[Freeipa-users] Kerberos delegation error on replica

Johan Sunnerstig jsunn at nets.eu
Mon Apr 29 10:16:46 UTC 2013


That was exactly it. Server 2 had a HTTP principal but no ldap principal.
I added a principal for ldap as well and it's working fine now.

Thanks a bunch. :)

Regards
Johan

> -----Original Message-----
> From: Rob Crittenden [mailto:rcritten at redhat.com]
> Sent: den 26 april 2013 15:50
> To: Johan Sunnerstig; freeipa-users at redhat.com
> Subject: Re: [Freeipa-users] Kerberos delegation error on replica
> 
> Johan Sunnerstig wrote:
> > Hi.
> >
> > I have two IPA servers in a multi master setup, running IPA 3.0.
> > They've been working fine for the last ~16 months and started life as 2.2 servers.
> > Recently the following error started showing up. I'm not sure when exactly, since I only discovered it when I was checking the status of an account the other day.
> >
> > ipa1: ~> ipa user-status user
> > -----------------------
> > Account disabled: False
> > -----------------------
> >    Server: ipa1.domain.tld
> >    Failed logins: 0
> >    Last successful authentication: 2013-04-26T11:20:06Z
> >    Last failed authentication: 2013-04-26T08:44:08Z
> >    Time now: 2013-04-26T11:20:06Z
> >
> >    Server: ipa2.domain.tld failed: Insufficient access: SASL(-1): generic failure: GSSAPI Error: Unspecified GSS failure.  Minor code may provide more information (KDC returned error string: NOT_ALLOWED_TO_DELEGATE)
> > ----------------------------
> > Number of entries returned 2
> > ----------------------------
> >
> > The same exact thing happens on the other replica.
> >
> > Everything else works as far as I can tell; replication is fine and either one will issue TGTs and so forth. Basically, aside from the above, I can't find anything wrong.
> > The following shows up in the krb5kdc.log on both the servers:
> > Apr 26 13:37:09 ipa1.domain.tld krb5kdc[26612](info): TGS_REQ (4 etypes {18 17 16 23}) x.x.x.x: NOT_ALLOWED_TO_DELEGATE: authtime 0,  HTTP/ipa1.domain.tld@DOMAIN.TLD for ldap/ipa2.domain.tld@DOMAIN.TLD, No such file or directory
> > Apr 26 13:37:09 ipa1.domain.tld krb5kdc[26612](info): TGS_REQ (4 etypes {18 17 16 23}) x.x.x.x: NOT_ALLOWED_TO_DELEGATE: authtime 0,  HTTP/ipa1.domain.tld@DOMAIN.TLD for ldap/ipa2.domain.tld@DOMAIN.TLD, No such file or directory
> >
> 
> One of the servers must be missing from the s4u2proxy delegation list.
> 
> Are all the servers in here?
> 
> # ldapsearch -x -b cn=ipa-http-delegation,cn=s4u2proxy,cn=etc,dc=example,dc=com
> 
> and
> 
> # ldapsearch -x -b cn=ipa-ldap-delegation-targets,cn=s4u2proxy,cn=etc,dc=example,dc=com
> 
> I'm guessing that it is missing one or more memberPrincipal.
> 
> The format is memberPrincipal: service/$FQDN@$REALM
> 
> rob
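
Added example, not part of this thread and not FreeIPA project code: a small POSIX shell script that automates the check Rob describes. It takes the LDIF that ldapsearch returns for the two s4u2proxy entries, builds the expected HTTP/ and ldap/ principals for every IPA server, and reports whichever memberPrincipal values are absent, then prints an ldapmodify LDIF that adds a missing one. The server names, realm, base DN and the embedded LDIF are constructed placeholders; the entry DNs under cn=s4u2proxy,cn=etc are the ones named in the reply above. Run it with --live (as a user that can read those entries) to query a real server instead of the sample.

```shell
#!/bin/sh
# Added example (not from the original thread): verify that every IPA server
# has HTTP/<fqdn>@REALM in cn=ipa-http-delegation and ldap/<fqdn>@REALM in
# cn=ipa-ldap-delegation-targets, working from ldapsearch LDIF output.
# Assumed/illustrative: SERVERS, REALM, BASE and the sample LDIF below.

SERVERS="ipa1.domain.tld ipa2.domain.tld"
REALM="DOMAIN.TLD"
BASE="dc=example,dc=com"

# Constructed sample output of
#   ldapsearch -x -LLL -b "cn=<entry>,cn=s4u2proxy,cn=etc,$BASE" memberPrincipal
# reproducing the situation in the thread: ipa2's ldap principal is missing.
HTTP_LDIF='dn: cn=ipa-http-delegation,cn=s4u2proxy,cn=etc,dc=example,dc=com
memberPrincipal: HTTP/ipa1.domain.tld@DOMAIN.TLD
memberPrincipal: HTTP/ipa2.domain.tld@DOMAIN.TLD
'
LDAP_LDIF='dn: cn=ipa-ldap-delegation-targets,cn=s4u2proxy,cn=etc,dc=example,dc=com
memberPrincipal: ldap/ipa1.domain.tld@DOMAIN.TLD
'

# present_principals LDIF -> the memberPrincipal values, one per line
present_principals() {
    printf '%s\n' "$1" | sed -n 's/^memberPrincipal: *//p'
}

# expected_principals SERVICE -> SERVICE/<fqdn>@REALM for every server
expected_principals() {
    for h in $SERVERS; do
        printf '%s/%s@%s\n' "$1" "$h" "$REALM"
    done
}

# missing_principals SERVICE LDIF -> expected principals not found in LDIF
missing_principals() {
    present=$(present_principals "$2")
    for p in $(expected_principals "$1"); do
        printf '%s\n' "$present" | grep -qxF "$p" || printf '%s\n' "$p"
    done
}

# fix_ldif ENTRY PRINCIPAL -> LDIF that adds the missing value; pipe it into
#   ldapmodify -x -D 'cn=Directory Manager' -W
fix_ldif() {
    printf 'dn: cn=%s,cn=s4u2proxy,cn=etc,%s\nchangetype: modify\nadd: memberPrincipal\nmemberPrincipal: %s\n' \
        "$1" "$BASE" "$2"
}

# fetch_ldif ENTRY -> query a live server (needs ldapsearch and read access)
fetch_ldif() {
    ldapsearch -x -LLL -b "cn=$1,cn=s4u2proxy,cn=etc,$BASE" memberPrincipal
}

# report HTTP_LDIF LDAP_LDIF -> lists gaps with the LDIF to fix each; rc 1 if any
report() {
    rc=0
    for m in $(missing_principals HTTP "$1"); do
        echo "cn=ipa-http-delegation is missing memberPrincipal: $m"
        fix_ldif ipa-http-delegation "$m"
        rc=1
    done
    for m in $(missing_principals ldap "$2"); do
        echo "cn=ipa-ldap-delegation-targets is missing memberPrincipal: $m"
        fix_ldif ipa-ldap-delegation-targets "$m"
        rc=1
    done
    return $rc
}

if [ "${1:-}" = "--live" ]; then
    http=$(fetch_ldif ipa-http-delegation)
    ldap=$(fetch_ldif ipa-ldap-delegation-targets)
else
    http=$HTTP_LDIF
    ldap=$LDAP_LDIF
fi

if report "$http" "$ldap"; then
    echo "all delegation entries present"
else
    echo "apply the LDIF above with ldapmodify, then re-run ipa user-status"
fi
```

Against the constructed sample this reports only ldap/ipa2.domain.tld@DOMAIN.TLD as missing from cn=ipa-ldap-delegation-targets, which matches the KDC log (HTTP/ipa1 asking for a ticket to ldap/ipa2) and the fix the original poster applied. The check is deliberately one-directional: an extra memberPrincipal that no server should have is also worth a look, since it widens what the web frontend may impersonate users to, but that is a separate review.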
