[Freeipa-users] KDC returned error string: NOT_ALLOWED_TO_DELEGATE

Linov Suresh linov.suresh at gmail.com
Thu Aug 25 19:38:49 UTC 2016


I ran ldapsearch -Y GSSAPI; what we are seeing is that IPA server 2, ipa02, is
missing on both master and replica servers. Do we need to add IPA server 2,
ipa02, on both master and replica?

[root@ipa01 ~]# ldapsearch -Y GSSAPI -H ldap://ipa01.teloip.net -b "cn=s4u2proxy,cn=etc,dc=teloip,dc=net"
SASL/GSSAPI authentication started
SASL username: admin@TELOIP.NET
SASL SSF: 56
SASL data security layer installed.
# extended LDIF
#
# LDAPv3
# base <cn=s4u2proxy,cn=etc,dc=teloip,dc=net> with scope subtree
# filter: (objectclass=*)
# requesting: ALL
#

# s4u2proxy, etc, teloip.net
dn: cn=s4u2proxy,cn=etc,dc=teloip,dc=net
objectClass: nsContainer
objectClass: top
cn: s4u2proxy

# ipa-http-delegation, s4u2proxy, etc, teloip.net
dn: cn=ipa-http-delegation,cn=s4u2proxy,cn=etc,dc=teloip,dc=net
objectClass: ipaKrb5DelegationACL
objectClass: groupOfPrincipals
objectClass: top
ipaAllowedTarget: cn=ipa-ldap-delegation-targets,cn=s4u2proxy,cn=etc,dc=teloip,dc=net
ipaAllowedTarget: cn=ipa-cifs-delegation-targets,cn=s4u2proxy,cn=etc,dc=teloip,dc=net
memberPrincipal: HTTP/ipa01.teloip.net@TELOIP.NET
cn: ipa-http-delegation

# ipa-cifs-delegation-targets, s4u2proxy, etc, teloip.net
dn: cn=ipa-cifs-delegation-targets,cn=s4u2proxy,cn=etc,dc=teloip,dc=net
objectClass: groupOfPrincipals
objectClass: top
cn: ipa-cifs-delegation-targets

# ipa-ldap-delegation-targets, s4u2proxy, etc, teloip.net
dn: cn=ipa-ldap-delegation-targets,cn=s4u2proxy,cn=etc,dc=teloip,dc=net
objectClass: groupOfPrincipals
objectClass: top
memberPrincipal: ldap/ipa01.teloip.net@TELOIP.NET
cn: ipa-ldap-delegation-targets

# search result
search: 4
result: 0 Success

# numResponses: 5
# numEntries: 4
[root@ipa01 ~]#

[root@ipa02 ~]# ldapsearch -Y GSSAPI -H ldap://ipa02.teloip.net -b "cn=s4u2proxy,cn=etc,dc=teloip,dc=net"
SASL/GSSAPI authentication started
SASL username: admin@TELOIP.NET
SASL SSF: 56
SASL data security layer installed.
# extended LDIF
#
# LDAPv3
# base <cn=s4u2proxy,cn=etc,dc=teloip,dc=net> with scope subtree
# filter: (objectclass=*)
# requesting: ALL
#

# s4u2proxy, etc, teloip.net
dn: cn=s4u2proxy,cn=etc,dc=teloip,dc=net
cn: s4u2proxy
objectClass: nsContainer
objectClass: top

# ipa-http-delegation, s4u2proxy, etc, teloip.net
dn: cn=ipa-http-delegation,cn=s4u2proxy,cn=etc,dc=teloip,dc=net
cn: ipa-http-delegation
memberPrincipal: HTTP/ipa01.teloip.net@TELOIP.NET
ipaAllowedTarget: cn=ipa-ldap-delegation-targets,cn=s4u2proxy,cn=etc,dc=teloip,dc=net
ipaAllowedTarget: cn=ipa-cifs-delegation-targets,cn=s4u2proxy,cn=etc,dc=teloip,dc=net
objectClass: ipaKrb5DelegationACL
objectClass: groupOfPrincipals
objectClass: top

# ipa-cifs-delegation-targets, s4u2proxy, etc, teloip.net
dn: cn=ipa-cifs-delegation-targets,cn=s4u2proxy,cn=etc,dc=teloip,dc=net
cn: ipa-cifs-delegation-targets
objectClass: groupOfPrincipals
objectClass: top

# ipa-ldap-delegation-targets, s4u2proxy, etc, teloip.net
dn: cn=ipa-ldap-delegation-targets,cn=s4u2proxy,cn=etc,dc=teloip,dc=net
cn: ipa-ldap-delegation-targets
memberPrincipal: ldap/ipa01.teloip.net@TELOIP.NET
objectClass: groupOfPrincipals
objectClass: top

# search result
search: 4
result: 0 Success

# numResponses: 5
# numEntries: 4
[root@ipa02 ~]#

Appreciate your help,

Linov Suresh.

On Wed, Aug 24, 2016 at 4:32 PM, Rob Crittenden <rcritten at redhat.com> wrote:

> Linov Suresh wrote:
>
>> Looks like our issue is discussed here, and is missing one or more
>> memberPrincipal.
>>
>> https://www.redhat.com/archives/freeipa-users/2013-April/msg00228.html
>>
>> When I tried to add the principal, I'm getting an error:
>>
>
> You didn't follow the instructions in the e-mail thread. The problem isn't
> a principal that doesn't exist, it is a principal not in the delegation
> list. Do the ldapsearches and see what is missing (and you'll need to use
> -Y GSSAPI instead of -x), then add it using ldapmodify.
>
> Only under very specific circumstances would I ever recommend using
> kadmin.local.
>
> rob
>
>
>>
>> [root@ipa01 ~]# kadmin.local
>> Authenticating as principal admin/admin@TELOIP.NET with password.
>> kadmin.local:  addprinc -randkey HTTP/ipa02.teloip.net@TELOIP.NET
>> WARNING: no policy specified for HTTP/ipa02.teloip.net@TELOIP.NET; defaulting to no policy
>> add_principal: Principal or policy already exists while creating
>> "HTTP/ipa02.teloip.net@TELOIP.NET"
>>
>> [root@ipa01 ~]# kadmin.local
>> Authenticating as principal admin/admin@TELOIP.NET with password.
>> kadmin.local:  addprinc -randkey ldap/ipa02.teloip.net@TELOIP.NET
>> WARNING: no policy specified for ldap/ipa02.teloip.net@TELOIP.NET; defaulting to no policy
>> add_principal: Principal or policy already exists while creating
>> "ldap/ipa02.teloip.net@TELOIP.NET".
>>
>> Could you please help us to fix the "KDC returned error string:
>> NOT_ALLOWED_TO_DELEGATE" error?
>>
>>
>> [root@caer ~]# kadmin.local
>> Authenticating as principal admin/admin@TELOIP.NET with password.
>> kadmin.local:  addprinc -randkey HTTP/neit.teloip.net@TELOIP.NET
>> WARNING: no policy specified for HTTP/neit.teloip.net@TELOIP.NET; defaulting to no policy
>> add_principal: Principal or policy already exists while creating
>> "HTTP/neit.teloip.net@TELOIP.NET"
>>
>> On Tue, Aug 16, 2016 at 7:58 AM, Martin Kosek <mkosek at redhat.com> wrote:
>>
>>     On 08/16/2016 09:25 AM, Petr Spacek wrote:
>>     > On 15.8.2016 20:18, Linov Suresh wrote:
>>     >> We have an IPA replica set up on RHEL 6.4, and it is FreeIPA 3.0.0.
>>     >>
>>     >> We can only add the clients from IPA Server 01, not from IPA Server 02.
>>     >> When I tried to add the client from IPA Server 02, I'm getting the error:
>>     >>
>>     >> ipa: ERROR: Insufficient access: SASL(-1): generic failure: GSSAPI Error:
>>     >> Unspecified GSS failure.  Minor code may provide more information (KDC
>>     >> returned error string: NOT_ALLOWED_TO_DELEGATE)
>>     >>
>>     >> SASL/GSSAPI authentication started
>>     >> SASL username: vpham@EXAMPLE.NET
>>     >> SASL SSF: 56
>>     >> SASL data security layer installed.
>>     >> ldap_modify: No such object (32)
>>     >>         additional info: Range Check error
>>     >> modifying entry "fqdn=cpe-5061747522f9.example.net,cn=computers,cn=accounts,dc=example,dc=net"
>>     >>
>>     >> Could you please help us to fix this?
>>     >
>>     > We need to see exact steps you did before we can give you any
>>     > meaningful advice.
>>     >
>>     > Please have a look at
>>     > http://www.chiark.greenend.org.uk/~sgtatham/bugs.html
>>     >
>>     > It is a very nice document which describes general bug reporting
>>     > procedure and best practices.
>>     >
>>     > We will certainly have a look but we need to first see the
>>     > information :-)
>>     >
>>
>>     Also, using IPA on RHEL-6.4 is discouraged. This is a really old
>>     release and there are known issues (in cert renewals for example).
>>     Using at least RHEL-6.8 or, even better, RHEL-7.2 is preferred and
>>     would help you avoid known issues and deficiencies (and the newer
>>     FreeIPA versions are way cooler anyway).
>>
>
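As an added example (not part of Linov's or Rob's messages, and not FreeIPA's own tooling), the following Python script applies Rob's advice to the ldapsearch output above mechanically: it parses the LDIF, compares each S4U2Proxy delegation entry's memberPrincipal values against the list of IPA servers, and emits the LDIF that ldapmodify would apply. The server list, the realm and the trimmed sample LDIF are constructed from the output posted above; the folded continuation lines (leading space) are included because that is how ldapsearch wraps long values.

```python
"""Check FreeIPA S4U2Proxy delegation ACLs for missing memberPrincipal values.

Added example; the server list, realm and sample LDIF are constructed
from the ldapsearch output in the thread, not read from a live server.
"""

REALM = "TELOIP.NET"
IPA_SERVERS = ["ipa01.teloip.net", "ipa02.teloip.net"]  # assumed: all masters and replicas

# Which delegation entry must carry which service principal for every IPA server.
EXPECTED = {
    "cn=ipa-http-delegation,cn=s4u2proxy,cn=etc,dc=teloip,dc=net": "HTTP",
    "cn=ipa-ldap-delegation-targets,cn=s4u2proxy,cn=etc,dc=teloip,dc=net": "ldap",
}

# Constructed sample of `ldapsearch -Y GSSAPI -b cn=s4u2proxy,cn=etc,dc=teloip,dc=net`.
SAMPLE_LDIF = """\
# extended LDIF
# base <cn=s4u2proxy,cn=etc,dc=teloip,dc=net> with scope subtree
#

# s4u2proxy, etc, teloip.net
dn: cn=s4u2proxy,cn=etc,dc=teloip,dc=net
objectClass: nsContainer
objectClass: top
cn: s4u2proxy

# ipa-http-delegation, s4u2proxy, etc, teloip.net
dn: cn=ipa-http-delegation,cn=s4u2proxy,cn=etc,dc=teloip,dc=net
objectClass: ipaKrb5DelegationACL
objectClass: groupOfPrincipals
objectClass: top
ipaAllowedTarget: cn=ipa-ldap-delegation-targets,cn=s4u2proxy,cn=etc,dc=teloip,
 dc=net
ipaAllowedTarget: cn=ipa-cifs-delegation-targets,cn=s4u2proxy,cn=etc,dc=teloip,
 dc=net
memberPrincipal: HTTP/ipa01.teloip.net@TELOIP.NET
cn: ipa-http-delegation

# ipa-ldap-delegation-targets, s4u2proxy, etc, teloip.net
dn: cn=ipa-ldap-delegation-targets,cn=s4u2proxy,cn=etc,dc=teloip,dc=net
objectClass: groupOfPrincipals
objectClass: top
memberPrincipal: ldap/ipa01.teloip.net@TELOIP.NET
cn: ipa-ldap-delegation-targets

# search result
search: 4
result: 0 Success
"""


def parse_ldif(text):
    """Return {dn: {attr: [values]}} from ldapsearch output.

    Unfolds continuation lines (leading space) and skips '#' comments.
    Enough for ldapsearch output; not a full RFC 2849 parser (no base64 values).
    """
    lines = []
    for raw in text.splitlines():
        if raw.startswith(" ") and lines:   # folded continuation of the previous line
            lines[-1] += raw[1:]
        else:
            lines.append(raw)
    entries, current = {}, None
    for line in lines:
        if not line.strip():                # blank line terminates the entry
            current = None
            continue
        if line.startswith("#"):
            continue
        attr, _, value = line.partition(":")
        value = value.strip()
        if attr == "dn":
            current = entries.setdefault(value, {})
        elif current is not None:           # trailing 'search:'/'result:' lines land here
            current.setdefault(attr, []).append(value)
    return entries


def missing_principals(entries, servers=IPA_SERVERS, realm=REALM):
    """List (dn, principal) pairs the delegation ACLs should contain but do not."""
    missing = []
    for dn, service in EXPECTED.items():
        present = set(entries.get(dn, {}).get("memberPrincipal", []))
        for host in servers:
            principal = f"{service}/{host}@{realm}"
            if principal not in present:
                missing.append((dn, principal))
    return missing


def ldif_for_ldapmodify(missing):
    """Build the change LDIF for `ldapmodify -Y GSSAPI -f fix.ldif`, one mod per entry."""
    changes = [
        f"dn: {dn}\nchangetype: modify\nadd: memberPrincipal\nmemberPrincipal: {principal}\n"
        for dn, principal in missing
    ]
    return "\n".join(changes)


if __name__ == "__main__":
    gaps = missing_principals(parse_ldif(SAMPLE_LDIF))
    for dn, principal in gaps:
        print(f"missing {principal} in {dn}")
    print(ldif_for_ldapmodify(gaps))
```

Against the posted output the script reports `HTTP/ipa02.teloip.net@TELOIP.NET` missing from `cn=ipa-http-delegation` and `ldap/ipa02.teloip.net@TELOIP.NET` missing from `cn=ipa-ldap-delegation-targets`, which matches what the thread calls "missing one or more memberPrincipal". To use it on real data, save the ldapsearch output to a file, pass its contents to `parse_ldif`, write the generated LDIF to `fix.ldif` and apply it with `ldapmodify -Y GSSAPI -H ldap://ipa01.teloip.net -f fix.ldif`. The `cn=etc` subtree is part of the replicated suffix, so a change applied on one master is replicated to the other; re-running the ldapsearch on ipa02 afterwards confirms it arrived. Each memberPrincipal in `ipa-http-delegation` is a service permitted to obtain tickets on a user's behalf to the listed targets, so the list should contain exactly the IPA servers' own HTTP principals and nothing else.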