507401 – Invalid credentials:SASL(-14): authorization failure:

Bug 507401 - Invalid credentials:SASL(-14): authorization failure:

Summary: Invalid credentials:SASL(-14): authorization failure:

Keywords:
Status:	CLOSED DUPLICATE of bug 504383
Alias:	None
Product:	freeIPA
Classification:	Retired
Component:	ipa-admintools
Sub Component:
Version:	2.0
Hardware:	All
OS:	Linux
Priority:	high
Severity:	high
Target Milestone:	---
Assignee:	Rob Crittenden
QA Contact:	Chandrasekar Kannan
Docs Contact:
URL:
Whiteboard:
Depends On:
Blocks:
TreeView+	depends on / blocked

Reported:	2009-06-22 16:22 UTC by Jenny Severance
Modified:	2015-01-04 23:39 UTC (History)
CC List:	4 users (show)
Fixed In Version:
Doc Type:	Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed:	2009-06-23 14:17:06 UTC
Embargoed:

Attachments	(Terms of Use)

Description Jenny Severance 2009-06-22 16:22:42 UTC

Description of problem:
Trying to perform any administration task with the lastest IPA v2.0 code results in:

Invalid credentials:SASL(-14): authorization failure:

ipa console output:

>>> api.Command.user_find(u'admin')
Traceback (most recent call last):
  File "<console>", line 1, in ?
  File "/usr/lib/python2.4/site-packages/ipalib/plugable.py", line 410, in __call__
    return self['__call__'](*args, **kw)
  File "/usr/lib/python2.4/site-packages/ipalib/frontend.py", line 398, in __call__
    result = self.run(*args, **options)
  File "/usr/lib/python2.4/site-packages/ipalib/frontend.py", line 607, in run
    return self.forward(*args, **options)
  File "/usr/lib/python2.4/site-packages/ipalib/frontend.py", line 628, in forward
    return self.Backend.xmlclient.forward(self.name, *args, **kw)
  File "/usr/lib/python2.4/site-packages/ipalib/rpc.py", line 406, in forward
    raise error(message=e.faultString)
DatabaseError: Invalid credentials:SASL(-14): authorization failure:


ipa cli output:

[root@jennyv2 ipalib]# ipa user-find admin
ipa: ERROR: Invalid credentials:SASL(-14): authorization failure:


Version-Release number of selected component (if applicable):
2.0

How reproducible:
always

Steps to Reproduce:
1. Install ipa server lastest build
2. ipa find-user admin
3.
  
Actual results:
Invalid credentials:SASL(-14): authorization failure:

Expected results:
admin user information returned

Additional info:

dirsrv access log:

