Hi guys! Good news.
On 15 Feb 2021, at 20:11, Rob Crittenden <rcritten@redhat.com> wrote:
Vinícius Ferrão via FreeIPA-users wrote:
Hi Robbie.
On 15 Feb 2021, at 18:45, Robbie Harwood <rharwood@redhat.com> wrote:
Vinícius Ferrão writes:
[10/Feb/2021:23:05:57.501853962 -0300] conn=92 op=1 RESULT err=49 tag=97 nentries=0
etime=0.001927716 - SASL(-1): generic failure: GSSAPI Error: Unspecified GSS failure.
Minor code may provide more information (Cannot create replay cache file
/var/tmp/ldap_389: Operation not permitted)
Well, this looks suspicious. Any idea why it can't create that?
SELinux maybe?
I was suspecting SELinux too, so I issued setenforce 0 to check if it would work, but
no success either.
What is the mode of /var/tmp?
:)
You figured out.
For a reason that I don’t know yet - you’ll try to discover why this happened - /var/tmp was
owned (UID and GID) by a random user:
[root@neumann2 ~]# ls -l /var | grep tmp
drwxrwxrwt. 7 depaula depaula 4096 Feb 15 21:21 tmp
Since the sticky bit is enabled, we got some bizarre things like this:
[root@neumann2 ~]# ls -l /var/tmp/
total 12
-rw-------. 1 root root 6 Feb 6 11:21 host_0
-rw-------. 1 root root 6 Feb 9 19:42 kadmin_0
-rw-------. 1 depaula depaula 2738 Feb 2 08:36 ldap_389
So yeah. February 2nd matches the start of the issue.
I’ve immediately stopped IPA, removed the files, fixed the permissions, reverted back my
/etc/named.conf hack and IPA started without any apparent issue.
I was able to properly issue commands after kinit’ing as admin.
Guys, thank you so much. It’s really good to have help from smart guys. Thanks!!!
Best regards,
Vinicius
PS: Just to confirm:
[root@neumann2 ~]# ipa user-find | head
----------------
74 users matched
----------------
User login: admin
Last name: Administrator
Home directory: /home/admin
Login shell: /bin/bash
Principal alias: admin@CLUSTER.CETENE.GOV.BR
UID: 917400000
GID: 917400000
rob
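A quick check for the condition diagnosed in this thread (a world-writable, sticky /var/tmp that is no longer owned by root, and GSSAPI replay cache files owned by the wrong account), added here as an example; it is not code posted by anyone in the thread. It assumes GNU coreutils (`stat -c`); which account should own each replay cache file depends on the service that writes it (the thread shows host_0 and kadmin_0 owned by root), so the list of acceptable owners is passed in as an argument.

```shell
#!/bin/sh
# Added example, not from the thread. Assumes GNU stat (-c format strings).

# check_tmp_dir DIR OWNER
# Returns 0 if DIR exists, is owned by OWNER and has mode 1777 (drwxrwxrwt);
# otherwise prints what differs and returns 1. On the host in the thread,
# check_tmp_dir /var/tmp root would have reported "owner is depaula".
check_tmp_dir() {
    dir=$1; want_owner=$2
    [ -d "$dir" ] || { echo "$dir: missing or not a directory"; return 1; }
    owner=$(stat -c '%U' "$dir")
    mode=$(stat -c '%a' "$dir")
    status=0
    if [ "$owner" != "$want_owner" ]; then
        echo "$dir: owner is $owner, expected $want_owner"; status=1
    fi
    if [ "$mode" != "1777" ]; then
        echo "$dir: mode is $mode, expected 1777"; status=1
    fi
    return $status
}

# foreign_rcache DIR "OWNER1 OWNER2 ..."
# Lists replay cache files (host_*, ldap_*, kadmin_*) in DIR whose owner is
# not in the space-separated allow list; returns 1 if any were found.
# Because of the sticky bit, a file like ldap_389 owned by an unrelated user
# cannot be replaced by the service that needs it, which is the failure
# behind the "Cannot create replay cache file" GSSAPI error in the log.
foreign_rcache() {
    dir=$1; allowed=" $2 "
    status=0
    for f in "$dir"/host_* "$dir"/ldap_* "$dir"/kadmin_*; do
        [ -f "$f" ] || continue            # unmatched glob stays literal; skip
        owner=$(stat -c '%U' "$f")
        case "$allowed" in
            *" $owner "*) ;;               # owner is on the allow list
            *) echo "$f: owned by $owner, not in: $2"; status=1 ;;
        esac
    done
    return $status
}
```

Run as `check_tmp_dir /var/tmp root; foreign_rcache /var/tmp "root dirsrv"` (adjust the allow list to the accounts your services actually run as).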