gssapi.raw.misc.GSSError: Major (851968): Unspecified GSS failure. Minor code may provide more information, Minor (2529638972): KDC returned error string: FINDING_SERVER_KEY
Environment
- Red Hat Enterprise Linux 9
- Red Hat Enterprise Linux 8
- IPA server
Issue
Running any IPA command on the IPA server fails with the following error:
ipa: DEBUG: Loading Index file from '/var/lib/ipa-client/sysrestore/sysrestore.index'
ipa: DEBUG: Loading StateFile from '/var/lib/ipa-client/sysrestore/sysrestore.state'
ipa: DEBUG: Loading StateFile from '/var/lib/ipa-client/sysrestore/sysrestore.state'
ipa: DEBUG: failed to find session_cookie in persistent storage for principal 'admin@IDM.EXAMPLE.COM'
ipa: DEBUG: trying https://ipaserver.idm.example.com/ipa/json
ipa: DEBUG: New HTTP connection (ipaserver.idm.example.com)
ipa: DEBUG: HTTP connection destroyed (ipaserver.idm.example.com)
Traceback (most recent call last):
File "/usr/lib/python3.6/site-packages/ipaclient/remote_plugins/__init__.py", line 120, in get_package
plugins = api._remote_plugins
AttributeError: 'API' object has no attribute '_remote_plugins'
During handling of the above exception, another exception occurred:
Traceback (most recent call last):
File "/usr/lib/python3.6/site-packages/ipalib/rpc.py", line 644, in get_auth_info
response = self._sec_context.step()
File "<decorator-gen-15>", line 2, in step
File "/usr/lib64/python3.6/site-packages/gssapi/_utils.py", line 167, in check_last_err
return func(self, *args, **kwargs)
File "<decorator-gen-5>", line 2, in step
File "/usr/lib64/python3.6/site-packages/gssapi/_utils.py", line 127, in catch_and_return_token
return func(self, *args, **kwargs)
File "/usr/lib64/python3.6/site-packages/gssapi/sec_contexts.py", line 521, in step
return self._initiator_step(token=token)
File "/usr/lib64/python3.6/site-packages/gssapi/sec_contexts.py", line 542, in _initiator_step
token)
File "gssapi/raw/sec_contexts.pyx", line 244, in gssapi.raw.sec_contexts.init_sec_context
gssapi.raw.misc.GSSError: Major (851968): Unspecified GSS failure. Minor code may provide more information, Minor (2529638972): KDC returned error string: FINDING_SERVER_KEY
Resolution
- On the broken system, generate a new key and keytab for the HTTP service principal, using a working replica as the server. ipa-getkeytab without -r creates a new key and stores it in the KDC database on the server it contacts, so any other copy of the keytab for this principal becomes invalid.
Note! In the commands below, ipaserver-2 is a working replica and ipaserver-1 is the broken one.
# ipa-getkeytab -s ipaserver-2.idm.example.com -p HTTP/ipaserver-1.idm.example.com -k /var/lib/ipa/gssproxy/http.keytab -D 'cn=Directory Manager' -W
- On ipaserver-2, validate that the key was generated (Number of keys must now be greater than 0):
# kadmin.local getprinc HTTP/ipaserver-1.idm.example.com | grep -i key
- Wait for replication to complete, then on ipaserver-1 check that the key now exists in the local KDC database:
# kadmin.local getprinc HTTP/ipaserver-1.idm.example.com | grep -i key
- Then validate the new keytab against the KDC by obtaining a ticket with it:
# KRB5_TRACE=/dev/stderr kinit -kt /var/lib/ipa/gssproxy/http.keytab HTTP/ipaserver-1.idm.example.com@IDM.EXAMPLE.COM
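The recovery steps above wrapped into one script, as an added example that is not part of the Red Hat solution: it regenerates the HTTP key against the working replica, polls the local KDC until the key has replicated, then proves the new keytab works with kinit. Hostnames, realm, principal and keytab path are the article's; the retry count, polling interval, scratch credential cache and the kadmin.local sample output are assumptions constructed for this example.

```bash
#!/bin/bash
# Added example, not part of the Red Hat solution: wraps the recovery steps above.
# Hostnames, realm and keytab path are taken from the article; the polling interval,
# retry count and the temporary credential cache are assumptions of this example.
set -u

REALM="IDM.EXAMPLE.COM"
BROKEN="ipaserver-1.idm.example.com"   # server whose KDC returns FINDING_SERVER_KEY
GOOD="ipaserver-2.idm.example.com"     # working replica used to generate the new key
PRINC="HTTP/${BROKEN}"
KEYTAB="/var/lib/ipa/gssproxy/http.keytab"
CCACHE="FILE:/tmp/http-key-check.cc"   # assumed scratch cache so the admin ccache is left alone

# Extract N from the "Number of keys: N" line of kadmin.local getprinc output.
# Prints 0 when the line is absent so callers can always compare numerically.
key_count() {
    local n
    n=$(printf '%s\n' "$1" | sed -n 's/^Number of keys: \([0-9][0-9]*\).*/\1/p' | head -n1)
    printf '%s\n' "${n:-0}"
}

# Return 0 only when the local KDC database holds at least one key for $PRINC.
kdc_has_key() {
    local n
    n=$(key_count "$(kadmin.local getprinc "$PRINC" 2>/dev/null)")
    [ "$n" -gt 0 ]
}

# Poll the local KDC until the regenerated key has replicated from $GOOD, or give up.
wait_for_replication() {
    local tries interval
    tries=${1:-30}
    interval=${2:-10}
    while [ "$tries" -gt 0 ]; do
        kdc_has_key && return 0
        sleep "$interval"
        tries=$((tries - 1))
    done
    return 1
}

# Full procedure; run as root on the broken server.
recover_http_key() {
    # 1. Generate a new key against the working replica and write the keytab locally.
    ipa-getkeytab -s "$GOOD" -p "$PRINC" -k "$KEYTAB" -D 'cn=Directory Manager' -W || return 1
    # 2. Wait until the new key is visible in this server's own KDC database.
    if ! wait_for_replication 30 10; then
        echo "key for $PRINC has not replicated to $(hostname) yet" >&2
        return 1
    fi
    # 3. Prove the keytab matches the KDC by obtaining a TGT with it, then discard the cache.
    KRB5_TRACE=/dev/stderr kinit -c "$CCACHE" -kt "$KEYTAB" "${PRINC}@${REALM}" || return 1
    kdestroy -c "$CCACHE"
    echo "HTTP key for $BROKEN restored, Number of keys: $(key_count "$(kadmin.local getprinc "$PRINC")")"
}

# Constructed sample outputs (not captured from a real system) to exercise key_count offline.
SAMPLE_BROKEN='Principal: HTTP/ipaserver-1.idm.example.com@IDM.EXAMPLE.COM
Number of keys: 0
MKey: vno 1'
SAMPLE_HEALTHY='Principal: HTTP/ipaserver-1.idm.example.com@IDM.EXAMPLE.COM
Number of keys: 2
Key: vno 3, aes256-cts-hmac-sha1-96
Key: vno 3, aes128-cts-hmac-sha1-96
MKey: vno 1'

# Only run the key-rotating procedure when explicitly asked; otherwise just define the functions.
if [ "${1-}" = "--run" ]; then
    recover_http_key
fi
```

Run it as root on the broken server with `--run`; without the flag it only defines the functions, so `key_count` can be checked against the constructed samples before anything touches the KDC.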
Root Cause
The Kerberos key for the HTTP service principal of ipaserver-1.idm.example.com is missing from the KDC database (kadmin.local getprinc reports Number of keys: 0), so when a client requests a service ticket for HTTP/ipaserver-1.idm.example.com the KDC cannot look up the server key and returns FINDING_SERVER_KEY. The keytab on that server (/var/lib/ipa/gssproxy/http.keytab) is correspondingly missing or stale. Generating a new key with ipa-getkeytab restores the key in the KDC database and writes the keytab in one step.
Diagnostic Steps
- Check whether the KDC database has a key for HTTP/ipaserver-1.idm.example.com:
# kadmin.local getprinc HTTP/ipaserver-1.idm.example.com | grep -i key
Number of keys: 0 <-----
MKey: vno 1
This solution is part of Red Hat’s fast-track publication program, providing a huge library of solutions that Red Hat engineers have created while supporting our customers. To give you the knowledge you need the instant it becomes available, these articles may be presented in a raw and unedited form.