[22/Jun/2009:12:14:15 -0400] conn=5 op=115 SRCH base="dc=bos,dc=redhat,dc=com" scope=2 filter="(&(|(objectClass=krbprincipalaux)(objectClass=krbprincipal))(krbPrincipalName=krbtgt/BOS.REDHAT.COM.COM))" attrs="krbPrincipalName objectClass krbPrincipalKey krbMaxRenewableAge krbMaxTicketLife krbTicketFlags krbPrincipalExpiration krbTicketPolicyReference krbUPEnabled krbPwdPolicyReference krbPasswordExpiration krbLastFailedAuth krbLoginFailedCount krbLastSuccessfulAuth nsAccountLock loginexpirationtime logindisabled modifyTimestamp krbLastPwdChange krbExtraData krbObjectReferences"
[22/Jun/2009:12:14:15 -0400] conn=5 op=115 RESULT err=0 tag=101 nentries=1 etime=0
[22/Jun/2009:12:14:15 -0400] conn=5 op=116 SRCH base="dc=bos,dc=redhat,dc=com" scope=2 filter="(&(|(objectClass=krbprincipalaux)(objectClass=krbprincipal))(krbPrincipalName=krbtgt/BOS.REDHAT.COM.COM))" attrs="krbPrincipalName objectClass krbPrincipalKey krbMaxRenewableAge krbMaxTicketLife krbTicketFlags krbPrincipalExpiration krbTicketPolicyReference krbUPEnabled krbPwdPolicyReference krbPasswordExpiration krbLastFailedAuth krbLoginFailedCount krbLastSuccessfulAuth nsAccountLock loginexpirationtime logindisabled modifyTimestamp krbLastPwdChange krbExtraData krbObjectReferences"
[22/Jun/2009:12:14:15 -0400] conn=5 op=116 RESULT err=0 tag=101 nentries=1 etime=0
[22/Jun/2009:12:14:15 -0400] conn=5 op=117 SRCH base="dc=bos,dc=redhat,dc=com" scope=2 filter="(&(|(objectClass=krbprincipalaux)(objectClass=krbprincipal))(krbPrincipalName=krbtgt/BOS.REDHAT.COM.COM))" attrs="krbPrincipalName objectClass krbPrincipalKey krbMaxRenewableAge krbMaxTicketLife krbTicketFlags krbPrincipalExpiration krbTicketPolicyReference krbUPEnabled krbPwdPolicyReference krbPasswordExpiration krbLastFailedAuth krbLoginFailedCount krbLastSuccessfulAuth nsAccountLock loginexpirationtime logindisabled modifyTimestamp krbLastPwdChange krbExtraData krbObjectReferences"
[22/Jun/2009:12:14:15 -0400] conn=5 op=117 RESULT err=0 tag=101 nentries=1 etime=0
[22/Jun/2009:12:14:15 -0400] conn=5 op=118 SRCH base="dc=bos,dc=redhat,dc=com" scope=2 filter="(&(|(objectClass=krbprincipalaux)(objectClass=krbprincipal))(krbPrincipalName=krbtgt/BOS.REDHAT.COM.COM))" attrs="krbPrincipalName objectClass krbPrincipalKey krbMaxRenewableAge krbMaxTicketLife krbTicketFlags krbPrincipalExpiration krbTicketPolicyReference krbUPEnabled krbPwdPolicyReference krbPasswordExpiration krbLastFailedAuth krbLoginFailedCount krbLastSuccessfulAuth nsAccountLock loginexpirationtime logindisabled modifyTimestamp krbLastPwdChange krbExtraData krbObjectReferences"
