[Freeipa-users] GSSAPI Failure
Konstantin Kozlov
kozlov at spbcas.ru
Wed Nov 12 15:04:21 UTC 2008
Hello,
Rob Crittenden wrote:
> Konstantin Kozlov wrote:
>> Hello,
>>
>> So I ran out of ideas for where to look for errors. I've got the GSSAPI
>> error with ipa tools and ldap tools.
>>
>> [root@ipaserver ~]# ipa-finduser admin
>> Connection to database failed: Invalid credentials: SASL(-13):
>> authentication failure: GSSAPI Failure: gss_accept_sec_context
>>
>> But the ipauser can login to ipaserver and ipaclient and get his home
>> dir automounted.
>>
>> Is it a dead end?
>
> Ok, this error indicates that the kerberos auth to the XML-RPC server
> worked but that it can't make a GSSAPI connection to the LDAP server.
>
> You can test this directly with:
>
> % ldapsearch -Y GSSAPI -b "dc=example,dc=com" uid=admin
>
>>
This fails.
Dmitri Pal wrote:
> Konstantin,
>
> Would it be a fair assumption to say that kinit and direct
> authentication works fine but GSSAPI based kerberos auth does not?
Yes, that is correct.
> Is it happening on one machine or all machines?
>
Both - ipaserver and ipaclient.
> I have seen in another product a similar situation and the cause of the
> problem was missing or outdated packages for SASL methods.
> Can it be the case?
>
No. All packages are the latest version on ipaserver Fedora 9.
Thanks,
Kostya
> Thanks
> Dmitri
>
> Konstantin Kozlov wrote:
>> Hello,
>>
>> So I ran out of ideas for where to look for errors. I've got the GSSAPI
>> error with ipa tools and ldap tools.
>>
>> [root@ipaserver ~]# ipa-finduser admin
>> Connection to database failed: Invalid credentials: SASL(-13):
>> authentication failure: GSSAPI Failure: gss_accept_sec_context
>>
>> But the ipauser can login to ipaserver and ipaclient and get his home
>> dir automounted.
>>
>> Is it a dead end?
>>
>> Are there any methods to add users/groups to ldap and kerberos
>> consistently without ipa tools?
>>
>> Best regards,
>>
>> Kostya
>>
>> Kozlov wrote:
>>> Simo Sorce wrote:
>>>> On Tue, 2008-11-11 at 17:10 +0300, Konstantin Kozlov wrote:
>>>>> I suspect that the system was unhappy with rc4-hmac in
>>>>> ipa-getkeytab command as it is not listed in supported enctypes. Is
>>>>> it possible?
>>>>
>>>> Does not seem likely.
>>>> Do you have problems only on the Windows box? Or on any client
>>>> including
>>>> the IPA server ?
>>>>
>>>> Simo.
>>>>
>>>
>>> WinXP never worked for me yet. I've got GSSAPI error on ipaserver -
>>> Fedora9 and ipaclient CentOS 5. It makes webgui and ipa tools
>>> unusable but surprisingly logging in with ipauser and automounting
>>> the home dir still work on ipaserver. I've failed to configure
>>> automounter on ipaclient.
>>>
>>> I've tried to change the 127.0.0.1 in krb5.conf to
>>> ipaserver.example.com but it didn't help.
>>>
>>> Kostya
>>>
>>>
>>
>>
>
>
--
Konstantin Kozlov
Department of Computational Biology,
Center for Advanced Studies,
SPb State Polytechnical University,
195251, Polytechnicheskaya ul., 29,
bld 4, office 204,
St.Petersburg, Russia.
Tel./fax: +7 812 596 2831