Bug 977972 - kinit: Credential cache directory /run/user/0/krb5cc does not exist while getting default ccache
Status: CLOSED DUPLICATE of bug 961235
Product: Fedora
Classification: Fedora
Component: freeipa
Hardware: x86_64 Linux
Priority: unspecified, Severity: high
Assigned To: Rob Crittenden
QA Contact: Fedora Extras Quality Assurance
Depends On: 961235 985016
Reported: 2013-06-25 13:14 EDT by Dean Hunter
Modified: 2013-07-16 10:54 EDT
Doc Type: Bug Fix
Last Closed: 2013-06-26 02:48:35 EDT
Type: Bug
Description Dean Hunter 2013-06-25 13:14:15 EDT
Description of problem:

I see bug #961235 with a description of the root cause. What is the work-around for use with IPA? I can not ssh to this virtual machine as it is in the default network and isolated. I must use a console login then "su -".

Version-Release number of selected component (if applicable):


How reproducible: Consistent

Steps to Reproduce:

1. Build a new Fedora 19 VM with the updates-testing repository disabled
2. Login through console
3. su -
4. yum install --assumeyes bind bind-dyndb-ldap freeipa-server
5. ipa-server-install ....
6. kinit admin

Actual results:

kinit: Credential cache directory /run/user/0/krb5cc does not exist while getting default ccache

Expected results:

Successful kerberos login

Additional info:
Comment 1 Martin Kosek 2013-06-25 15:05:04 EDT
Hello Dean, this really is not a FreeIPA bug, so I plan to close it as a duplicate of Bug 961235.

But speaking of workaround, I think you can for example update your ~/.bashrc or alternative and override system KRB5CCNAME to make it point to some directory that indeed exists, e.g.:

export KRB5CCNAME=/tmp/krb5cc_$(id -u)

Note this workaround is only temporary and will prevent you from using the benefits coming from http://fedoraproject.org/wiki/Features/KRB5CacheMove. A real solution needs to come from the aforementioned Bug 961235.
Comment 2 Dean Hunter 2013-06-25 15:46:44 EDT
Yes, I know it is not a FreeIPA bug, but I need to know how y'all work-around it, whether there are particular requirements for IPA or who knows what.  The wiki article says that the KRB5 Cache Move feature is complete.  This seems to be confirmed by the behavior I experienced, except they did not cover the su/sudo use cases which is what bug #961235 seems to be about.

Since you seem to be speaking somewhat tentatively, I am guessing that you have not personally experienced this problem?
Comment 3 Martin Kosek 2013-06-26 02:48:35 EDT
I am not sure how others work around it. You can write to the freeipa-devel mailing list; you may get answers or hints from more developers than just me. But the temporary workaround I proposed above should work until bug #961235 is fixed.

Closing this Bugzilla as a duplicate of Bug 961235.

*** This bug has been marked as a duplicate of bug 961235 ***
Comment 4 Dean Hunter 2013-06-26 11:51:50 EDT
This seems to work:

  if [ ! -d /run/user/0/krb5cc ]     # RedHat bug 977972
  then                               # RedHat bug 977972
    mkdir -p     /run/user/0/krb5cc  # RedHat bug 977972
    chmod -R 700 /run/user/0         # RedHat bug 977972
  fi                                 # RedHat bug 977972

  kinit admin
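
The two workarounds from Comment 1 and Comment 4 combined into one shell function, as an added example that is not part of the bug report or any commenter's code: it creates a missing DIR: cache directory with private permissions and falls back to the /tmp file cache when it cannot. The name usable_ccname, its arguments, and the assumption that the default cache is DIR: at the path in the error message are hypothetical.

```shell
# Added example, not from the bug report. Function name and arguments are
# hypothetical.
#
# usable_ccname CCNAME [FALLBACK]
#   Prints the value KRB5CCNAME should have so that kinit finds a usable cache.
usable_ccname() {
    ccname=$1
    fallback=${2:-/tmp/krb5cc_$(id -u)}          # Comment 1's workaround
    case $ccname in
        DIR:*) dir=${ccname#DIR:} ;;
        *) printf '%s\n' "$ccname"; return 0 ;;  # other cache types need no directory
    esac
    # Comment 4's workaround: create the missing directory, private from the
    # start (umask 077 also applies to parents created by mkdir -p).
    if [ ! -e "$dir" ] && ! (umask 077 && mkdir -p "$dir") 2>/dev/null; then
        printf '%s\n' "$fallback"; return 0
    fi
    # Accept only a real directory owned by the current user, never a symlink
    # or a directory that belongs to someone else.
    if [ -L "$dir" ] || [ ! -d "$dir" ] || [ ! -O "$dir" ]; then
        printf '%s\n' "$fallback"; return 0
    fi
    chmod 700 "$dir" || { printf '%s\n' "$fallback"; return 0; }
    printf '%s\n' "$ccname"
}

# Usage before kinit (assumes the DIR: default shown in the error message):
#   KRB5CCNAME=$(usable_ccname "DIR:/run/user/$(id -u)/krb5cc")
#   export KRB5CCNAME
#   kinit admin
```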