[22/Jun/2009:12:14:15 -0400] conn=5 op=118 RESULT err=0 tag=101 nentries=1 etime=0
[22/Jun/2009:12:14:15 -0400] conn=41 fd=85 slot=85 connection from 127.0.0.1 to 127.0.0.1
[22/Jun/2009:12:14:15 -0400] conn=5 op=119 SRCH base="dc=bos,dc=redhat,dc=com" scope=2 filter="(&(|(objectClass=krbprincipalaux)(objectClass=krbprincipal))(krbPrincipalName=krbtgt/BOS.REDHAT.COM.COM))" attrs="krbPrincipalName objectClass krbPrincipalKey krbMaxRenewableAge krbMaxTicketLife krbTicketFlags krbPrincipalExpiration krbTicketPolicyReference krbUPEnabled krbPwdPolicyReference krbPasswordExpiration krbLastFailedAuth krbLoginFailedCount krbLastSuccessfulAuth nsAccountLock loginexpirationtime logindisabled modifyTimestamp krbLastPwdChange krbExtraData krbObjectReferences"
[22/Jun/2009:12:14:15 -0400] conn=5 op=119 RESULT err=0 tag=101 nentries=1 etime=0
[22/Jun/2009:12:14:15 -0400] conn=5 op=120 SRCH base="dc=bos,dc=redhat,dc=com" scope=2 filter="(&(|(objectClass=krbprincipalaux)(objectClass=krbprincipal))(krbPrincipalName=ldap/jennyv2.bos.redhat.com.COM))" attrs="krbPrincipalName objectClass krbPrincipalKey krbMaxRenewableAge krbMaxTicketLife krbTicketFlags krbPrincipalExpiration krbTicketPolicyReference krbUPEnabled krbPwdPolicyReference krbPasswordExpiration krbLastFailedAuth krbLoginFailedCount krbLastSuccessfulAuth nsAccountLock loginexpirationtime logindisabled modifyTimestamp krbLastPwdChange krbExtraData krbObjectReferences"
[22/Jun/2009:12:14:15 -0400] conn=5 op=120 RESULT err=0 tag=101 nentries=1 etime=0
[22/Jun/2009:12:14:15 -0400] conn=41 op=0 BIND dn="" method=sasl version=3 mech=GSSAPI
[22/Jun/2009:12:14:15 -0400] conn=41 op=0 RESULT err=14 tag=97 nentries=0 etime=0, SASL bind in progress
[22/Jun/2009:12:14:15 -0400] conn=41 op=1 BIND dn="" method=sasl version=3 mech=GSSAPI
[22/Jun/2009:12:14:15 -0400] conn=41 op=1 RESULT err=14 tag=97 nentries=0 etime=0, SASL bind in progress
[22/Jun/2009:12:14:15 -0400] conn=41 op=2 BIND dn="" method=sasl version=3 mech=GSSAPI
[22/Jun/2009:12:14:15 -0400] conn=41 op=2 RESULT err=49 tag=97 nentries=0 etime=0


