[Bug 2029489] [NEW] Kerberos credential cache missing service principal after installing adsys
Heitor Alves de Siqueira
2029489@bugs.launchpad.net
Thu Aug 3 13:52:47 UTC 2023
Public bug reported:
After installing adsys, login using a domain user fails. This seems to
be related to the credential cache missing a service principal for
specific domains, as demonstrated by testing below:
ubuntu@ip-172-31-11-163:/tmp$ sudo ldbsearch -H ldap://ec2amaz-hg2r0q8.fabio-rg.com --use-krb5-ccache=/tmp/krb5cc_1930801111_oaZ7UR --debug-stdout --debuglevel 20
startlmhosts: Can't open lmhosts file /etc/samba/lmhosts. Error was No such file or directory
Starting GENSEC mechanism spnego
Starting GENSEC submechanism gssapi_krb5
cli_credentials(WORKGROUP\root) without realm, cannot use kerberos for this connection ldap/ec2amaz-hg2r0q8.fabio-rg.com
Failed to start GENSEC client mech gssapi_krb5: NT_STATUS_INVALID_PARAMETER
gensec_spnego_create_negTokenInit_step: Failed to setup SPNEGO negTokenInit request
gensec_update_send: spnego[0x55847edb93d0]: subreq: 0x55847edb9910
gensec_update_done: spnego[0x55847edb93d0]: NT_STATUS_INVALID_PARAMETER tevent_req[0x55847edb9910/../../auth/gensec/spnego.c:1631]: state[3] error[-7963671676338569203 (0x917B5ACDC000000D)] state[struct gensec_spnego_update_state (0x55847edb9ad0)] timer[(nil)] finish[../../auth/gensec/spnego.c:1947]
Failed to bind - LDAP client internal error: NT_STATUS_INVALID_PARAMETER
Failed to connect to 'ldap://ec2amaz-hg2r0q8.fabio-rg.com' with backend 'ldap': LDAP client internal error: NT_STATUS_INVALID_PARAMETER
Failed to connect to ldap://ec2amaz-hg2r0q8.fabio-rg.com - LDAP client internal error: NT_STATUS_INVALID_PARAMETER
Using a fresh kinit works:
ubuntu@ip-172-31-11-163:/tmp$ sudo kinit fabiomirmar@FABIO-RG.COM
Password for fabiomirmar@FABIO-RG.COM:
ubuntu@ip-172-31-11-163:/tmp$ sudo ldbsearch -H ldap://ec2amaz-hg2r0q8.fabio-rg.com --use-krb5-ccache=/tmp/krb5cc_0 --debug-stdout --debuglevel 20
Comparing the credential caches:
ubuntu@ip-172-31-11-163:/tmp$ sudo klist /tmp/krb5cc_0
Ticket cache: FILE:/tmp/krb5cc_0
Default principal: fabiomirmar@FABIO-RG.COM

Valid starting       Expires              Service principal
07/26/23 13:28:03  07/26/23 23:28:03  krbtgt/FABIO-RG.COM@FABIO-RG.COM
	renew until 07/27/23 13:28:01
07/26/23 13:28:41  07/26/23 23:28:03  ldap/ec2amaz-hg2r0q8.fabio-rg.com@FABIO-RG.COM
	renew until 07/27/23 13:28:01

ubuntu@ip-172-31-11-163:/tmp$ sudo klist /tmp/krb5cc_1930801111_oaZ7UR
Ticket cache: FILE:/tmp/krb5cc_1930801111_oaZ7UR
Default principal: fabiomirmar@FABIO-RG.COM

Valid starting       Expires              Service principal
07/26/23 13:16:48  07/26/23 23:16:48  krbtgt/FABIO-RG.COM@FABIO-RG.COM
	renew until 07/27/23 13:16:48
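A small diagnostic that does the comparison above mechanically: it parses klist output and reports whether a cache holds a TGT for the default principal's realm and a service ticket for a given SPN, and whether either has expired. This is an added example, not part of the bug report or of krb5/adsys; the two cache listings are constructed from the klist output above (the TGT in the kinit sample reuses the first cache's expiry for brevity), and the check is an observation about cache contents, not a statement of the bug's root cause.

```python
import re
from datetime import datetime

# Constructed samples modelled on the two klist listings in the report:
# CACHE_PAM is the login-time cache (TGT only), CACHE_KINIT the fresh kinit
# cache that also carries the ldap/ service ticket.
CACHE_PAM = """Ticket cache: FILE:/tmp/krb5cc_1930801111_oaZ7UR
Default principal: fabiomirmar@FABIO-RG.COM
Valid starting       Expires              Service principal
07/26/23 13:16:48  07/26/23 23:16:48  krbtgt/FABIO-RG.COM@FABIO-RG.COM
\trenew until 07/27/23 13:16:48
"""
CACHE_KINIT = CACHE_PAM.replace("krb5cc_1930801111_oaZ7UR", "krb5cc_0") + \
    "07/26/23 13:28:41  07/26/23 23:28:03  ldap/ec2amaz-hg2r0q8.fabio-rg.com@FABIO-RG.COM\n"

TIME_FMT = "%m/%d/%y %H:%M:%S"
# One ticket line: "<valid starting>  <expires>  <service principal>"
TICKET_RE = re.compile(r"^(\d\d/\d\d/\d\d \d\d:\d\d:\d\d)\s+"
                       r"(\d\d/\d\d/\d\d \d\d:\d\d:\d\d)\s+(\S+)$")

def parse_klist(text):
    """Return (default principal, {service principal: expiry}) from klist output."""
    default, tickets = None, {}
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("Default principal:"):
            default = line.split(":", 1)[1].strip()
        elif (m := TICKET_RE.match(line)):
            tickets[m.group(3)] = datetime.strptime(m.group(2), TIME_FMT)
    return default, tickets

def check_ccache(text, service, now_str):
    """List what is missing or stale in this cache for a bind to `service`
    (e.g. 'ldap/host.example'); now_str is in klist's date format.
    An empty list means the cache holds a valid TGT and service ticket."""
    now = datetime.strptime(now_str, TIME_FMT)
    default, tickets = parse_klist(text)
    if not default or "@" not in default:
        # No realm to derive the TGT name from (cf. the "without realm"
        # wording in the ldbsearch debug output).
        return ["default principal missing or has no realm"]
    realm = default.rsplit("@", 1)[1]
    findings = []
    for label, spn in (("TGT", f"krbtgt/{realm}@{realm}"),
                       ("service ticket", service if "@" in service else f"{service}@{realm}")):
        if spn not in tickets:
            findings.append(f"no {label} {spn}")
        elif tickets[spn] <= now:
            findings.append(f"{label} {spn} expired at {tickets[spn]:{TIME_FMT}}")
    return findings
```

Run it against real caches with `klist /tmp/krb5cc_0 | python3 -c '...'` style piping, or feed `subprocess.run(["klist", path], capture_output=True, text=True).stdout` into `check_ccache`.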
** Affects: krb5 (Ubuntu)
Importance: Medium
Assignee: Heitor Alves de Siqueira (halves)
Status: Confirmed
https://bugs.launchpad.net/bugs/2029489