Bug 442582 - ipa-finduser on ipa-server throws traceback listing "unspecified gssapi error"
ipa-finduser on ipa-server throws traceback listing "unspecified gssapi error"
Status: CLOSED ERRATA
Product: freeIPA
Classification: Community
Component: ipa-server (Show other bugs)
unspecified
All Linux
high Severity high
: ---
: ---
Assigned To: Rob Crittenden
Chandrasekar Kannan
:
Depends On:
Blocks: 453489
  Show dependency treegraph
 
Reported: 2008-04-15 13:16 EDT by Michael Gregg
Modified: 2015-01-04 18:31 EST (History)
1 user (show)

See Also:
Fixed In Version: freeipa-2.0.0-1.fc15
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed:
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---


Attachments (Terms of Use)
catch all errors when obtaining an LDAP connection. (894 bytes, patch)
2008-04-15 21:05 EDT, Rob Crittenden
no flags Details | Diff

  None (edit)
Description Michael Gregg 2008-04-15 13:16:16 EDT
Description of problem:
In the summary and actual results section.

Version-Release number of selected component (if applicable):
install from daily build 4-14-08

How reproducible:
unsure

Actual results:
+ /usr/sbin/ipa-finduser admin
Traceback (most recent call last):
  File "/usr/share/ipa/ipaserver/ipaxmlrpc.py", line 172, in _marshaled_dispatch
    response = self._dispatch(method, params)
  File "/usr/share/ipa/ipaserver/ipaxmlrpc.py", line 205, in _dispatch
    ret = func(*args)
  File "/usr/lib/python2.4/site-packages/ipaserver/funcs.py", line 904, in
find_users
    config = self.get_ipa_config(opts)
  File "/usr/lib/python2.4/site-packages/ipaserver/funcs.py", line 2067, in
get_ipa_config
    config = self.get_entry_by_cn("ipaconfig", None, opts)
  File "/usr/lib/python2.4/site-packages/ipaserver/funcs.py", line 420, in
get_entry_by_cn
    return self.__get_sub_entry(self.basedn, searchfilter, sattrs, opts)
  File "/usr/lib/python2.4/site-packages/ipaserver/funcs.py", line 249, in
__get_sub_entry
    return self.__get_entry(base, ldap.SCOPE_SUBTREE, searchfilter, sattrs, opts)
  File "/usr/lib/python2.4/site-packages/ipaserver/funcs.py", line 228, in
__get_entry
    conn = self.getConnection(opts)
  File "/usr/lib/python2.4/site-packages/ipaserver/funcs.py", line 190, in
getConnection
    conn = _LDAPPool.getConn(self.host,port,krbccache,debug)
  File "/usr/lib/python2.4/site-packages/ipaserver/funcs.py", line 84, in getConn
    conn.set_krbccache(krbccache, cprinc.name)
  File "/usr/lib/python2.4/site-packages/ipaserver/ipaldap.py", line 318, in
set_krbccache
    self.sasl_interactive_bind_s("", sasl_auth)
  File "/usr/lib/python2.4/site-packages/ipaserver/ipaldap.py", line 175, in inner
    return f(*args, **kargs)
  File "/usr/lib64/python2.4/site-packages/ldap/ldapobject.py", line 196, in
sasl_interactive_bind_s
    return
self._ldap_call(self._l.sasl_interactive_bind_s,who,auth,EncodeControlTuples(serverctrls),EncodeControlTuples(clientctrls),sasl_flags)
  File "/usr/lib/python2.4/site-packages/ipaserver/ipaldap.py", line 175, in inner
    return f(*args, **kargs)
  File "/usr/lib64/python2.4/site-packages/ldap/ldapobject.py", line 94, in
_ldap_call
    result = func(*args,**kwargs)
LOCAL_ERROR: {'info': 'SASL(-1): generic failure: GSSAPI Error: Unspecified GSS
failure.  Minor code may provide more information (Unknown code krb5 7)',
'desc': 'Local error'}

+ ret=1


Expected results:


Additional info:
The "unspecified error" from gssapi is really not a good thing. Once this is
tracked down, I'd like to open a bug against GSSAPI to make this error much better.
Comment 1 Rob Crittenden 2008-04-15 19:57:02 EDT
Ok, this error translates into:

KRB5KDC_ERR_S_PRINCIPAL_UNKNOWN (Server not found in Kerberos database)

The reason for this is that the hostname was set improperly and wasn't in the
domain that the realm was set for: 

iparhel5-64vm.dsqa.redhat.com

instead of

iparhel5-64vm.dsqa.sjc2.redhat.com

Running hostname fixed it but we need to handle this, at least the GSSAPI error.
Comment 2 Rob Crittenden 2008-04-15 21:05:28 EDT
Created attachment 302538 [details]
catch all errors when obtaining an LDAP connection.
Comment 3 Rob Crittenden 2008-04-16 00:27:45 EDT
git changeset dce800816736ec5e419f25bdede89f11c6e6ee0b
Comment 5 Michael Gregg 2008-11-19 19:19:36 EST
fixed long ago:
verified against 1.1.0-2.20081119.el5ipa

Note You need to log in before you can comment on or make changes to this bug.