Red Hat Bugzilla – Bug 470957
Bad error message if ipa-adduser run without admin ticket
Last modified: 2015-01-04 18:34:50 EST
Description of problem:
Running ipa-adduser without getting the admin Kerberos ticket results in a cryptic error message.
Version-Release number of selected component (if applicable):
Steps to Reproduce:
1. Log in, don't get admin's Kerberos ticket.
2. Execute ipa-useradd.
Actual results:
Could not initialize GSSAPI: Unspecified GSS failure. Minor code may provide more information/Decrypt integrity check failed
Expected results:
A more user friendly error message that would indicate that the admin Kerberos ticket is required.
"kinit admin" is all that is needed, but the error message could be more helpful.
This error isn't related to the ticket being used. It is a pure Kerberos error essentially meaning "password incorrect." So the ticket got rejected somewhere, either when trying to get the service ticket for the IPA XML-RPC server or during the XML-RPC request.
You might get more information by adding the -v flag to ipa-adduser. You'll be able to see if it does the XML-RPC request or not.
Otherwise you'll need to check the KDC log to see if there is anything relevant there.
You might try:
If it fails with the same message, see if you have an HTTP service ticket for the IPA server.
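The check suggested in the comment above (is there a TGT at all, and is there an HTTP service ticket for the IPA server?), written out as an added shell helper that is not part of the bug report or of IPA itself. It reads `klist` output from stdin; the server name ipa.example.com used in the usage line is an assumption.

```shell
# Added diagnostic helper, not from the bug report or from IPA. It parses
# klist output on stdin and reports which stage of ticket acquisition is
# missing, which is what the developer comment asks the reporter to check.
# Usage: klist 2>/dev/null | check_ipa_tickets ipa.example.com
# Returns 0 when both a TGT and an HTTP/<host> ticket are present, else 1.
check_ipa_tickets() {
    host="$1"
    out="$(cat)"
    if [ -z "$out" ]; then
        # klist prints nothing on stdout when there is no credential cache
        echo "no credential cache: run 'kinit <principal>' first"
        return 1
    fi
    # realm is taken from the "Default principal: user@REALM" line
    realm="$(printf '%s\n' "$out" | sed -n 's/^Default principal: .*@\(.*\)$/\1/p')"
    if ! printf '%s\n' "$out" | grep -qF "krbtgt/$realm@$realm"; then
        echo "no TGT for realm '$realm': ticket may have expired, re-run kinit"
        return 1
    fi
    if ! printf '%s\n' "$out" | grep -qF "HTTP/$host@$realm"; then
        # TGT is fine, so the failure is in getting the service ticket:
        # rerun with 'ipa-adduser -v' and look at the KDC log
        echo "TGT present but no HTTP/$host service ticket: re-run ipa-adduser -v and check the KDC log"
        return 1
    fi
    echo "TGT and HTTP/$host ticket both present: failure is inside the XML-RPC request, check the KDC log"
    return 0
}
```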
I understand all that. The spirit of this bug report is that the error message is not helpful for normal users.
What would you suggest? I don't know that this is something an average user would be able to diagnose, requiring admin assistance, the KDC log, etc.
Would you expect every admin to understand that "Could not initialize GSSAPI: Unspecified GSS failure. Minor code may provide more information/Decrypt integrity check failed" means "admin credentials not present?" I'm not trying to be contemptuous, but the error message that the GSSAPI library provides is terrible.
How about something like, "Could not create user because admin credentials not present, try "kinit admin"?"
Your presumption is wrong. This message does not mean that admin credentials are required.
This message means that the encryption key used to encrypt the data in this request didn't match the encryption key used for decryption, and as a result the checksum comparison didn't work. http://www.faqs.org/faqs/kerberos-faq/general/section-73.html
So further debugging is required. It has nothing to do with admin user vs non-admin user.