[Freeipa-users] KDC returned error string: NOT_ALLOWED_TO_DELEGATE
Rob Crittenden
rcritten at redhat.com
Wed Aug 24 20:32:30 UTC 2016
Linov Suresh wrote:
> Look like our issue is discussed here, and *is **missing one or more
> memberPrincipal*.
>
> https://www.redhat.com/archives/freeipa-users/2013-April/msg00228.html
>
> When I tried to add the Principal, I'm getting error,
You didn't follow the instructions in the e-mail thread. The problem
isn't a principal that doesn't exist, it is a principal not in the
delegation list. Do the ldapsearch's and see what is missing (and you'll
need to use -Y GSSAPI instead of -x) then add it using ldapmodify.
Only under very specific circumstances would I ever recommend using
kadmin.local.
rob
>
>
> [root at ipa01 ~]# kadmin.local
> Authenticating as principal admin/admin at TELOIP.NET
> <mailto:admin at TELOIP.NET> with password.
> kadmin.local: addprinc -randkey HTTP/ipa02.teloip.net at TELOIP.NET
> <mailto:ipa02.teloip.net at TELOIP.NET>
> WARNING: no policy specified for HTTP/ipa02.teloip.net at TELOIP.NET
> <mailto:ipa02.teloip.net at TELOIP.NET>; defaulting to no policy
> add_principal: Principal or policy already exists while creating
> "HTTP/ipa02.teloip.net at TELOIP.NET <mailto:ipa02.teloip.net at TELOIP.NET>"
>
> [root at ipa01 ~]# kadmin.local
> Authenticating as principal admin/admin at TELOIP.NET
> <mailto:admin at TELOIP.NET> with password.
> kadmin.local: addprinc -randkey ldap/ipa02.teloip.net at TELOIP.NET
> <mailto:ipa02.teloip.net at TELOIP.NET>
> WARNING: no policy specified for ldap/ipa02.teloip.net at TELOIP.NET
> <mailto:ipa02.teloip.net at TELOIP.NET>; defaulting to no policy
> add_principal: Principal or policy already exists while creating
> "ldap/ipa02.teloip.net at TELOIP.NET <mailto:ipa02.teloip.net at TELOIP.NET>".
>
> Could you please help us to fix the "*KDC returned error string:
> NOT_ALLOWED_TO_DELEGATE*" error?
>
>
> [root at caer ~]# kadmin.local
> Authenticating as principal admin/admin at TELOIP.NET
> <mailto:admin at TELOIP.NET> with password.
> kadmin.local: addprinc -randkey HTTP/neit.teloip.net at TELOIP.NET
> <mailto:neit.teloip.net at TELOIP.NET>
> WARNING: no policy specified for HTTP/neit.teloip.net at TELOIP.NET
> <mailto:neit.teloip.net at TELOIP.NET>; defaulting to no policy
> add_principal: Principal or policy already exists while creating
> "HTTP/neit.teloip.net at TELOIP.NET <mailto:neit.teloip.net at TELOIP.NET>"
>
>
>
>
>
>
> On Tue, Aug 16, 2016 at 7:58 AM, Martin Kosek <mkosek at redhat.com
> <mailto:mkosek at redhat.com>> wrote:
>
> On 08/16/2016 09:25 AM, Petr Spacek wrote:
> > On 15.8.2016 20:18, Linov Suresh wrote:
> >> We have IPA replica set up in RHEL 6.4 and is FreeIPA 3.0.0
> >>
> >>
> >> We can only add the clients from IPA Server 01, not from IPA Server 02.
> >> When I tried to add the client from IPA Server 02, getting the error,
> >>
> >>
> >> ipa: ERROR: Insufficient access: SASL(-1): generic failure: GSSAPI Error:
> >> Unspecified GSS failure. Minor code may provide more information (KDC
> >> returned error string: NOT_ALLOWED_TO_DELEGATE)
> >>
> >> SASL/GSSAPI authentication started
> >>
> >> SASL username:vpham at EXAMPLE.NET <mailto:vpham at EXAMPLE.NET>
> >>
> >> SASL SSF: 56
> >>
> >> SASL data security layer installed.
> >>
> >> ldap_modify: No such object (32)
> >>
> >> additional info: Range Check error
> >>
> >> modifying entry "fqdn=cpe-5061747522f9.example.net <http://cpe-5061747522f9.example.net>
> >> ,cn=computers,cn=accounts,dc=example,dc=net"
> >>
> >>
> >> Could you please help us to fix this?
> >
> > We need to see exact steps you did before we can give you any
> meaningful advice.
> >
> > Please have a look at
> > http://www.chiark.greenend.org.uk/~sgtatham/bugs.html
> <http://www.chiark.greenend.org.uk/~sgtatham/bugs.html>
> >
> > It is a very nice document which describes general bug reporting
> procedure and
> > best practices.
> >
> > We will certainly have a look but we need first see the
> information :-)
> >
>
> Also, using IPA on RHEL-6.4 is discouraged. This is a really old
> release and
> there are known issues (in cert renewals for example). Using at
> least RHEL-6.8
> or, even better, RHEL-7.2 is preferred and would help you avoid
> known issues
> and deficiencies (and the newer FreeIPA versions are way cooler anyway).
>
>
>
>
More information about the Freeipa-users
mailing list