I set up a FreeIPA server on CentOS 6.3. I then set up a FreeIPA client on another CentOS 6.3 system. So far, so good. Then I attempted to set up a FreeIPA client on a F18 system, which has FreeIPA 3.1.0, but that fails with the error “Failed to obtain host TGT.”, and then reverts the changes.
The log file shows everything succeeding up to this point:
    2012-12-25T18:21:00Z DEBUG Starting external process
    2012-12-25T18:21:00Z DEBUG args=kinit mbt@IPA.NAUNETCORP.COM
    2012-12-25T18:21:01Z DEBUG Process finished, return code=0
    2012-12-25T18:21:01Z DEBUG stdout=Password for mbt@IPA.NAUNETCORP.COM:
    2012-12-25T18:21:01Z DEBUG stderr=
    2012-12-25T18:21:01Z DEBUG Starting external process
    2012-12-25T18:21:01Z DEBUG args=/usr/sbin/ipa-join -s s0.ipa.naunetcorp.com -b dc=ipa,dc=naunetcorp,dc=com -h aloe.ipa.naunetcorp.com
    2012-12-25T18:21:03Z DEBUG Process finished, return code=0
    2012-12-25T18:21:03Z DEBUG stdout=
    2012-12-25T18:21:03Z DEBUG stderr=Certificate subject base is: O=IPA.NAUNETCORP.COM
    2012-12-25T18:21:03Z INFO Enrolled in IPA realm IPA.NAUNETCORP.COM
    2012-12-25T18:21:03Z DEBUG Starting external process
    2012-12-25T18:21:03Z DEBUG args=kdestroy
    2012-12-25T18:21:03Z DEBUG Process finished, return code=0
    2012-12-25T18:21:03Z DEBUG stdout=
    2012-12-25T18:21:03Z DEBUG stderr=
    2012-12-25T18:21:03Z DEBUG Starting external process
    2012-12-25T18:21:03Z DEBUG args=/usr/bin/kinit -k -t /etc/krb5.keytab host/aloe.ipa.naunetcorp.com@IPA.NAUNETCORP.COM
    2012-12-25T18:21:03Z DEBUG Process finished, return code=1
    2012-12-25T18:21:03Z DEBUG stdout=
    2012-12-25T18:21:03Z DEBUG stderr=kinit: Generic preauthentication failure while getting initial credentials
    2012-12-25T18:21:03Z ERROR Failed to obtain host TGT.
The following also appears in the dmesg log. This appears to be as a result of the ipa-getkeytab command forked by ipa-join:
[841320.159237] ipa-getkeytab[17228]: segfault at 0 ip 00007f58ae2a51dc sp 00007fffaec7c750 error 6 in libgssapiv2.so.2.0.25[7f58ae2a2000+7000]
So what I can say for sure at this point is:
NULL
ABRT detected that Something Bad Happened™, but it was unable to submit a report as it collected no data.
I finally managed to collect a core file by running as root, and running ulimit -c unlimited. That core file will be attached momentarily. The backtrace from that file is:
    #0 0x00007f58ae2a51dc in sasl_gss_encode () from /usr/lib64/sasl2/libgssapiv2.so
    #1 0x000000389160a712 in _sasl_encodev () from /lib64/libsasl2.so.2
    #2 0x000000389160caf1 in sasl_encodev () from /lib64/libsasl2.so.2
    #3 0x000000389160cd1f in sasl_encode () from /lib64/libsasl2.so.2
    #4 0x0000003893e165a5 in sb_sasl_cyrus_encode (p=0x838b20, buf=<optimized out>, len=<optimized out>, dst=0x838b90) at cyrus.c:165
    #5 0x0000003893e1920a in sb_sasl_generic_write (sbiod=0x8389a0, buf=0x841f20, len=<optimized out>) at sasl.c:773
    #6 0x0000003893a0941c in sb_debug_write (sbiod=0x834340, buf=0x841f20, len=243) at sockbuf.c:854
    #7 0x0000003893a0aa70 in ber_int_sb_write (sb=sb@entry=0x82a480, buf=0x841f20, len=len@entry=243) at sockbuf.c:445
    #8 0x0000003893a06b9b in ber_flush2 (sb=0x82a480, ber=0x8387d0, freeit=freeit@entry=0) at io.c:246
    #9 0x0000003893e240dc in ldap_int_flush_request (ld=ld@entry=0x82a1e0, lr=0x839430) at request.c:183
