[Freeipa-users] IPA privileges question

Guy Matz gmatz at collective.com
Fri May 31 18:45:38 UTC 2013


Sorry, should have mentioned that.  I had a host principal and have since
added ldap:
# klist -k krb5.keytab
Keytab name: FILE:krb5.keytab
KVNO Principal
---- --------------------------------------------------------------------------
   3 host/ipadevmstr.collmedia.net at COLLMEDIA.NET
   3 host/ipadevmstr.collmedia.net at COLLMEDIA.NET
   3 host/ipadevmstr.collmedia.net at COLLMEDIA.NET
   3 host/ipadevmstr.collmedia.net at COLLMEDIA.NET
   3 ldap/ipadevmstr.collmedia.net at COLLMEDIA.NET
   3 ldap/ipadevmstr.collmedia.net at COLLMEDIA.NET
   3 ldap/ipadevmstr.collmedia.net at COLLMEDIA.NET
   3 ldap/ipadevmstr.collmedia.net at COLLMEDIA.NET

I now get this error:
Insufficient access: SASL(-13): authentication failure: GSSAPI Failure:
gss_accept_sec_context Invalid credentials

with this in my krb5.log:
May 31 14:42:30 ipadevmstr.collmedia.net krb5kdc[4190](info): AS_REQ (4
etypes {18 17 16 23}) 192.168.8.111: NEEDED_PREAUTH:
DNS/ipadevmstr.collmedia.net at COLLMEDIA.NET for
krbtgt/COLLMEDIA.NET at COLLMEDIA.NET, Additional pre-authentication required
May 31 14:42:30 ipadevmstr.collmedia.net krb5kdc[4190](info): AS_REQ (4
etypes {18 17 16 23}) 192.168.8.111: ISSUE: authtime 1370025750, etypes
{rep=18 tkt=18 ses=18}, DNS/ipadevmstr.collmedia.net at COLLMEDIA.NET for
krbtgt/COLLMEDIA.NET at COLLMEDIA.NET
May 31 14:42:31 ipadevmstr.collmedia.net krb5kdc[4190](info): TGS_REQ (4
etypes {18 17 16 23}) 192.168.8.111: ISSUE: authtime 1370025263, etypes
{rep=18 tkt=18 ses=18}, HTTP/ipadevmstr.collmedia.net at COLLMEDIA.NET for
ldap/ipadevmstr.collmedia.net at COLLMEDIA.NET
May 31 14:42:31 ipadevmstr.collmedia.net krb5kdc[4190](info): ...
CONSTRAINED-DELEGATION s4u-client=DNS/ipadevmstr.collmedia.net at COLLMEDIA.NET

Do I need to add DNS too?

Thanks a lot,
Guy

On 05/31/2013 12:48 PM, Rob Crittenden wrote:
> Guy Matz wrote:
>> Hi!  I'm writing a web UI to front-end an "ipa host-add" . . .  the web
>> ui runs as a special user who I would like to give credentials to allow
>> it to be able to run the ipa commands necessary . . .  I thought I would
>> need to give it a host privilege, but I'm bumping up into the following:
>>
>> ipa: ERROR: Insufficient access: Insufficient 'add' privilege to the
>> 'userPassword' attribute
>>
>> That looks like more of an LDAP issue . . .  Do any of you guys know how I
>> get around this?
> What privileges did you assign to the role that this user is a member of?
>
> rob
>
>
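
To make the KDC exchange in the log above easier to read, here is an added example (not from this thread and not FreeIPA's own code) that parses krb5kdc lines of the form quoted, reports which principals authenticated directly with their own key, lists tickets obtained through constrained delegation (S4U2Proxy), and cross-checks the directly authenticating principals against a `klist -k` listing. The log and keytab samples are constructed copies modelled on the post's output, with the archive's " at " restored to "@" and wrapped lines joined; the regexes assume the MIT krb5kdc line layout shown in the post and nothing else.

```python
import re
from dataclasses import dataclass
from typing import Optional

# Constructed sample input, modelled on the krb5kdc log quoted in the post
# (wrapped lines joined, the list archive's " at " restored to "@").
SAMPLE_KDC_LOG = """\
May 31 14:42:30 ipadevmstr.collmedia.net krb5kdc[4190](info): AS_REQ (4 etypes {18 17 16 23}) 192.168.8.111: NEEDED_PREAUTH: DNS/ipadevmstr.collmedia.net@COLLMEDIA.NET for krbtgt/COLLMEDIA.NET@COLLMEDIA.NET, Additional pre-authentication required
May 31 14:42:30 ipadevmstr.collmedia.net krb5kdc[4190](info): AS_REQ (4 etypes {18 17 16 23}) 192.168.8.111: ISSUE: authtime 1370025750, etypes {rep=18 tkt=18 ses=18}, DNS/ipadevmstr.collmedia.net@COLLMEDIA.NET for krbtgt/COLLMEDIA.NET@COLLMEDIA.NET
May 31 14:42:31 ipadevmstr.collmedia.net krb5kdc[4190](info): TGS_REQ (4 etypes {18 17 16 23}) 192.168.8.111: ISSUE: authtime 1370025263, etypes {rep=18 tkt=18 ses=18}, HTTP/ipadevmstr.collmedia.net@COLLMEDIA.NET for ldap/ipadevmstr.collmedia.net@COLLMEDIA.NET
May 31 14:42:31 ipadevmstr.collmedia.net krb5kdc[4190](info): ... CONSTRAINED-DELEGATION s4u-client=DNS/ipadevmstr.collmedia.net@COLLMEDIA.NET
"""

# Constructed sample, modelled on the `klist -k` output in the post.
SAMPLE_KLIST = """\
Keytab name: FILE:krb5.keytab
KVNO Principal
---- --------------------------------------------------------------------------
   3 host/ipadevmstr.collmedia.net@COLLMEDIA.NET
   3 ldap/ipadevmstr.collmedia.net@COLLMEDIA.NET
"""

# Assumed line layout: "<KIND> (<n> etypes {...}) <ip>: <STATUS>: ... <client> for <server>"
REQ_RE = re.compile(
    r"(?P<kind>AS_REQ|TGS_REQ) \(\d+ etypes \{[^}]*\}\) "
    r"(?P<ip>\d{1,3}(?:\.\d{1,3}){3}): (?P<status>[A-Z_]+):.*?"
    r"(?P<client>[^\s,]+@[^\s,]+) for (?P<server>[^\s,]+@[^\s,]+)"
)
S4U_RE = re.compile(r"CONSTRAINED-DELEGATION s4u-client=(?P<s4u>[^\s,]+@[^\s,]+)")
KEYTAB_RE = re.compile(r"^\s*\d+\s+(?P<principal>[^\s,]+@[^\s,]+)\s*$")


@dataclass
class KdcEvent:
    kind: str          # AS_REQ (initial authentication) or TGS_REQ (service ticket)
    ip: str            # client address as logged by the KDC
    status: str        # ISSUE, NEEDED_PREAUTH, ...
    client: str        # principal the ticket is issued to
    server: str        # principal the ticket is issued for
    s4u_client: Optional[str] = None  # impersonated principal, for S4U2Proxy


def parse_kdc_log(text: str) -> list[KdcEvent]:
    """Turn krb5kdc log lines into events; a CONSTRAINED-DELEGATION marker on
    its own line is attached to the TGS_REQ that precedes it."""
    events: list[KdcEvent] = []
    for line in text.splitlines():
        req = REQ_RE.search(line)
        s4u = S4U_RE.search(line)
        if req:
            events.append(KdcEvent(req["kind"], req["ip"], req["status"],
                                   req["client"], req["server"],
                                   s4u["s4u"] if s4u else None))
        elif s4u and events and events[-1].kind == "TGS_REQ":
            events[-1].s4u_client = s4u["s4u"]
    return events


def parse_keytab_listing(text: str) -> set[str]:
    """Principals present in `klist -k` output (one entry per etype collapses)."""
    return {m["principal"] for line in text.splitlines()
            if (m := KEYTAB_RE.match(line))}


def direct_authentications(events: list[KdcEvent]) -> set[str]:
    """Principals that completed an AS exchange, i.e. proved possession of
    their own key (password or keytab) rather than arriving via delegation."""
    return {e.client for e in events if e.kind == "AS_REQ" and e.status == "ISSUE"}


def delegations(events: list[KdcEvent]) -> list[tuple[str, str, str]]:
    """(proxy service, impersonated client, target service) for each S4U2Proxy
    ticket: the entries to review when one service acts on behalf of another."""
    return [(e.client, e.s4u_client, e.server)
            for e in events if e.kind == "TGS_REQ" and e.s4u_client]


def not_in_keytab(events: list[KdcEvent], keytab: set[str]) -> set[str]:
    """Principals the KDC saw authenticate but that the inspected keytab does
    not contain: they must have used some other key material."""
    return direct_authentications(events) - keytab


if __name__ == "__main__":
    ev = parse_kdc_log(SAMPLE_KDC_LOG)
    kt = parse_keytab_listing(SAMPLE_KLIST)
    print("keytab:", sorted(kt))
    print("authenticated directly:", sorted(direct_authentications(ev)))
    for proxy, who, target in delegations(ev):
        print(f"delegation: {proxy} acting as {who} -> {target}")
    print("authenticated but not in this keytab:", sorted(not_in_keytab(ev, kt)))
```

Run against the samples, the script shows the shape of the exchange in the post: the DNS/ principal authenticates with its own key (AS_REQ), then the HTTP/ service obtains an ldap/ ticket while acting as that DNS/ principal through constrained delegation, and the DNS/ principal is the one absent from the keytab that was listed. Which credentials a given service is actually picking up is a separate question the parser cannot answer; it only makes the KDC's view of the exchange explicit so the two can be compared.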
