[Freeipa-users] KDC returned error string: NOT_ALLOWED_TO_DELEGATE

Rob Crittenden rcritten@redhat.com
Wed Aug 24 20:32:30 UTC 2016


Linov Suresh wrote:
> Looks like our issue is discussed here, and *is missing one or more
> memberPrincipal*.
>
> https://www.redhat.com/archives/freeipa-users/2013-April/msg00228.html
>
> When I tried to add the principal, I'm getting an error,

You didn't follow the instructions in the e-mail thread. The problem 
isn't a principal that doesn't exist, it is a principal not in the 
delegation list. Do the ldapsearches and see what is missing (and you'll 
need to use -Y GSSAPI instead of -x) then add it using ldapmodify.

Only under very specific circumstances would I ever recommend using 
kadmin.local.

rob

>
>
> [root@ipa01 ~]# kadmin.local
> Authenticating as principal admin/admin@TELOIP.NET with password.
> kadmin.local:  addprinc -randkey HTTP/ipa02.teloip.net@TELOIP.NET
> WARNING: no policy specified for HTTP/ipa02.teloip.net@TELOIP.NET; defaulting to no policy
> add_principal: Principal or policy already exists while creating
> "HTTP/ipa02.teloip.net@TELOIP.NET"
>
> [root@ipa01 ~]# kadmin.local
> Authenticating as principal admin/admin@TELOIP.NET with password.
> kadmin.local:  addprinc -randkey ldap/ipa02.teloip.net@TELOIP.NET
> WARNING: no policy specified for ldap/ipa02.teloip.net@TELOIP.NET; defaulting to no policy
> add_principal: Principal or policy already exists while creating
> "ldap/ipa02.teloip.net@TELOIP.NET".
>
> Could you please help us to fix the "*KDC returned error string:
> NOT_ALLOWED_TO_DELEGATE*" error?
>
>
> [root@caer ~]# kadmin.local
> Authenticating as principal admin/admin@TELOIP.NET with password.
> kadmin.local:  addprinc -randkey HTTP/neit.teloip.net@TELOIP.NET
> WARNING: no policy specified for HTTP/neit.teloip.net@TELOIP.NET; defaulting to no policy
> add_principal: Principal or policy already exists while creating
> "HTTP/neit.teloip.net@TELOIP.NET"
>
> On Tue, Aug 16, 2016 at 7:58 AM, Martin Kosek <mkosek@redhat.com> wrote:
>
>     On 08/16/2016 09:25 AM, Petr Spacek wrote:
>     > On 15.8.2016 20:18, Linov Suresh wrote:
>     >> We have an IPA replica set up on RHEL 6.4 and it is FreeIPA 3.0.0
>     >>
>     >>
>     >> We can only add the clients from IPA Server 01, not from IPA Server 02.
>     >> When I tried to add the client from IPA Server 02, I was getting the error,
>     >>
>     >>
>     >> ipa: ERROR: Insufficient access: SASL(-1): generic failure: GSSAPI Error:
>     >> Unspecified GSS failure.  Minor code may provide more information (KDC
>     >> returned error string: NOT_ALLOWED_TO_DELEGATE)
>     >>
>     >> SASL/GSSAPI authentication started
>     >>
>     >> SASL username: vpham@EXAMPLE.NET
>     >>
>     >> SASL SSF: 56
>     >>
>     >> SASL data security layer installed.
>     >>
>     >> ldap_modify: No such object (32)
>     >>
>     >>         additional info: Range Check error
>     >>
>     >> modifying entry "fqdn=cpe-5061747522f9.example.net,cn=computers,cn=accounts,dc=example,dc=net"
>     >>
>     >>
>     >> Could you please help us to fix this?
>     >
>     > We need to see the exact steps you did before we can give you any
>     > meaningful advice.
>     >
>     > Please have a look at
>     > http://www.chiark.greenend.org.uk/~sgtatham/bugs.html
>     >
>     > It is a very nice document which describes the general bug reporting
>     > procedure and best practices.
>     >
>     > We will certainly have a look but we need to first see the
>     > information :-)
>     >
>
>     Also, using IPA on RHEL-6.4 is discouraged. This is a really old
>     release and there are known issues (in cert renewals for example).
>     Using at least RHEL-6.8 or, even better, RHEL-7.2 is preferred and
>     would help you avoid known issues and deficiencies (and the newer
>     FreeIPA versions are way cooler anyway).

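The check Rob describes above (ldapsearch with -Y GSSAPI against the delegation ACLs, then ldapmodify to add whatever is missing), as an added worked example that is not from the thread and not FreeIPA's own code. It assumes the layout FreeIPA uses for constrained delegation: cn=ipa-http-delegation (the HTTP/ principals allowed to delegate) and cn=ipa-ldap-delegation-targets (the ldap/ principals they may delegate to), both under cn=s4u2proxy,cn=etc,$SUFFIX. A replica whose HTTP/ principal is missing from the first entry gets NOT_ALLOWED_TO_DELEGATE when its web framework tries S4U2Proxy to LDAP, which is the symptom shown in the thread. The realm, suffix, hostnames and the ldapsearch output below are constructed for illustration:

```shell
#!/bin/sh
# Added example, not code from the thread or from FreeIPA: find which IPA
# server principals are missing from the S4U2Proxy delegation ACLs and build
# the LDIF that adds them. Realm, suffix and hostnames are assumptions.

REALM="EXAMPLE.NET"
SUFFIX="dc=example,dc=net"
S4U2PROXY="cn=s4u2proxy,cn=etc,$SUFFIX"

# Every IPA server (first master and all replicas) that must be able to
# delegate: its HTTP/ principal belongs in cn=ipa-http-delegation and its
# ldap/ principal in cn=ipa-ldap-delegation-targets.
SERVERS="ipa01.example.net ipa02.example.net"

# Print the memberPrincipal values of one entry ($1 = its cn) from an LDIF
# search result read on stdin. LDIF folds long lines with a leading space,
# so continuation lines are joined back before matching.
current_members() {
    awk -v want="cn=$1," '
        function emit(l) {
            if (l ~ /^dn: /)      in_entry = (index(l, want) > 0)
            else if (in_entry && l ~ /^memberPrincipal: /) print substr(l, 18)
        }
        /^ /  { line = line substr($0, 2); next }
              { if (line != "") emit(line); line = $0 }
        END   { if (line != "") emit(line) }'
}

# Print the expected principals ($2 = service name, HTTP or ldap) that are
# not yet members of entry $1. Reads the same search result on stdin.
missing_members() {
    have=$(current_members "$1")
    for host in $SERVERS; do
        princ="$2/$host@$REALM"
        printf '%s\n' "$have" | grep -qxF "$princ" || echo "$princ"
    done
}

# Emit an ldapmodify LDIF that adds the given principals to entry $1.
# Prints nothing when there is nothing to add.
ldif_add() {
    entry="$1"; shift
    [ $# -eq 0 ] && return 0
    printf 'dn: cn=%s,%s\nchangetype: modify\nadd: memberPrincipal\n' \
        "$entry" "$S4U2PROXY"
    for p in "$@"; do printf 'memberPrincipal: %s\n' "$p"; done
    printf '\n'
}

# Read the search result for the whole s4u2proxy container on stdin and
# write the LDIF for everything that is missing from both ACL entries.
delegation_fixup() {
    input=$(cat)
    http_missing=$(printf '%s\n' "$input" | missing_members ipa-http-delegation HTTP)
    ldap_missing=$(printf '%s\n' "$input" | missing_members ipa-ldap-delegation-targets ldap)
    # unquoted on purpose: one principal per word, none contain whitespace
    ldif_add ipa-http-delegation $http_missing
    ldif_add ipa-ldap-delegation-targets $ldap_missing
}

# Constructed sample of what
#   ldapsearch -Y GSSAPI -LLL -b "$S4U2PROXY" memberPrincipal
# might return where the replica ipa02 was never added to the HTTP delegation
# ACL (the folded last line mimics ldapsearch's 76-column line wrapping).
SAMPLE_SEARCH='dn: cn=ipa-http-delegation,cn=s4u2proxy,cn=etc,dc=example,dc=net
memberPrincipal: HTTP/ipa01.example.net@EXAMPLE.NET

dn: cn=ipa-ldap-delegation-targets,cn=s4u2proxy,cn=etc,dc=example,dc=net
memberPrincipal: ldap/ipa01.example.net@EXAMPLE.NET
memberPrincipal: ldap/ipa02.example.net@EXAMPLE.NE
 T'

# Offline demonstration on the sample. On a real IPA server, as root after
# kinit admin, replace the printf with the ldapsearch above, save the output
# as fix.ldif, review it, then apply it with:  ldapmodify -Y GSSAPI -f fix.ldif
printf '%s\n' "$SAMPLE_SEARCH" | delegation_fixup
```

Run on the sample, the script emits a single modify for cn=ipa-http-delegation adding HTTP/ipa02.example.net@EXAMPLE.NET and nothing for the ldap targets, which already list both servers. The -Y GSSAPI bind matters for the same reason Rob gives: these entries are not readable or writable with an anonymous simple bind, so -x would make every principal look missing. Compare the list of servers you put in SERVERS against ipa-replica-manage list before trusting the result.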