    #10 0x0000003893e24571 in ldap_send_server_request (ld=ld@entry=0x82a1e0, ber=ber@entry=0x8387d0, msgid=msgid@entry=4, parentreq=parentreq@entry=0x0, srvlist=srvlist@entry=0x0, lc=0x8341d0, lc@entry=0x0, bind=bind@entry=0x0, m_noconn=m_noconn@entry=0, m_res=m_res@entry=0) at request.c:402
    #11 0x0000003893e247c3 in ldap_send_initial_request (ld=ld@entry=0x82a1e0, msgtype=msgtype@entry=119, dn=dn@entry=0x0, ber=ber@entry=0x8387d0, msgid=msgid@entry=4) at request.c:166
    #12 0x0000003893e159c2 in ldap_extended_operation (ld=0x82a1e0, reqoid=reqoid@entry=0x405728 "2.16.840.1.113730.3.8.10.1", reqdata=reqdata@entry=0x826a40, sctrls=sctrls@entry=0x0, cctrls=cctrls@entry=0x0, msgidp=msgidp@entry=0x7fffaec7cc84) at extended.c:109
    #13 0x0000000000402c7d in ldap_set_keytab (keys=0x7fffaec7cd00, bindpw=<optimized out>, binddn=0x0, princ=0x827030, principal_name=<optimized out>, servername=0x826e70 "s0.ipa.naunetcorp.com", krbctx=0x826150) at ipa-getkeytab.c:268
    #14 main (argc=<optimized out>, argv=<optimized out>) at ipa-getkeytab.c:593
(Note that the stack trace is incomplete, as debuginfo-install was unable to find all of the necessary symbols to provide a quality stack trace. My apologies if this was somehow caused by my ignorance—I am new to both FreeIPA and Fedora, and particularly the rpm/yum tool stack.)
Core dump from the crash. core.17228.xz
New stack trace as requested by Simo Sorce on the mailing list.
    (gdb) bt full
    #0 0x00007f58ae2a51dc in sasl_gss_encode () from /usr/lib64/sasl2/libgssapiv2.so
    No symbol table info available.
    #1 0x000000389160a712 in _sasl_encodev () from /lib64/libsasl2.so.2
    No symbol table info available.
    #2 0x000000389160caf1 in sasl_encodev () from /lib64/libsasl2.so.2
    No symbol table info available.
    #3 0x000000389160cd1f in sasl_encode () from /lib64/libsasl2.so.2
    No symbol table info available.
    #4 0x0000003893e165a5 in sb_sasl_cyrus_encode (p=0x838b20, buf=<optimized out>, len=<optimized out>, dst=0x838b90) at cyrus.c:165
            sasl_context = <optimized out>
            ret = <optimized out>
            tmpsize = 0
    #5 0x0000003893e1920a in sb_sasl_generic_write (sbiod=0x8389a0, buf=0x841f20, len=<optimized out>) at sasl.c:773
            p = 0x838b20
            ret = <optimized out>
            len2 = 243
            __PRETTY_FUNCTION__ = "sb_sasl_generic_write"
    #6 0x0000003893a0941c in sb_debug_write (sbiod=0x834340, buf=0x841f20, len=243) at sockbuf.c:854
            ret = <optimized out>
            ebuf = "\000Y\203\000\000\000\000\000p\311Ǯ\377\177\000\000\220\027\033x8\000\000\000\200\311Ǯ\377\177\000\000\340\241\202\000\000\000\000\000\302:\240\223\070\000\000\000\360\312Ǯ\377\177\000\000\302:\240\223\070\000\000\000\360\312Ǯ\377\177\000\000<<\240\223\070\000\000\000\352\000\000\000\000\000\000\000)\037\204\000\000\000\000\000\352\000\000\000\000\000\000\000\065\375\343\223\070\000\000\000\064\375\343\223\070\000\000\000>L\240\223\070\000\000"
    #7 0x0000003893a0aa70 in ber_int_sb_write (sb=sb@entry=0x82a480, buf=0x841f20, len=len@entry=243) at sockbuf.c:445
            ret = <optimized out>
            __PRETTY_FUNCTION__ = "ber_int_sb_write"
    #8 0x0000003893a06b9b in ber_flush2 (sb=0x82a480, ber=0x8387d0, freeit=freeit@entry=0) at io.c:246
