    config = self.get_entry_by_cn("ipaconfig", None, opts)
  File "/usr/lib/python2.4/site-packages/ipaserver/funcs.py", line 420, in
    return self.__get_sub_entry(self.basedn, searchfilter, sattrs, opts)
  File "/usr/lib/python2.4/site-packages/ipaserver/funcs.py", line 249, in
    return self.__get_entry(base, ldap.SCOPE_SUBTREE, searchfilter, sattrs, opts)
  File "/usr/lib/python2.4/site-packages/ipaserver/funcs.py", line 228, in
    conn = self.getConnection(opts)
  File "/usr/lib/python2.4/site-packages/ipaserver/funcs.py", line 190, in
    conn = _LDAPPool.getConn(self.host,port,krbccache,debug)
  File "/usr/lib/python2.4/site-packages/ipaserver/funcs.py", line 84, in getConn
    conn.set_krbccache(krbccache, cprinc.name)
  File "/usr/lib/python2.4/site-packages/ipaserver/ipaldap.py", line 318, in
    self.sasl_interactive_bind_s("", sasl_auth)
  File "/usr/lib/python2.4/site-packages/ipaserver/ipaldap.py", line 175, in inner
    return f(*args, **kargs)
  File "/usr/lib64/python2.4/site-packages/ldap/ldapobject.py", line 196, in
  File "/usr/lib/python2.4/site-packages/ipaserver/ipaldap.py", line 175, in inner
    return f(*args, **kargs)
  File "/usr/lib64/python2.4/site-packages/ldap/ldapobject.py", line 94, in
    result = func(*args,**kwargs)
LOCAL_ERROR: {'info': 'SASL(-1): generic failure: GSSAPI Error: Unspecified GSS
failure.  Minor code may provide more information (Unknown code krb5 7)',
'desc': 'Local error'}

+ ret=1

Expected results:

Additional info:
The "unspecified error" from gssapi is really not a good thing. Once this is
tracked down, I'd like to open a bug against GSSAPI to make this error much better.
Comment 1 Rob Crittenden 2008-04-15 19:57:02 EDT
Ok, this error translates into:

KRB5KDC_ERR_S_PRINCIPAL_UNKNOWN (Server not found in Kerberos database)

The reason for this is that the hostname was set improperly and wasn't in the
domain that the realm was set for: 


instead of


Running hostname fixed it but we need to handle this, at least the GSSAPI error.
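
The translation described in Comment 1, as an added example that is not part of the bug report or the FreeIPA code base: it pulls the "krb5 N" minor code out of the python-ldap `info` string shown in the traceback, maps it to the MIT krb5 error name, and for code 7 checks whether the host name lies inside the realm's domain. The function names, host names and realm are constructed for illustration, and the check assumes the realm is the upper-cased DNS domain.

```python
import re

# MIT krb5 names for a few protocol error codes (numbers per RFC 4120).
KRB5_ERRORS = {
    6: ("KRB5KDC_ERR_C_PRINCIPAL_UNKNOWN", "Client not found in Kerberos database"),
    7: ("KRB5KDC_ERR_S_PRINCIPAL_UNKNOWN", "Server not found in Kerberos database"),
    32: ("KRB5KRB_AP_ERR_TKT_EXPIRED", "Ticket expired"),
    37: ("KRB5KRB_AP_ERR_SKEW", "Clock skew too great"),
}
_MINOR = re.compile(r"Unknown code krb5 (\d+)")

# 'info' value copied from the traceback in this report (line wrap included).
SAMPLE_INFO = ("SASL(-1): generic failure: GSSAPI Error: Unspecified GSS\n"
               "failure.  Minor code may provide more information "
               "(Unknown code krb5 7)")


def decode_gssapi_minor(info):
    """Return (code, name, text) for a 'krb5 N' minor code, or None if absent."""
    # The message may be wrapped, so collapse whitespace before matching.
    m = _MINOR.search(" ".join(info.split()))
    if not m:
        return None
    code = int(m.group(1))
    name, text = KRB5_ERRORS.get(code, ("UNKNOWN", "code not in this table"))
    return code, name, text


def host_in_realm_domain(fqdn, realm):
    """True if fqdn is a host inside the DNS domain paired with realm (assumed)."""
    host = fqdn.rstrip(".").lower()
    domain = realm.rstrip(".").lower()
    # A short name or the bare domain cannot match a host-based service principal.
    return "." in host and host.endswith("." + domain)


def diagnose(info, fqdn, realm):
    """Turn the opaque GSSAPI failure into a message an admin can act on."""
    decoded = decode_gssapi_minor(info)
    if decoded is None:
        return "no krb5 minor code found in: %r" % info
    msg = "krb5 %d = %s (%s)" % decoded
    if decoded[0] == 7 and not host_in_realm_domain(fqdn, realm):
        msg += "; hostname %r is not inside the domain of realm %r" % (fqdn, realm)
    return msg


if __name__ == "__main__":
    # Constructed host name and realm, not values from the report.
    print(diagnose(SAMPLE_INFO, "ipaserver.localdomain", "EXAMPLE.COM"))
```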
Comment 2 Rob Crittenden 2008-04-15 21:05:28 EDT
Created attachment 302538
catch all errors when obtaining an LDAP connection.
Comment 3 Rob Crittenden 2008-04-16 00:27:45 EDT
git changeset dce800816736ec5e419f25bdede89f11c6e6ee0b
Comment 5 Michael Gregg 2008-11-19 19:19:36 EST
fixed long ago:
verified against 1.1.0-2.20081119.el5ipa
