[Freeipa-users] IPA privileges question

Guy Matz gmatz at collective.com
Mon Jun 3 15:50:53 UTC 2013


Thanks.  Yes, I have realized the error of my ways . . .  it seems I
just needed the user to have "Host Administration" privileges.
 
Thanks again,
Guy

On 06/03/2013 09:16 AM, Simo Sorce wrote:
> On Fri, 2013-05-31 at 18:45 +0000, Guy Matz wrote:
>> Sorry, should have mentioned that.  I had host principal and have since
>> added ldap:
>> # klist -k krb5.keytab
>> Keytab name: FILE:krb5.keytab
>> KVNO Principal
>> ---- --------------------------------------------------------------------------
>>    3 host/ipadevmstr.collmedia.net@COLLMEDIA.NET
>>    3 host/ipadevmstr.collmedia.net@COLLMEDIA.NET
>>    3 host/ipadevmstr.collmedia.net@COLLMEDIA.NET
>>    3 host/ipadevmstr.collmedia.net@COLLMEDIA.NET
>>    3 ldap/ipadevmstr.collmedia.net@COLLMEDIA.NET
>>    3 ldap/ipadevmstr.collmedia.net@COLLMEDIA.NET
>>    3 ldap/ipadevmstr.collmedia.net@COLLMEDIA.NET
>>    3 ldap/ipadevmstr.collmedia.net@COLLMEDIA.NET
>>
>> I now get this error:
>> Insufficient access: SASL(-13): authentication failure: GSSAPI Failure:
>> gss_accept_sec_context Invalid credentials
>>
>> with this in my krb5.log:
>> May 31 14:42:30 ipadevmstr.collmedia.net krb5kdc[4190](info): AS_REQ (4 etypes {18 17 16 23}) 192.168.8.111: NEEDED_PREAUTH: DNS/ipadevmstr.collmedia.net@COLLMEDIA.NET for krbtgt/COLLMEDIA.NET@COLLMEDIA.NET, Additional pre-authentication required
>> May 31 14:42:30 ipadevmstr.collmedia.net krb5kdc[4190](info): AS_REQ (4 etypes {18 17 16 23}) 192.168.8.111: ISSUE: authtime 1370025750, etypes {rep=18 tkt=18 ses=18}, DNS/ipadevmstr.collmedia.net@COLLMEDIA.NET for krbtgt/COLLMEDIA.NET@COLLMEDIA.NET
>> May 31 14:42:31 ipadevmstr.collmedia.net krb5kdc[4190](info): TGS_REQ (4 etypes {18 17 16 23}) 192.168.8.111: ISSUE: authtime 1370025263, etypes {rep=18 tkt=18 ses=18}, HTTP/ipadevmstr.collmedia.net@COLLMEDIA.NET for ldap/ipadevmstr.collmedia.net@COLLMEDIA.NET
>> May 31 14:42:31 ipadevmstr.collmedia.net krb5kdc[4190](info): ... CONSTRAINED-DELEGATION s4u-client=DNS/ipadevmstr.collmedia.net@COLLMEDIA.NET
>>
>> Do I need to add DNS too?
> No, and you shouldn't have added ldap/fqdn either as you are not hosting
> an LDAP server.
>
> Just FYI: there is no error in the snippet above, the 'NEEDED_PREAUTH'
> message is normal and does not imply there is any error in the system.
>
> Simo.
>
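The two practical points in the exchange above (a keytab should only carry service principals the host actually serves, and `NEEDED_PREAUTH` in the KDC log is informational rather than an error) can be turned into a small triage script. The following is an added example written for this page, not code from the FreeIPA project or from either poster; the hostnames, realm, IP address and the failing `alice` request are constructed sample data, and the set of failure codes it flags is a short list of MIT krb5kdc status strings, not an exhaustive one.

```python
import re

# Constructed sample of MIT krb5kdc log lines, modelled on the format quoted in
# the thread. The last line is a constructed real failure (PREAUTH_FAILED).
SAMPLE_KDC_LOG = """\
May 31 14:42:30 ipadevmstr.example.test krb5kdc[4190](info): AS_REQ (4 etypes {18 17 16 23}) 192.0.2.11: NEEDED_PREAUTH: DNS/ipadevmstr.example.test@EXAMPLE.TEST for krbtgt/EXAMPLE.TEST@EXAMPLE.TEST, Additional pre-authentication required
May 31 14:42:30 ipadevmstr.example.test krb5kdc[4190](info): AS_REQ (4 etypes {18 17 16 23}) 192.0.2.11: ISSUE: authtime 1370025750, etypes {rep=18 tkt=18 ses=18}, DNS/ipadevmstr.example.test@EXAMPLE.TEST for krbtgt/EXAMPLE.TEST@EXAMPLE.TEST
May 31 14:42:31 ipadevmstr.example.test krb5kdc[4190](info): TGS_REQ (4 etypes {18 17 16 23}) 192.0.2.11: ISSUE: authtime 1370025263, etypes {rep=18 tkt=18 ses=18}, HTTP/ipadevmstr.example.test@EXAMPLE.TEST for ldap/ipadevmstr.example.test@EXAMPLE.TEST
May 31 14:42:35 ipadevmstr.example.test krb5kdc[4190](info): AS_REQ (4 etypes {18 17 16 23}) 192.0.2.11: PREAUTH_FAILED: alice@EXAMPLE.TEST for krbtgt/EXAMPLE.TEST@EXAMPLE.TEST, Decrypt integrity check failed
"""

# Constructed sample of `klist -k` output for a host keytab that also carries
# an ldap/ principal the machine does not actually serve.
SAMPLE_KLIST = """\
Keytab name: FILE:krb5.keytab
KVNO Principal
---- --------------------------------------------------------------------------
   3 host/ipadevmstr.example.test@EXAMPLE.TEST
   3 host/ipadevmstr.example.test@EXAMPLE.TEST
   3 ldap/ipadevmstr.example.test@EXAMPLE.TEST
"""

# One AS_REQ/TGS_REQ line: timestamp, host, pid, level, request type, etypes,
# client IP, status code, and the remainder (which names client and server).
KDC_LINE_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ [\d:]+) (?P<host>\S+) krb5kdc\[(?P<pid>\d+)\]\((?P<level>\w+)\): "
    r"(?P<req>AS_REQ|TGS_REQ) \(\d+ etypes \{[^}]*\}\) (?P<ip>[\d.]+): "
    r"(?P<status>[A-Z_]+): (?P<rest>.*)$"
)
# "<client> for <server>" inside the remainder; the server may be followed by a comma.
PRINCIPALS_RE = re.compile(r"(\S+) for ([^\s,]+)")

# Status codes that are a normal part of a Kerberos exchange.
BENIGN_STATUS = {"ISSUE", "NEEDED_PREAUTH"}
# A short, non-exhaustive list of MIT KDC status codes that denote a real failure.
FAILURE_STATUS = {"PREAUTH_FAILED", "CLIENT_NOT_FOUND", "SERVER_NOT_FOUND",
                  "CLIENT_REVOKED", "BAD_ENCRYPTION_TYPE"}


def parse_kdc_line(line):
    """Return a dict for a recognised AS_REQ/TGS_REQ line, or None otherwise."""
    m = KDC_LINE_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    p = PRINCIPALS_RE.search(rec["rest"])
    rec["client"], rec["server"] = (p.group(1), p.group(2)) if p else (None, None)
    return rec


def triage_kdc_log(text):
    """Split KDC log lines into benign events, real failures, and lines to review."""
    report = {"benign": [], "failures": [], "review": [], "unparsed": []}
    for line in text.splitlines():
        if not line.strip():
            continue
        rec = parse_kdc_line(line)
        if rec is None:
            report["unparsed"].append(line)
        elif rec["status"] in BENIGN_STATUS:
            report["benign"].append(rec)      # NEEDED_PREAUTH lands here, not in failures
        elif rec["status"] in FAILURE_STATUS:
            report["failures"].append(rec)
        else:
            report["review"].append(rec)      # unknown code: look at it, but do not assume error
    return report


def keytab_services(klist_text):
    """Return the sorted set of service names (the part before '/') found in klist -k output."""
    services = set()
    for line in klist_text.splitlines():
        m = re.match(r"^\s*\d+\s+(\S+)$", line)
        if m:
            principal = m.group(1)
            services.add(principal.split("/", 1)[0] if "/" in principal else principal)
    return sorted(services)


def unexpected_services(klist_text, expected=frozenset({"host"})):
    """Service principals present in the keytab that this host is not expected to serve."""
    return sorted(set(keytab_services(klist_text)) - set(expected))


if __name__ == "__main__":
    rep = triage_kdc_log(SAMPLE_KDC_LOG)
    for r in rep["failures"]:
        print(f"FAILURE {r['status']}: {r['client']} -> {r['server']} from {r['ip']}")
    print(f"{len(rep['benign'])} benign, {len(rep['failures'])} failures, {len(rep['review'])} to review")
    print("unexpected keytab services:", unexpected_services(SAMPLE_KLIST))
```

Run against the sample data it reports one failure (the constructed `PREAUTH_FAILED` request) and treats the `NEEDED_PREAUTH` and `ISSUE` lines as benign, matching Simo's reading of the quoted log; the keytab check reports `ldap` as a service principal that a plain enrolled host would not be expected to carry. Feed real `klist -k` and `krb5kdc.log` text into `unexpected_services` and `triage_kdc_log` to get the same two answers for your own host.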
