FreeIPA: command-line tools do not work, 'No Kerberos credentials available'

Alex asked:

We have a working FreeIPA installation; it has been in production since February. Almost everything works as expected, but when we try to run command-line FreeIPA-related tools, none of them work:

[[email protected] ~]$ kinit admin
Password for admin@EXAMPLE.COM: 
[[email protected] ~]$ klist
Ticket cache: KEYRING:persistent:8800000
Default principal: admin@EXAMPLE.COM

Valid starting       Expires              Service principal
06/30/2014 21:19:30  07/01/2014 21:19:12  krbtgt/EXAMPLE.COM@EXAMPLE.COM
[[email protected] ~]$ ipa pwpolicy-show global_policy
ipa: ERROR: Kerberos error: ('Unspecified GSS failure.  Minor code may provide more information', 851968)/('No Kerberos credentials available', -1765328243)
[[email protected] ~]$

I’m not a Kerberos expert and don’t really know what to check. How can we debug and resolve this?

Update: when I add -vv I get the following:

[[email protected] ~]$ ipa -vv pwpolicy-show global_policy
ipa: INFO: trying https://ipa.example.com/ipa/xml
ipa: INFO: Forwarding 'pwpolicy_show' to server 'https://ipa.example.com/ipa/xml'
ipa: ERROR: Kerberos error: ('Unspecified GSS failure.  Minor code may provide more information', 851968)/('No Kerberos credentials available', -1765328243)
[[email protected] ~]$

Update 2: the content of /etc/krb5.conf follows:

includedir /var/lib/sss/pubconf/krb5.include.d/

[logging]
 default = FILE:/var/log/krb5libs.log
 kdc = FILE:/var/log/krb5kdc.log
 admin_server = FILE:/var/log/kadmind.log

[libdefaults]
 default_realm = EXAMPLE.COM
 dns_lookup_realm = false
 dns_lookup_kdc = true
 rdns = false
 ticket_lifetime = 24h
 forwardable = yes
 default_ccache_name = KEYRING:persistent:%{uid}

[realms]
 EXAMPLE.COM = {
  kdc = ipa.example.com:88
  master_kdc = ipa.example.com:88
  admin_server = ipa.example.com:749
  default_domain = example.com
  pkinit_anchors = FILE:/etc/ipa/ca.crt
}

[domain_realm]
 .example.com = EXAMPLE.COM
 example.com = EXAMPLE.COM

[dbmodules]
  EXAMPLE.COM = {
    db_library = ipadb.so
  }

Update 3: This is a single-server installation, the distro is Fedora 19 and the FreeIPA version is 3.3.5.

My answer:


The main difference I see in your configuration compared to my live FreeIPA (on Fedora 20) is that I do not use the kernel keyring as a ticket cache.

 default_ccache_name = KEYRING:persistent:%{uid}

My /etc/krb5.conf does not specify this at all, so the default FILE is used. Removing this should get you going again.

As Matthew Ife indicates in a comment, the kernel keyring is more secure and will (eventually) be the way to go, but at the moment it doesn’t appear to be stable enough for production use. You may wish to report this to Fedora as a bug.
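The answer above comes down to which credential cache type a process ends up using. As an added example (not part of the Server Fault question or answer), the POSIX sh script below parses a constructed krb5.conf in the same shape as Alex's, reports the configured and effective credential cache (KRB5CCNAME overrides the config, which overrides MIT krb5's compiled-in FILE:/tmp/krb5cc_<uid> default), and emits the corrected config with the KEYRING line commented out. The sample config, the helper names and the temporary file are assumptions made for this example.

```shell
#!/bin/sh
# Added example, not from the original post: inspect which Kerberos credential
# cache a krb5.conf selects and produce the FILE-based fix the answer describes.
# Needs only POSIX sh, sed, head, id and mktemp, so it runs offline.

# ccache_type NAME -> cache type prefix (KEYRING, FILE, DIR, ...). A bare path
# without a prefix is treated as FILE, which is how libkrb5 interprets it.
ccache_type() {
    case "$1" in
        *:*) printf '%s\n' "${1%%:*}" ;;
        *)   printf 'FILE\n' ;;
    esac
}

# configured_ccache KRB5_CONF -> default_ccache_name from [libdefaults],
# or an empty line when the key is absent (libkrb5 then uses its built-in default).
configured_ccache() {
    sed -n '/^\[libdefaults\]/,/^\[/p' "$1" \
        | sed -n 's/^[[:space:]]*default_ccache_name[[:space:]]*=[[:space:]]*//p' \
        | head -n 1
}

# effective_ccache KRB5_CONF -> the cache a process will actually use:
# KRB5CCNAME wins, then the config, then the compiled-in FILE:/tmp/krb5cc_<uid>.
effective_ccache() {
    if [ -n "${KRB5CCNAME:-}" ]; then
        printf '%s\n' "$KRB5CCNAME"
        return 0
    fi
    conf=$(configured_ccache "$1")
    if [ -n "$conf" ]; then
        printf '%s\n' "$conf"
    else
        printf 'FILE:/tmp/krb5cc_%s\n' "$(id -u)"
    fi
}

# drop_keyring_ccache KRB5_CONF -> the same config with any KEYRING
# default_ccache_name line commented out, so the FILE default applies again.
drop_keyring_ccache() {
    sed 's/^\([[:space:]]*default_ccache_name[[:space:]]*=[[:space:]]*KEYRING:.*\)$/# \1/' "$1"
}

# Constructed sample config (assumption): the relevant part of the poster's krb5.conf.
SAMPLE_CONF=$(mktemp)
cat > "$SAMPLE_CONF" <<'EOF'
[libdefaults]
 default_realm = EXAMPLE.COM
 dns_lookup_kdc = true
 default_ccache_name = KEYRING:persistent:%{uid}

[realms]
 EXAMPLE.COM = {
  kdc = ipa.example.com:88
 }
EOF

# Demonstration run: show what is configured, what is effective, and the fix.
echo "configured default_ccache_name: $(configured_ccache "$SAMPLE_CONF")"
EFFECTIVE=$(effective_ccache "$SAMPLE_CONF")
echo "effective cache: $EFFECTIVE (type $(ccache_type "$EFFECTIVE"))"
echo "--- corrected krb5.conf ---"
drop_keyring_ccache "$SAMPLE_CONF"
```

Run it once as-is and once with `KRB5CCNAME=FILE:/tmp/krb5cc_$(id -u)` exported to see the environment override win; a per-process override like that is a quick way to confirm the cache type is the problem before touching /etc/krb5.conf.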


View the full question and any other answers on Server Fault.

This work is licensed under a Creative Commons Attribution-ShareAlike 3.0 Unported License.