Bug 982291 - RHEL7 ipa-adtrust-install Outdated Kerberos credentials error
Summary: RHEL7 ipa-adtrust-install Outdated Kerberos credentials error
Keywords:
Status: CLOSED CURRENTRELEASE
Alias: None
Product: Red Hat Enterprise Linux 7
Classification: Red Hat
Component: krb5
Version: 7.0
Hardware: Unspecified
OS: Unspecified
Priority: unspecified
Severity: unspecified
Target Milestone: rc
Target Release: ---
Assignee: Nalin Dahyabhai
QA Contact: Patrik Kis
URL:
Whiteboard:
Depends On:
Blocks:
Reported: 2013-07-08 15:22 UTC by Scott Poore
Modified: 2014-06-13 09:40 UTC (History)

Fixed In Version: krb5-1.11.3-4.el7
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2014-06-13 09:40:55 UTC
Target Upstream Version:
Embargoed:



Description Scott Poore 2013-07-08 15:22:47 UTC
Description of problem:

I'm seeing ipa-adtrust-install fail in RHEL7 unless I set the KRB5CCNAME variable like in bug #904720 for Fedora 18.

[root@rhel7-1 ~]# klist
Ticket cache: DIR::/run/user/0/krb5cc/tktezfUZl
Default principal: admin

Valid starting       Expires              Service principal
07/03/2013 14:35:30  07/04/2013 14:35:30  krbtgt/TESTRELM.COM
[root@rhel7-1 ~]# echo $KRB5CCNAME

[root@rhel7-1 ~]# ipa-adtrust-install --netbios-name=NBEXAMPLE -a PASSWORD -U

The log file for this installation can be found in /var/log/ipaserver-install.log
==============================================================================
This program will setup components needed to establish trust to AD domains for
the IPA Server.

This includes:
  * Configure Samba
  * Add trust related objects to IPA LDAP server

To accept the default shown in brackets, press the Enter key.

Outdated Kerberos credentials. Use kdestroy and kinit to update your ticket

Version-Release number of selected component (if applicable):
ipa-server-3.2.1-1.el7.x86_64


How reproducible:
always


Steps to Reproduce:
1.  Setup IPA server
2.  ipa-adtrust-install --netbios-name=NBEXAMPLE -a PASSWORD -U
3.

Actual results:
Fails with outdated credentials error listed above.

Expected results:
Works without error.

Additional info:
Setting KRB5CCNAME as described in the similar bug works around the issue.

export KRB5CCNAME=/tmp/krb5cc_$(id -u)

Comment 2 Rob Crittenden 2013-07-08 15:50:25 UTC
Upstream ticket:
https://fedorahosted.org/freeipa/ticket/3769

Comment 3 Scott Poore 2013-07-09 15:43:12 UTC
FYI:  Just a note that this was after applying the following workaround to get ipa-server-install to work:

[root@rhel7-7 ~]# mkdir -p /run/user/0/krb5cc
[root@rhel7-7 ~]# chmod -R 700 /run/user/0

This was from this bug:  

https://bugzilla.redhat.com/show_bug.cgi?id=977972

So, when I see ipa-adtrust-install fail, that dir is in place:

[root@rhel7-7 ~]# echo $ADMINPW | kinit admin
Password for admin: 

[root@rhel7-7 ~]# ipa-adtrust-install --netbios-name=$(echo $IPA1_RELM|cut -f1 -d.) -a $ADMINPW -U

The log file for this installation can be found in /var/log/ipaserver-install.log
==============================================================================
This program will setup components needed to establish trust to AD domains for
the IPA Server.

This includes:
  * Configure Samba
  * Add trust related objects to IPA LDAP server

To accept the default shown in brackets, press the Enter key.

Outdated Kerberos credentials. Use kdestroy and kinit to update your ticket

[root@rhel7-7 ~]# 
[root@rhel7-7 ~]# ls -ld /run/user/0/krb5cc/
drwx------. 2 root root 80 Jul  9 11:37 /run/user/0/krb5cc/

Comment 4 Martin Kosek 2013-07-15 08:36:14 UTC
I tracked the problem down to a call to ldapsearch in ipa-adtrust-install where we pass a proper KRB5CCNAME and it fails:

# klist
Ticket cache: DIR::/run/user/0/krb5cc/tktB0zghY
Default principal: admin.BOS.REDHAT.COM

Valid starting       Expires              Service principal
07/15/2013 04:24:15  07/16/2013 04:24:15  krbtgt/IDM.LAB.BOS.REDHAT.COM.BOS.REDHAT.COM
07/15/2013 04:28:22  07/16/2013 04:24:15  ldap/vm-042.idm.lab.bos.redhat.com.BOS.REDHAT.COM

This works:

# ldapsearch -h `hostname` -Y GSSAPI -b "" -s base
SASL/GSSAPI authentication started
SASL username: admin.BOS.REDHAT.COM
SASL SSF: 56
SASL data security layer installed.
# extended LDIF

This does not:

# KRB5CCNAME="DIR::/run/user/0/krb5cc/tktB0zghY" ldapsearch -h `hostname` -Y GSSAPI -b "" -s base
SASL/GSSAPI authentication started
ldap_sasl_interactive_bind_s: Local error (-2)
	additional info: SASL(-1): generic failure: GSSAPI Error: Unspecified GSS failure.  Minor code may provide more information (No Kerberos credentials available)


This looks like something that should work. Adding Nalin to CC to advise.

Comment 5 Alexander Bokovoy 2013-07-15 08:55:13 UTC
This behavior of the krb5 libs is a known problem. I've argued a few times that libkrb5 needs to properly detect the case when KRB5CCNAME points to a specific ccache in the collection, like it prints out by itself (DIR::/run/user/0/krb5cc is the ccache collection, DIR::/run/user/0/krb5cc/tktB0zghY is a specific ccache in the collection), and process it properly.

Comment 7 Martin Kosek 2013-07-18 16:30:10 UTC
(In reply to Alexander Bokovoy from comment #5)
> This behavior of the krb5 libs is a known problem. I've argued a few times that
> libkrb5 needs to properly detect the case when KRB5CCNAME points to a specific
> ccache in the collection, like it prints out by itself
> (DIR::/run/user/0/krb5cc is the ccache collection,
> DIR::/run/user/0/krb5cc/tktB0zghY is a specific ccache in the collection), and
> process it properly.

I tend to agree. Moving to krb5 component for consideration.

Comment 8 Patrik Kis 2013-11-07 16:03:42 UTC
Hi Nalin,

While writing a test for this case (and also for other bugs) I observed the following behavior and wanted to check with you if it is ok/expected.

When the ccache is in a dir, the path to the ccache location expects DIR:: (double colon), but if the whole collection is used, only DIR: (a single colon) is expected.

0 [root@rhel7 tmp.GETzcj41d6 ]# klist -A
Ticket cache: DIR::/run/user/0/krb5cc/tkt72dvAz
Default principal: bob

Valid starting       Expires              Service principal
11/07/2013 16:29:23  11/08/2013 16:29:23  krbtgt/ZMRAZ.COM
	renew until 11/07/2013 16:29:23

Ticket cache: DIR::/run/user/0/krb5cc/tkt
Default principal: alice

Valid starting       Expires              Service principal
11/07/2013 16:29:20  11/08/2013 16:29:20  krbtgt/ZMRAZ.COM
	renew until 11/07/2013 16:29:20
0 [root@rhel7 tmp.GETzcj41d6 ]# 
0 [root@rhel7 tmp.GETzcj41d6 ]# KRB5CCNAME=DIR::/run/user/0/krb5cc/tkt klist
Ticket cache: DIR::/run/user/0/krb5cc/tkt
Default principal: alice

Valid starting       Expires              Service principal
11/07/2013 16:29:20  11/08/2013 16:29:20  krbtgt/ZMRAZ.COM
	renew until 11/07/2013 16:29:20
0 [root@rhel7 tmp.GETzcj41d6 ]# KRB5CCNAME=DIR::/run/user/0/krb5cc/tkt72dvAz klist
Ticket cache: DIR::/run/user/0/krb5cc/tkt72dvAz
Default principal: bob

Valid starting       Expires              Service principal
11/07/2013 16:29:23  11/08/2013 16:29:23  krbtgt/ZMRAZ.COM
	renew until 11/07/2013 16:29:23
0 [root@rhel7 tmp.GETzcj41d6 ]# 
0 [root@rhel7 tmp.GETzcj41d6 ]# KRB5CCNAME=DIR:/run/user/0/krb5cc/tkt72dvAz klist
klist: Bad format in credentials cache while getting default ccache
1 [root@rhel7 tmp.GETzcj41d6 ]# 
1 [root@rhel7 tmp.GETzcj41d6 ]# KRB5CCNAME=DIR:/run/user/0/krb5cc klist
Ticket cache: DIR::/run/user/0/krb5cc/tkt72dvAz
Default principal: bob

Valid starting       Expires              Service principal
11/07/2013 16:29:23  11/08/2013 16:29:23  krbtgt/ZMRAZ.COM
	renew until 11/07/2013 16:29:23
0 [root@rhel7 tmp.GETzcj41d6 ]# KRB5CCNAME=DIR::/run/user/0/krb5cc klist
klist: Credential cache name malformed while getting default ccache
1 [root@rhel7 tmp.GETzcj41d6 ]#
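
The naming rules that comment 5 and comment 8 describe, as an added example that is not part of the krb5 or FreeIPA code: a small Python classifier that splits a KRB5CCNAME value into cache type and residual, tells a DIR: collection apart from a DIR:: subsidiary cache, derives the collection name from a subsidiary name (the normalisation comment 5 asks libkrb5 to do), and reproduces the two klist errors from comment 8 when a DIR: name points at a file or a DIR:: name points at a directory. The error strings are copied from the klist output in comment 8; the on-disk checks are this example's approximation of what libkrb5 verifies, not its actual code. The demo builds a constructed collection under a temporary directory instead of /run/user/0/krb5cc, so it runs anywhere.

```python
import os
import tempfile
from dataclasses import dataclass
from typing import Dict, Optional


@dataclass
class CCacheName:
    cctype: str                # type prefix: "DIR", "FILE", "KEYRING", ...
    path: str                  # residual after the prefix (the path for DIR/FILE)
    is_collection: bool        # True if the name denotes a whole collection
    collection: Optional[str]  # directory of the collection, for DIR names


def parse_ccache_name(name: str) -> CCacheName:
    """Syntactic split of a KRB5CCNAME value; touches no files."""
    cctype, sep, residual = name.partition(":")
    if not sep or name.startswith("/"):
        # No "TYPE:" prefix: libkrb5 treats a bare path as a FILE: cache.
        return CCacheName("FILE", name, False, None)
    if cctype == "DIR":
        if residual.startswith(":"):
            # DIR::<file> names one subsidiary cache inside a collection.
            path = residual[1:]
            return CCacheName("DIR", path, False, os.path.dirname(path))
        # DIR:<directory> names the whole collection.
        return CCacheName("DIR", residual, True, residual)
    if cctype == "KEYRING":
        # KEYRING: names are collections as well (see comment 9).
        return CCacheName("KEYRING", residual, True, residual)
    return CCacheName(cctype, residual, False, None)


def validate_dir_ccache(parsed: CCacheName) -> None:
    """On-disk checks that reproduce the two klist errors in comment 8.

    The messages are the ones klist printed there; the checks are this
    example's approximation of libkrb5's verification, not its code."""
    if parsed.cctype != "DIR":
        return
    if parsed.is_collection:
        # DIR:<path> must not point at an existing non-directory.
        if os.path.exists(parsed.path) and not os.path.isdir(parsed.path):
            raise ValueError("Bad format in credentials cache")
    else:
        # DIR::<path> must be a file inside an existing collection directory.
        if os.path.isdir(parsed.path) or not os.path.isdir(parsed.collection):
            raise ValueError("Credential cache name malformed")


def collection_name(name: str) -> str:
    """Map a DIR:: subsidiary name to the DIR: name of its collection.

    This is the normalisation comment 5 argues libkrb5 should do itself;
    names that already denote a collection, or have none, are returned as-is."""
    parsed = parse_ccache_name(name)
    if parsed.cctype == "DIR" and not parsed.is_collection:
        return "DIR:" + parsed.collection
    return name


def classify_demo() -> Dict[str, str]:
    """Build a constructed collection in a temp dir (standing in for
    /run/user/0/krb5cc) and classify the five name forms from comment 8."""
    with tempfile.TemporaryDirectory() as tmp:
        coll = os.path.join(tmp, "krb5cc")
        os.mkdir(coll)
        for fname in ("tkt", "tkt72dvAz"):  # empty stand-ins for real caches
            open(os.path.join(coll, fname), "wb").close()
        forms = ("DIR:" + coll, "DIR::" + coll + "/tkt",
                 "DIR::" + coll + "/tkt72dvAz", "DIR:" + coll + "/tkt72dvAz",
                 "DIR::" + coll)
        results = {}
        for name in forms:
            try:
                parsed = parse_ccache_name(name)
                validate_dir_ccache(parsed)
                verdict = "collection" if parsed.is_collection else "subsidiary"
            except ValueError as exc:
                verdict = "error: " + str(exc)
            results[name.replace(tmp, "")] = verdict  # strip the temp prefix
        return results


if __name__ == "__main__":
    for name, verdict in classify_demo().items():
        print(f"{name:28} {verdict}")
    print(collection_name("DIR::/run/user/0/krb5cc/tktB0zghY"))
```

Running the script prints the same five verdicts that the klist session in comment 8 shows (collection, subsidiary, subsidiary, "Bad format", "name malformed") and then the DIR: collection name derived from the subsidiary name in comment 5. A tool that wants to hand a whole collection to a child process can pass `collection_name(os.environ["KRB5CCNAME"])` rather than the DIR:: value klist reports, which is the distinction this bug turned on.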

Comment 9 Nalin Dahyabhai 2013-11-07 18:04:15 UTC
The root cause for this was sorted in bug #965574 - DIR: cache collections didn't work quite right, and we should have pulled the fix in around krb5-1.11.2-7 or so (the fixed-in is currently krb5-1.11.3-4.el7, which was the first build we had after that).  New-style KEYRING: cache collections shouldn't have this problem, either.

Comment 11 Ludek Smid 2014-06-13 09:40:55 UTC
This request was resolved in Red Hat Enterprise Linux 7.0.

Contact your manager or support representative in case you have further questions about the request.

