[Freeipa-devel] Strange issue I keep hitting with invalid tickets

Simo Sorce simo at redhat.com
Wed Aug 1 14:37:23 UTC 2012


On Tue, 2012-07-31 at 14:50 -0700, Michael Gregg wrote:
> I am not sure why, but when I let my ipa machines sit around for a
> while (overnight-24 hours) and then kinit, when I try to run IPA commands
> I get output like this:
> 
> [root@zippyvm12 ~]# ipa host-find
> ipa: ERROR: Local error: SASL(-1): generic failure: GSSAPI Error:
> Unspecified GSS failure.  Minor code may provide more information
> (Ticket not yet valid)
> 
> This issue seems to be addressed here:
> 
> https://access.redhat.com/knowledge/solutions/133433
> 
> It's strange, because when I kinit again, I seem to have valid
> credentials, like here:
> 
> [root@zippyvm12 ~]# klist
> Ticket cache: FILE:/tmp/krb5cc_0
> Default principal: admin@TESTRELM.COM
> Valid starting     Expires            Service principal
> 07/31/12 17:31:16  08/01/12 17:31:14  krbtgt/TESTRELM.COM@TESTRELM.COM
> 07/31/12 17:32:39  08/01/12 17:31:14  HTTP/zippyvm12.testrelm.com@TESTRELM.COM
> 
> 
> The workaround for me seems to be deleting /tmp/krb5*
> Then, I kinit again, and it all starts to work again.
> 
> My question is, why is this happening? Any ideas?

On what distro/krb5 libs version?

We fixed a bug where krb5 was badly using the timestamp in the cache and
thus sometimes failing to properly set the clock skew in the request.

You may be falling for the same bug (normally you'd see this with
krb5-auth-dialog when it tried to renew tickets).

Simo.

-- 
Simo Sorce * Red Hat, Inc * New York
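
As an added example (not part of the thread and not code from krb5 or FreeIPA), this Python parses klist output in the layout quoted above and flags tickets whose start time is ahead of a given clock by more than the allowed skew, which is the condition reported as "Ticket not yet valid". The sample cache contents, the principal names and the `parse_klist`, `classify` and `check_cache` helpers are constructed for illustration; 300 seconds is the MIT krb5 default `clockskew`, and the `MM/DD/YY HH:MM:SS` local-time format is assumed from the listing in the thread.

```python
from datetime import datetime, timedelta

# Constructed klist output in the layout shown in the thread (names are placeholders).
SAMPLE_KLIST = """\
Ticket cache: FILE:/tmp/krb5cc_0
Default principal: admin@EXAMPLE.TEST
Valid starting     Expires            Service principal
07/31/12 17:31:16  08/01/12 17:31:14  krbtgt/EXAMPLE.TEST@EXAMPLE.TEST
\trenew until 08/07/12 17:31:16
07/31/12 17:42:39  08/01/12 17:31:14  HTTP/host.example.test@EXAMPLE.TEST
"""

TIME_FMT = "%m/%d/%y %H:%M:%S"          # assumed from the listing in the thread
DEFAULT_SKEW = timedelta(seconds=300)   # MIT krb5 default clockskew


def parse_klist(text):
    """Yield (start, end, principal) for each ticket row of klist output."""
    in_table = False
    for line in text.splitlines():
        if line.startswith("Valid starting"):
            in_table = True
            continue
        fields = line.split()
        if not in_table or len(fields) < 5:
            continue  # header lines, blank lines, "renew until" rows
        try:
            start = datetime.strptime(" ".join(fields[0:2]), TIME_FMT)
            end = datetime.strptime(" ".join(fields[2:4]), TIME_FMT)
        except ValueError:
            continue  # row is not in the expected date format
        yield start, end, fields[4]


def classify(start, end, now, skew=DEFAULT_SKEW):
    """Apply the start/end time checks an accepting service makes against its clock."""
    if start - now > skew:
        return "not-yet-valid"
    if now - end > skew:
        return "expired"
    return "ok"


def check_cache(text, now, skew=DEFAULT_SKEW):
    """Return [(principal, status)] for every ticket in the klist text."""
    return [(p, classify(s, e, now, skew)) for s, e, p in parse_klist(text)]
```

Pass the clock of the host that rejects the ticket as `now`; a "not-yet-valid" result for a ticket that was just issued points at a time offset between client, KDC and service rather than at the credentials themselves.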



