[Freeipa-users] KDC returned error string: NOT_ALLOWED_TO_DELEGATE

Rob Crittenden rcritten at redhat.com
Thu Aug 25 19:49:09 UTC 2016


Linov Suresh wrote:
> I ran ldapsearch -Y GSSAPI, what we are seeing is IPA server 2, ipa02,
> is missing on both master and replica servers. Do we need to add IPA
> server 2, ipa02 on both master and replica?

No, it should replicate. I find it very strange that these are missing.
I wonder what else wasn't set up when the replica was created.

In any case, this will add the entries:

# ldapmodify -Y GSSAPI
dn: cn=ipa-http-delegation,cn=s4u2proxy,cn=etc,dc=teloip,dc=net
changetype: modify
add: memberPrincipal
memberPrincipal: HTTP/ipa02.teloip.net@TELOIP.NET

^D

# ldapmodify -Y GSSAPI
dn: cn=ipa-ldap-delegation-targets,cn=s4u2proxy,cn=etc,dc=teloip,dc=net
changetype: modify
add: memberPrincipal
memberPrincipal: ldap/ipa02.teloip.net@TELOIP.NET

^D

rob
>
> [root@ipa01 ~]# ldapsearch -Y GSSAPI -H ldap://ipa01.teloip.net -b "cn=s4u2proxy,cn=etc,dc=teloip,dc=net"
> SASL/GSSAPI authentication started
> SASL username: admin@TELOIP.NET
> SASL SSF: 56
> SASL data security layer installed.
> # extended LDIF
> #
> # LDAPv3
> # base <cn=s4u2proxy,cn=etc,dc=teloip,dc=net> with scope subtree
> # filter: (objectclass=*)
> # requesting: ALL
> #
>
> # s4u2proxy, etc, teloip.net
> dn: cn=s4u2proxy,cn=etc,dc=teloip,dc=net
> objectClass: nsContainer
> objectClass: top
> cn: s4u2proxy
>
> # ipa-http-delegation, s4u2proxy, etc, teloip.net
> dn: cn=ipa-http-delegation,cn=s4u2proxy,cn=etc,dc=teloip,dc=net
> objectClass: ipaKrb5DelegationACL
> objectClass: groupOfPrincipals
> objectClass: top
> ipaAllowedTarget: cn=ipa-ldap-delegation-targets,cn=s4u2proxy,cn=etc,dc=teloip,dc=net
> ipaAllowedTarget: cn=ipa-cifs-delegation-targets,cn=s4u2proxy,cn=etc,dc=teloip,dc=net
> memberPrincipal: HTTP/ipa01.teloip.net@TELOIP.NET
> cn: ipa-http-delegation
>
> # ipa-cifs-delegation-targets, s4u2proxy, etc, teloip.net
> dn: cn=ipa-cifs-delegation-targets,cn=s4u2proxy,cn=etc,dc=teloip,dc=net
> objectClass: groupOfPrincipals
> objectClass: top
> cn: ipa-cifs-delegation-targets
>
> # ipa-ldap-delegation-targets, s4u2proxy, etc, teloip.net
> dn: cn=ipa-ldap-delegation-targets,cn=s4u2proxy,cn=etc,dc=teloip,dc=net
> objectClass: groupOfPrincipals
> objectClass: top
> memberPrincipal: ldap/ipa01.teloip.net@TELOIP.NET
> cn: ipa-ldap-delegation-targets
>
> # search result
> search: 4
> result: 0 Success
>
> # numResponses: 5
> # numEntries: 4
> [root@ipa01 ~]#
>
> [root@ipa02 ~]# ldapsearch -Y GSSAPI -H ldap://ipa02.teloip.net -b "cn=s4u2proxy,cn=etc,dc=teloip,dc=net"
> SASL/GSSAPI authentication started
> SASL username: admin@TELOIP.NET
> SASL SSF: 56
> SASL data security layer installed.
> # extended LDIF
> #
> # LDAPv3
> # base <cn=s4u2proxy,cn=etc,dc=teloip,dc=net> with scope subtree
> # filter: (objectclass=*)
> # requesting: ALL
> #
>
> # s4u2proxy, etc, teloip.net
> dn: cn=s4u2proxy,cn=etc,dc=teloip,dc=net
> cn: s4u2proxy
> objectClass: nsContainer
> objectClass: top
>
> # ipa-http-delegation, s4u2proxy, etc, teloip.net
> dn: cn=ipa-http-delegation,cn=s4u2proxy,cn=etc,dc=teloip,dc=net
> cn: ipa-http-delegation
> memberPrincipal: HTTP/ipa01.teloip.net@TELOIP.NET
> ipaAllowedTarget: cn=ipa-ldap-delegation-targets,cn=s4u2proxy,cn=etc,dc=teloip,dc=net
> ipaAllowedTarget: cn=ipa-cifs-delegation-targets,cn=s4u2proxy,cn=etc,dc=teloip,dc=net
> objectClass: ipaKrb5DelegationACL
> objectClass: groupOfPrincipals
> objectClass: top
>
> # ipa-cifs-delegation-targets, s4u2proxy, etc, teloip.net
> dn: cn=ipa-cifs-delegation-targets,cn=s4u2proxy,cn=etc,dc=teloip,dc=net
> cn: ipa-cifs-delegation-targets
> objectClass: groupOfPrincipals
> objectClass: top
>
> # ipa-ldap-delegation-targets, s4u2proxy, etc, teloip.net
> dn: cn=ipa-ldap-delegation-targets,cn=s4u2proxy,cn=etc,dc=teloip,dc=net
> cn: ipa-ldap-delegation-targets
> memberPrincipal: ldap/ipa01.teloip.net@TELOIP.NET
> objectClass: groupOfPrincipals
> objectClass: top
>
> # search result
> search: 4
> result: 0 Success
>
> # numResponses: 5
> # numEntries: 4
> [root@ipa02 ~]#
>
> Appreciate your help,
>
> Linov Suresh.
>
>
>
> On Wed, Aug 24, 2016 at 4:32 PM, Rob Crittenden <rcritten@redhat.com> wrote:
>
>     Linov Suresh wrote:
>
>         Looks like our issue is discussed here, and is missing one or more
>         memberPrincipal.
>
>         https://www.redhat.com/archives/freeipa-users/2013-April/msg00228.html
>
>         When I tried to add the Principal, I'm getting an error,
>
>
>     You didn't follow the instructions in the e-mail thread. The problem
>     isn't a principal that doesn't exist, it is a principal not in the
>     delegation list. Do the ldapsearches and see what is missing (and
>     you'll need to use -Y GSSAPI instead of -x) then add it using
>     ldapmodify.
>
>     Only under very specific circumstances would I ever recommend using
>     kadmin.local.
>
>     rob
>
>
>
>         [root@ipa01 ~]# kadmin.local
>         Authenticating as principal admin/admin@TELOIP.NET with password.
>         kadmin.local:  addprinc -randkey HTTP/ipa02.teloip.net@TELOIP.NET
>         WARNING: no policy specified for HTTP/ipa02.teloip.net@TELOIP.NET; defaulting to no policy
>         add_principal: Principal or policy already exists while creating "HTTP/ipa02.teloip.net@TELOIP.NET"
>
>         [root@ipa01 ~]# kadmin.local
>         Authenticating as principal admin/admin@TELOIP.NET with password.
>         kadmin.local:  addprinc -randkey ldap/ipa02.teloip.net@TELOIP.NET
>         WARNING: no policy specified for ldap/ipa02.teloip.net@TELOIP.NET; defaulting to no policy
>         add_principal: Principal or policy already exists while creating "ldap/ipa02.teloip.net@TELOIP.NET".
>
>         Could you please help us to fix the "KDC returned error string:
>         NOT_ALLOWED_TO_DELEGATE" error?
>
>         [root@caer ~]# kadmin.local
>         Authenticating as principal admin/admin@TELOIP.NET with password.
>         kadmin.local:  addprinc -randkey HTTP/neit.teloip.net@TELOIP.NET
>         WARNING: no policy specified for HTTP/neit.teloip.net@TELOIP.NET; defaulting to no policy
>         add_principal: Principal or policy already exists while creating "HTTP/neit.teloip.net@TELOIP.NET"
>
>         On Tue, Aug 16, 2016 at 7:58 AM, Martin Kosek <mkosek@redhat.com> wrote:
>
>              On 08/16/2016 09:25 AM, Petr Spacek wrote:
>              > On 15.8.2016 20:18, Linov Suresh wrote:
>              >> We have IPA replica set up in RHEL 6.4 and is FreeIPA 3.0.0
>              >>
>              >> We can only add the clients from IPA Server 01, not from
>              >> IPA Server 02. When I tried to add the client from IPA
>              >> Server 02, getting the error,
>              >>
>              >> ipa: ERROR: Insufficient access: SASL(-1): generic failure: GSSAPI Error:
>              >> Unspecified GSS failure.  Minor code may provide more information (KDC
>              >> returned error string: NOT_ALLOWED_TO_DELEGATE)
>              >>
>              >> SASL/GSSAPI authentication started
>              >> SASL username: vpham@EXAMPLE.NET
>              >> SASL SSF: 56
>              >> SASL data security layer installed.
>              >> ldap_modify: No such object (32)
>              >>         additional info: Range Check error
>              >> modifying entry "fqdn=cpe-5061747522f9.example.net,cn=computers,cn=accounts,dc=example,dc=net"
>              >>
>              >> Could you please help us to fix this?
>              >
>              > We need to see the exact steps you did before we can give you any
>              > meaningful advice.
>              >
>              > Please have a look at
>              > http://www.chiark.greenend.org.uk/~sgtatham/bugs.html
>              >
>              > It is a very nice document which describes general bug reporting
>              > procedure and best practices.
>              >
>              > We will certainly have a look but we need to first see the
>              > information :-)
>              >
>
>              Also, using IPA on RHEL-6.4 is discouraged. This is a really old
>              release and there are known issues (in cert renewals for example).
>              Using at least RHEL-6.8 or, even better, RHEL-7.2 is preferred and
>              would help you avoid known issues and deficiencies (and the newer
>              FreeIPA versions are way cooler anyway).
>

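The check Rob describes (compare the s4u2proxy entries against the HTTP and ldap principals every IPA server needs, then add what is missing with ldapmodify) as an added Python example; it is not code from this thread or from FreeIPA. SAMPLE_LDIF is constructed from the ldapsearch output quoted above with the ipa02 principals absent, and the entry-to-service mapping in REQUIRED is an assumption drawn from that output (the cifs target is left out because it carries no memberPrincipal in the thread).

```python
SUFFIX = "cn=s4u2proxy,cn=etc,dc=teloip,dc=net"
# Entry -> service whose principal every IPA server must be listed with there.
REQUIRED = {f"cn=ipa-http-delegation,{SUFFIX}": "HTTP",
            f"cn=ipa-ldap-delegation-targets,{SUFFIX}": "ldap"}
# Constructed sample: the two relevant entries from the ldapsearch output in
# the thread, with one value folded the way ldapsearch wraps long lines.
SAMPLE_LDIF = """\
dn: cn=ipa-http-delegation,cn=s4u2proxy,cn=etc,dc=teloip,dc=net
objectClass: ipaKrb5DelegationACL
ipaAllowedTarget: cn=ipa-ldap-delegation-targets,cn=s4u2proxy,cn=etc,dc=teloip,
 dc=net
memberPrincipal: HTTP/ipa01.teloip.net@TELOIP.NET

dn: cn=ipa-ldap-delegation-targets,cn=s4u2proxy,cn=etc,dc=teloip,dc=net
objectClass: groupOfPrincipals
memberPrincipal: ldap/ipa01.teloip.net@TELOIP.NET
"""

def parse_ldif(text):
    """Return {dn: {attr: [values]}}; unfolds continuation lines, no base64."""
    entries, current = {}, None
    for line in text.replace("\n ", "").splitlines():  # join folded lines
        if not line.strip() or line.startswith("#"):
            continue
        attr, _, value = line.partition(": ")
        if attr == "dn":
            current = entries.setdefault(value, {})
        elif current is not None:
            current.setdefault(attr, []).append(value)
    return entries

def missing_principals(ldif_text, servers, realm):
    """(dn, principal) pairs each IPA server needs but the entries lack."""
    entries, missing = parse_ldif(ldif_text), []
    for dn, service in REQUIRED.items():
        present = entries.get(dn, {}).get("memberPrincipal", [])
        for host in servers:
            principal = f"{service}/{host}@{realm}"
            if principal not in present:
                missing.append((dn, principal))
    return missing

def to_ldif(missing):
    """Render the gaps as modify records for `ldapmodify -Y GSSAPI`."""
    return "\n".join(f"dn: {dn}\nchangetype: modify\nadd: memberPrincipal\n"
                     f"memberPrincipal: {p}\n" for dn, p in missing)

if __name__ == "__main__":
    print(to_ldif(missing_principals(
        SAMPLE_LDIF, ["ipa01.teloip.net", "ipa02.teloip.net"], "TELOIP.NET")))
```

Run against real `ldapsearch -Y GSSAPI -b cn=s4u2proxy,cn=etc,<suffix>` output on each server in place of SAMPLE_LDIF and it prints exactly the LDIF to feed to ldapmodify; the same principal being missing on both master and replica is expected, since the container replicates.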


