[Freeipa-users] GSSAPI Failure

Dmitri Pal dpal at redhat.com
Wed Nov 12 14:45:30 UTC 2008


Konstantin,

Would it be a fair assumption to say that kinit and direct 
authentication work fine but GSSAPI-based Kerberos auth does not?
Is it happening on one machine or all machines?

I have seen a similar situation in another product, and the cause of the 
problem was missing or outdated packages for SASL methods.
Can it be the case?

Thanks
Dmitri

Konstantin Kozlov wrote:
> Hello,
>
> So I ran out of ideas for where to look for errors. I've got the GSSAPI 
> error with ipa tools and ldap tools.
>
> [root@ipaserver ~]# ipa-finduser admin
> Connection to database failed: Invalid credentials: SASL(-13): 
> authentication failure: GSSAPI Failure: gss_accept_sec_context
>
> But the ipauser can login to ipaserver and ipaclient and get his home 
> dir automounted.
>
> Is it a dead end?
>
> Are there any methods to add users/groups to ldap and kerberos 
> consistently without ipa tools?
>
> Best regards,
>
> Kostya
>
> Kozlov wrote:
>> Simo Sorce wrote:
>>> On Tue, 2008-11-11 at 17:10 +0300, Konstantin Kozlov wrote:
>>>> I suspect that the system was unhappy with rc4-hmac in 
>>>> ipa-getkeytab command as it is not listed in supported enctypes. Is 
>>>> it possible?
>>>
>>> Does not seem likely.
>>> Do you have problems only on the Windows box? Or on any client
>>> including the IPA server?
>>>
>>> Simo.
>>>
>>
>> WinXP never worked for me yet. I've got GSSAPI error on ipaserver - 
>> Fedora9 and ipaclient CentOS 5. It makes webgui and ipa tools 
>> unusable but surprisingly logging in with ipauser and automounting 
>> the home dir still work on ipaserver. I've failed to configure 
>> automounter on ipaclient.
>>
>> I've tried to change the 127.0.0.1 in krb5.conf to 
>> ipaserver.example.com but it didn't help.
>>
>> Kostya
