[Freeipa-users] KDC returned error string: NOT_ALLOWED_TO_DELEGATE

Linov Suresh linov.suresh at gmail.com
Fri Aug 5 14:52:43 UTC 2016


We have FreeIPA 3.0.0 running on CentOS 6.4, with the master ipa01 (configured
with the --setup-ca option) and the replica ipa02 (configured without the
--setup-ca option).

We use a script to add ipa clients to the server; when we tried to add new ipa
clients, we got this error:

ipa: ERROR: Insufficient access: SASL(-1): generic failure: GSSAPI Error:
Unspecified GSS failure.  Minor code may provide more information (KDC
returned error string: NOT_ALLOWED_TO_DELEGATE)

What we have noticed is that memberPrincipal: HTTP/ipa02.teloip.net@TELOIP.NET
is missing on both the master and the replica server.

IPA master:

[root at ipa01 ~]# ldapsearch -x -b
cn=ipa-http-delegation,cn=s4u2proxy,cn=etc,dc=teloip,dc=net
# extended LDIF
#
# LDAPv3
# base <cn=ipa-http-delegation,cn=s4u2proxy,cn=etc,dc=teloip,dc=net> with
scope subtree
# filter: (objectclass=*)
# requesting: ALL
#

# ipa-http-delegation, s4u2proxy, etc, teloip.net
dn: cn=ipa-http-delegation,cn=s4u2proxy,cn=etc,dc=teloip,dc=net
objectClass: ipaKrb5DelegationACL
objectClass: groupOfPrincipals
objectClass: top
ipaAllowedTarget:
cn=ipa-ldap-delegation-targets,cn=s4u2proxy,cn=etc,dc=teloip,dc=net
ipaAllowedTarget:
cn=ipa-cifs-delegation-targets,cn=s4u2proxy,cn=etc,dc=teloip,dc=net
memberPrincipal: HTTP/ipa01.teloip.net at TELOIP.NET
cn: ipa-http-delegation

# search result
search: 2
result: 0 Success

# numResponses: 2
# numEntries: 1
[root at ipa01 ~]#

IPA replica:

[root at ipa02 /]# ldapsearch -x -b
cn=ipa-http-delegation,cn=s4u2proxy,cn=etc,dc=teloip,dc=net
# extended LDIF
#
# LDAPv3
# base <cn=ipa-http-delegation,cn=s4u2proxy,cn=etc,dc=teloip,dc=net> with
scope subtree
# filter: (objectclass=*)
# requesting: ALL
#

# ipa-http-delegation, s4u2proxy, etc, teloip.net
dn: cn=ipa-http-delegation,cn=s4u2proxy,cn=etc,dc=teloip,dc=net
cn: ipa-http-delegation
memberPrincipal: HTTP/ipa01.teloip.net at TELOIP.NET
ipaAllowedTarget:
cn=ipa-ldap-delegation-targets,cn=s4u2proxy,cn=etc,dc=teloip,dc=net
ipaAllowedTarget:
cn=ipa-cifs-delegation-targets,cn=s4u2proxy,cn=etc,dc=teloip,dc=net
objectClass: ipaKrb5DelegationACL
objectClass: groupOfPrincipals
objectClass: top

# search result
search: 2
result: 0 Success

# numResponses: 2
# numEntries: 1

Your help is highly appreciated,

Linov Suresh.
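As an added example (not part of the original message), a small Python script that parses the LDIF that ldapsearch prints for the ipa-http-delegation entry and reports which IPA servers have no HTTP/<fqdn>@REALM value in memberPrincipal, which is the check the post performs by eye. The hostnames and realm are the ones named in the post, the LDIF text is constructed to match the master's entry, and principals are written with @ rather than the list archive's "at".

```python
# Added example (not from the original message): parse the LDIF printed by
# `ldapsearch -x -b cn=ipa-http-delegation,cn=s4u2proxy,cn=etc,<suffix>` and
# report which IPA servers lack an HTTP/<fqdn>@REALM value in memberPrincipal.

# Constructed sample matching the master's entry; the ipaAllowedTarget value
# is folded onto a continuation line, as ldapsearch does for long values.
SAMPLE_LDIF = """\
# ipa-http-delegation, s4u2proxy, etc, teloip.net
dn: cn=ipa-http-delegation,cn=s4u2proxy,cn=etc,dc=teloip,dc=net
objectClass: ipaKrb5DelegationACL
objectClass: groupOfPrincipals
objectClass: top
ipaAllowedTarget:
 cn=ipa-ldap-delegation-targets,cn=s4u2proxy,cn=etc,dc=teloip,dc=net
memberPrincipal: HTTP/ipa01.teloip.net@TELOIP.NET
cn: ipa-http-delegation

# search result
search: 2
result: 0 Success
"""


def parse_ldif_entry(text):
    """Return {attribute: [values]} for the first entry; joins folded lines."""
    logical = []
    for line in text.splitlines():
        if line.startswith(" ") and logical:
            logical[-1] += line[1:]      # LDIF line folding
        else:
            logical.append(line)
    attrs = {}
    for line in logical:
        if line.startswith("#"):
            continue                     # ldapsearch comment
        if not line:
            if attrs:
                break                    # blank line ends the entry
            continue
        key, _, value = line.partition(":")
        attrs.setdefault(key.strip(), []).append(value.strip())
    return attrs


def missing_http_principals(ldif_text, servers, realm):
    """HTTP principals of `servers` absent from the ACL's memberPrincipal."""
    members = set(parse_ldif_entry(ldif_text).get("memberPrincipal", []))
    return [p for p in ("HTTP/%s@%s" % (h, realm) for h in servers)
            if p not in members]
```

Running `missing_http_principals(SAMPLE_LDIF, ["ipa01.teloip.net", "ipa02.teloip.net"], "TELOIP.NET")` against the sample returns only the replica's principal, matching what the post observed; the same call can be fed the real `ldapsearch` output from each server.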