Bug 507401 - Invalid credentials:SASL(-14): authorization failure:
Invalid credentials:SASL(-14): authorization failure:
Status: CLOSED DUPLICATE of bug 504383
Product: freeIPA
Classification: Community
Component: ipa-admintools (Show other bugs)
2.0
All Linux
high Severity high
: ---
: ---
Assigned To: Rob Crittenden
Chandrasekar Kannan
:
Depends On:
Blocks:
  Show dependency treegraph
 
Reported: 2009-06-22 12:22 EDT by Jenny Galipeau
Modified: 2015-01-04 18:39 EST (History)
4 users (show)

See Also:
Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2009-06-23 10:17:06 EDT
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---


Attachments (Terms of Use)

  None (edit)
Description Jenny Galipeau 2009-06-22 12:22:42 EDT
Description of problem:
Trying to perform any administration task with the lastest IPA v2.0 code results in:

Invalid credentials:SASL(-14): authorization failure:

ipa console output:

>>> api.Command.user_find(u'admin')
Traceback (most recent call last):
  File "<console>", line 1, in ?
  File "/usr/lib/python2.4/site-packages/ipalib/plugable.py", line 410, in __call__
    return self['__call__'](*args, **kw)
  File "/usr/lib/python2.4/site-packages/ipalib/frontend.py", line 398, in __call__
    result = self.run(*args, **options)
  File "/usr/lib/python2.4/site-packages/ipalib/frontend.py", line 607, in run
    return self.forward(*args, **options)
  File "/usr/lib/python2.4/site-packages/ipalib/frontend.py", line 628, in forward
    return self.Backend.xmlclient.forward(self.name, *args, **kw)
  File "/usr/lib/python2.4/site-packages/ipalib/rpc.py", line 406, in forward
    raise error(message=e.faultString)
DatabaseError: Invalid credentials:SASL(-14): authorization failure:


ipa cli output:

[root@jennyv2 ipalib]# ipa user-find admin
ipa: ERROR: Invalid credentials:SASL(-14): authorization failure:


Version-Release number of selected component (if applicable):
2.0

How reproducible:
always

Steps to Reproduce:
1. Install ipa server lastest build
2. ipa find-user admin
3.
  
Actual results:
Invalid credentials:SASL(-14): authorization failure:

Expected results:
admin user information returned

Additional info:

dirsrv access log:

