I'm seeing this on Fedora 18 with mod_wsgi 3.4-1 when I run ipa commands without kerberos credentials:
Immediately after ipa-replica-install:
[root@f18-2 ~]# ipa group-add --desc=desc group$RANDOM ipa: ERROR: cannot connect to Gettext('any of the configured servers', domain='ipa', localedir=None): https://f18-2.testrelm.com/ipa/xml, https://f18-1.testrelm.com/ipa/xml [root@f18-2 ~]# ipa user-find ipa: ERROR: cannot connect to Gettext('any of the configured servers', domain='ipa', localedir=None): https://f18-2.testrelm.com/ipa/xml, https://f18-1.testrelm.com/ipa/xml [root@f18-2 ~]# ipa user-find ipa: ERROR: cannot connect to Gettext('any of the configured servers', domain='ipa', localedir=None): https://f18-2.testrelm.com/ipa/xml, https://f18-1.testrelm.com/ipa/xml
And in httpd/error_log I see:
[Tue Oct 16 11:20:30.175003 2012] [auth_kerb:error] [pid 15074] [client 192.168.122.182:39460] gss_acce pt_sec_context() failed: Unspecified GSS failure. Minor code may provide more information (, Wrong principal in request), referer: https://f18-2.testrelm.com/ipa/xml [Tue Oct 16 11:21:20.516423 2012] [auth_kerb:error] [pid 15073] [client 192.168.122.182:39462] gss_accept_sec_context() failed: Unspecified GSS failure. Minor code may provide more information (, Wrong principal in request), referer: https://f18-2.testrelm.com/ipa/xml [Tue Oct 16 11:21:27.382656 2012] [auth_kerb:error] [pid 15072] [client 192.168.122.182:39463] gss_accept_sec_context() failed: Unspecified GSS failure. Minor code may provide more information (, Wrong principal in request), referer: https://f18-2.testrelm.com/ipa/xml
But, when I kinit, things work as expected:
[root@f18-2 ~]# kinit admin Password for admin@TESTRELM.COM: [root@f18-2 ~]# ipa group-find ---------------- 4 groups matched ---------------- ...output truncated...
If I kdestroy to try to test without creds, it returns expected error:
[root@f18-2 ~]# kdestroy [root@f18-2 ~]# klist klist: No credentials cache found (ticket cache FILE:/tmp/krb5cc_0) [root@f18-2 ~]# ipa group-find ipa: ERROR: did not receive Kerberos credentials
So, it appears to be just an issue before initial kinit to get admin.
Also, from krb5kdc.log:
Oct 16 11:20:29 f18-2.testrelm.com krb5kdc15037: AS_REQ (4 etypes {18 17 16 23}) 192.168.122.182: NEEDED_PREAUTH: HTTP/f18-2.testrelm.com@TESTRELM.COM for krbtgt/TESTRELM.COM@TESTRELM.COM, Additional pre-authentication required
Oct 16 11:20:29 f18-2.testrelm.com krb5kdc15037: AS_REQ (4 etypes {18 17 16 23}) 192.168.122.182: ISSUE: authtime 1350400829, etypes {rep=18 tkt=18 ses=18}, HTTP/f18-2.testrelm.com@TESTRELM.COM for krbtgt/TESTRELM.COM@TESTRELM.COM
Can it be that it chokes on the fact that ccache file is not created yet?
Scott, I've been unable to reproduce this. Do you know the state your machine was in when you tried this? Was this a re-install, so you could have had credentials from a previous install?
I haven't been able to reproduce this.
On a clean installation:
[root@vm-078 ~]$ ipa group-add --desc=desc group$RANDOM ipa: ERROR: did not receive Kerberos credentials
Everything works as expected, the credentials cache file is not present:
[root@vm-078 ~]# echo $KRB5CCNAME [root@vm-078 ~]# ls /tmp/krb5cc* ls: cannot access /tmp/krb5cc*: No such file or directory
Version:
[root@vm-078 ~]# rpm -qa | grep wsgi mod_wsgi-3.4-2.fc18.x86_64 [root@vm-078 ~]# rpm -qa | grep freeipa-server freeipa-server-trust-ad-3.0.99GITeb57d47-0.fc18.x86_64 freeipa-server-3.0.99GITeb57d47-0.fc18.x86_64 freeipa-server-selinux-3.0.99GITeb57d47-0.fc18.x86_64
Doesn't look like this is still an issue.
[root@f18-2 ~]# rpm -qa|grep mod_wsgi mod_wsgi-3.4-2.fc18.x86_64
[root@f18-2 ~]# ipa group-find ipa: ERROR: did not receive Kerberos credentials
[root@f18-2 ~]# ipa user-find ipa: ERROR: did not receive Kerberos credentials
[root@f18-2 ~]# ipa group-add test --desc=testgroup ipa: ERROR: did not receive Kerberos credentials
Metadata Update from @spoore: - Issue assigned to tbabej - Issue set to the milestone: FreeIPA 3.0.1 (bug fixing)
Login to comment on this ticket.