[Freeipa-users] IPA privileges question
Simo Sorce
simo at redhat.com
Mon Jun 3 13:15:58 UTC 2013
On Fri, 2013-05-31 at 18:45 +0000, Guy Matz wrote:
> Sorry, should have mentioned that. I had host principal and have since
> added ldap:
> # klist -k krb5.keytab
> Keytab name: FILE:krb5.keytab
> KVNO Principal
> ----
> --------------------------------------------------------------------------
> 3 host/ipadevmstr.collmedia.net at COLLMEDIA.NET
> 3 host/ipadevmstr.collmedia.net at COLLMEDIA.NET
> 3 host/ipadevmstr.collmedia.net at COLLMEDIA.NET
> 3 host/ipadevmstr.collmedia.net at COLLMEDIA.NET
> 3 ldap/ipadevmstr.collmedia.net at COLLMEDIA.NET
> 3 ldap/ipadevmstr.collmedia.net at COLLMEDIA.NET
> 3 ldap/ipadevmstr.collmedia.net at COLLMEDIA.NET
> 3 ldap/ipadevmstr.collmedia.net at COLLMEDIA.NET
>
> I now get this error:
> Insufficient access: SASL(-13): authentication failure: GSSAPI Failure:
> gss_accept_sec_context Invalid credentials
>
> with this in my krb5.log:
> May 31 14:42:30 ipadevmstr.collmedia.net krb5kdc[4190](info): AS_REQ (4
> etypes {18 17 16 23}) 192.168.8.111: NEEDED_PREAUTH:
> DNS/ipadevmstr.collmedia.net at COLLMEDIA.NET for
> krbtgt/COLLMEDIA.NET at COLLMEDIA.NET, Additional pre-authentication required
> May 31 14:42:30 ipadevmstr.collmedia.net krb5kdc[4190](info): AS_REQ (4
> etypes {18 17 16 23}) 192.168.8.111: ISSUE: authtime 1370025750, etypes
> {rep=18 tkt=18 ses=18}, DNS/ipadevmstr.collmedia.net at COLLMEDIA.NET for
> krbtgt/COLLMEDIA.NET at COLLMEDIA.NET
> May 31 14:42:31 ipadevmstr.collmedia.net krb5kdc[4190](info): TGS_REQ (4
> etypes {18 17 16 23}) 192.168.8.111: ISSUE: authtime 1370025263, etypes
> {rep=18 tkt=18 ses=18}, HTTP/ipadevmstr.collmedia.net at COLLMEDIA.NET for
> ldap/ipadevmstr.collmedia.net at COLLMEDIA.NET
> May 31 14:42:31 ipadevmstr.collmedia.net krb5kdc[4190](info): ...
> CONSTRAINED-DELEGATION s4u-client=DNS/ipadevmstr.collmedia.net at COLLMEDIA.NET
>
> Do I need to add DNS too?
No, and you shouldn;t have added ldap/fqdn either as you are not hosting
an LDAP server.
Just FYI: there is no error in the snippet above, the 'NEEDED_PREAUTH'
message is normal and does not imply there is any error in the system.
Simo.
--
Simo Sorce * Red Hat, Inc * New York
More information about the Freeipa-users
mailing list