            towrite = <optimized out>
            rc = <optimized out>
            __PRETTY_FUNCTION__ = "ber_flush2"
    #9 0x0000003893e240dc in ldap_int_flush_request (ld=ld@entry=0x82a1e0, lr=0x839430) at request.c:183
            lc = 0x8341d0
    #10 0x0000003893e24571 in ldap_send_server_request (ld=ld@entry=0x82a1e0, ber=ber@entry=0x8387d0, msgid=msgid@entry=4, parentreq=parentreq@entry=0x0, srvlist=srvlist@entry=0x0, lc=0x8341d0, lc@entry=0x0, bind=bind@entry=0x0, m_noconn=m_noconn@entry=0, m_res=m_res@entry=0) at request.c:402
            lr = <optimized out>
            incparent = <optimized out>
            rc = 0
    #11 0x0000003893e247c3 in ldap_send_initial_request (ld=ld@entry=0x82a1e0, msgtype=msgtype@entry=119, dn=dn@entry=0x0, ber=ber@entry=0x8387d0, msgid=msgid@entry=4) at request.c:166
            rc = <optimized out>
            sd = 3
    #12 0x0000003893e159c2 in ldap_extended_operation (ld=0x82a1e0, reqoid=reqoid@entry=0x405728 "2.16.840.1.113730.3.8.10.1", reqdata=reqdata@entry=0x826a40, sctrls=sctrls@entry=0x0, cctrls=cctrls@entry=0x0, msgidp=msgidp@entry=0x7fffaec7cc84) at extended.c:109
            ber = 0x8387d0
            rc = <optimized out>
            id = 4
            __PRETTY_FUNCTION__ = "ldap_extended_operation"
    #13 0x0000000000402c7d in ldap_set_keytab (keys=0x7fffaec7cd00, bindpw=<optimized out>, binddn=0x0, princ=0x827030, principal_name=<optimized out>, servername=0x826e70 "s0.ipa.naunetcorp.com", krbctx=0x826150) at ipa-getkeytab.c:268
            srvctrl = 0x0
            kvno = <optimized out>
            tv = {tv_sec = 10, tv_usec = 0}
            err = 0x0
            control = 0x826a40
            retoid = 0x0
            res = 0x0
            pprc = 0x0
            encs = 0x827270
            version = 3
            ld = 0x82a1e0
            retdata = 0x0
            ret = <optimized out>
            rc = <optimized out>
            i = <optimized out>
            rtag = <optimized out>
            successful_keys = 0
            sctrl = 0x0
            msgid = <optimized out>
    #14 main (argc=<optimized out>, argv=<optimized out>) at ipa-getkeytab.c:593
            server = 0x826e70 "s0.ipa.naunetcorp.com"
            principal = 0x826f10 "host/aloe.ipa.naunetcorp.com@IPA.NAUNETCORP.COM"
            keytab = 0x826fb0 "/etc/krb5.keytab"
            enctypes_string = 0x0
            binddn = 0x0
            bindpw = 0x0
            quiet = 0
            askpass = 0
            permitted_enctypes = 0
            options = {{longName = 0x405515 "quiet", shortName = 113 'q', argInfo = 0, arg = 0x7fffaec7cc74, val = 0, descrip = 0x40551b "Print as little as possible", argDescrip = 0x405537 "Output only on errors"},
              {longName = 0x40554d "server", shortName = 115 's', argInfo = 1, arg = 0x607380, val = 0, descrip = 0x405000 "Contact this specific KDC Server", argDescrip = 0x405554 "Server Name"},
              {longName = 0x405560 "principal", shortName = 112 'p', argInfo = 1, arg = 0x607388, val = 0, descrip = 0x405028 "The principal to get a keytab for (ex: ftp/ftp.example.com@EXAMPLE.COM)", argDescrip = 0x405070 "Kerberos Service Principal Name"},
              {longName = 0x4055fe "keytab", shortName = 107 'k', argInfo = 1, arg = 0x607390, val = 0, descrip = 0x405090 "File were to store the keytab information", argDescrip = 0x40556a "Keytab File Name"},
