[Freeipa-users] Kerberos delegation error on replica
Rob Crittenden
rcritten at redhat.com
Fri Apr 26 13:49:59 UTC 2013
Johan Sunnerstig wrote:
> Hi.
>
> I have two IPA servers in a multi master setup, running IPA 3.0.
> They've been working fine for the last ~16 months and started life as 2.2 servers.
> Recently the following error started showing up, I'm not sure when exactly since I only discovered it when I was checking the status of an account the other day.
>
> ipa1: ~> ipa user-status user
> -----------------------
> Account disabled: False
> -----------------------
> Server: ipa1.domain.tld
> Failed logins: 0
> Last successful authentication: 2013-04-26T11:20:06Z
> Last failed authentication: 2013-04-26T08:44:08Z
> Time now: 2013-04-26T11:20:06Z
>
> Server: ipa2.domain.tld failed: Insufficient access: SASL(-1): generic failure: GSSAPI Error: Unspecified GSS failure. Minor code may provide more information (KDC returned error string: NOT_ALLOWED_TO_DELEGATE)
> ----------------------------
> Number of entries returned 2
> ----------------------------
>
> The same exact thing happens on the other replica.
>
> Everything else works as far as I can tell, replication is fine and either one will issue TGT's and so forth. Basically aside from the above I can't find anything wrong.
> The following shows up in the krb5kdc.log on both the servers:
> Apr 26 13:37:09 ipa1.domain.tld krb5kdc[26612](info): TGS_REQ (4 etypes {18 17 16 23}) x.x.x.x: NOT_ALLOWED_TO_DELEGATE: authtime 0, HTTP/ipa1.domain.tld at DOMAIN.TLD for ldap/ipa2.domain.tld at DOMAIN.TLD, No such file or directory
> Apr 26 13:37:09 ipa1.domain.tld krb5kdc[26612](info): TGS_REQ (4 etypes {18 17 16 23}) x.x.x.x: NOT_ALLOWED_TO_DELEGATE: authtime 0, HTTP/ipa1.domain.tld at DOMAIN.TLD for ldap/ipa2.domain.tld at DOMAIN.TLD, No such file or directory
>
One of the servers must be missing from the s4u2proxy delegation list.
Are all the servers in here?
# ldapsearch -x -b cn=ipa-http-delegation,cn=s4u2proxy,cn=etc,dc=example,dc=com
and
# ldapsearch -x -b cn=ipa-ldap-delegation-targets,cn=s4u2proxy,cn=etc,dc=example,dc=com
I'm guessing that it is missing one or more memberPrincipal.
The format is memberPrincipal: service/$FQDN@$REALM
rob
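The check Rob describes, as an added example that is not part of the thread: it parses the LDIF that the two ldapsearch commands above return and reports which memberPrincipal values (HTTP/ for the delegation entry, ldap/ for the targets entry) are missing for a given list of servers. The server names, realm and base DN are parameters you supply; the embedded LDIF is a constructed sample, not output from the poster's servers.

```python
import base64
from typing import Dict, List, Set

# Constructed sample LDIF (hypothetical servers), as ldapsearch would print it:
# the deployment has ipa1 and ipa2, but only ipa1 is present in both entries.
SAMPLE_LDIF = """\
dn: cn=ipa-http-delegation,cn=s4u2proxy,cn=etc,dc=example,dc=com
cn: ipa-http-delegation
memberPrincipal: HTTP/ipa1.example.com@EXAMPLE.COM
ipaAllowedTarget: cn=ipa-ldap-delegation-targets,cn=s4u2proxy,cn=etc,dc=examp
 le,dc=com

dn: cn=ipa-ldap-delegation-targets,cn=s4u2proxy,cn=etc,dc=example,dc=com
cn: ipa-ldap-delegation-targets
memberPrincipal: ldap/ipa1.example.com@EXAMPLE.COM
"""

def parse_ldif(text: str) -> Dict[str, Dict[str, List[str]]]:
    """Parse ldapsearch LDIF output into {dn: {attribute: [values]}}.
    Unfolds continuation lines (leading space), decodes 'attr:: base64' values,
    skips comment lines; entries are separated by blank lines."""
    lines: List[str] = []
    for raw in text.splitlines():
        if raw.startswith(" ") and lines:
            lines[-1] += raw[1:]          # folded continuation of previous line
        else:
            lines.append(raw)
    entries: Dict[str, Dict[str, List[str]]] = {}
    current = None
    for line in lines:
        if not line.strip():
            current = None                # blank line ends the entry
            continue
        if line.startswith("#"):
            continue
        attr, _, value = line.partition(":")
        if value.startswith(":"):         # base64-encoded value
            value = base64.b64decode(value[1:].strip()).decode("utf-8", "replace")
        else:
            value = value.strip()
        if attr == "dn":
            current = value
            entries[current] = {}
        elif current is not None:
            entries[current].setdefault(attr, []).append(value)
    return entries

def missing_principals(ldif: str, servers: List[str], realm: str, base: str) -> Dict[str, Set[str]]:
    """For each delegation entry, return the memberPrincipal values expected for
    `servers` (HTTP/$FQDN@$REALM and ldap/$FQDN@$REALM) that are not present."""
    entries = parse_ldif(ldif)
    expected = {
        f"cn=ipa-http-delegation,cn=s4u2proxy,cn=etc,{base}": {f"HTTP/{s}@{realm}" for s in servers},
        f"cn=ipa-ldap-delegation-targets,cn=s4u2proxy,cn=etc,{base}": {f"ldap/{s}@{realm}" for s in servers},
    }
    return {dn: want - set(entries.get(dn, {}).get("memberPrincipal", []))
            for dn, want in expected.items()}
```

To run it against a real deployment, pipe the output of each ldapsearch into a file and pass its contents, your server FQDNs, realm and base DN to missing_principals; an empty set for both DNs means every server is listed.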