[Bug 2029489] [NEW] Kerberos credential cache missing service principal after installing adsys

Sam Hartman 2029489@bugs.launchpad.net
Thu Aug 3 16:38:17 UTC 2023


I think you'll find that the missing service principal is a symptom, not
a cause.
In particular, if you run klist after kinit but before the ldapsearch,
you'll find that the service principal is created by the ldapsearch
call (when it works).

You're going to need better debugging out of the spnego mechanism you
are using to figure out what's going wrong.

--Sam

-- 
You received this bug notification because you are a member of Ubuntu
Foundations Bugs, which is subscribed to krb5 in Ubuntu.
https://bugs.launchpad.net/bugs/2029489

Title:
  Kerberos credential cache missing service principal after installing
  adsys

Status in krb5 package in Ubuntu:
  Confirmed

Bug description:
  After installing adsys, login using a domain user fails. This seems to
  be related to the credential cache missing a service principal for
  specific domains, as demonstrated by testing below:

  
  ubuntu@ip-172-31-11-163:/tmp$ sudo ldbsearch -H ldap://ec2amaz-hg2r0q8.fabio-rg.com --use-krb5-ccache=/tmp/krb5cc_1930801111_oaZ7UR --debug-stdout --debuglevel 20

  startlmhosts: Can't open lmhosts file /etc/samba/lmhosts. Error was No such file or directory
  Starting GENSEC mechanism spnego
  Starting GENSEC submechanism gssapi_krb5
  cli_credentials(WORKGROUP\root) without realm, cannot use kerberos for this connection ldap/ec2amaz-hg2r0q8.fabio-rg.com
  Failed to start GENSEC client mech gssapi_krb5: NT_STATUS_INVALID_PARAMETER
  gensec_spnego_create_negTokenInit_step: Failed to setup SPNEGO negTokenInit request
  gensec_update_send: spnego[0x55847edb93d0]: subreq: 0x55847edb9910
  gensec_update_done: spnego[0x55847edb93d0]: NT_STATUS_INVALID_PARAMETER tevent_req[0x55847edb9910/../../auth/gensec/spnego.c:1631]: state[3] error[-7963671676338569203 (0x917B5ACDC000000D)]  state[struct gensec_spnego_update_state (0x55847edb9ad0)] timer[(nil)] finish[../../auth/gensec/spnego.c:1947]
  Failed to bind - LDAP client internal error: NT_STATUS_INVALID_PARAMETER
  Failed to connect to 'ldap://ec2amaz-hg2r0q8.fabio-rg.com' with backend 'ldap': LDAP client internal error: NT_STATUS_INVALID_PARAMETER
  Failed to connect to ldap://ec2amaz-hg2r0q8.fabio-rg.com - LDAP client internal error: NT_STATUS_INVALID_PARAMETER

  Using a fresh kinit works:

  ubuntu@ip-172-31-11-163:/tmp$ sudo kinit fabiomirmar@FABIO-RG.COM
  Password for fabiomirmar@FABIO-RG.COM: 

  ubuntu@ip-172-31-11-163:/tmp$ sudo ldbsearch -H ldap://ec2amaz-hg2r0q8.fabio-rg.com --use-krb5-ccache=/tmp/krb5cc_0 --debug-stdout --debuglevel 20

  
  Comparing the credential caches:

  ubuntu@ip-172-31-11-163:/tmp$ sudo klist /tmp/krb5cc_0
  Ticket cache: FILE:/tmp/krb5cc_0
  Default principal: fabiomirmar@FABIO-RG.COM

  Valid starting     Expires            Service principal
  07/26/23 13:28:03  07/26/23 23:28:03  krbtgt/FABIO-RG.COM@FABIO-RG.COM
  	renew until 07/27/23 13:28:01
  07/26/23 13:28:41  07/26/23 23:28:03  ldap/ec2amaz-hg2r0q8.fabio-rg.com@FABIO-RG.COM
  	renew until 07/27/23 13:28:01

  ubuntu@ip-172-31-11-163:/tmp$ sudo klist /tmp/krb5cc_1930801111_oaZ7UR
  Ticket cache: FILE:/tmp/krb5cc_1930801111_oaZ7UR
  Default principal: fabiomirmar@FABIO-RG.COM

  Valid starting     Expires            Service principal
  07/26/23 13:16:48  07/26/23 23:16:48  krbtgt/FABIO-RG.COM@FABIO-RG.COM
  	renew until 07/27/23 13:16:48

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/krb5/+bug/2029489/+subscriptions
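Sam's point is that a cache holding only the krbtgt entry is the normal state of a freshly issued credential cache: the ldap/... service ticket is requested with the TGT at the first bind, so its absence before that bind proves nothing. The script below is an added illustration of how to check that programmatically; it is not code from the bug report, krb5, Samba or adsys. It parses the text that `klist <ccache>` prints (MIT krb5 default layout) and classifies a cache relative to the service the client wants to reach. The two klist captures from the report are reproduced as constructed input with the mailing-list "at" restored to "@"; the reference time `REFERENCE_NOW` is an assumption chosen to fall inside both caches' validity.

```python
"""Parse `klist` output and say what a Kerberos credential cache holds.

Added example for the bug thread above (not code from krb5, Samba or adsys).
It never talks to a KDC: it parses the text `klist <ccache>` prints.  The two
captures from the report are reproduced below as constructed input.
"""
import re
from dataclasses import dataclass, field
from datetime import datetime
from typing import List, Optional

DATE_FMT = "%m/%d/%y %H:%M:%S"
# "valid-from  expires  service-principal" rows of MIT klist's default output
TICKET_RE = re.compile(
    r"^(\d\d/\d\d/\d\d \d\d:\d\d:\d\d)\s+(\d\d/\d\d/\d\d \d\d:\d\d:\d\d)\s+(\S+)$"
)


@dataclass
class Ticket:
    valid_from: datetime
    expires: datetime
    service: str                      # e.g. ldap/host.example.com@REALM
    renew_until: Optional[datetime] = None


@dataclass
class CredCache:
    name: str
    principal: str                    # default (client) principal
    tickets: List[Ticket] = field(default_factory=list)


def parse_klist(text: str) -> CredCache:
    """Build a CredCache from klist output; raise ValueError if it is not one."""
    name = principal = None
    tickets: List[Ticket] = []
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("Ticket cache:"):
            name = line.split(":", 1)[1].strip()      # keeps "FILE:/tmp/..."
        elif line.startswith("Default principal:"):
            principal = line.split(":", 1)[1].strip()
        elif line.startswith("renew until") and tickets:
            stamp = line[len("renew until"):].strip()
            tickets[-1].renew_until = datetime.strptime(stamp, DATE_FMT)
        else:
            m = TICKET_RE.match(line)          # header and blank lines do not match
            if m:
                tickets.append(Ticket(datetime.strptime(m.group(1), DATE_FMT),
                                      datetime.strptime(m.group(2), DATE_FMT),
                                      m.group(3)))
    if name is None or principal is None:
        raise ValueError("not klist output: cache name or default principal missing")
    return CredCache(name, principal, tickets)


def realm_of(principal: str) -> str:
    return principal.rsplit("@", 1)[1]


def find_ticket(cc: CredCache, service: str) -> Optional[Ticket]:
    """Return the ticket whose service principal (realm stripped) matches."""
    for t in cc.tickets:
        if t.service.split("@", 1)[0] == service:
            return t
    return None


def summarize(cc: CredCache, service: str, now: datetime) -> str:
    """Classify the cache relative to the service the client wants to reach.

    A missing service ticket is only a finding when the TGT is also unusable:
    the client fetches the service ticket with the TGT at first use, so a
    freshly issued cache legitimately shows the krbtgt entry alone.
    """
    tgt = find_ticket(cc, f"krbtgt/{realm_of(cc.principal)}")
    if tgt is None:
        return "no TGT: kinit needed before any service can be reached"
    if tgt.expires <= now:
        return f"TGT expired at {tgt.expires:{DATE_FMT}}: kinit (or renew) needed"
    svc = find_ticket(cc, service)
    if svc is None:
        return (f"TGT valid, no {service} ticket yet: normal before the first bind, "
                f"the client requests it with the TGT; debug the client's GSSAPI/"
                f"SPNEGO path if that bind fails")
    if svc.expires <= now:
        return f"{service} ticket expired at {svc.expires:{DATE_FMT}}"
    return f"TGT and {service} ticket both valid (service ticket cached by an earlier bind)"


# Constructed input: the two klist captures from the bug report.
CACHE_AFTER_KINIT_AND_BIND = """\
Ticket cache: FILE:/tmp/krb5cc_0
Default principal: fabiomirmar@FABIO-RG.COM

Valid starting     Expires            Service principal
07/26/23 13:28:03  07/26/23 23:28:03  krbtgt/FABIO-RG.COM@FABIO-RG.COM
\trenew until 07/27/23 13:28:01
07/26/23 13:28:41  07/26/23 23:28:03  ldap/ec2amaz-hg2r0q8.fabio-rg.com@FABIO-RG.COM
\trenew until 07/27/23 13:28:01
"""

CACHE_FROM_LOGIN = """\
Ticket cache: FILE:/tmp/krb5cc_1930801111_oaZ7UR
Default principal: fabiomirmar@FABIO-RG.COM

Valid starting     Expires            Service principal
07/26/23 13:16:48  07/26/23 23:16:48  krbtgt/FABIO-RG.COM@FABIO-RG.COM
\trenew until 07/27/23 13:16:48
"""

LDAP_SERVICE = "ldap/ec2amaz-hg2r0q8.fabio-rg.com"
REFERENCE_NOW = datetime(2023, 7, 26, 14, 0, 0)   # assumed time inside both caches' validity

if __name__ == "__main__":
    for text in (CACHE_AFTER_KINIT_AND_BIND, CACHE_FROM_LOGIN):
        cc = parse_klist(text)
        print(cc.name, "->", summarize(cc, LDAP_SERVICE, REFERENCE_NOW))
```

Run it against real caches with `klist /path/to/ccache | python3 -c 'import sys, checkcc; ...'` or by passing captured output to `parse_klist`; the useful comparison is the one Sam describes, a capture taken after kinit and before the bind beside one taken after a successful bind. The classifier treats expiry only, not the "valid starting" time, so a clock-skewed client still reads as valid here; the KDC is the authority on that.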