A bit of context: A couple of days ago, while testing expired certificates, I bumped the system date by 2 years (and reset it back by running '# ntpdate 66.187.233.4'). Today, while I was debugging, with shanks, a beakrun failure of 'ipa-ca-install', I was trying to redo it manually, and at random we tried to do a 'host-find' on the Master, and this is what ensued:

==============================
[root@neptune ~]# klist
Ticket cache: FILE:/tmp/krb5cc_0
Default principal: admin@LAB.ENG.PNQ.REDHAT.COM

Valid starting     Expires            Service principal
05/11/12 15:04:57  05/12/12 15:04:52  krbtgt/LAB.ENG.PNQ.REDHAT.COM@LAB.ENG.PNQ.REDHAT.COM
05/11/12 15:05:00  05/12/12 15:04:52  HTTP/neptune.lab.eng.pnq.redhat.com@LAB.ENG.PNQ.REDHAT.COM
[root@neptune ~]#
==============================
[root@neptune ~]# ipa host-find --all
ipa: ERROR: Local error: SASL(-1): generic failure: GSSAPI Error: Unspecified GSS failure.  Minor code may provide more information (Ticket not yet valid)
[root@neptune ~]#
==============================
[root@neptune ~]# ipa -d host-find --all
.
.
.
ipa: DEBUG: approved_usage = SSLServer intended_usage = SSLServer
ipa: DEBUG: cert valid True for "CN=neptune.lab.eng.pnq.redhat.com,O=LAB.ENG.PNQ.REDHAT.COM"
ipa: DEBUG: handshake complete, peer = 10.65.201.47:443
ipa: DEBUG: Caught fault 4203 from server http://neptune.lab.eng.pnq.redhat.com/ipa/xml: Local error: SASL(-1): generic failure: GSSAPI Error: Unspecified GSS failure.  Minor code may provide more information (Ticket not yet valid)
ipa: DEBUG: Destroyed connection context.xmlclient
ipa: ERROR: Local error: SASL(-1): generic failure: GSSAPI Error: Unspecified GSS failure.  Minor code may provide more information (Ticket not yet valid)
[root@neptune ~]#
==============================
[root@neptune ~]# cat /etc/resolv.conf
search lab.eng.pnq.redhat.com
nameserver 10.65.201.47
[root@neptune ~]#
==============================

Martin suggested to try --delegate, and it seemed to return the entry just fine:

==============================
[root@neptune ~]# ipa --delegate host-find
--------------
1 host matched
--------------
  Host name: neptune.lab.eng.pnq.redhat.com
  Principal name: host/neptune.lab.eng.pnq.redhat.com@LAB.ENG.PNQ.REDHAT.COM
  SSH public key fingerprint: 0E:F1:9B:D0:A0:8E:8C:5A:BA:D7:03:EB:6B:E4:31:25 (ssh-dss), AA:6C:D2:C1:19:6F:84:A3:C2:91:C0:80:F9:D9:F7:4D (ssh-rsa)
  Password: False
  Keytab: True
  Managed by: neptune.lab.eng.pnq.redhat.com
----------------------------
Number of entries returned 1
----------------------------
[root@neptune ~]#
==============================
[root@neptune ~]# date
Fri May 11 15:11:09 IST 2012
==============================

Then, Sumit suggested to remove the ccache files httpd uses to access the directory server:

==============================
[root@neptune ~]# find /tmp -name 'krb5cc_48' | xargs rm
==============================

=> host-find now runs successfully:

==============================
[root@neptune ~]# ipa host-find
--------------
1 host matched
--------------
  Host name: neptune.lab.eng.pnq.redhat.com
  Principal name: host/neptune.lab.eng.pnq.redhat.com@LAB.ENG.PNQ.REDHAT.COM
  SSH public key fingerprint: 0E:F1:9B:D0:A0:8E:8C:5A:BA:D7:03:EB:6B:E4:31:25 (ssh-dss), AA:6C:D2:C1:19:6F:84:A3:C2:91:C0:80:F9:D9:F7:4D (ssh-rsa)
  Password: False
  Keytab: True
  Managed by: neptune.lab.eng.pnq.redhat.com
----------------------------
Number of entries returned 1
----------------------------
[root@neptune ~]#
==============================

Additional info:

From Sumit, when I mentioned the date changing and resetting it back: "I still suspect that there is something wrong with how apache handles the tickets. It should replace the one it has with a new one because the new one might have different authorization information."
Linked to Bugzilla bug: https://bugzilla.redhat.com/show_bug.cgi?id=821339 (Red Hat Enterprise Linux 6)
Just restart the server after you have played with the time. Kerberos is sensitive to time changes.
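The failure mode in this ticket is a cached ticket whose start time lies in the future relative to the corrected clock, which GSSAPI reports as "Ticket not yet valid". Below is a small check for exactly that, added here as an example and not code from the reporter or from the FreeIPA project: it parses klist-style output in the two-digit-year format shown above and reports tickets whose "Valid starting" time is later than now plus the allowed clock skew (300 seconds, the krb5 default for clockskew). The admin ccache text is copied from the ticket; the httpd (uid 48) ccache text is constructed, since the ticket never prints it. Function names, the sample cache contents and the reference time are assumptions.

```python
import re
from datetime import datetime, timedelta

# Copied from the ticket: the admin ccache, obtained after the clock was reset.
SAMPLE_ADMIN_CCACHE = """\
Ticket cache: FILE:/tmp/krb5cc_0
Default principal: admin@LAB.ENG.PNQ.REDHAT.COM

Valid starting     Expires            Service principal
05/11/12 15:04:57  05/12/12 15:04:52  krbtgt/LAB.ENG.PNQ.REDHAT.COM@LAB.ENG.PNQ.REDHAT.COM
05/11/12 15:05:00  05/12/12 15:04:52  HTTP/neptune.lab.eng.pnq.redhat.com@LAB.ENG.PNQ.REDHAT.COM
"""

# Constructed (not from the ticket): what the httpd ccache could plausibly
# hold if its tickets were issued while the clock was bumped 2 years ahead.
SAMPLE_HTTPD_CCACHE = """\
Ticket cache: FILE:/tmp/krb5cc_48
Default principal: HTTP/neptune.lab.eng.pnq.redhat.com@LAB.ENG.PNQ.REDHAT.COM

Valid starting     Expires            Service principal
05/09/14 15:02:10  05/10/14 15:02:10  krbtgt/LAB.ENG.PNQ.REDHAT.COM@LAB.ENG.PNQ.REDHAT.COM
05/09/14 15:02:11  05/10/14 15:02:10  ldap/neptune.lab.eng.pnq.redhat.com@LAB.ENG.PNQ.REDHAT.COM
"""

# Reference "now": the `date` output in the ticket, after the clock was reset.
NOW_AFTER_RESET = datetime(2012, 5, 11, 15, 11, 9)

# krb5's default clockskew is 300 seconds; a ticket whose start time is
# further in the future than that is rejected as "not yet valid".
DEFAULT_CLOCKSKEW = timedelta(seconds=300)

# Matches the two-digit-year ticket lines klist printed on this system
# (assumption: other locales/versions may print four-digit years).
TICKET_RE = re.compile(
    r"^(\d\d/\d\d/\d\d \d\d:\d\d:\d\d)\s+(\d\d/\d\d/\d\d \d\d:\d\d:\d\d)\s+(\S+)$"
)
TIME_FMT = "%m/%d/%y %H:%M:%S"


def parse_klist(text):
    """Return (cache_name, [(start, expires, service_principal), ...])."""
    cache = None
    tickets = []
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("Ticket cache:"):
            cache = line.split(":", 1)[1].strip()
            continue
        m = TICKET_RE.match(line)
        if m:
            start = datetime.strptime(m.group(1), TIME_FMT)
            expires = datetime.strptime(m.group(2), TIME_FMT)
            tickets.append((start, expires, m.group(3)))
    return cache, tickets


def not_yet_valid(text, now, skew=DEFAULT_CLOCKSKEW):
    """Service principals of tickets that start later than now + skew."""
    _, tickets = parse_klist(text)
    return [svc for start, _, svc in tickets if start > now + skew]


def caches_to_destroy(klist_outputs, now, skew=DEFAULT_CLOCKSKEW):
    """Ccache names holding at least one not-yet-valid ticket.

    These are the caches to clear (kdestroy -c <cache>, or rm as in the
    ticket) before the process that owns them can authenticate again.
    """
    bad = []
    for text in klist_outputs:
        cache, _ = parse_klist(text)
        if not_yet_valid(text, now, skew):
            bad.append(cache)
    return bad


if __name__ == "__main__":
    for cache in caches_to_destroy([SAMPLE_ADMIN_CCACHE, SAMPLE_HTTPD_CCACHE],
                                   NOW_AFTER_RESET):
        print("not-yet-valid tickets in", cache)
```

On a live system the inputs would be `klist -c /tmp/krb5cc_<uid>` output for each cache under /tmp, with `now` taken from the corrected clock. The skew allowance matters: a ticket a couple of minutes "ahead" is still accepted by krb5, so only caches beyond the skew need clearing, and for a long-running daemon such as httpd restarting the service is the simpler route, as the comment above says.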
Metadata Update from @kashyapc:
- Issue assigned to someone
- Issue set to the milestone: FreeIPA 2.2.0 Documentation