[Freeipa-users] GSSAPI Failure

Rob Crittenden rcritten at redhat.com
Wed Nov 12 14:55:41 UTC 2008


Konstantin Kozlov wrote:
> Hello,
> 
> So I ran out of ideas for where to look for errors. I've got the GSSAPI 
> error with ipa tools and ldap tools.
> 
> [root@ipaserver ~]# ipa-finduser admin
> Connection to database failed: Invalid credentials: SASL(-13): 
> authentication failure: GSSAPI Failure: gss_accept_sec_context
> 
> But the ipauser can login to ipaserver and ipaclient and get his home 
> dir automounted.
> 
> Is it a dead end?

Ok, this error indicates that the Kerberos auth to the XML-RPC server 
worked but that it can't make a GSSAPI connection to the LDAP server.

You can test this directly with:

% ldapsearch -Y GSSAPI -b "dc=example,dc=com" uid=admin

> 
> Are there any methods to add users/groups to ldap and kerberos 
> consistently without ipa tools?
> 
> Best regards,
> 
> Kostya
> 
> Kozlov wrote:
>> Simo Sorce wrote:
>>> On Tue, 2008-11-11 at 17:10 +0300, Konstantin Kozlov wrote:
>>>> I suspect that the system was unhappy with rc4-hmac in ipa-getkeytab 
>>>> command as it is not listed in supported enctypes. Is it possible?
>>>
>>> Does not seem likely.
>>> Do you have problems only on the Windows box? Or on any client including
>>> the IPA server ?
>>>
>>> Simo.
>>>
>>
>> WinXP never worked for me yet. I've got GSSAPI error on ipaserver - 
>> Fedora9 and ipaclient CentOS 5. It makes webgui and ipa tools unusable 
>> but surprisingly logging in with ipauser and automounting the home dir 
>> still work on ipaserver. I've failed to configure automounter on 
>> ipaclient.
>>
>> I've tried to change the 127.0.0.1 in krb5.conf to 
>> ipaserver.example.com but it didn't help.
>>
>> Kostya
>>
>> _______________________________________________
>> Freeipa-users mailing list
>> Freeipa-users at redhat.com
>> https://www.redhat.com/mailman/listinfo/freeipa-users
>>
> 
> 
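Added example, not part of the original thread: a shell wrapper around the ldapsearch test from the reply above that reports which side of the GSSAPI exchange failed. Function names are hypothetical, and it assumes MIT klist and OpenLDAP ldapsearch; the base DN and filter are the ones in the post.

```shell
#!/bin/sh
# Added example, not from the thread. Function names are hypothetical.

# Error text quoted in the post above (ipa-finduser output, joined to one line).
SAMPLE_FROM_POST='Connection to database failed: Invalid credentials: SASL(-13): authentication failure: GSSAPI Failure: gss_accept_sec_context'

# Classify SASL/GSSAPI error text on stdin by the side that reported it.
# gss_init_sec_context is called by the initiator (the LDAP client);
# gss_accept_sec_context is called by the acceptor (the directory server).
classify_gssapi_error() {
    text=$(cat)
    case "$text" in
        *gss_accept_sec_context*) echo "acceptor" ;;
        *gss_init_sec_context*)   echo "initiator" ;;
        *GSSAPI*)                 echo "gssapi-unknown" ;;
        *)                        echo "not-gssapi" ;;
    esac
}

# General pointer for each class (guidance added here, not advice from the thread).
next_step() {
    case "$1" in
        ok)        echo "GSSAPI bind to LDAP works for this ticket cache" ;;
        no-ticket) echo "no valid ticket cache: run kinit first, then retest" ;;
        initiator) echo "client side: could not build a token for the LDAP service" ;;
        acceptor)  echo "server side: directory server rejected the token; check its keytab and logs" ;;
        *)         echo "not classified: read the full error text" ;;
    esac
}

# Run the test command from the reply and print one class.
run_gssapi_bind_test() {
    base_dn=${1:-dc=example,dc=com}
    if ! klist -s 2>/dev/null; then
        echo "no-ticket"
        return 0
    fi
    if err=$(ldapsearch -Y GSSAPI -b "$base_dn" uid=admin 2>&1 >/dev/null); then
        echo "ok"
    else
        printf '%s\n' "$err" | classify_gssapi_error
    fi
}

# Offline demonstration on the error text from the post.
class=$(printf '%s\n' "$SAMPLE_FROM_POST" | classify_gssapi_error)
echo "$class: $(next_step "$class")"
```

On a host with a ticket cache, `next_step "$(run_gssapi_bind_test)"` runs the live test as the current user.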



