<div dir="ltr">I ran ldapsearch -Y GSSAPI; what we are seeing is that IPA server 2, ipa02, is missing on both the master and the replica servers. Do we need to add IPA server 2, ipa02, on both master and replica?<div>
<pre>
<b>[root@ipa01 ~]# ldapsearch -Y GSSAPI -H ldap://ipa01.teloip.net -b "cn=s4u2proxy,cn=etc,dc=teloip,dc=net"</b>
SASL/GSSAPI authentication started
SASL username: admin@TELOIP.NET
SASL SSF: 56
SASL data security layer installed.
# extended LDIF
#
# LDAPv3
# base &lt;cn=s4u2proxy,cn=etc,dc=teloip,dc=net&gt; with scope subtree
# filter: (objectclass=*)
# requesting: ALL
#

# s4u2proxy, etc, teloip.net
dn: cn=s4u2proxy,cn=etc,dc=teloip,dc=net
objectClass: nsContainer
objectClass: top
cn: s4u2proxy

# ipa-http-delegation, s4u2proxy, etc, teloip.net
dn: cn=ipa-http-delegation,cn=s4u2proxy,cn=etc,dc=teloip,dc=net
objectClass: ipaKrb5DelegationACL
objectClass: groupOfPrincipals
objectClass: top
ipaAllowedTarget: cn=ipa-ldap-delegation-targets,cn=s4u2proxy,cn=etc,dc=teloip,dc=net
ipaAllowedTarget: cn=ipa-cifs-delegation-targets,cn=s4u2proxy,cn=etc,dc=teloip,dc=net
<b>memberPrincipal: HTTP/ipa01.teloip.net@TELOIP.NET</b>
cn: ipa-http-delegation

# ipa-cifs-delegation-targets, s4u2proxy, etc, teloip.net
dn: cn=ipa-cifs-delegation-targets,cn=s4u2proxy,cn=etc,dc=teloip,dc=net
objectClass: groupOfPrincipals
objectClass: top
cn: ipa-cifs-delegation-targets

# ipa-ldap-delegation-targets, s4u2proxy, etc, teloip.net
dn: cn=ipa-ldap-delegation-targets,cn=s4u2proxy,cn=etc,dc=teloip,dc=net
objectClass: groupOfPrincipals
objectClass: top
<b>memberPrincipal: ldap/ipa01.teloip.net@TELOIP.NET</b>
cn: ipa-ldap-delegation-targets

# search result
search: 4
result: 0 Success

# numResponses: 5
# numEntries: 4
[root@ipa01 ~]#
</pre>
<pre>
<b>[root@ipa02 ~]# ldapsearch -Y GSSAPI -H ldap://ipa02.teloip.net -b "cn=s4u2proxy,cn=etc,dc=teloip,dc=net"</b>
SASL/GSSAPI authentication started
SASL username: admin@TELOIP.NET
SASL SSF: 56
SASL data security layer installed.
# extended LDIF
#
# LDAPv3
# base &lt;cn=s4u2proxy,cn=etc,dc=teloip,dc=net&gt; with scope subtree
# filter: (objectclass=*)
# requesting: ALL
#

# s4u2proxy, etc, teloip.net
dn: cn=s4u2proxy,cn=etc,dc=teloip,dc=net
cn: s4u2proxy
objectClass: nsContainer
objectClass: top

# ipa-http-delegation, s4u2proxy, etc, teloip.net
dn: cn=ipa-http-delegation,cn=s4u2proxy,cn=etc,dc=teloip,dc=net
cn: ipa-http-delegation
<b>memberPrincipal: HTTP/ipa01.teloip.net@TELOIP.NET</b>
ipaAllowedTarget: cn=ipa-ldap-delegation-targets,cn=s4u2proxy,cn=etc,dc=teloip,dc=net
ipaAllowedTarget: cn=ipa-cifs-delegation-targets,cn=s4u2proxy,cn=etc,dc=teloip,dc=net
objectClass: ipaKrb5DelegationACL
objectClass: groupOfPrincipals
objectClass: top

# ipa-cifs-delegation-targets, s4u2proxy, etc, teloip.net
dn: cn=ipa-cifs-delegation-targets,cn=s4u2proxy,cn=etc,dc=teloip,dc=net
cn: ipa-cifs-delegation-targets
objectClass: groupOfPrincipals
objectClass: top

# ipa-ldap-delegation-targets, s4u2proxy, etc, teloip.net
dn: cn=ipa-ldap-delegation-targets,cn=s4u2proxy,cn=etc,dc=teloip,dc=net
cn: ipa-ldap-delegation-targets
<b>memberPrincipal: ldap/ipa01.teloip.net@TELOIP.NET</b>
objectClass: groupOfPrincipals
objectClass: top

# search result
search: 4
result: 0 Success

# numResponses: 5
# numEntries: 4
[root@ipa02 ~]#
</pre>
<div class="gmail_extra"><br></div><div class="gmail_extra">Appreciate your help,</div><div class="gmail_extra"><br></div><div class="gmail_extra">Linov Suresh.
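The check Rob describes (read the s4u2proxy delegation ACLs, see which memberPrincipal is missing, add it with ldapmodify), as an added example that is not code from the thread or from FreeIPA: it parses ldapsearch's LDIF output, reports the HTTP/ and ldap/ principals absent for each IPA server, and renders the ldapmodify input that adds them. The sample LDIF is constructed from the output above; the server list and realm are the caller's inputs.

```python
import re
# Constructed sample: the two delegation entries from the ldapsearch
# output above, each listing only ipa01.
SAMPLE_LDIF = """\
# ipa-http-delegation, s4u2proxy, etc, teloip.net
dn: cn=ipa-http-delegation,cn=s4u2proxy,cn=etc,dc=teloip,dc=net
ipaAllowedTarget: cn=ipa-ldap-delegation-targets,cn=s4u2proxy,cn=etc,dc=teloip,dc=net
memberPrincipal: HTTP/ipa01.teloip.net@TELOIP.NET
cn: ipa-http-delegation

dn: cn=ipa-ldap-delegation-targets,cn=s4u2proxy,cn=etc,dc=teloip,dc=net
memberPrincipal: ldap/ipa01.teloip.net@TELOIP.NET
cn: ipa-ldap-delegation-targets
"""

# Service each entry must list for every IPA server; a server whose HTTP/
# or ldap/ principal is absent gets NOT_ALLOWED_TO_DELEGATE from the KDC.
SERVICE_BY_CN = {"ipa-http-delegation": "HTTP",
                 "ipa-ldap-delegation-targets": "ldap"}

def parse_ldif(text):
    """Return {dn: {attr: [values]}}; skips comments, unfolds wrapped lines."""
    entries, cur = {}, None
    for line in re.sub(r"\n ", "", text).splitlines():
        if not line.strip():
            cur = None  # a blank line ends the current entry
        elif not line.startswith("#"):
            attr, _, val = line.partition(":")
            if attr == "dn":
                cur = entries.setdefault(val.strip(), {})
            elif cur is not None:
                cur.setdefault(attr, []).append(val.strip())
    return entries

def missing_principals(ldif_text, servers, realm):
    """Map each delegation DN to the memberPrincipal values it lacks."""
    missing = {}
    for dn, attrs in parse_ldif(ldif_text).items():
        svc = SERVICE_BY_CN.get(attrs.get("cn", [""])[0])
        if svc is None:
            continue  # the container or an unrelated entry
        present = set(attrs.get("memberPrincipal", []))
        gap = [p for p in (f"{svc}/{s}@{realm}" for s in servers)
               if p not in present]
        if gap:
            missing[dn] = gap
    return missing

def modify_ldif(missing):
    """Render ldapmodify input: one 'add: memberPrincipal' change per DN."""
    return "\n".join(
        f"dn: {dn}\nchangetype: modify\nadd: memberPrincipal\n"
        + "".join(f"memberPrincipal: {p}\n" for p in ps)
        for dn, ps in missing.items())
```

The rendered text is the form ldapmodify -Y GSSAPI reads on standard input.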
<br><div class="gmail_quote">On Wed, Aug 24, 2016 at 4:32 PM, Rob Crittenden <span dir="ltr"><<a href="mailto:rcritten@redhat.com" target="_blank">rcritten@redhat.com</a>></span> wrote:<br><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex">Linov Suresh wrote:<br>
<blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex">
Looks like our issue is discussed here, and it *is missing one or more memberPrincipal*.<span class=""><br>
<br>
<a href="https://www.redhat.com/archives/freeipa-users/2013-April/msg00228.html" rel="noreferrer" target="_blank">https://www.redhat.com/archives/freeipa-users/2013-April/msg00228.html</a><br>
<br>
When I tried to add the principal, I got an error:<br>
</span></blockquote>
<br>
You didn't follow the instructions in the e-mail thread. The problem isn't a principal that doesn't exist; it is a principal not in the delegation list. Do the ldapsearches and see what is missing (and you'll need to use -Y GSSAPI instead of -x), then add it using ldapmodify.<br>
<br>
Only under very specific circumstances would I ever recommend using kadmin.local.<br>
<br>
rob<br>
<br>
<blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex"><span class="">
<br>
[root@ipa01 ~]# kadmin.local<br>
Authenticating as principal admin/admin@TELOIP.NET with password.<br>
kadmin.local: addprinc -randkey HTTP/ipa02.teloip.net@TELOIP.NET<br>
WARNING: no policy specified for HTTP/ipa02.teloip.net@TELOIP.NET; defaulting to no policy<br>
add_principal: Principal or policy already exists while creating "HTTP/ipa02.teloip.net@TELOIP.NET"<br>
<br>
[root@ipa01 ~]# kadmin.local<br>
Authenticating as principal admin/admin@TELOIP.NET with password.<br>
kadmin.local: addprinc -randkey ldap/ipa02.teloip.net@TELOIP.NET<br>
WARNING: no policy specified for ldap/ipa02.teloip.net@TELOIP.NET; defaulting to no policy<br>
add_principal: Principal or policy already exists while creating "ldap/ipa02.teloip.net@TELOIP.NET".<br>
<br>
Could you please help us to fix the "*KDC returned error string: NOT_ALLOWED_TO_DELEGATE*" error?<br>
<br>
[root@caer ~]# kadmin.local<br>
Authenticating as principal admin/admin@TELOIP.NET with password.<br>
kadmin.local: addprinc -randkey HTTP/neit.teloip.net@TELOIP.NET<br>
WARNING: no policy specified for HTTP/neit.teloip.net@TELOIP.NET; defaulting to no policy<br>
add_principal: Principal or policy already exists while creating "HTTP/neit.teloip.net@TELOIP.NET"<br>
<br>
On Tue, Aug 16, 2016 at 7:58 AM, Martin Kosek &lt;<a href="mailto:mkosek@redhat.com" target="_blank">mkosek@redhat.com</a>&gt; wrote:<br>
<br>
On 08/16/2016 09:25 AM, Petr Spacek wrote:<br>
> On 15.8.2016 20:18, Linov Suresh wrote:<br>
>> We have an IPA replica set up on RHEL 6.4, and it is FreeIPA 3.0.0.<br>
>><br>
>> We can only add the clients from IPA Server 01, not from IPA Server 02.<br>
>> When I tried to add the client from IPA Server 02, I got the error:<br>
>><br>
>> ipa: ERROR: Insufficient access: SASL(-1): generic failure: GSSAPI Error:<br>
>> Unspecified GSS failure. Minor code may provide more information (KDC<br>
>> returned error string: NOT_ALLOWED_TO_DELEGATE)<br>
>><br>
>> SASL/GSSAPI authentication started<br>
>> SASL username: vpham@EXAMPLE.NET<br>
>> SASL SSF: 56<br>
>> SASL data security layer installed.<br>
>> ldap_modify: No such object (32)<br>
>> additional info: Range Check error<br>
>> modifying entry "fqdn=cpe-5061747522f9.example.net,cn=computers,cn=accounts,dc=example,dc=net"<br>
>><br>
>> Could you please help us to fix this?<br>
><br>
> We need to see the exact steps you did before we can give you any meaningful advice.<br>
><br>
> Please have a look at<br>
> <a href="http://www.chiark.greenend.org.uk/~sgtatham/bugs.html" rel="noreferrer" target="_blank">http://www.chiark.greenend.org.uk/~sgtatham/bugs.html</a><br>
><br>
> It is a very nice document which describes the general bug reporting procedure and best practices.<br>
><br>
> We will certainly have a look, but we need to see the information first :-)<br>
><br>
<br>
Also, using IPA on RHEL-6.4 is discouraged. This is a really old release and there are known issues (in cert renewals, for example). Using at least RHEL-6.8 or, even better, RHEL-7.2 is preferred and would help you avoid known issues and deficiencies (and the newer FreeIPA versions are way cooler anyway).<br>
<br>
</span></blockquote>
<br>
</blockquote></div><br></div></div></div>