[22/Jun/2009:12:14:15 -0400] conn=5 op=115 SRCH base="dc=bos,dc=redhat,dc=com" scope=2 filter="(&(|(objectClass=krbprincipalaux)(objectClass=krbprincipal))(krbPrincipalName=krbtgt/BOS.REDHAT.COM@BOS.REDHAT.COM))" attrs="krbPrincipalName objectClass krbPrincipalKey krbMaxRenewableAge krbMaxTicketLife krbTicketFlags krbPrincipalExpiration krbTicketPolicyReference krbUPEnabled krbPwdPolicyReference krbPasswordExpiration krbLastFailedAuth krbLoginFailedCount krbLastSuccessfulAuth nsAccountLock loginexpirationtime logindisabled modifyTimestamp krbLastPwdChange krbExtraData krbObjectReferences"
[22/Jun/2009:12:14:15 -0400] conn=5 op=115 RESULT err=0 tag=101 nentries=1 etime=0
[22/Jun/2009:12:14:15 -0400] conn=5 op=116 SRCH base="dc=bos,dc=redhat,dc=com" scope=2 filter="(&(|(objectClass=krbprincipalaux)(objectClass=krbprincipal))(krbPrincipalName=krbtgt/BOS.REDHAT.COM@BOS.REDHAT.COM))" attrs="krbPrincipalName objectClass krbPrincipalKey krbMaxRenewableAge krbMaxTicketLife krbTicketFlags krbPrincipalExpiration krbTicketPolicyReference krbUPEnabled krbPwdPolicyReference krbPasswordExpiration krbLastFailedAuth krbLoginFailedCount krbLastSuccessfulAuth nsAccountLock loginexpirationtime logindisabled modifyTimestamp krbLastPwdChange krbExtraData krbObjectReferences"
[22/Jun/2009:12:14:15 -0400] conn=5 op=116 RESULT err=0 tag=101 nentries=1 etime=0
[22/Jun/2009:12:14:15 -0400] conn=5 op=117 SRCH base="dc=bos,dc=redhat,dc=com" scope=2 filter="(&(|(objectClass=krbprincipalaux)(objectClass=krbprincipal))(krbPrincipalName=krbtgt/BOS.REDHAT.COM@BOS.REDHAT.COM))" attrs="krbPrincipalName objectClass krbPrincipalKey krbMaxRenewableAge krbMaxTicketLife krbTicketFlags krbPrincipalExpiration krbTicketPolicyReference krbUPEnabled krbPwdPolicyReference krbPasswordExpiration krbLastFailedAuth krbLoginFailedCount krbLastSuccessfulAuth nsAccountLock loginexpirationtime logindisabled modifyTimestamp krbLastPwdChange krbExtraData krbObjectReferences"
[22/Jun/2009:12:14:15 -0400] conn=5 op=117 RESULT err=0 tag=101 nentries=1 etime=0
[22/Jun/2009:12:14:15 -0400] conn=5 op=118 SRCH base="dc=bos,dc=redhat,dc=com" scope=2 filter="(&(|(objectClass=krbprincipalaux)(objectClass=krbprincipal))(krbPrincipalName=krbtgt/BOS.REDHAT.COM@BOS.REDHAT.COM))" attrs="krbPrincipalName objectClass krbPrincipalKey krbMaxRenewableAge krbMaxTicketLife krbTicketFlags krbPrincipalExpiration krbTicketPolicyReference krbUPEnabled krbPwdPolicyReference krbPasswordExpiration krbLastFailedAuth krbLoginFailedCount krbLastSuccessfulAuth nsAccountLock loginexpirationtime logindisabled modifyTimestamp krbLastPwdChange krbExtraData krbObjectReferences"
