[Freeipa-users] IPA privileges question

Simo Sorce simo at redhat.com
Mon Jun 3 13:15:58 UTC 2013


On Fri, 2013-05-31 at 18:45 +0000, Guy Matz wrote:
> Sorry, should have mentioned that.  I had host principal and have since
> added ldap:
> # klist -k krb5.keytab
> Keytab name: FILE:krb5.keytab
> KVNO Principal
> ---- --------------------------------------------------------------------------
>    3 host/ipadevmstr.collmedia.net@COLLMEDIA.NET
>    3 host/ipadevmstr.collmedia.net@COLLMEDIA.NET
>    3 host/ipadevmstr.collmedia.net@COLLMEDIA.NET
>    3 host/ipadevmstr.collmedia.net@COLLMEDIA.NET
>    3 ldap/ipadevmstr.collmedia.net@COLLMEDIA.NET
>    3 ldap/ipadevmstr.collmedia.net@COLLMEDIA.NET
>    3 ldap/ipadevmstr.collmedia.net@COLLMEDIA.NET
>    3 ldap/ipadevmstr.collmedia.net@COLLMEDIA.NET
> 
> I now get this error:
> Insufficient access: SASL(-13): authentication failure: GSSAPI Failure: gss_accept_sec_context Invalid credentials
> 
> with this in my krb5.log:
> May 31 14:42:30 ipadevmstr.collmedia.net krb5kdc[4190](info): AS_REQ (4 etypes {18 17 16 23}) 192.168.8.111: NEEDED_PREAUTH: DNS/ipadevmstr.collmedia.net@COLLMEDIA.NET for krbtgt/COLLMEDIA.NET@COLLMEDIA.NET, Additional pre-authentication required
> May 31 14:42:30 ipadevmstr.collmedia.net krb5kdc[4190](info): AS_REQ (4 etypes {18 17 16 23}) 192.168.8.111: ISSUE: authtime 1370025750, etypes {rep=18 tkt=18 ses=18}, DNS/ipadevmstr.collmedia.net@COLLMEDIA.NET for krbtgt/COLLMEDIA.NET@COLLMEDIA.NET
> May 31 14:42:31 ipadevmstr.collmedia.net krb5kdc[4190](info): TGS_REQ (4 etypes {18 17 16 23}) 192.168.8.111: ISSUE: authtime 1370025263, etypes {rep=18 tkt=18 ses=18}, HTTP/ipadevmstr.collmedia.net@COLLMEDIA.NET for ldap/ipadevmstr.collmedia.net@COLLMEDIA.NET
> May 31 14:42:31 ipadevmstr.collmedia.net krb5kdc[4190](info): ... CONSTRAINED-DELEGATION s4u-client=DNS/ipadevmstr.collmedia.net@COLLMEDIA.NET
> 
> Do I need to add DNS too?

No, and you shouldn't have added ldap/fqdn either, as you are not hosting
an LDAP server.

Just FYI: there is no error in the snippet above, the 'NEEDED_PREAUTH'
message is normal and does not imply there is any error in the system.

Simo.

-- 
Simo Sorce * Red Hat, Inc * New York
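The two checks Simo's reply implies, reviewing a keytab for service principals the host does not actually serve, and reading the KDC log without mistaking NEEDED_PREAUTH for a failure, can be scripted. The following is an added example written for this page, not code from the thread or from the FreeIPA project. It parses `klist -k` output and krb5kdc log lines; the sample text is constructed to mirror the thread (principals with `@` restored), the `PREAUTH_FAILED` line is a constructed addition to show a real failure being flagged, and the set of expected services (`host` only, for a plain enrolled client) is an assumption you adjust per host.

```python
"""Review a keytab listing and krb5kdc log lines (added example, not project code)."""
import re
from collections import defaultdict

# Constructed sample modelled on the thread's `klist -k` output (not a real capture).
KLIST_OUTPUT = """Keytab name: FILE:krb5.keytab
KVNO Principal
---- --------------------------------------------------------------------------
   3 host/ipadevmstr.collmedia.net@COLLMEDIA.NET
   3 host/ipadevmstr.collmedia.net@COLLMEDIA.NET
   3 ldap/ipadevmstr.collmedia.net@COLLMEDIA.NET
"""

# Constructed krb5kdc lines: the first three follow the thread, the last is an
# invented PREAUTH_FAILED event so that a genuine failure appears in the sample.
KDC_LOG = """May 31 14:42:30 ipadevmstr.collmedia.net krb5kdc[4190](info): AS_REQ (4 etypes {18 17 16 23}) 192.168.8.111: NEEDED_PREAUTH: DNS/ipadevmstr.collmedia.net@COLLMEDIA.NET for krbtgt/COLLMEDIA.NET@COLLMEDIA.NET, Additional pre-authentication required
May 31 14:42:30 ipadevmstr.collmedia.net krb5kdc[4190](info): AS_REQ (4 etypes {18 17 16 23}) 192.168.8.111: ISSUE: authtime 1370025750, etypes {rep=18 tkt=18 ses=18}, DNS/ipadevmstr.collmedia.net@COLLMEDIA.NET for krbtgt/COLLMEDIA.NET@COLLMEDIA.NET
May 31 14:42:31 ipadevmstr.collmedia.net krb5kdc[4190](info): TGS_REQ (4 etypes {18 17 16 23}) 192.168.8.111: ISSUE: authtime 1370025263, etypes {rep=18 tkt=18 ses=18}, HTTP/ipadevmstr.collmedia.net@COLLMEDIA.NET for ldap/ipadevmstr.collmedia.net@COLLMEDIA.NET
May 31 14:50:02 ipadevmstr.collmedia.net krb5kdc[4190](info): AS_REQ (4 etypes {18 17 16 23}) 192.168.8.111: PREAUTH_FAILED: someuser@COLLMEDIA.NET for krbtgt/COLLMEDIA.NET@COLLMEDIA.NET, Preauthentication failed
"""

# One keytab entry per line: "<kvno> <principal>", after the two header lines.
KEYTAB_RE = re.compile(r"^\s*(\d+)\s+(\S+)\s*$")
# krb5kdc request line: level, request type, etype count, etype list,
# client address, status token, and the remainder of the message.
KDC_RE = re.compile(
    r"krb5kdc\[\d+\]\((\w+)\): (\w+) \((\d+) etypes \{([^}]*)\}\) (\S+): (\w+): (.*)$"
)
# "<client principal> for <server principal>" inside the remainder.
PRINC_RE = re.compile(r"(\S+) for ([^,\s]+)")

# Status tokens that do not indicate a problem: NEEDED_PREAUTH is the normal
# first round-trip of an AS exchange, ISSUE means a ticket was handed out.
BENIGN_STATUS = {"NEEDED_PREAUTH": "info", "ISSUE": "ok"}


def parse_keytab(text):
    """Map each principal in `klist -k` output to the set of KVNOs present."""
    entries = defaultdict(set)
    for line in text.splitlines():
        m = KEYTAB_RE.match(line)
        if m:
            entries[m.group(2)].add(int(m.group(1)))
    return dict(entries)


def unexpected_services(entries, expected=frozenset({"host"})):
    """Service names (text before '/') in the keytab that this host is not expected to serve."""
    services = {p.split("/", 1)[0] for p in entries if "/" in p}
    return sorted(services - set(expected))


def classify_kdc_line(line):
    """Return a dict describing one krb5kdc request line, or None if it is not one."""
    m = KDC_RE.search(line)
    if not m:
        return None
    level, request, _count, etypes, addr, status, rest = m.groups()
    pm = PRINC_RE.search(rest)
    return {
        "level": level,
        "request": request,
        "etypes": etypes.split(),
        "client_addr": addr,
        "status": status,
        # Anything outside the benign set deserves a look (e.g. PREAUTH_FAILED).
        "severity": BENIGN_STATUS.get(status, "check"),
        "client": pm.group(1) if pm else None,
        "server": pm.group(2) if pm else None,
    }


def summarize_kdc_log(text):
    """Count parsed events by severity and collect the ones that need attention."""
    counts = defaultdict(int)
    flagged = []
    for line in text.splitlines():
        event = classify_kdc_line(line)
        if event is None:
            counts["unparsed"] += 1  # continuation lines such as CONSTRAINED-DELEGATION
            continue
        counts[event["severity"]] += 1
        if event["severity"] == "check":
            flagged.append(event)
    return dict(counts), flagged


if __name__ == "__main__":
    keytab = parse_keytab(KLIST_OUTPUT)
    for principal, kvnos in sorted(keytab.items()):
        print(f"{principal}: kvno {sorted(kvnos)}")
    print("services not expected on this host:", unexpected_services(keytab))
    counts, flagged = summarize_kdc_log(KDC_LOG)
    print("event counts:", counts)
    for ev in flagged:
        print(f"CHECK {ev['request']} {ev['status']} {ev['client']} -> {ev['server']} from {ev['client_addr']}")
```

Run against the sample, the keytab review reports `ldap` as a service the host is not expected to serve, the three lines taken from the thread come out as `info` or `ok` (so the NEEDED_PREAUTH line is not reported), and only the constructed PREAUTH_FAILED event is listed for follow-up. On a real host, feed it `klist -k /etc/krb5.keytab` output and the krb5kdc log, and widen `expected` to the services the machine genuinely runs.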