Kerberos credential cache missing service principal after installing adsys

Bug #2029489 reported by Heitor Alves de Siqueira
Affects: krb5 (Ubuntu) | Status: Confirmed | Importance: Medium | Assigned to: Heitor Alves de Siqueira | Milestone: (none)

Bug Description

After installing adsys, login using a domain user fails. This seems to be related to the credential cache missing a service principal for specific domains, as demonstrated by testing below:

ubuntu@ip-172-31-11-163:/tmp$ sudo ldbsearch -H ldap://ec2amaz-hg2r0q8.fabio-rg.com --use-krb5-ccache=/tmp/krb5cc_1930801111_oaZ7UR --debug-stdout --debuglevel 20

startlmhosts: Can't open lmhosts file /etc/samba/lmhosts. Error was No such file or directory
Starting GENSEC mechanism spnego
Starting GENSEC submechanism gssapi_krb5
cli_credentials(WORKGROUP\root) without realm, cannot use kerberos for this connection ldap/ec2amaz-hg2r0q8.fabio-rg.com
Failed to start GENSEC client mech gssapi_krb5: NT_STATUS_INVALID_PARAMETER
gensec_spnego_create_negTokenInit_step: Failed to setup SPNEGO negTokenInit request
gensec_update_send: spnego[0x55847edb93d0]: subreq: 0x55847edb9910
gensec_update_done: spnego[0x55847edb93d0]: NT_STATUS_INVALID_PARAMETER tevent_req[0x55847edb9910/../../auth/gensec/spnego.c:1631]: state[3] error[-7963671676338569203 (0x917B5ACDC000000D)] state[struct gensec_spnego_update_state (0x55847edb9ad0)] timer[(nil)] finish[../../auth/gensec/spnego.c:1947]
Failed to bind - LDAP client internal error: NT_STATUS_INVALID_PARAMETER
Failed to connect to 'ldap://ec2amaz-hg2r0q8.fabio-rg.com' with backend 'ldap': LDAP client internal error: NT_STATUS_INVALID_PARAMETER
Failed to connect to ldap://ec2amaz-hg2r0q8.fabio-rg.com - LDAP client internal error: NT_STATUS_INVALID_PARAMETER

Using a fresh kinit works:

ubuntu@ip-172-31-11-163:/tmp$ sudo kinit <email address hidden>
Password for <email address hidden>:

ubuntu@ip-172-31-11-163:/tmp$ sudo ldbsearch -H ldap://ec2amaz-hg2r0q8.fabio-rg.com --use-krb5-ccache=/tmp/krb5cc_0 --debug-stdout --debuglevel 20

Comparing the credential caches:

ubuntu@ip-172-31-11-163:/tmp$ sudo klist /tmp/krb5cc_0
Ticket cache: FILE:/tmp/krb5cc_0
Default principal: <email address hidden>

Valid starting Expires Service principal
07/26/23 13:28:03 07/26/23 23:28:03 <email address hidden>
 renew until 07/27/23 13:28:01
07/26/23 13:28:41 07/26/23 23:28:03 <email address hidden>
 renew until 07/27/23 13:28:01

ubuntu@ip-172-31-11-163:/tmp$ sudo klist /tmp/krb5cc_1930801111_oaZ7UR
Ticket cache: FILE:/tmp/krb5cc_1930801111_oaZ7UR
Default principal: <email address hidden>

Valid starting Expires Service principal
07/26/23 13:16:48 07/26/23 23:16:48 <email address hidden>
 renew until 07/27/23 13:16:48

Sam Hartman (hartmans) wrote : Re: [Bug 2029489] [NEW] Kerberos credential cache missing service principal after installing adsys

I think you'll find that the missing service principal is a symptom, not
a cause.
In particular, if you run klist after kinit but before the ldapsearch,
you'll find that the service principal is created by the ldapsearch
call (when it works).

You're going to need better debugging out of the spnego mechanism you
are using to figure out what's going wrong.

--Sam
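The check suggested above (klist the cache before and after the LDAP bind, and diff the service principals between a working and a failing cache) can be scripted so the comparison is reproducible. The following is an added example, not code from the bug report, adsys or Samba: it parses klist output for the service-principal column and reports which service tickets one cache has that the other lacks. The klist listings embedded below are constructed samples with placeholder principals (user@EXAMPLE.COM, dc1.example.com); point the functions at real `klist` output to use them.

```shell
#!/bin/sh
# Added example (not from the bug report): compare service principals across
# Kerberos credential caches. The ldap/ service ticket is only requested when
# a client actually binds, so a cache that never completed a bind will lack it.
#
# Live usage (assumption: standard MIT klist):
#   before=$(klist -c /tmp/krb5cc_0)
#   ldbsearch -H ldap://dc1.example.com --use-krb5-ccache=/tmp/krb5cc_0 ...
#   after=$(klist -c /tmp/krb5cc_0)
#   missing_services "$after" "$before"   # prints what the bind added

# Print the service principal of every ticket in klist output passed as $1.
# Ticket rows start with a date (mm/dd/yy); "renew until" rows are skipped.
service_principals() {
    printf '%s\n' "$1" | awk '
        /^Valid starting/ { in_table = 1; next }
        in_table && NF >= 5 && $1 ~ /^[0-9][0-9]*\/[0-9][0-9]*\/[0-9][0-9]*$/ { print $5 }
    '
}

# Number of tickets in the klist output passed as $1.
count_services() {
    service_principals "$1" | wc -l | tr -d ' '
}

# Exit 0 if the klist output in $1 contains a ticket for service principal $2.
has_service() {
    service_principals "$1" | grep -qxF -- "$2"
}

# Print each service principal present in the reference listing ($1) but
# absent from the listing under test ($2).
missing_services() {
    have=$(service_principals "$2")
    service_principals "$1" | while IFS= read -r p; do
        printf '%s\n' "$have" | grep -qxF -- "$p" || printf '%s\n' "$p"
    done
}

# Constructed sample: a cache after a successful kinit + LDAP bind.
CCACHE_FRESH='Ticket cache: FILE:/tmp/krb5cc_0
Default principal: user@EXAMPLE.COM

Valid starting       Expires              Service principal
07/26/23 13:28:03  07/26/23 23:28:03  krbtgt/EXAMPLE.COM@EXAMPLE.COM
	renew until 07/27/23 13:28:01
07/26/23 13:28:41  07/26/23 23:28:03  ldap/dc1.example.com@EXAMPLE.COM
	renew until 07/27/23 13:28:01'

# Constructed sample: a cache populated at login, with only the TGT.
CCACHE_LOGIN='Ticket cache: FILE:/tmp/krb5cc_1930801111_oaZ7UR
Default principal: user@EXAMPLE.COM

Valid starting       Expires              Service principal
07/26/23 13:16:48  07/26/23 23:16:48  krbtgt/EXAMPLE.COM@EXAMPLE.COM
	renew until 07/27/23 13:16:48'

echo "Service tickets present in the working cache but not the login cache:"
missing_services "$CCACHE_FRESH" "$CCACHE_LOGIN"
```

Run the comparison twice on the same cache, once before the bind and once after it, to confirm the point made above: a TGT-only cache is the normal state before any service is contacted, and the ldap/ entry should appear only once a bind has completed.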