[22/Jun/2009:12:14:15 -0400] conn=5 op=118 RESULT err=0 tag=101 nentries=1 etime=0
[22/Jun/2009:12:14:15 -0400] conn=41 fd=85 slot=85 connection from 127.0.0.1 to 127.0.0.1
[22/Jun/2009:12:14:15 -0400] conn=5 op=119 SRCH base="dc=bos,dc=redhat,dc=com" scope=2 filter="(&(|(objectClass=krbprincipalaux)(objectClass=krbprincipal))(krbPrincipalName=krbtgt/BOS.REDHAT.COM@BOS.REDHAT.COM))" attrs="krbPrincipalName objectClass krbPrincipalKey krbMaxRenewableAge krbMaxTicketLife krbTicketFlags krbPrincipalExpiration krbTicketPolicyReference krbUPEnabled krbPwdPolicyReference krbPasswordExpiration krbLastFailedAuth krbLoginFailedCount krbLastSuccessfulAuth nsAccountLock loginexpirationtime logindisabled modifyTimestamp krbLastPwdChange krbExtraData krbObjectReferences"
[22/Jun/2009:12:14:15 -0400] conn=5 op=119 RESULT err=0 tag=101 nentries=1 etime=0
[22/Jun/2009:12:14:15 -0400] conn=5 op=120 SRCH base="dc=bos,dc=redhat,dc=com" scope=2 filter="(&(|(objectClass=krbprincipalaux)(objectClass=krbprincipal))(krbPrincipalName=ldap/jennyv2.bos.redhat.com@BOS.REDHAT.COM))" attrs="krbPrincipalName objectClass krbPrincipalKey krbMaxRenewableAge krbMaxTicketLife krbTicketFlags krbPrincipalExpiration krbTicketPolicyReference krbUPEnabled krbPwdPolicyReference krbPasswordExpiration krbLastFailedAuth krbLoginFailedCount krbLastSuccessfulAuth nsAccountLock loginexpirationtime logindisabled modifyTimestamp krbLastPwdChange krbExtraData krbObjectReferences"
[22/Jun/2009:12:14:15 -0400] conn=5 op=120 RESULT err=0 tag=101 nentries=1 etime=0
[22/Jun/2009:12:14:15 -0400] conn=41 op=0 BIND dn="" method=sasl version=3 mech=GSSAPI
[22/Jun/2009:12:14:15 -0400] conn=41 op=0 RESULT err=14 tag=97 nentries=0 etime=0, SASL bind in progress
[22/Jun/2009:12:14:15 -0400] conn=41 op=1 BIND dn="" method=sasl version=3 mech=GSSAPI
[22/Jun/2009:12:14:15 -0400] conn=41 op=1 RESULT err=14 tag=97 nentries=0 etime=0, SASL bind in progress
[22/Jun/2009:12:14:15 -0400] conn=41 op=2 BIND dn="" method=sasl version=3 mech=GSSAPI
[22/Jun/2009:12:14:15 -0400] conn=41 op=2 RESULT err=49 tag=97 nentries=0 etime=0


