Vinícius Ferrão wrote:
Hi guys! Good news.
> On 15 Feb 2021, at 20:11, Rob Crittenden <rcritten@redhat.com> wrote:
>
> Vinícius Ferrão via FreeIPA-users wrote:
>> Hi Robbie.
>>
>>> On 15 Feb 2021, at 18:45, Robbie Harwood <rharwood@redhat.com> wrote:
>>>
>>> Vinícius Ferrão writes:
>>>
>>>> [10/Feb/2021:23:05:57.501853962 -0300] conn=92 op=1 RESULT err=49
>>>> tag=97 nentries=0 etime=0.001927716 - SASL(-1): generic failure:
>>>> GSSAPI Error: Unspecified GSS failure. Minor code may provide more
>>>> information (Cannot create replay cache file /var/tmp/ldap_389:
>>>> Operation not permitted)
>>>
>>> Well, this looks suspicious. Any idea why it can't create that?
>>> SELinux maybe?
>>
>> I was suspecting SELinux too, so I issued setenforce 0 to check
>> if it would work, but no success either.
>
> What is the mode of /var/tmp?
:)
You figured it out.
For a reason I don't know yet (I'll try to discover why this
happened), /var/tmp had the UID and GID of a random user:
[root@neumann2 ~]# ls -l /var | grep tmp
drwxrwxrwt. 7 depaula depaula 4096 Feb 15 21:21 tmp
Since the sticky bit is enabled, we got some bizarre things like this:
[root@neumann2 ~]# ls -l /var/tmp/
total 12
-rw-------. 1 root root 6 Feb 6 11:21 host_0
-rw-------. 1 root root 6 Feb 9 19:42 kadmin_0
-rw-------. 1 depaula depaula 2738 Feb 2 08:36 ldap_389
So yeah. February 2nd matches the start of the issue.
I’ve immediately stopped IPA, removed the files, fixed the permissions,
reverted back my /etc/named.conf hack and IPA started without any
apparent issue.
I was able to properly issue commands after kinit’ing as admin.
Guys, thank you so much. It’s really good to have help from smart guys.
Awesome, great news. Glad you got it working and thanks for closing the
loop.
rob
Thanks!!!
Best regards,
Vinicius
PS: Just to confirm:
[root@neumann2 ~]# ipa user-find | head
----------------
74 users matched
----------------
User login: admin
Last name: Administrator
Home directory: /home/admin
Login shell: /bin/bash
Principal alias: admin@CLUSTER.CETENE.GOV.BR
UID: 917400000
GID: 917400000
>
> rob
>
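The diagnosis in this thread (a root-owned, sticky-bit /var/tmp that had ended up owned by an ordinary user, leaving a replay-cache file the service could no longer replace) can be turned into a quick audit. The script below is an added example written for this page, not code from the thread or from the FreeIPA project. It assumes the MIT krb5 convention that the default replay cache is named `<service>_<euid>` inside the rcache directory (matching the `host_0`, `kadmin_0` and `ldap_389` files shown above), that the directory should be root-owned with mode 1777, and that GNU `stat -c` is available. The function names `check_rcache_files` and `check_rcache_dir` are the example's own.

```shell
#!/bin/sh
# Added example, not code from the thread: audit a Kerberos replay-cache
# directory for the two conditions diagnosed above.
#
# Assumptions (labelled): MIT krb5 names its default replay cache
# <service>_<euid> under the rcache directory; that directory is normally
# root-owned with mode 1777. With the sticky bit set, a service running as
# uid N cannot replace <service>_N if another user owns the file, which is
# the "Cannot create replay cache file" failure seen in the thread.
# Requires GNU stat (-c).

# Report replay-cache files whose owning uid does not match the _<euid>
# suffix in their name. Returns 0 when every file is consistent, 1 otherwise.
check_rcache_files() {
    dir="$1"
    status=0
    for f in "$dir"/*_[0-9]*; do
        [ -f "$f" ] || continue
        name=$(basename "$f")
        want_uid=${name##*_}                 # euid encoded in the file name
        case "$want_uid" in
            *[!0-9]*) continue ;;            # not a <service>_<euid> name
        esac
        have_uid=$(stat -c '%u' "$f")        # uid that actually owns it
        if [ "$want_uid" != "$have_uid" ]; then
            echo "BAD: $f owned by uid $have_uid, expected uid $want_uid"
            status=1
        fi
    done
    return $status
}

# Report a replay-cache directory that is not root-owned with mode 1777.
# Returns 0 when ownership and mode are as expected, 1 otherwise.
check_rcache_dir() {
    dir="$1"
    owner=$(stat -c '%u' "$dir") || return 1
    mode=$(stat -c '%a' "$dir") || return 1
    status=0
    if [ "$owner" != "0" ]; then
        echo "BAD: $dir owned by uid $owner, expected root (uid 0)"
        status=1
    fi
    if [ "$mode" != "1777" ]; then
        echo "BAD: $dir mode is $mode, expected 1777"
        status=1
    fi
    return $status
}

# Stand-alone usage: sh audit_rcache.sh --run   (audits /var/tmp, as in the thread)
if [ "${1:-}" = "--run" ]; then
    check_rcache_dir /var/tmp
    check_rcache_files /var/tmp
fi
```

Run as root with `--run` to audit `/var/tmp` on a FreeIPA server; a `BAD:` line for `ldap_389` owned by some other uid, or for the directory itself not being root-owned, is exactly the state described above. Fixing it is the same sequence the thread used: stop the service, remove the stale cache file, restore `root:root` and mode `1777` on the directory, and start the service again.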