#3186 ipa cli issues with mod_wsgi 3.4
Closed: Invalid None Opened 11 years ago by spoore.

I'm seeing this on Fedora 18 with mod_wsgi 3.4-1 when I run ipa commands without kerberos credentials:

Immediately after ipa-replica-install:

[root@f18-2 ~]# ipa group-add --desc=desc group$RANDOM
ipa: ERROR: cannot connect to Gettext('any of the configured servers', domain='ipa', localedir=None): https://f18-2.testrelm.com/ipa/xml, https://f18-1.testrelm.com/ipa/xml

[root@f18-2 ~]# ipa user-find
ipa: ERROR: cannot connect to Gettext('any of the configured servers', domain='ipa', localedir=None): https://f18-2.testrelm.com/ipa/xml, https://f18-1.testrelm.com/ipa/xml

[root@f18-2 ~]# ipa user-find
ipa: ERROR: cannot connect to Gettext('any of the configured servers', domain='ipa', localedir=None): https://f18-2.testrelm.com/ipa/xml, https://f18-1.testrelm.com/ipa/xml

And in httpd/error_log I see:

[Tue Oct 16 11:20:30.175003 2012] [auth_kerb:error] [pid 15074] [client 192.168.122.182:39460] gss_accept_sec_context() failed: Unspecified GSS failure.  Minor code may provide more information (, Wrong principal in request), referer: https://f18-2.testrelm.com/ipa/xml
[Tue Oct 16 11:21:20.516423 2012] [auth_kerb:error] [pid 15073] [client 192.168.122.182:39462] gss_accept_sec_context() failed: Unspecified GSS failure.  Minor code may provide more information (, Wrong principal in request), referer: https://f18-2.testrelm.com/ipa/xml
[Tue Oct 16 11:21:27.382656 2012] [auth_kerb:error] [pid 15072] [client 192.168.122.182:39463] gss_accept_sec_context() failed: Unspecified GSS failure.  Minor code may provide more information (, Wrong principal in request), referer: https://f18-2.testrelm.com/ipa/xml

But, when I kinit, things work as expected:

[root@f18-2 ~]# kinit admin
Password for admin@TESTRELM.COM:

[root@f18-2 ~]# ipa group-find
----------------
4 groups matched
----------------
...output truncated...

If I kdestroy to try to test without creds, it returns the expected error:

[root@f18-2 ~]# kdestroy

[root@f18-2 ~]# klist
klist: No credentials cache found (ticket cache FILE:/tmp/krb5cc_0)

[root@f18-2 ~]# ipa group-find
ipa: ERROR: did not receive Kerberos credentials

So, it appears to be just an issue before initial kinit to get admin.


Also, from krb5kdc.log:

Oct 16 11:20:29 f18-2.testrelm.com krb5kdc15037: AS_REQ (4 etypes {18 17 16 23}) 192.168.122.182: NEEDED_PREAUTH: HTTP/f18-2.testrelm.com@TESTRELM.COM for krbtgt/TESTRELM.COM@TESTRELM.COM, Additional pre-authentication required

Oct 16 11:20:29 f18-2.testrelm.com krb5kdc15037: AS_REQ (4 etypes {18 17 16 23}) 192.168.122.182: ISSUE: authtime 1350400829, etypes {rep=18 tkt=18 ses=18}, HTTP/f18-2.testrelm.com@TESTRELM.COM for krbtgt/TESTRELM.COM@TESTRELM.COM

Can it be that it chokes on the fact that the ccache file is not created yet?

Scott, I've been unable to reproduce this. Do you know the state your machine was in when you tried this? Was this a re-install, so you could have had credentials from a previous install?

I haven't been able to reproduce this.

On a clean installation:

[root@vm-078 ~]$ ipa group-add --desc=desc group$RANDOM
ipa: ERROR: did not receive Kerberos credentials

Everything works as expected, the credentials cache file is not present:

[root@vm-078 ~]# echo $KRB5CCNAME

[root@vm-078 ~]# ls /tmp/krb5cc*
ls: cannot access /tmp/krb5cc*: No such file or directory

Version:

[root@vm-078 ~]# rpm -qa | grep wsgi
mod_wsgi-3.4-2.fc18.x86_64
[root@vm-078 ~]# rpm -qa | grep freeipa-server
freeipa-server-trust-ad-3.0.99GITeb57d47-0.fc18.x86_64
freeipa-server-3.0.99GITeb57d47-0.fc18.x86_64
freeipa-server-selinux-3.0.99GITeb57d47-0.fc18.x86_64

Doesn't look like this is still an issue.

[root@f18-2 ~]# rpm -qa|grep mod_wsgi
mod_wsgi-3.4-2.fc18.x86_64

[root@f18-2 ~]# ipa group-find
ipa: ERROR: did not receive Kerberos credentials

[root@f18-2 ~]# ipa user-find
ipa: ERROR: did not receive Kerberos credentials

[root@f18-2 ~]# ipa group-add test --desc=testgroup
ipa: ERROR: did not receive Kerberos credentials

Metadata Update from @spoore:
- Issue assigned to tbabej
- Issue set to the milestone: FreeIPA 3.0.1 (bug fixing)

7 years ago