http error log:
ipa: INFO: response: DatabaseError: Invalid credentials:SASL(-14): authorization failure:

kerberos Information:
[root@jennyv2 plugins]# klist
Ticket cache: FILE:/tmp/krb5cc_0
Default principal: admin@BOS.REDHAT.COM

Valid starting     Expires            Service principal
06/22/09 09:11:18  06/23/09 09:11:11  krbtgt/BOS.REDHAT.COM@BOS.REDHAT.COM
06/22/09 09:32:26  06/23/09 09:11:11  HTTP/jennyv2.bos.redhat.com@BOS.REDHAT.COM


Kerberos 4 ticket cache: /tmp/tkt0
klist: You have no tickets cached
Comment 1 Jenny Galipeau 2009-06-22 16:32:51 EDT
executing ipa CLI with -d flag:

[root@jennyv2 ipa]# ipa -d user-find admin
ipa: DEBUG: importing all plugin modules in '/usr/lib/python2.4/site-packages/ipalib/plugins'...
ipa: DEBUG: importing plugin module '/usr/lib/python2.4/site-packages/ipalib/plugins/aci.py'
ipa: DEBUG: importing plugin module '/usr/lib/python2.4/site-packages/ipalib/plugins/aci2.py'
ipa: DEBUG: importing plugin module '/usr/lib/python2.4/site-packages/ipalib/plugins/application.py'
ipa: DEBUG: importing plugin module '/usr/lib/python2.4/site-packages/ipalib/plugins/automount.py'
ipa: DEBUG: importing plugin module '/usr/lib/python2.4/site-packages/ipalib/plugins/basegroup.py'
ipa: DEBUG: importing plugin module '/usr/lib/python2.4/site-packages/ipalib/plugins/basegroup2.py'
ipa: DEBUG: importing plugin module '/usr/lib/python2.4/site-packages/ipalib/plugins/baseldap.py'
ipa: DEBUG: importing plugin module '/usr/lib/python2.4/site-packages/ipalib/plugins/cert.py'
ipa: INFO: skipping plugin module ipalib.plugins.cert: env.enable_ra is not True
ipa: DEBUG: importing plugin module '/usr/lib/python2.4/site-packages/ipalib/plugins/config2.py'
ipa: DEBUG: importing plugin module '/usr/lib/python2.4/site-packages/ipalib/plugins/defaultoptions.py'
ipa: DEBUG: importing plugin module '/usr/lib/python2.4/site-packages/ipalib/plugins/delegation.py'
ipa: DEBUG: importing plugin module '/usr/lib/python2.4/site-packages/ipalib/plugins/dns2.py'
ipa: DEBUG: importing plugin module '/usr/lib/python2.4/site-packages/ipalib/plugins/group.py'
ipa: DEBUG: importing plugin module '/usr/lib/python2.4/site-packages/ipalib/plugins/group2.py'
ipa: DEBUG: importing plugin module '/usr/lib/python2.4/site-packages/ipalib/plugins/host.py'
ipa: DEBUG: importing plugin module '/usr/lib/python2.4/site-packages/ipalib/plugins/host2.py'
ipa: DEBUG: importing plugin module '/usr/lib/python2.4/site-packages/ipalib/plugins/hostgroup.py'
ipa: DEBUG: importing plugin module '/usr/lib/python2.4/site-packages/ipalib/plugins/hostgroup2.py'
ipa: DEBUG: importing plugin module '/usr/lib/python2.4/site-packages/ipalib/plugins/join.py'
ipa: DEBUG: importing plugin module '/usr/lib/python2.4/site-packages/ipalib/plugins/kerberos.py'
ipa: DEBUG: importing plugin module '/usr/lib/python2.4/site-packages/ipalib/plugins/misc.py'
ipa: DEBUG: importing plugin module '/usr/lib/python2.4/site-packages/ipalib/plugins/netgroup.py'
ipa: DEBUG: importing plugin module '/usr/lib/python2.4/site-packages/ipalib/plugins/netgroup2.py'
ipa: DEBUG: importing plugin module '/usr/lib/python2.4/site-packages/ipalib/plugins/passwd.py'
ipa: DEBUG: importing plugin module '/usr/lib/python2.4/site-packages/ipalib/plugins/passwd2.py'
ipa: DEBUG: importing plugin module '/usr/lib/python2.4/site-packages/ipalib/plugins/pwpolicy.py'
ipa: DEBUG: importing plugin module '/usr/lib/python2.4/site-packages/ipalib/plugins/pwpolicy2.py'
ipa: DEBUG: importing plugin module '/usr/lib/python2.4/site-packages/ipalib/plugins/rolegroup.py'
ipa: DEBUG: importing plugin module '/usr/lib/python2.4/site-packages/ipalib/plugins/rolegroup2.py'
ipa: DEBUG: importing plugin module '/usr/lib/python2.4/site-packages/ipalib/plugins/service.py'
ipa: DEBUG: importing plugin module '/usr/lib/python2.4/site-packages/ipalib/plugins/service2.py'
ipa: DEBUG: importing plugin module '/usr/lib/python2.4/site-packages/ipalib/plugins/taskgroup.py'
ipa: DEBUG: importing plugin module '/usr/lib/python2.4/site-packages/ipalib/plugins/taskgroup2.py'
ipa: DEBUG: importing plugin module '/usr/lib/python2.4/site-packages/ipalib/plugins/user.py'
ipa: DEBUG: importing plugin module '/usr/lib/python2.4/site-packages/ipalib/plugins/user2.py'
ipa: DEBUG: importing plugin module '/usr/lib/python2.4/site-packages/ipalib/plugins/xmlclient.py'
ipa: INFO: Created connection context.xmlclient
ipa: DEBUG: raw: user_find(u'admin', all=False)
ipa: INFO: user_find(u'admin', all=False)
ipa: INFO: Forwarding 'user_find' to server 'https://jennyv2.bos.redhat.com/ipa/xml'
ipa: DEBUG: Caught fault 4203 from server https://jennyv2.bos.redhat.com/ipa/xml: Invalid credentials:SASL(-14): authorization failure:
ipa: INFO: Destroyed connection context.xmlclient
ipa: ERROR: Invalid credentials:SASL(-14): authorization failure:
Comment 2 Jenny Galipeau 2009-06-23 10:17:06 EDT
Closing - bug DS issue that has already been reported.

*** This bug has been marked as a duplicate of bug 504383 ***

Note You need to log in before you can comment on or make changes to this bug.