Description of problem:
When testing DIR CCACHE with FreeIPA in Fedora 19 I cannot make Kerberos auth work when I use a DIR CCACHE in the KRB5CCNAME attribute. I am not sure what I am doing wrong:

# klist
Ticket cache: DIR::/run/user/0/krb5cc/tktEUNgMM
Default principal: admin@IDM.LAB.BOS.REDHAT.COM

Valid starting       Expires              Service principal
05/20/2013 11:05:09  05/21/2013 11:05:08  krbtgt/IDM.LAB.BOS.REDHAT.COM@IDM.LAB.BOS.REDHAT.COM
05/20/2013 11:17:37  05/21/2013 11:05:08  ldap/vm-119.idm.lab.bos.redhat.com@IDM.LAB.BOS.REDHAT.COM
05/21/2013 06:39:16  05/21/2013 11:05:08  HTTP/vm-119.idm.lab.bos.redhat.com@IDM.LAB.BOS.REDHAT.COM

The DIR ccache type works for klist:

# KRB5CCNAME=DIR::/run/user/0/krb5cc/tktEUNgMM klist -c
Ticket cache: DIR::/run/user/0/krb5cc/tktEUNgMM
Default principal: admin@IDM.LAB.BOS.REDHAT.COM

Valid starting       Expires              Service principal
05/20/2013 11:05:09  05/21/2013 11:05:08  krbtgt/IDM.LAB.BOS.REDHAT.COM@IDM.LAB.BOS.REDHAT.COM
05/20/2013 11:17:37  05/21/2013 11:05:08  ldap/vm-119.idm.lab.bos.redhat.com@IDM.LAB.BOS.REDHAT.COM
05/21/2013 06:39:16  05/21/2013 11:05:08  HTTP/vm-119.idm.lab.bos.redhat.com@IDM.LAB.BOS.REDHAT.COM

But it does not work for other projects:

# KRB5CCNAME=DIR::/run/user/0/krb5cc/tktEUNgMM ipa user-find
ipa: ERROR: Kerberos error: ('Unspecified GSS failure.  Minor code may provide more information', 851968)/('No Kerberos credentials available', -1765328243)

# KRB5CCNAME=DIR::/run/user/0/krb5cc/tktEUNgMM ldapsearch -h localhost -Y GSSAPI -b cn=config -s base
SASL/GSSAPI authentication started
ldap_sasl_interactive_bind_s: Local error (-2)
	additional info: SASL(-1): generic failure: GSSAPI Error: Unspecified GSS failure.  Minor code may provide more information (No Kerberos credentials available)

I tested it with python-kerberos and I get the same results:

# KRB5CCNAME=DIR::/run/user/0/krb5cc/tktEUNgMM python
Python 2.7.5 (default, May 16 2013, 13:44:12)
[GCC 4.8.0 20130412 (Red Hat 4.8.0-2)] on linux2
Type "help", "copyright", "credits" or "license" for more information.
>>> import kerberos
>>> (rc, vc) = kerberos.authGSSClientInit("HTTP@vm-119.idm.lab.bos.redhat.com", kerberos.GSS_C_MUTUAL_FLAG | kerberos.GSS_C_SEQUENCE_FLAG)
>>> kerberos.authGSSClientStep(vc, "")
Traceback (most recent call last):
  File "<stdin>", line 1, in <module>
kerberos.GSSError: (('Unspecified GSS failure.  Minor code may provide more information', 851968), ('No Kerberos credentials available', -1765328243))
>>>

When using a FILE type CCACHE for the same code, it works:

# KRB5CCNAME=FILE:/run/user/0/krb5cc/tktEUNgMM python
Python 2.7.5 (default, May 16 2013, 13:44:12)
[GCC 4.8.0 20130412 (Red Hat 4.8.0-2)] on linux2
Type "help", "copyright", "credits" or "license" for more information.
>>> import kerberos
>>> (rc, vc) = kerberos.authGSSClientInit("HTTP@vm-119.idm.lab.bos.redhat.com", kerberos.GSS_C_MUTUAL_FLAG | kerberos.GSS_C_SEQUENCE_FLAG)
>>> kerberos.authGSSClientStep(vc, "")
0
>>>

Version-Release number of selected component (if applicable):
krb5-devel-1.11.2-5.fc19.x86_64

How reproducible:

Steps to Reproduce:
1. See above
2.
3.

Actual results:
GSSAPI Error: Unspecified GSS failure.  Minor code may provide more information (No Kerberos credentials available)

Expected results:
The DIR CCACHE type can be passed and used in the KRB5CCNAME attribute. We construct this type of KRB5CCNAME when Kerberos default_ccache() returns type "DIR".

Additional info:
It's a subtle difference in the way the library has treated KRB5CCNAME values that look like "DIR:/path/to/dir" from values that look like "DIR::/path/to/file". A simpler method of checking is to run "klist -A". We can backport the upstream fix.
Note that the upstream fix treats a "DIR::" collection as if it were a "DIR:" collection with only one ccache in it, so for the sake of cases where the user will have multiple TGTs, the better longer-term plan is probably to change whatever's setting KRB5CCNAME to point to the entire directory rather than one component in it.
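To make the two forms concrete, here is a small added Python helper (not code from this bug report or from krb5) that parses a KRB5CCNAME value, turns a single-cache "DIR::/path/to/file" reference into the whole-collection "DIR:/path/to/dir" form recommended above, and lists the caches in a collection directory. It relies on the documented DIR layout (cache files named tkt*, a "primary" file naming the selected cache); the sample collection it builds is constructed for the example.

```python
"""Helpers for KRB5CCNAME values of the DIR credential cache type.
Added example; not code from the bug report or from krb5 itself."""
import os
import tempfile


def parse_ccname(ccname):
    """Split a KRB5CCNAME value into (type, residual).
    A value with no 'TYPE:' prefix is a FILE cache, krb5's default."""
    head, sep, rest = ccname.partition(":")
    if not sep or not head.isalpha():
        return "FILE", ccname
    return head.upper(), rest


def dir_collection(ccname):
    """Return the whole-collection form 'DIR:<directory>' of a DIR name.
    'DIR::<file>' selects one cache inside a collection (the form this
    bug report is about); 'DIR:<dir>' names every cache in it."""
    cctype, residual = parse_ccname(ccname)
    if cctype != "DIR":
        return None
    if residual.startswith(":"):
        return "DIR:" + os.path.dirname(residual[1:])
    return "DIR:" + residual


def collection_caches(directory):
    """List the caches in a DIR collection: cache files are named 'tkt*',
    and the 'primary' file holds the name of the currently selected one."""
    caches = sorted(n for n in os.listdir(directory) if n.startswith("tkt"))
    primary = None
    pfile = os.path.join(directory, "primary")
    if os.path.exists(pfile):
        with open(pfile) as f:
            primary = f.read().strip()
    return primary, caches


def make_sample_collection():
    """Constructed sample: a DIR collection with two caches, the first
    marked primary. Real cache files hold binary ccache data; empty
    placeholders are enough to exercise the listing logic."""
    directory = tempfile.mkdtemp(prefix="krb5cc_")
    for name in ("tktEUNgMM", "tktyKSS4u"):
        open(os.path.join(directory, name), "wb").close()
    with open(os.path.join(directory, "primary"), "w") as f:
        f.write("tktEUNgMM\n")
    return directory
```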
krb5-1.11.2-6.fc19 has been submitted as an update for Fedora 19. https://admin.fedoraproject.org/updates/FEDORA-2013-8113/krb5-1.11.2-6.fc19
Thanks Nalin for the quick fix! I can confirm that this update fixed the issue:

# KRB5CCNAME=DIR::/run/user/0/krb5cc/tktyKSS4u ipa user-find
--------------
1 user matched
--------------
  User login: admin
  Last name: Administrator
  Home directory: /home/admin
  Login shell: /bin/bash
  UID: 1977400000
  GID: 1977400000
  Account disabled: False
  Password: True
  Kerberos keys available: True
----------------------------
Number of entries returned 1
----------------------------

Giving karma +1.
Package krb5-1.11.2-6.fc19:
* should fix your issue,
* was pushed to the Fedora 19 testing repository,
* should be available at your local mirror within two days.
Update it with:
# su -c 'yum update --enablerepo=updates-testing krb5-1.11.2-6.fc19'
as soon as you are able to.
Please go to the following url:
https://admin.fedoraproject.org/updates/FEDORA-2013-8113/krb5-1.11.2-6.fc19
then log in and leave karma (feedback).
krb5-1.11.2-6.fc19 has been pushed to the Fedora 19 stable repository. If problems still persist, please make note of it in this bug report.