<div dir="ltr"><div class="gmail_extra"><div><div class="gmail_signature" data-smartmail="gmail_signature"><div dir="ltr"><div dir="ltr"><div style="background-color:rgb(255,255,255)"><div><div>IPA Server 1 does not have the HTTP and ldap principals. Just wondering how we add the HTTP and ldap principals to the delegation list using ldapmodify.</div><div><br></div><div>I'm new to IPA; your help is appreciated.</div></div></div></div></div></div></div>
<br><div class="gmail_quote">On Wed, Aug 24, 2016 at 4:32 PM, Rob Crittenden <span dir="ltr"><<a href="mailto:rcritten@redhat.com" target="_blank">rcritten@redhat.com</a>></span> wrote:<br><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex">Linov Suresh wrote:<br>
<blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex">
Looks like our issue is discussed here, and it *is missing one or more<br>
memberPrincipal*.<span class=""><br>
<br>
<a href="https://www.redhat.com/archives/freeipa-users/2013-April/msg00228.html" rel="noreferrer" target="_blank">https://www.redhat.com/archives/freeipa-users/2013-April/msg00228.html</a><br>
<br>
When I tried to add the Principal, I'm getting error,<br>
</span></blockquote>
<br>
You didn't follow the instructions in the e-mail thread. The problem isn't a principal that doesn't exist, it is a principal not in the delegation list. Do the ldapsearches and see what is missing (you'll need to use -Y GSSAPI instead of -x), then add it using ldapmodify.<br>
<br>
Only under very specific circumstances would I ever recommend using kadmin.local.<br>
<br>
rob<br>
<br>
<blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex"><span class="">
<br>
[root@ipa01 ~]# kadmin.local<br>
Authenticating as principal admin/admin@TELOIP.NET with password.<br>
kadmin.local: addprinc -randkey HTTP/ipa02.teloip.net@TELOIP.NET<br>
WARNING: no policy specified for HTTP/ipa02.teloip.net@TELOIP.NET; defaulting to no policy<br>
add_principal: Principal or policy already exists while creating "HTTP/ipa02.teloip.net@TELOIP.NET"<br>
<br>
[root@ipa01 ~]# kadmin.local<br>
Authenticating as principal admin/admin@TELOIP.NET with password.<br>
kadmin.local: addprinc -randkey ldap/ipa02.teloip.net@TELOIP.NET<br>
WARNING: no policy specified for ldap/ipa02.teloip.net@TELOIP.NET; defaulting to no policy<br>
add_principal: Principal or policy already exists while creating "ldap/ipa02.teloip.net@TELOIP.NET".<br>
<br>
Could you please help us to fix the "*KDC returned error string: NOT_ALLOWED_TO_DELEGATE*" error?<br>
<br>
[root@caer ~]# kadmin.local<br>
Authenticating as principal admin/admin@TELOIP.NET with password.<br>
kadmin.local: addprinc -randkey HTTP/neit.teloip.net@TELOIP.NET<br>
WARNING: no policy specified for HTTP/neit.teloip.net@TELOIP.NET; defaulting to no policy<br>
add_principal: Principal or policy already exists while creating "HTTP/neit.teloip.net@TELOIP.NET"<br>
<br>
<br>
On Tue, Aug 16, 2016 at 7:58 AM, Martin Kosek <<a href="mailto:mkosek@redhat.com" target="_blank">mkosek@redhat.com</a>> wrote:<br></span><span class="">
<br>
On 08/16/2016 09:25 AM, Petr Spacek wrote:<br>
> On 15.8.2016 20:18, Linov Suresh wrote:<br>
>> We have IPA replica set up in RHEL 6.4 and is FreeIPA 3.0.0<br>
>><br>
>><br>
>> We can only add the clients from IPA Server 01, not from IPA Server 02.<br>
>> When I tried to add the client from IPA Server 02, getting the error,<br>
>><br>
>><br>
>> ipa: ERROR: Insufficient access: SASL(-1): generic failure: GSSAPI Error:<br>
>> Unspecified GSS failure. Minor code may provide more information (KDC<br>
>> returned error string: NOT_ALLOWED_TO_DELEGATE)<br>
>><br>
>> SASL/GSSAPI authentication started<br>
>><br></span>
>> SASL username:vpham@EXAMPLE.NET<span class=""><br>
>><br>
>> SASL SSF: 56<br>
>><br>
>> SASL data security layer installed.<br>
>><br>
>> ldap_modify: No such object (32)<br>
>><br>
>> additional info: Range Check error<br>
>><br></span>
>> modifying entry "fqdn=cpe-5061747522f9.example.net,cn=computers,cn=accounts,dc=example,dc=net"<span class=""><br>
>><br>
>><br>
>> Could you please help us to fix this?<br>
><br>
> We need to see exact steps you did before we can give you any meaningful advice.<br>
><br>
> Please have a look at<br>
> <a href="http://www.chiark.greenend.org.uk/~sgtatham/bugs.html" rel="noreferrer" target="_blank">http://www.chiark.greenend.org.uk/~sgtatham/bugs.html</a><br>
><br>
> It is a very nice document which describes general bug reporting procedure and best practices.<br>
><br>
> We will certainly have a look but we first need to see the information :-)<br>
><br>
<br>
Also, using IPA on RHEL-6.4 is discouraged. This is a really old release and there are known issues (in cert renewals for example). Using at least RHEL-6.8 or, even better, RHEL-7.2 is preferred and would help you avoid known issues and deficiencies (and the newer FreeIPA versions are way cooler anyway).<br>
<br>
<br>
<br>
<br>
</span></blockquote>
<br>
</blockquote></div><br></div></div>
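Rob's advice above is to list the s4u2proxy delegation entries with ldapsearch -Y GSSAPI, see which memberPrincipal values are missing, and add them with ldapmodify. The script below is an added example, not code from the thread or from FreeIPA: it parses constructed ldapsearch output for FreeIPA's standard delegation entries (cn=ipa-http-delegation and cn=ipa-ldap-delegation-targets under cn=s4u2proxy,cn=etc,SUFFIX), reports which HTTP/ and ldap/ principals of the listed servers are absent, and builds the LDIF that ldapmodify would need. The suffix dc=teloip,dc=net, the server list and the sample entries are assumptions.

```python
"""Added example (not from the thread or FreeIPA): find which HTTP/ and ldap/
service principals are missing from FreeIPA's s4u2proxy delegation entries and
build the ldapmodify input that adds them. Suffix and sample data are assumed."""
import re

# Constructed output of: ldapsearch -Y GSSAPI -b cn=s4u2proxy,cn=etc,dc=teloip,dc=net
# on a deployment where ipa02 was never added. The ipaAllowedTarget value is
# LDIF-folded (continuation line starts with a space), as ldapsearch prints it.
SAMPLE_LDIF = """\
dn: cn=ipa-http-delegation,cn=s4u2proxy,cn=etc,dc=teloip,dc=net
objectClass: ipaKrb5DelegationACL
memberPrincipal: HTTP/ipa01.teloip.net@TELOIP.NET
ipaAllowedTarget: cn=ipa-ldap-delegation-targets,cn=s4u2proxy,cn=etc,dc=telo
 ip,dc=net

dn: cn=ipa-ldap-delegation-targets,cn=s4u2proxy,cn=etc,dc=teloip,dc=net
objectClass: groupOfPrincipals
memberPrincipal: ldap/ipa01.teloip.net@TELOIP.NET
"""
# Which delegation entry (by RDN) each service principal must be listed in.
SERVICE_ENTRY = {"HTTP": "cn=ipa-http-delegation",
                 "ldap": "cn=ipa-ldap-delegation-targets"}

def parse_ldif(text):
    """Return {dn: set of memberPrincipal values}; unfolds continuation lines."""
    entries = {}
    for record in re.sub(r"\n ", "", text).strip().split("\n\n"):
        attrs = [l.split(": ", 1) for l in record.splitlines() if ": " in l]
        dn = next((v for k, v in attrs if k == "dn"), None)
        if dn:  # skips ldapsearch's trailing "search/result" record
            entries[dn] = {v for k, v in attrs if k == "memberPrincipal"}
    return entries

def missing_principals(ldif_text, servers, realm):
    """List (dn, principal) pairs absent for the given IPA servers."""
    entries, missing = parse_ldif(ldif_text), []
    for svc, cn in SERVICE_ENTRY.items():
        dn = next((d for d in entries if d.lower().startswith(cn + ",")), None)
        if dn is None:
            raise ValueError(f"{cn} not found under cn=s4u2proxy")
        wanted = {f"{svc}/{h}@{realm}" for h in servers}
        missing += [(dn, p) for p in sorted(wanted - entries[dn])]
    return missing

def ldapmodify_ldif(missing):
    """Build stdin for `ldapmodify -Y GSSAPI` that adds each missing value."""
    return "\n".join(f"dn: {dn}\nchangetype: modify\nadd: memberPrincipal\n"
                     f"memberPrincipal: {princ}\n" for dn, princ in missing)
```

Feed the real ldapsearch output to missing_principals and pipe the returned LDIF into ldapmodify -Y GSSAPI on the server that still authenticates correctly.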