[Freeipa-users] KDC returned error string: NOT_ALLOWED_TO_DELEGATE

Linov Suresh linov.suresh at gmail.com
Thu Aug 25 20:14:58 UTC 2016


Great! That worked.
Thank you so much, Rob. Your help is highly appreciated.

On Thu, Aug 25, 2016 at 3:49 PM, Rob Crittenden <rcritten at redhat.com> wrote:

> Linov Suresh wrote:
>
>> I ran ldapsearch -Y GSSAPI; what we are seeing is that IPA server 2, ipa02,
>> is missing on both master and replica servers. Do we need to add IPA
>> server 2, ipa02 on both master and replica?
>>
>
> No, it should replicate. I find it very strange that these are missing. I
> wonder what else wasn't setup when the replica was created.
>
> In any case, this will add the entries:
>
> # ldapmodify -Y GSSAPI
> dn: cn=ipa-http-delegation,cn=s4u2proxy,cn=etc,dc=teloip,dc=net
> changetype: modify
> add: memberPrincipal
> memberPrincipal: HTTP/ipa02.teloip.net at TELOIP.NET
>
> ^D
>
> # ldapmodify -Y GSSAPI
> dn: cn=ipa-ldap-delegation-targets,cn=s4u2proxy,cn=etc,dc=teloip,dc=net
> changetype: modify
> add: memberPrincipal
> memberPrincipal: ldap/ipa02.teloip.net at TELOIP.NET
>
> ^D
>
> rob
>
>>
>> [root at ipa01 ~]# ldapsearch -Y GSSAPI -H ldap://ipa01.teloip.net -b "cn=s4u2proxy,cn=etc,dc=teloip,dc=net"
>> SASL/GSSAPI authentication started
>> SASL username: admin at TELOIP.NET
>> SASL SSF: 56
>> SASL data security layer installed.
>> # extended LDIF
>> #
>> # LDAPv3
>> # base <cn=s4u2proxy,cn=etc,dc=teloip,dc=net> with scope subtree
>> # filter: (objectclass=*)
>> # requesting: ALL
>> #
>>
>> # s4u2proxy, etc, teloip.net
>> dn: cn=s4u2proxy,cn=etc,dc=teloip,dc=net
>> objectClass: nsContainer
>> objectClass: top
>> cn: s4u2proxy
>>
>> # ipa-http-delegation, s4u2proxy, etc, teloip.net
>> dn: cn=ipa-http-delegation,cn=s4u2proxy,cn=etc,dc=teloip,dc=net
>> objectClass: ipaKrb5DelegationACL
>> objectClass: groupOfPrincipals
>> objectClass: top
>> ipaAllowedTarget: cn=ipa-ldap-delegation-targets,cn=s4u2proxy,cn=etc,dc=teloip,dc=net
>> ipaAllowedTarget: cn=ipa-cifs-delegation-targets,cn=s4u2proxy,cn=etc,dc=teloip,dc=net
>> memberPrincipal: HTTP/ipa01.teloip.net at TELOIP.NET
>> cn: ipa-http-delegation
>>
>> # ipa-cifs-delegation-targets, s4u2proxy, etc, teloip.net
>> dn: cn=ipa-cifs-delegation-targets,cn=s4u2proxy,cn=etc,dc=teloip,dc=net
>> objectClass: groupOfPrincipals
>> objectClass: top
>> cn: ipa-cifs-delegation-targets
>>
>> # ipa-ldap-delegation-targets, s4u2proxy, etc, teloip.net
>> dn: cn=ipa-ldap-delegation-targets,cn=s4u2proxy,cn=etc,dc=teloip,dc=net
>> objectClass: groupOfPrincipals
>> objectClass: top
>> memberPrincipal: ldap/ipa01.teloip.net at TELOIP.NET
>> cn: ipa-ldap-delegation-targets
>>
>> # search result
>> search: 4
>> result: 0 Success
>>
>> # numResponses: 5
>> # numEntries: 4
>> [root at ipa01 ~]#
>>
>> [root at ipa02 ~]# ldapsearch -Y GSSAPI -H ldap://ipa02.teloip.net -b "cn=s4u2proxy,cn=etc,dc=teloip,dc=net"
>> SASL/GSSAPI authentication started
>> SASL username: admin at TELOIP.NET
>> SASL SSF: 56
>> SASL data security layer installed.
>> # extended LDIF
>> #
>> # LDAPv3
>> # base <cn=s4u2proxy,cn=etc,dc=teloip,dc=net> with scope subtree
>> # filter: (objectclass=*)
>> # requesting: ALL
>> #
>>
>> # s4u2proxy, etc, teloip.net
>> dn: cn=s4u2proxy,cn=etc,dc=teloip,dc=net
>> cn: s4u2proxy
>> objectClass: nsContainer
>> objectClass: top
>>
>> # ipa-http-delegation, s4u2proxy, etc, teloip.net
>> dn: cn=ipa-http-delegation,cn=s4u2proxy,cn=etc,dc=teloip,dc=net
>> cn: ipa-http-delegation
>> memberPrincipal: HTTP/ipa01.teloip.net at TELOIP.NET
>> ipaAllowedTarget: cn=ipa-ldap-delegation-targets,cn=s4u2proxy,cn=etc,dc=teloip,dc=net
>> ipaAllowedTarget: cn=ipa-cifs-delegation-targets,cn=s4u2proxy,cn=etc,dc=teloip,dc=net
>> objectClass: ipaKrb5DelegationACL
>> objectClass: groupOfPrincipals
>> objectClass: top
>>
>> # ipa-cifs-delegation-targets, s4u2proxy, etc, teloip.net
>> dn: cn=ipa-cifs-delegation-targets,cn=s4u2proxy,cn=etc,dc=teloip,dc=net
>> cn: ipa-cifs-delegation-targets
>> objectClass: groupOfPrincipals
>> objectClass: top
>>
>> # ipa-ldap-delegation-targets, s4u2proxy, etc, teloip.net
>> dn: cn=ipa-ldap-delegation-targets,cn=s4u2proxy,cn=etc,dc=teloip,dc=net
>> cn: ipa-ldap-delegation-targets
>> memberPrincipal: ldap/ipa01.teloip.net at TELOIP.NET
>> objectClass: groupOfPrincipals
>> objectClass: top
>>
>> # search result
>> search: 4
>> result: 0 Success
>>
>> # numResponses: 5
>> # numEntries: 4
>> [root at ipa02 ~]#
>>
>> Appreciate your help,
>>
>> Linov Suresh.
>>
>>
>>
>> On Wed, Aug 24, 2016 at 4:32 PM, Rob Crittenden <rcritten at redhat.com> wrote:
>>
>>     Linov Suresh wrote:
>>
>>         Looks like our issue is discussed here, and is "missing one or
>>         more memberPrincipal".
>>
>>         https://www.redhat.com/archives/freeipa-users/2013-April/msg00228.html
>>
>>         When I tried to add the principal, I got an error:
>>
>>
>>     You didn't follow the instructions in the e-mail thread. The problem
>>     isn't a principal that doesn't exist, it is a principal not in the
>>     delegation list. Do the ldapsearches and see what is missing (and
>>     you'll need to use -Y GSSAPI instead of -x), then add it using
>>     ldapmodify.
>>
>>     Only under very specific circumstances would I ever recommend using
>>     kadmin.local.
>>
>>     rob
>>
>>
>>
>>         [root at ipa01 ~]# kadmin.local
>>         Authenticating as principal admin/admin at TELOIP.NET with password.
>>         kadmin.local:  addprinc -randkey HTTP/ipa02.teloip.net at TELOIP.NET
>>         WARNING: no policy specified for HTTP/ipa02.teloip.net at TELOIP.NET; defaulting to no policy
>>         add_principal: Principal or policy already exists while creating "HTTP/ipa02.teloip.net at TELOIP.NET"
>>
>>         [root at ipa01 ~]# kadmin.local
>>         Authenticating as principal admin/admin at TELOIP.NET with password.
>>         kadmin.local:  addprinc -randkey ldap/ipa02.teloip.net at TELOIP.NET
>>         WARNING: no policy specified for ldap/ipa02.teloip.net at TELOIP.NET; defaulting to no policy
>>         add_principal: Principal or policy already exists while creating "ldap/ipa02.teloip.net at TELOIP.NET"
>>
>>         Could you please help us to fix the "KDC returned error string:
>>         NOT_ALLOWED_TO_DELEGATE" error?
>>
>>
>>         [root at caer ~]# kadmin.local
>>         Authenticating as principal admin/admin at TELOIP.NET with password.
>>         kadmin.local:  addprinc -randkey HTTP/neit.teloip.net at TELOIP.NET
>>         WARNING: no policy specified for HTTP/neit.teloip.net at TELOIP.NET; defaulting to no policy
>>         add_principal: Principal or policy already exists while creating "HTTP/neit.teloip.net at TELOIP.NET"
>>
>>
>>
>>
>>
>>
>>         On Tue, Aug 16, 2016 at 7:58 AM, Martin Kosek <mkosek at redhat.com> wrote:
>>
>>              On 08/16/2016 09:25 AM, Petr Spacek wrote:
>>              > On 15.8.2016 20:18, Linov Suresh wrote:
>>              >> We have an IPA replica set up on RHEL 6.4, and it is FreeIPA 3.0.0.
>>              >>
>>              >> We can only add the clients from IPA Server 01, not from
>>              >> IPA Server 02. When I tried to add the client from IPA
>>              >> Server 02, I got the error:
>>              >>
>>              >> ipa: ERROR: Insufficient access: SASL(-1): generic
>>              >> failure: GSSAPI Error: Unspecified GSS failure.  Minor code
>>              >> may provide more information (KDC returned error string:
>>              >> NOT_ALLOWED_TO_DELEGATE)
>>              >>
>>              >> SASL/GSSAPI authentication started
>>              >> SASL username: vpham at EXAMPLE.NET
>>              >> SASL SSF: 56
>>              >> SASL data security layer installed.
>>              >> ldap_modify: No such object (32)
>>              >>         additional info: Range Check error
>>              >> modifying entry "fqdn=cpe-5061747522f9.example.net,cn=computers,cn=accounts,dc=example,dc=net"
>>              >>
>>              >> Could you please help us to fix this?
>>              >
>>              > We need to see the exact steps you did before we can give
>>              > you any meaningful advice.
>>              >
>>              > Please have a look at
>>              > http://www.chiark.greenend.org.uk/~sgtatham/bugs.html
>>              >
>>              > It is a very nice document which describes general bug
>>              > reporting procedure and best practices.
>>              >
>>              > We will certainly have a look but we need to first see the
>>              > information :-)
>>              >
>>
>>              Also, using IPA on RHEL-6.4 is discouraged. This is a really
>>              old release and there are known issues (in cert renewals for
>>              example). Using at least RHEL-6.8 or, even better, RHEL-7.2 is
>>              preferred and would help you avoid known issues and
>>              deficiencies (and the newer FreeIPA versions are way cooler
>>              anyway).
>>
>>
>>
>>
>>
>>
>>
>
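Added example, not from the thread: the check Rob describes, done once for every IPA server. It parses the LDIF that `ldapsearch -Y GSSAPI -b cn=s4u2proxy,cn=etc,...` prints, reports which `HTTP/<fqdn>` and `ldap/<fqdn>` principals are absent from `ipa-http-delegation` and `ipa-ldap-delegation-targets`, and renders the ldapmodify input that adds them. The sample LDIF is constructed to mirror the thread's state (only ipa01 listed); hostnames, realm and suffix are the thread's, and the folded `ipaAllowedTarget` line mimics how ldapsearch wraps long values.

```python
REALM = "TELOIP.NET"
REQUIRED = {  # entry DN -> service whose principal every IPA server needs there
    "cn=ipa-http-delegation,cn=s4u2proxy,cn=etc,dc=teloip,dc=net": "HTTP",
    "cn=ipa-ldap-delegation-targets,cn=s4u2proxy,cn=etc,dc=teloip,dc=net": "ldap",
}
# Constructed sample of the thread's ldapsearch output: only ipa01 is listed.
SAMPLE_LDIF = """\
dn: cn=ipa-http-delegation,cn=s4u2proxy,cn=etc,dc=teloip,dc=net
ipaAllowedTarget: cn=ipa-ldap-delegation-targets,cn=s4u2proxy,cn=etc,dc=teloi
 p,dc=net
memberPrincipal: HTTP/ipa01.teloip.net@TELOIP.NET

dn: cn=ipa-ldap-delegation-targets,cn=s4u2proxy,cn=etc,dc=teloip,dc=net
memberPrincipal: ldap/ipa01.teloip.net@TELOIP.NET
"""

def parse_ldif(text):
    """Return {dn: {attr: [values]}}, unfolding space-continued LDIF lines."""
    lines = []
    for raw in text.splitlines():
        if raw.startswith(" ") and lines:
            lines[-1] += raw[1:]  # ldapsearch folds long values at 76 columns
        else:
            lines.append(raw)
    entries, current = {}, None
    for line in lines:
        if not line or line.startswith("#"):  # blank or ldapsearch comment
            continue
        attr, _, value = line.partition(":")
        if attr == "dn":
            current = entries.setdefault(value.strip(), {})
        elif current is not None:
            current.setdefault(attr, []).append(value.strip())
    return entries

def missing_principals(ldif_text, servers, realm=REALM):
    """List (dn, principal) pairs that the delegation entries lack."""
    entries, missing = parse_ldif(ldif_text), []
    for dn, service in REQUIRED.items():
        present = set(entries.get(dn, {}).get("memberPrincipal", []))
        missing += [(dn, p) for fqdn in servers
                    if (p := f"{service}/{fqdn}@{realm}") not in present]
    return missing

def fix_ldif(missing):
    """Render the gaps as ldapmodify input, one change record per principal."""
    return "\n".join(f"dn: {dn}\nchangetype: modify\nadd: memberPrincipal\n"
                     f"memberPrincipal: {p}\n" for dn, p in missing)
```

Feed `fix_ldif(missing_principals(output, ["ipa01.teloip.net", "ipa02.teloip.net"]))` to `ldapmodify -Y GSSAPI` on one master; the entries replicate, so running the check on each server afterwards should return an empty list everywhere.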