              {longName = 0x4055a1 "enctypes", shortName = 101 'e', argInfo = 1, arg = 0x607398, val = 0, descrip = 0x40557b "Encryption types to request", argDescrip = 0x4050c0 "Comma separated encryption types list"},
              {longName = 0x405597 "permitted-enctypes", shortName = 0 '\000', argInfo = 0, arg = 0x7fffaec7cc7c, val = 0, descrip = 0x4050e8 "Show the list of permitted encryption types and exit", argDescrip = 0x4055aa "Permitted Encryption Types"},
              {longName = 0x4055e0 "password", shortName = 80 'P', argInfo = 0, arg = 0x7fffaec7cc78, val = 0, descrip = 0x405120 "Asks for a non-random password to use for the principal", argDescrip = 0x0},
              {longName = 0x4055c5 "binddn", shortName = 68 'D', argInfo = 1, arg = 0x6073a0, val = 0, descrip = 0x4055cc "LDAP DN", argDescrip = 0x405158 "DN to bind as if not using kerberos"},
              {longName = 0x4055d4 "bindpw", shortName = 119 'w', argInfo = 1, arg = 0x6073a8, val = 0, descrip = 0x4055db "LDAP password", argDescrip = 0x405180 "password to use if not using kerberos"},
              {longName = 0x0, shortName = 0 '\000', argInfo = 4, arg = 0x6072a0, val = 0, descrip = 0x4055e9 "Help options:", argDescrip = 0x0},
              {longName = 0x0, shortName = 0 '\000', argInfo = 0, arg = 0x0, val = 0, descrip = 0x0, argDescrip = 0x0}}
            pc = <optimized out>
            ktname = 0x827080 "WRFILE:/etc/krb5.keytab"
            password = <optimized out>
            krbctx = 0x826150
            ccache = 0x827010
            uprinc = 0x827030
            sprinc = 0x8270a0
            krberr = <optimized out>
            keys = {nkeys = 4, ksdata = 0x826870}
            kt = <optimized out>
            kvno = 0
            i = <optimized out>
            ret = <optimized out>
            err_msg = <optimized out>
Are there any special circumstances in your system? I tried a default ipa-server installation on CentOS 6.3 VM and client installation on recent F18 VM and I was not able to reproduce the issue you are experiencing (yet).
Server configuration:
    # cat /etc/system-release
    CentOS release 6.3 (Final)
    # rpm -q ipa-server 389-ds-base krb5-server
    ipa-server-2.2.0-16.el6.x86_64
    389-ds-base-1.2.10.2-20.el6_3.x86_64
    krb5-server-1.9-33.el6_3.3.x86_64
Client installation process (vm-037.<domain> is the CentOS 6.3 server):
    # cat /etc/system-release
    Fedora release 18 (Spherical Cow)
    # rpm -q freeipa-client
    freeipa-client-3.1.0-1.fc18.x86_64
    # ipa-client-install --server vm-037.<domain> --domain <domain> -p admin -w PASSWORD -U
    Hostname: vm-037.<domain>
    Realm: <REALM>
    DNS Domain: <domain>
    IPA Server: vm-037.<domain>
    BaseDN: dc=domain,dc=com
    Synchronizing time with KDC...
    Enrolled in IPA realm <REALM>
    Created /etc/ipa/default.conf
    New SSSD config will be created
    Configured /etc/sssd/sssd.conf
    ...
    Client configuration complete.
    # id admin
    uid=1757600000(admin) gid=1757600000(admins) groups=1757600000(admins)
Do your package versions match the versions I have?
Apparently this is just a bug in the sasl library that is not going to land in F18. Closing.
Metadata Update from @mbt: - Issue assigned to someone - Issue set to the milestone: 0.0 NEEDS_TRIAGE