http error log:
ipa: INFO: response: DatabaseError: Invalid credentials:SASL(-14): authorization failure:

kerberos Information:
[root@jennyv2 plugins]# klist
Ticket cache: FILE:/tmp/krb5cc_0
Default principal: admin.COM

Valid starting     Expires            Service principal
06/22/09 09:11:18  06/23/09 09:11:11  krbtgt/BOS.REDHAT.COM.COM
06/22/09 09:32:26  06/23/09 09:11:11  HTTP/jennyv2.bos.redhat.com.COM


Kerberos 4 ticket cache: /tmp/tkt0
klist: You have no tickets cached

Comment 1 Jenny Severance 2009-06-22 20:32:51 UTC

executing ipa CLI with -d flag:

[root@jennyv2 ipa]# ipa -d user-find admin
ipa: DEBUG: importing all plugin modules in '/usr/lib/python2.4/site-packages/ipalib/plugins'...
ipa: DEBUG: importing plugin module '/usr/lib/python2.4/site-packages/ipalib/plugins/aci.py'
ipa: DEBUG: importing plugin module '/usr/lib/python2.4/site-packages/ipalib/plugins/aci2.py'
ipa: DEBUG: importing plugin module '/usr/lib/python2.4/site-packages/ipalib/plugins/application.py'
ipa: DEBUG: importing plugin module '/usr/lib/python2.4/site-packages/ipalib/plugins/automount.py'
ipa: DEBUG: importing plugin module '/usr/lib/python2.4/site-packages/ipalib/plugins/basegroup.py'
ipa: DEBUG: importing plugin module '/usr/lib/python2.4/site-packages/ipalib/plugins/basegroup2.py'
ipa: DEBUG: importing plugin module '/usr/lib/python2.4/site-packages/ipalib/plugins/baseldap.py'
ipa: DEBUG: importing plugin module '/usr/lib/python2.4/site-packages/ipalib/plugins/cert.py'
ipa: INFO: skipping plugin module ipalib.plugins.cert: env.enable_ra is not True
ipa: DEBUG: importing plugin module '/usr/lib/python2.4/site-packages/ipalib/plugins/config2.py'
ipa: DEBUG: importing plugin module '/usr/lib/python2.4/site-packages/ipalib/plugins/defaultoptions.py'
ipa: DEBUG: importing plugin module '/usr/lib/python2.4/site-packages/ipalib/plugins/delegation.py'
ipa: DEBUG: importing plugin module '/usr/lib/python2.4/site-packages/ipalib/plugins/dns2.py'
ipa: DEBUG: importing plugin module '/usr/lib/python2.4/site-packages/ipalib/plugins/group.py'
ipa: DEBUG: importing plugin module '/usr/lib/python2.4/site-packages/ipalib/plugins/group2.py'
ipa: DEBUG: importing plugin module '/usr/lib/python2.4/site-packages/ipalib/plugins/host.py'
ipa: DEBUG: importing plugin module '/usr/lib/python2.4/site-packages/ipalib/plugins/host2.py'
ipa: DEBUG: importing plugin module '/usr/lib/python2.4/site-packages/ipalib/plugins/hostgroup.py'
ipa: DEBUG: importing plugin module '/usr/lib/python2.4/site-packages/ipalib/plugins/hostgroup2.py'
ipa: DEBUG: importing plugin module '/usr/lib/python2.4/site-packages/ipalib/plugins/join.py'
ipa: DEBUG: importing plugin module '/usr/lib/python2.4/site-packages/ipalib/plugins/kerberos.py'
ipa: DEBUG: importing plugin module '/usr/lib/python2.4/site-packages/ipalib/plugins/misc.py'
ipa: DEBUG: importing plugin module '/usr/lib/python2.4/site-packages/ipalib/plugins/netgroup.py'
ipa: DEBUG: importing plugin module '/usr/lib/python2.4/site-packages/ipalib/plugins/netgroup2.py'
ipa: DEBUG: importing plugin module '/usr/lib/python2.4/site-packages/ipalib/plugins/passwd.py'
ipa: DEBUG: importing plugin module '/usr/lib/python2.4/site-packages/ipalib/plugins/passwd2.py'
ipa: DEBUG: importing plugin module '/usr/lib/python2.4/site-packages/ipalib/plugins/pwpolicy.py'
ipa: DEBUG: importing plugin module '/usr/lib/python2.4/site-packages/ipalib/plugins/pwpolicy2.py'
ipa: DEBUG: importing plugin module '/usr/lib/python2.4/site-packages/ipalib/plugins/rolegroup.py'
ipa: DEBUG: importing plugin module '/usr/lib/python2.4/site-packages/ipalib/plugins/rolegroup2.py'
ipa: DEBUG: importing plugin module '/usr/lib/python2.4/site-packages/ipalib/plugins/service.py'
ipa: DEBUG: importing plugin module '/usr/lib/python2.4/site-packages/ipalib/plugins/service2.py'
ipa: DEBUG: importing plugin module '/usr/lib/python2.4/site-packages/ipalib/plugins/taskgroup.py'
ipa: DEBUG: importing plugin module '/usr/lib/python2.4/site-packages/ipalib/plugins/taskgroup2.py'
ipa: DEBUG: importing plugin module '/usr/lib/python2.4/site-packages/ipalib/plugins/user.py'
ipa: DEBUG: importing plugin module '/usr/lib/python2.4/site-packages/ipalib/plugins/user2.py'
ipa: DEBUG: importing plugin module '/usr/lib/python2.4/site-packages/ipalib/plugins/xmlclient.py'
ipa: INFO: Created connection context.xmlclient
ipa: DEBUG: raw: user_find(u'admin', all=False)
ipa: INFO: user_find(u'admin', all=False)
ipa: INFO: Forwarding 'user_find' to server 'https://jennyv2.bos.redhat.com/ipa/xml'
ipa: DEBUG: Caught fault 4203 from server https://jennyv2.bos.redhat.com/ipa/xml: Invalid credentials:SASL(-14): authorization failure:
ipa: INFO: Destroyed connection context.xmlclient
ipa: ERROR: Invalid credentials:SASL(-14): authorization failure:

Comment 2 Jenny Severance 2009-06-23 14:17:06 UTC

Closing - bug DS issue that has already been reported.

*** This bug has been marked as a duplicate of bug 504383 ***

Note You need to log in before you can comment on or make changes to this bug.