hi would you know if normal is below from ipa * commands, before kinit is done?: ipa: ERROR: Major (851968): Unspecified GSS failure.  Minor code may provide more information, Minor (2529638943): Decrypt integrity check failed I remember before, tools would silently execute if a ticket was not there, but do not recall errors like above.

On 10/01/18 12:42, Alexander Bokovoy via FreeIPA-users wrote: >On ke, 10 tammi 2018, lejeczek via FreeIPA-users wrote: >>hi >> >>would you know if normal is below from ipa * commands, before >>kinit is done?: >> >>ipa: ERROR: Major (851968): Unspecified GSS failure.  Minor code >>may provide more information, Minor (2529638943): Decrypt >>integrity check failed >> >>I remember before, tools would silently execute if a ticket was >>not there, but do not recall errors like above. >This is basically a Kerberos way to say 'your password is not the >same >as KDC thinks it is'. Somebody did run ipa-getkeytab on the entry? > > Could it be due to failure of auth-rpcgss-module.service to start? In LXC without a small tweak auth-rpcgss-module.service fails.

On 10/01/18 13:53, Alexander Bokovoy wrote: >On ke, 10 tammi 2018, lejeczek via FreeIPA-users wrote: >> >> >>On 10/01/18 12:42, Alexander Bokovoy via FreeIPA-users wrote: >>>On ke, 10 tammi 2018, lejeczek via FreeIPA-users wrote: >>>>hi >>>> >>>>would you know if normal is below from ipa * commands, before >>>>kinit is done?: >>>> >>>>ipa: ERROR: Major (851968): Unspecified GSS failure.  Minor >>>>code may provide more information, Minor (2529638943): Decrypt >>>>integrity check failed >>>> >>>>I remember before, tools would silently execute if a ticket >>>>was not there, but do not recall errors like above. >>>This is basically a Kerberos way to say 'your password is not >>>the same >>>as KDC thinks it is'. Somebody did run ipa-getkeytab on the >>>entry? >>> >>> >>Could it be due to failure of auth-rpcgss-module.service to start? >>In LXC without a small tweak auth-rpcgss-module.service fails. >I don't think so. Can you give more logs and context to understand >where >this comes from? Nope, like you thought, I also see it on a newly installed 4.5.0. on a bare metal. I'm on Centos 7.4 Gee.. not much context, like a say, new IPA and when I execute ipa commands I see that error. $ ipa topologysegment-find ipa: ERROR: Major (851968): Unspecified GSS failure.  Minor code may provide more information, Minor (2529638943): Decrypt integrity check failed And on that new installations, lifetime of a ticket feels weirdly short. I do kinit two 2 minutes later (I do nothing, no other human is, on the system) I get the same error again. This is all locally via ssh on the server. Feel free to tell me what info, logs to get you.

On 10/01/18 15:14, Alexander Bokovoy wrote: >On ke, 10 tammi 2018, lejeczek via FreeIPA-users wrote: >> >> >>On 10/01/18 13:53, Alexander Bokovoy wrote: >>>On ke, 10 tammi 2018, lejeczek via FreeIPA-users wrote: >>>> >>>> >>>>On 10/01/18 12:42, Alexander Bokovoy via FreeIPA-users wrote: >>>>>On ke, 10 tammi 2018, lejeczek via FreeIPA-users wrote: >>>>>>hi >>>>>> >>>>>>would you know if normal is below from ipa * commands, >>>>>>before kinit is done?: >>>>>> >>>>>>ipa: ERROR: Major (851968): Unspecified GSS failure. Minor >>>>>>code may provide more information, Minor (2529638943): >>>>>>Decrypt integrity check failed >>>>>> >>>>>>I remember before, tools would silently execute if a >>>>>>ticket was not there, but do not recall errors like above. >>>>>This is basically a Kerberos way to say 'your password is >>>>>not the same >>>>>as KDC thinks it is'. Somebody did run ipa-getkeytab on the >>>>>entry? >>>>> >>>>> >>>>Could it be due to failure of auth-rpcgss-module.service to >>>>start? >>>>In LXC without a small tweak auth-rpcgss-module.service fails. >>>I don't think so. Can you give more logs and context to >>>understand where >>>this comes from? >> >>Nope, like you thought, I also see it on a newly installed 4.5.0. >>on a bare metal. I'm on Centos 7.4 >>Gee.. not much context, like a say, new IPA and when I execute ipa >>commands I see that error. >> >>$ ipa topologysegment-find >>ipa: ERROR: Major (851968): Unspecified GSS failure.  Minor code >>may provide more information, Minor (2529638943): Decrypt >>integrity check failed >> >>And on that new installations, lifetime of a ticket feels weirdly >>short. I do kinit two 2 minutes later (I do nothing, no other >>human is, on the system) I get the same error again. This is all >>locally via ssh on the server. >>Feel free to tell me what info, logs to get you. >So, let's start with me understanding your workflow: >1. You ssh into a host >2. You run 'ipa ...' commands > >Right? > >Could you show 'klist' after ssh into the host? >If there is no ticket, you need to obtain one, so kinit is due >before >you'd run any 'ipa' command. > >Can you provide output of: > > klist > ipa user-show $user > klist > Right, ssh to ipa server. I wonder if all this has something to do directly with the fact that I also have IPAs in LXC(specifically two) containers on the same IPA host/server. When I now have turned LXC down I see still that ticket exits. I'll now try start LXCx again.... in LXC(with network thus also via ssh) I do the same: just ssh in and: # ipa host-find ipa: ERROR: Major (851968): Unspecified GSS failure.  Minor code may provide more information, Minor (2529638943): Decrypt integrity check failed on the HOST ticket is still okey, I do in LXC [root@lxc-ipa1-swir ~]# kinit admin and back on the HOST: $ ipa host-find ipa: ERROR: Major (851968): Unspecified GSS failure.  Minor code may provide more information, Minor (2529638943): Decrypt integrity check failed Is this just a coincidence? Is something here breaks out of lxc container? That might be very interesting for devel to investigate, as much as might be puzzling, well, is to me. Should be easy to reproduce, right? ..back on the HOST: $ kinit admin and in lxc: # ipa host-find ipa: ERROR: Major (851968): Unspecified GSS failure.  Minor code may provide more information, Minor (2529638943): Decrypt integrity check failed