Hi
Environment: RHEL 7.5, ipa-server-4.5.4-10.el7.x86_64
Part of our IPA backup strategy is to take ASCII dumps of various tables every night using commands like 'ipa user-find --all --preserved=false' with output redirected to a file.
We run a cron job which first gets a keytab for an ipa user and then runs several ipa commands to dump the tables.
Every so often we are seeing (apparently at random) failures of one of the ipa commands early on in the script (usually the first or the second one). The rest of the commands then succeed.
I'm appending some debug output from the script at the end of this message.
In the httpd access_log on the server at the relevant time there is:
[Wed Jun 13 21:30:04.437056 2018] [:error] [pid 29635] ipa: INFO: 401 Unauthorized: Insufficient access: SASL(-1): generic failure: GSSAPI Error: The referenced context has expired (Success)
This used to work reliably until the update to RHEL 7.4.
I'd appreciate any thoughts on what might be causing this or where to look for further diagnostics.
Thanks.
Roderick Johnstone
Here is the debug output:
Attempting kinit
Status is 0
Attempting non-preserved user dump: ** First try
Status is 0
Attempting non-preserved user dump: ** Second try
ipa: ERROR: ResponseNotReady:
Traceback (most recent call last):
  File "/usr/lib/python2.7/site-packages/ipalib/cli.py", line 1359, in run
    sys.exit(api.Backend.cli.run(argv))
  File "/usr/lib/python2.7/site-packages/ipalib/cli.py", line 1109, in run
    self.create_context()
  File "/usr/lib/python2.7/site-packages/ipalib/backend.py", line 127, in create_context
    self.Backend.rpcclient.connect()
  File "/usr/lib/python2.7/site-packages/ipalib/backend.py", line 66, in connect
    conn = self.create_connection(*args, **kw)
  File "/usr/lib/python2.7/site-packages/ipalib/rpc.py", line 1034, in create_connection
    command([], {})
  File "/usr/lib/python2.7/site-packages/ipalib/rpc.py", line 1246, in _call
    return self.__request(name, args)
  File "/usr/lib/python2.7/site-packages/ipalib/rpc.py", line 1213, in __request
    verbose=self.__verbose >= 3,
  File "/usr/lib64/python2.7/xmlrpclib.py", line 1273, in request
    return self.single_request(host, handler, request_body, verbose)
  File "/usr/lib/python2.7/site-packages/ipalib/rpc.py", line 687, in single_request
    response = h.getresponse(buffering=True)
  File "/usr/lib64/python2.7/httplib.py", line 1101, in getresponse
    raise ResponseNotReady()
ResponseNotReady
ipa: ERROR: an internal error has occurred
Status is 1
Attempting preserved user dump
Status is 0
Attempting group dump
Status is 0
...
Roderick Johnstone via FreeIPA-users freeipa-users@lists.fedorahosted.org writes:
> [Wed Jun 13 21:30:04.437056 2018] [:error] [pid 29635] ipa: INFO: 401 Unauthorized: Insufficient access: SASL(-1): generic failure: GSSAPI Error: The referenced context has expired (Success)
This depends slightly on what SASL was trying to do at the time, but basically, each GSSAPI context has a time for which it is valid. This is tied to credential lifetime (akin to ticket lifetime in Kerberos).
It's specific to the application's credentials, which means it's a problem on the server. I can't really speak to why the server is keeping contexts around too long, though.
Thanks, --Robbie
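One way to follow up on the server side is to group the expired-context 401s by httpd worker pid and see whether the same process keeps producing them. This is an added example, not code from the thread or from FreeIPA; the function names are hypothetical, the sample log lines are constructed in the format quoted above, and the idea that a stale context stays with one long-running worker is an assumption to test, not a confirmed cause.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample lines, modelled on the httpd log line quoted in the thread.
SAMPLE_LOG = """\
[Wed Jun 13 21:30:04.437056 2018] [:error] [pid 29635] ipa: INFO: 401 Unauthorized: Insufficient access: SASL(-1): generic failure: GSSAPI Error: The referenced context has expired (Success)
[Wed Jun 13 21:30:09.112233 2018] [:error] [pid 29636] ipa: INFO: constructed unrelated message
[Thu Jun 14 21:30:03.901200 2018] [:error] [pid 29635] ipa: INFO: 401 Unauthorized: Insufficient access: SASL(-1): generic failure: GSSAPI Error: The referenced context has expired (Success)
[Thu Jun 14 21:30:05.000001 2018] [:error] [pid 30112] ipa: INFO: 401 Unauthorized: constructed other reason
this line does not follow the log format at all
"""

# [timestamp] [module:level] [pid N] message
LINE_RE = re.compile(
    r"^\[(?P<ts>[A-Z][a-z]{2} [A-Z][a-z]{2} +\d{1,2} "
    r"\d{2}:\d{2}:\d{2}\.\d{6} \d{4})\] "
    r"\[[^\]]*\] \[pid (?P<pid>\d+)\] (?P<msg>.*)$"
)
EXPIRED = "GSSAPI Error: The referenced context has expired"
TS_FORMAT = "%a %b %d %H:%M:%S.%f %Y"


def expired_context_events(log_text):
    """Return {pid: [datetime, ...]} for 401s caused by an expired GSSAPI context."""
    events = defaultdict(list)
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m or EXPIRED not in m.group("msg"):
            continue  # malformed line or a different message
        when = datetime.strptime(m.group("ts"), TS_FORMAT)
        events[int(m.group("pid"))].append(when)
    return dict(events)


def repeat_offenders(events, min_hits=2):
    """PIDs that logged the error at least min_hits times."""
    return sorted(pid for pid, hits in events.items() if len(hits) >= min_hits)


if __name__ == "__main__":
    found = expired_context_events(SAMPLE_LOG)
    for pid, hits in sorted(found.items()):
        print(pid, [h.isoformat() for h in hits])
    print("repeat pids:", repeat_offenders(found))
```

Run against the real log, the timestamps per pid can be lined up with the cron job's start time and the lifetime of the ticket obtained by kinit.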