[Freeipa-users] GSSAPI Failure
Konstantin Kozlov
kozlov at spbcas.ru
Fri Nov 14 06:04:17 UTC 2008
Hello,
No, I am not using EXAMPLE.COM.
Is IPA 1.2 usable on Fedora or CentOS?
server krb5.conf:
[logging]
default = FILE:/var/log/krb5libs.log
kdc = FILE:/var/log/krb5kdc.log
admin_server = FILE:/var/log/kadmind.log
[libdefaults]
default_realm = BIO.SPBCAS.RU
dns_lookup_realm = true
dns_lookup_kdc = true
ticket_lifetime = 24h
forwardable = yes
[realms]
BIO.SPBCAS.RU = {
kdc = hedgehog.bio.spbcas.ru:88
admin_server = hedgehog.bio.spbcas.ru:749
default_domain = bio.spbcas.ru
}
[domain_realm]
.bio.spbcas.ru = BIO.SPBCAS.RU
bio.spbcas.ru = BIO.SPBCAS.RU
[appdefaults]
pam = {
debug = false
ticket_lifetime = 36000
renew_lifetime = 36000
forwardable = yes
krb4_convert = false
}
[dbmodules]
BIO.SPBCAS.RU = {
db_library = kldap
ldap_servers = ldap://127.0.0.1/
ldap_kerberos_container_dn = cn=kerberos,dc=bio,dc=spbcas,dc=ru
ldap_kdc_dn = uid=kdc,cn=sysaccounts,cn=etc,dc=bio,dc=spbcas,dc=ru
ldap_kadmind_dn = uid=kdc,cn=sysaccounts,cn=etc,dc=bio,dc=spbcas,dc=ru
ldap_service_password_file = /var/kerberos/krb5kdc/ldappwd
}
Client krb5.conf:
#File modified by ipa-client-install
[libdefaults]
default_realm = BIO.SPBCAS.RU
dns_lookup_realm = true
dns_lookup_kdc = true
ticket_lifetime = 24h
forwardable = yes
[domain_realm]
.bio.spbcas.ru = BIO.SPBCAS.RU
bio.spbcas.ru = BIO.SPBCAS.RU
[appdefaults]
pam = {
debug = false
ticket_lifetime = 36000
renew_lifetime = 36000
forwardable = true
krb4_convert = false
}
NTP, DNS and DHCP are on another server; they were set up a lot earlier
and are working.
Does the ldapsearch error indicate that FDS fails and not IPA?
Kostya
Simo Sorce writes:
> On Fri, 2008-11-14 at 07:29 +0300, Kozlov wrote:
>> Simo Sorce writes:
>>> On Thu, 2008-11-13 at 17:03 +0300, Konstantin Kozlov wrote:
>>>> Unfortunately it doesn't change my situation.
>>>>
>>>> So is it the dead end?
>>> Have you done a kinit again after you changed it ?
>>> What does klist -f show you ?
>>>
>> Hello,
>>
>> Thank you for not giving up Simo!
>>
>> Here is the log:
>>
>> [root@ipaserver ~]# klist -f
>> Ticket cache: FILE:/tmp/krb5cc_0
>> Default principal: admin@EXAMPLE.COM
>>
>> Valid starting Expires Service principal
>> 11/13/08 16:54:34 11/14/08 16:54:30 krbtgt/EXAMPLE.COM@EXAMPLE.COM
>> Flags: FIA
>> 11/13/08 16:54:55 11/14/08 16:54:30 HTTP/ipaserver.example.com@EXAMPLE.COM
>> Flags: FAT
>>
>>
>> Kerberos 4 ticket cache: /tmp/tkt0
>> klist: You have no tickets cached
>> [root@ipaserver ~]# ipa-finduser admin
>> Connection to database failed: Invalid credentials: SASL(-13):
>> authentication failure: GSSAPI Failure: gss_accept_sec_context
>> [root@ipaserver ~]# ldapsearch -Y GSSAPI -b "dc=bio,dc=spbcas,dc=ru" uid admin
>> SASL/GSSAPI authentication started
>> ldap_sasl_interactive_bind_s: Invalid credentials (49)
>> [root@ipaserver ~]# kdestroy
>> [root@ipaserver ~]# kinit admin
>> Password for admin@EXAMPLE.COM:
>> [root@ipaserver ~]# klist -f
>> Ticket cache: FILE:/tmp/krb5cc_0
>> Default principal: admin@EXAMPLE.COM
>>
>> Valid starting Expires Service principal
>> 11/14/08 07:23:02 11/15/08 07:22:58 krbtgt/EXAMPLE.COM@EXAMPLE.COM
>> Flags: FIA
>>
>>
>> Kerberos 4 ticket cache: /tmp/tkt0
>> klist: You have no tickets cached
>> [root@ipaserver ~]# ipa-finduser admin
>> Connection to database failed: Invalid credentials: SASL(-13):
>> authentication failure: GSSAPI Failure: gss_accept_sec_context
>> [root@ipaserver ~]# ldapsearch -Y GSSAPI -b "dc=example,dc=com" uid admin
>> SASL/GSSAPI authentication started
>> ldap_sasl_interactive_bind_s: Invalid credentials (49)
>>
>> Can it be a hardware related problem? The machine is rather old - HP
>> NetServer Pentium 3, 500 GHz, 512 MB.
>
> Ok, I think I know what it is, if you are really using EXAMPLE.COM.
> Before freeipa 1.2.0 we were not changing krb5.conf if the realm name
> used was EXAMPLE.COM (i.e. the default example).
>
> Can you post your server and client krb5.conf files ?
>
> Otherwise you can also try rebuilding your IPA server using a different
> realm name than EXAMPLE.COM
>
> Simo.
>
--
Konstantin Kozlov
Department of Computational Biology,
Center for Advanced Studies,
SPb State Polytechnical University,
195251, Polytechnicheskaya ul., 29,
bld 4, office 204,
St.Petersburg, Russia.
Tel./fax: +7 812 596 2831
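As an added example (not code from this thread or from FreeIPA), a small Python check for the failure mode Simo describes: a ticket cache whose principal sits in one realm (EXAMPLE.COM) while krb5.conf expects another (BIO.SPBCAS.RU), which surfaces as a GSSAPI bind failure. The krb5.conf, klist output and hostname below are constructed to mirror the thread; the parser is minimal and the domain_realm check only looks at the host's immediate parent domain.

```python
import re
# Constructed sample krb5.conf modelled on the thread (realm BIO.SPBCAS.RU).
SAMPLE_KRB5_CONF = """
[libdefaults]
 default_realm = BIO.SPBCAS.RU
[realms]
 BIO.SPBCAS.RU = {
  kdc = hedgehog.bio.spbcas.ru:88
 }
[domain_realm]
 .bio.spbcas.ru = BIO.SPBCAS.RU
"""
SAMPLE_KLIST = "Default principal: admin@EXAMPLE.COM\n"  # constructed: still in EXAMPLE.COM

def parse_krb5_conf(text):
    """Minimal krb5.conf parser: {section: {key: value or {key: value}}}."""
    conf, section, block = {}, None, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments and indentation
        if line.startswith("[") and line.endswith("]"):
            section, block = line[1:-1], None
            conf.setdefault(section, {})
        elif line.endswith("{"):  # "NAME = {" opens a nested block
            block = line[:-1].rstrip(" =")
            conf[section][block] = {}
        elif line == "}":
            block = None
        elif "=" in line:
            key, value = (s.strip() for s in line.split("=", 1))
            (conf[section][block] if block else conf[section])[key] = value
    return conf

def principal_realm(klist_output):
    """Realm of the 'Default principal:' line in klist output, or None."""
    m = re.search(r"^Default principal:\s*\S+@(\S+)", klist_output, re.M)
    return m.group(1) if m else None

def check_realm_consistency(conf, klist_output, hostname):
    """Return a list of problems; an empty list means the realms line up."""
    problems, want = [], conf.get("libdefaults", {}).get("default_realm")
    have = principal_realm(klist_output)
    if have != want:
        problems.append(f"ticket cache realm {have} != default_realm {want}")
    if want not in conf.get("realms", {}):
        problems.append(f"no [realms] entry for {want}; KDC lookup relies on DNS")
    domain_realm = conf.get("domain_realm", {})
    mapped = domain_realm.get(hostname) or domain_realm.get("." + hostname.split(".", 1)[-1])
    if mapped != want:
        problems.append(f"{hostname} maps to realm {mapped}, not {want}")
    return problems
```

Run it with `check_realm_consistency(parse_krb5_conf(SAMPLE_KRB5_CONF), SAMPLE_KLIST, "ipaserver.bio.spbcas.ru")`; on a real host, feed it the contents of /etc/krb5.conf and the output of `klist`.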