Bug 470957 - Bad error message if ipa-adduser run without admin ticket
Product: freeIPA
Classification: Community
Component: ipa-admintools
All Linux
Priority: low  Severity: low
Assigned To: Rob Crittenden
Chandrasekar Kannan
Blocks: 431020
Reported: 2008-11-10 22:55 EST by W. Michael Petullo
Modified: 2015-01-04 18:34 EST
Doc Type: Bug Fix
Last Closed: 2009-01-12 14:36:15 EST
Description W. Michael Petullo 2008-11-10 22:55:01 EST
Description of problem:
Running ipa-adduser without getting the admin Kerberos ticket results in a cryptic error message.

Version-Release number of selected component (if applicable):

How reproducible:
Every time

Steps to Reproduce:
1. Log in, don't get admin's Kerberos ticket.
2. Execute ipa-useradd.
Actual results:
Could not initialize GSSAPI: Unspecified GSS failure.  Minor code may provide more information/Decrypt integrity check failed

Expected results:
A more user friendly error message that would indicate that the admin Kerberos ticket is required.

Additional info:
"kinit admin" is all that is needed, but the error message could be more helpful.
Comment 1 Rob Crittenden 2008-11-11 08:59:17 EST
This error isn't related to the ticket being used. It is a pure Kerberos error essentially meaning "password incorrect." So the ticket got rejected somewhere, either when trying to get the service ticket for the IPA XML-RPC server or during the XML-RPC request.

You might get more information by adding the -v flag to ipa-adduser. You'll be able to see if it does the XML-RPC request or not.

Otherwise you'll need to check the KDC log to see if there is anything relevant there.

You might try:

kinit user@REALM
ipa-adduser ...

If it fails with the same message, see if you have an HTTP service ticket for the IPA server.
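Comment 1 suggests checking whether the credential cache holds a TGT and an HTTP service ticket for the IPA server. The shell snippet below is an added example, not code from the bug report or from freeIPA: it parses klist output for those two tickets and prints a plainer hint than the raw GSSAPI message. The realm EXAMPLE.TEST, the host ipa.example.test and the klist listing are constructed for illustration.

```shell
#!/bin/sh
# Added example (not freeIPA code): inspect `klist` output for the tickets
# Comment 1 asks about, and print a plainer hint than the raw GSSAPI error.
# Realm, host and the sample ticket listing are constructed for illustration.

# has_ticket LISTING PRINCIPAL: succeed if LISTING (klist output) contains a
# ticket line whose service principal is exactly PRINCIPAL.
has_ticket() {
    printf '%s\n' "$1" | awk -v want="$2" '
        # Ticket lines end in a principal ("svc/host@REALM"); header lines
        # ("Ticket cache:", "Default principal:", column titles) never have
        # the wanted service principal as their last field.
        $NF == want { found = 1 }
        END { if (found) exit 0; exit 1 }'
}

# check_ipa_creds LISTING IPA_HOST REALM
# returns 0: TGT and HTTP/IPA_HOST ticket present
#         1: no TGT for REALM (nothing to authenticate with; run kinit)
#         2: TGT present but no HTTP service ticket (the service ticket request
#            failed, so rerun with -v and read the KDC log, as Comment 1 says)
check_ipa_creds() {
    listing=$1; host=$2; realm=$3
    if ! has_ticket "$listing" "krbtgt/$realm@$realm"; then
        echo "no Kerberos TGT for $realm in the cache; run: kinit user@$realm" >&2
        return 1
    fi
    if ! has_ticket "$listing" "HTTP/$host@$realm"; then
        echo "TGT present but no HTTP/$host ticket; retry with -v and check the KDC log" >&2
        return 2
    fi
    echo "TGT and HTTP/$host service ticket present"
}

# Constructed klist output for a cache that holds both tickets.
SAMPLE_KLIST='Ticket cache: FILE:/tmp/krb5cc_1000
Default principal: admin@EXAMPLE.TEST

Valid starting     Expires            Service principal
11/10/08 22:50:01  11/11/08 22:50:01  krbtgt/EXAMPLE.TEST@EXAMPLE.TEST
11/10/08 22:50:05  11/11/08 22:50:01  HTTP/ipa.example.test@EXAMPLE.TEST'

check_ipa_creds "$SAMPLE_KLIST" ipa.example.test EXAMPLE.TEST
```

On a real host, feed it the live listing with `check_ipa_creds "$(klist)" <ipa-host> <REALM>` before running ipa-adduser.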
Comment 2 W. Michael Petullo 2008-11-11 09:50:08 EST
I understand all that. The spirit of this bug report is that the error message is not helpful for normal users.
Comment 3 Rob Crittenden 2008-11-11 09:57:26 EST
What would you suggest? I don't know that this is something an average user would be able to diagnose, requiring admin assistance, the KDC log, etc.
Comment 4 W. Michael Petullo 2008-11-11 18:18:35 EST
Would you expect every admin to understand that "Could not initialize GSSAPI: Unspecified GSS failure.  Minor code may provide more information/Decrypt integrity check failed" means "admin credentials not present?" I'm not trying to be contemptuous, but the error message that the GSSAPI library provides is terrible.

How about something like, "Could not create user because admin credentials not present, try "kinit admin"?"
Comment 5 Rob Crittenden 2008-11-12 09:45:30 EST
Your presumption is wrong. This message does not mean that admin credentials are required.

This message means that the encryption key used to encrypt the data in this request didn't match the encryption key used for decryption, and as a result the checksum comparison didn't work. http://www.faqs.org/faqs/kerberos-faq/general/section-73.html

So further debugging is required. It has nothing to do with admin user vs non-admin user.
