[Bug 2029489] [NEW] Kerberos credential cache missing service principal after installing adsys
Sam Hartman
2029489@bugs.launchpad.net
Thu Aug 3 16:38:17 UTC 2023
I think you'll find that the missing service principal is a symptom, not
a cause.
In particular, if you run klist after kinit but before the ldapsearch,
you'll find that the service principal is created by the ldapsearch
call (when it works).
You're going to need better debugging out of the spnego mechanism you
are using to figure out what's going wrong.
--Sam
--
You received this bug notification because you are a member of Ubuntu
Foundations Bugs, which is subscribed to krb5 in Ubuntu.
https://bugs.launchpad.net/bugs/2029489
Title:
Kerberos credential cache missing service principal after installing
adsys
Status in krb5 package in Ubuntu:
Confirmed
Bug description:
After installing adsys, login using a domain user fails. This seems to
be related to the credential cache missing a service principal for
specific domains, as demonstrated by testing below:
ubuntu@ip-172-31-11-163:/tmp$ sudo ldbsearch -H ldap://ec2amaz-hg2r0q8.fabio-rg.com --use-krb5-ccache=/tmp/krb5cc_1930801111_oaZ7UR --debug-stdout --debuglevel 20
startlmhosts: Can't open lmhosts file /etc/samba/lmhosts. Error was No such file or directory
Starting GENSEC mechanism spnego
Starting GENSEC submechanism gssapi_krb5
cli_credentials(WORKGROUP\root) without realm, cannot use kerberos for this connection ldap/ec2amaz-hg2r0q8.fabio-rg.com
Failed to start GENSEC client mech gssapi_krb5: NT_STATUS_INVALID_PARAMETER
gensec_spnego_create_negTokenInit_step: Failed to setup SPNEGO negTokenInit request
gensec_update_send: spnego[0x55847edb93d0]: subreq: 0x55847edb9910
gensec_update_done: spnego[0x55847edb93d0]: NT_STATUS_INVALID_PARAMETER tevent_req[0x55847edb9910/../../auth/gensec/spnego.c:1631]: state[3] error[-7963671676338569203 (0x917B5ACDC000000D)] state[struct gensec_spnego_update_state (0x55847edb9ad0)] timer[(nil)] finish[../../auth/gensec/spnego.c:1947]
Failed to bind - LDAP client internal error: NT_STATUS_INVALID_PARAMETER
Failed to connect to 'ldap://ec2amaz-hg2r0q8.fabio-rg.com' with backend 'ldap': LDAP client internal error: NT_STATUS_INVALID_PARAMETER
Failed to connect to ldap://ec2amaz-hg2r0q8.fabio-rg.com - LDAP client internal error: NT_STATUS_INVALID_PARAMETER
Using a fresh kinit works:
ubuntu@ip-172-31-11-163:/tmp$ sudo kinit fabiomirmar@FABIO-RG.COM
Password for fabiomirmar@FABIO-RG.COM:
ubuntu@ip-172-31-11-163:/tmp$ sudo ldbsearch -H ldap://ec2amaz-hg2r0q8.fabio-rg.com --use-krb5-ccache=/tmp/krb5cc_0 --debug-stdout --debuglevel 20
Comparing the credential caches:
ubuntu@ip-172-31-11-163:/tmp$ sudo klist /tmp/krb5cc_0
Ticket cache: FILE:/tmp/krb5cc_0
Default principal: fabiomirmar@FABIO-RG.COM

Valid starting       Expires              Service principal
07/26/23 13:28:03  07/26/23 23:28:03  krbtgt/FABIO-RG.COM@FABIO-RG.COM
        renew until 07/27/23 13:28:01
07/26/23 13:28:41  07/26/23 23:28:03  ldap/ec2amaz-hg2r0q8.fabio-rg.com@FABIO-RG.COM
        renew until 07/27/23 13:28:01

ubuntu@ip-172-31-11-163:/tmp$ sudo klist /tmp/krb5cc_1930801111_oaZ7UR
Ticket cache: FILE:/tmp/krb5cc_1930801111_oaZ7UR
Default principal: fabiomirmar@FABIO-RG.COM

Valid starting       Expires              Service principal
07/26/23 13:16:48  07/26/23 23:16:48  krbtgt/FABIO-RG.COM@FABIO-RG.COM
        renew until 07/27/23 13:16:48
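A small triage script that applies the reasoning in this thread, added here as an example and not part of the bug report, krb5, Samba or adsys: it parses `klist` output for a credential cache, checks whether the default principal carries a realm (the condition Samba's debug output reports as "without realm"), whether a TGT is present, and whether a service ticket for the LDAP server has already been obtained, and classifies the cache accordingly. A cache holding only a TGT is the normal state before the first GSSAPI exchange, since the `ldap/...` ticket is requested by the bind itself, which is the point of the reply above. The two klist transcripts are reconstructed from the runs shown in the report; the function names and classification strings are this example's own.

```python
"""Triage a Kerberos credential cache for the 'missing service principal' symptom.

Example code written for this page; not from krb5, Samba or adsys.
The two klist transcripts below are constructed from the bug report.
"""
import re
from dataclasses import dataclass, field

# MIT klist ticket lines look like:
# "07/26/23 13:28:03  07/26/23 23:28:03  ldap/host@REALM"
TICKET_RE = re.compile(
    r"^(\d\d/\d\d/\d\d \d\d:\d\d:\d\d)\s+(\d\d/\d\d/\d\d \d\d:\d\d:\d\d)\s+(\S+)$"
)


@dataclass
class Ticket:
    valid_from: str
    expires: str
    service: str  # full service principal, e.g. krbtgt/REALM@REALM


@dataclass
class CredCache:
    path: str = ""
    default_principal: str = ""
    tickets: list = field(default_factory=list)


def parse_klist(text: str) -> CredCache:
    """Parse the plain-text output of `klist <ccache>` (MIT krb5 format)."""
    cache = CredCache()
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("Ticket cache:"):
            cache.path = line.split(":", 1)[1].strip()
        elif line.startswith("Default principal:"):
            cache.default_principal = line.split(":", 1)[1].strip()
        else:
            m = TICKET_RE.match(line)
            if m:  # 'renew until ...' continuation lines do not match
                cache.tickets.append(Ticket(*m.groups()))
    return cache


def realm_of(principal: str) -> str:
    """Realm part of a principal, or '' when it has none."""
    return principal.rsplit("@", 1)[1] if "@" in principal else ""


def has_tgt(cache: CredCache) -> bool:
    """True if the cache holds a TGT for the default principal's realm."""
    realm = realm_of(cache.default_principal)
    return bool(realm) and any(
        t.service == f"krbtgt/{realm}@{realm}" for t in cache.tickets
    )


def has_service_ticket(cache: CredCache, service: str) -> bool:
    """True if a ticket for `service` (name without realm) is cached."""
    return any(t.service.split("@", 1)[0] == service for t in cache.tickets)


def diagnose(cache: CredCache, service: str) -> str:
    """Classify the cache. A missing service ticket alone is not an error:
    the ticket is requested on the first GSSAPI use (the LDAP bind), so a
    cache that only holds a TGT is the normal state before that bind."""
    if not realm_of(cache.default_principal):
        return "no-realm"        # GSSAPI cannot select a KDC; fix principal/realm
    if not has_tgt(cache):
        return "no-tgt"          # run kinit first
    if has_service_ticket(cache, service):
        return "service-ticket"  # a GSSAPI exchange already succeeded
    return "tgt-only"            # normal before first use; trace the SPNEGO/GSSAPI step


# Constructed from the two klist runs in the bug report.
KLIST_WORKING_CACHE = """\
Ticket cache: FILE:/tmp/krb5cc_0
Default principal: fabiomirmar@FABIO-RG.COM

Valid starting       Expires              Service principal
07/26/23 13:28:03  07/26/23 23:28:03  krbtgt/FABIO-RG.COM@FABIO-RG.COM
        renew until 07/27/23 13:28:01
07/26/23 13:28:41  07/26/23 23:28:03  ldap/ec2amaz-hg2r0q8.fabio-rg.com@FABIO-RG.COM
        renew until 07/27/23 13:28:01
"""

KLIST_SESSION_CACHE = """\
Ticket cache: FILE:/tmp/krb5cc_1930801111_oaZ7UR
Default principal: fabiomirmar@FABIO-RG.COM

Valid starting       Expires              Service principal
07/26/23 13:16:48  07/26/23 23:16:48  krbtgt/FABIO-RG.COM@FABIO-RG.COM
        renew until 07/27/23 13:16:48
"""

LDAP_SERVICE = "ldap/ec2amaz-hg2r0q8.fabio-rg.com"

if __name__ == "__main__":
    for text in (KLIST_WORKING_CACHE, KLIST_SESSION_CACHE):
        c = parse_klist(text)
        print(f"{c.path}: {diagnose(c, LDAP_SERVICE)} ({len(c.tickets)} ticket(s))")
```

To use it on a live system, feed the output of `klist <ccache>` to `parse_klist` once after `kinit` and once after the LDAP bind: a cache that stays in `tgt-only` after a failed bind confirms the ticket was never requested, and the next step is tracing the GSSAPI library rather than the cache contents (for a client linked against MIT krb5, setting `KRB5_TRACE=/dev/stderr` in its environment prints the library's own trace).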