[Freeipa-users] GSSAPI Failure
Konstantin Kozlov
kozlov at spbcas.ru
Thu Nov 13 07:25:38 UTC 2008
Simo Sorce wrote:
> On Wed, 2008-11-12 at 11:15 +0300, Konstantin Kozlov wrote:
>> [root@ipaserver ~]# ipa-finduser admin
>> Connection to database failed: Invalid credentials: SASL(-13):
>> authentication failure: GSSAPI Failure: gss_accept_sec_context
>>
>> But the ipauser can login to ipaserver and ipaclient and get his home
>> dir automounted.
>>
>> Is it a dead end?
>
> Have you turned off ticket forwarding in krb5.conf ?
>
I did not from the beginning, but when I did and restarted krb5kdc and
dirsrv, nothing changed. My krb5.conf contains forwardable = no in two
places - libdefaults and appdefaults. Is that correct?
Dmitri Pal wrote:
> Konstantin Kozlov wrote:
>> Hello,
>>
>> Rob Crittenden wrote:
>> > Konstantin Kozlov wrote:
>> >> Hello,
>> >>
>> >> So I ran out of ideas for where to look for errors. I've got the GSSAPI
>> >> error with the ipa tools and the ldap tools.
>> >>
>> >> [root@ipaserver ~]# ipa-finduser admin
>> >> Connection to database failed: Invalid credentials: SASL(-13):
>> >> authentication failure: GSSAPI Failure: gss_accept_sec_context
>> >>
>> >> But the ipauser can login to ipaserver and ipaclient and get his home
>> >> dir automounted.
>> >>
>> >> Is it a dead end?
>> >
>> > Ok, this error indicates that the kerberos auth to the XML-RPC server
>> > worked but that it can't make a GSSAPI connection to the LDAP server.
>> >
>> > You can test this directly with:
>> >
>> > % ldapsearch -Y GSSAPI -b "dc=example,dc=com" uid=admin
>> >
>> >>
>>
>> This fails.
>>
>
> If this fails you should see a reason in the IPA server DS's access log.
> This might give a hint.
>
>
ldapsearch doesn't produce entries in the access log. ipa-finduser does:
[root@ipaserver ~]# ipa-finduser admin
Connection to database failed: Invalid credentials: SASL(-13):
authentication failure: GSSAPI Failure: gss_accept_sec_context
access log:
[13/Nov/2008:10:17:51 +0300] conn=4 op=26 RESULT err=0 tag=101 nentries=1 etime=0
[13/Nov/2008:10:17:51 +0300] conn=6 op=0 BIND dn="" method=sasl version=3 mech=GSSAPI
[13/Nov/2008:10:17:51 +0300] conn=6 op=0 RESULT err=49 tag=97 nentries=0 etime=0
Best regards,
Kostya
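The access-log excerpt in this message shows the pattern worth checking on a 389 DS / IPA server: a SASL BIND with mech=GSSAPI on conn=6 op=0 is answered by a RESULT with err=49 (invalidCredentials) for the same conn and op. The script below is an added example, not code from this thread or from the FreeIPA project; it correlates each SASL BIND with its RESULT line by (conn, op) and classifies the outcome, so a long access log can be reduced to the binds that actually failed. The log lines in SAMPLE_LOG are constructed for the example (modelled on the excerpt above, with extra entries added to show the err=14 saslBindInProgress steps that a healthy multi-round GSSAPI bind produces before its final err=0); the LDAP result-code names are the standard ones.

```python
"""Correlate SASL BIND operations with their RESULT lines in a 389 DS access log.

Added example for reading the access log quoted in the thread; it is not part
of FreeIPA or 389 DS. Log lines below are constructed, not from a real server.
"""
import re
from typing import Dict, List, Tuple

# Constructed sample: conn=6 mirrors the thread (first GSSAPI step rejected
# with err=49); conn=7 shows a healthy bind (err=14 step, then err=0).
SAMPLE_LOG = """\
[13/Nov/2008:10:17:51 +0300] conn=4 op=26 RESULT err=0 tag=101 nentries=1 etime=0
[13/Nov/2008:10:17:51 +0300] conn=6 op=0 BIND dn="" method=sasl version=3 mech=GSSAPI
[13/Nov/2008:10:17:51 +0300] conn=6 op=0 RESULT err=49 tag=97 nentries=0 etime=0
[13/Nov/2008:10:18:02 +0300] conn=7 op=0 BIND dn="" method=sasl version=3 mech=GSSAPI
[13/Nov/2008:10:18:02 +0300] conn=7 op=0 RESULT err=14 tag=97 nentries=0 etime=0
[13/Nov/2008:10:18:02 +0300] conn=7 op=1 BIND dn="" method=sasl version=3 mech=GSSAPI
[13/Nov/2008:10:18:02 +0300] conn=7 op=1 RESULT err=0 tag=97 nentries=0 etime=0 dn="uid=admin,cn=users,cn=accounts,dc=example,dc=com"
"""

# Every operation line starts with a timestamp, a connection id and an op id.
LINE_RE = re.compile(r'^\[(?P<ts>[^\]]+)\] conn=(?P<conn>\d+) op=(?P<op>\d+) (?P<body>.*)$')
BIND_RE = re.compile(r'^BIND dn="(?P<dn>[^"]*)" method=(?P<method>\S+)(?: version=\d+)?(?: mech=(?P<mech>\S+))?')
RESULT_RE = re.compile(r'^RESULT err=(?P<err>\d+)')

# Subset of standard LDAP result codes that matter for bind outcomes.
LDAP_RESULT_NAMES = {
    0: "success",
    7: "authMethodNotSupported",
    8: "strongerAuthRequired",
    14: "saslBindInProgress",
    48: "inappropriateAuthentication",
    49: "invalidCredentials",
}


def sasl_bind_outcomes(log_text: str) -> List[Dict[str, object]]:
    """Return one record per SASL BIND that received a RESULT, in log order."""
    pending: Dict[Tuple[int, int], Dict[str, object]] = {}
    outcomes: List[Dict[str, object]] = []
    for raw in log_text.splitlines():
        m = LINE_RE.match(raw)
        if not m:
            continue  # not an operation line (e.g. "conn=6 fd=64 slot=64 connection from ...")
        key = (int(m.group("conn")), int(m.group("op")))
        body = m.group("body")
        b = BIND_RE.match(body)
        if b and b.group("method") == "sasl":
            # Remember the bind until its RESULT line arrives for the same conn/op.
            pending[key] = {"ts": m.group("ts"), "conn": key[0], "op": key[1],
                            "mech": b.group("mech") or "?"}
            continue
        r = RESULT_RE.match(body)
        if r and key in pending:
            rec = pending.pop(key)
            err = int(r.group("err"))
            rec["err"] = err
            rec["name"] = LDAP_RESULT_NAMES.get(err, "code%d" % err)
            if err == 0:
                rec["status"] = "success"
            elif err == 14:
                rec["status"] = "in-progress"  # one round of a multi-step SASL exchange
            else:
                rec["status"] = "failed"
            outcomes.append(rec)
    return outcomes


def failed_sasl_binds(log_text: str) -> List[Dict[str, object]]:
    """Only the SASL binds the server rejected outright."""
    return [o for o in sasl_bind_outcomes(log_text) if o["status"] == "failed"]


if __name__ == "__main__":
    for o in sasl_bind_outcomes(SAMPLE_LOG):
        print("%(ts)s conn=%(conn)d op=%(op)d mech=%(mech)s err=%(err)d (%(name)s) -> %(status)s" % o)
```

Run against a real access log with `sasl_bind_outcomes(open("/var/log/dirsrv/slapd-INSTANCE/access").read())` (path is the usual 389 DS location, adjust for your instance). A failure on the very first step, as in the excerpt above, means the server rejected the client's initial token, which matches the gss_accept_sec_context wording in the client-side error; a failure after one or more err=14 rounds points at a later stage of the exchange instead.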