Re: [Freeipa-users] Insufficient access: SASL(-1): generic failure: GSSAPI Error: Unspecified GSS failure. Minor code may provide more information (Ticket expired)

2016-10-27 Thread bahan w
Help?

Best regards.

Bahan

On Tue, Oct 25, 2016 at 1:00 PM, bahan w wrote:

> Re.
>
> There is no time difference between client and server.
>
> I checked the httpd error log and saw no errors.
> Same with the dirsrv error logs.
>
> Any other idea?
>
> By looking at the log, I'm wondering if this is a question of session?
>
> See there:
> ###
> ipa: DEBUG: args=keyctl pipe 44063864
> ipa: DEBUG: stdout=ipa_session=26a7252e4853374fc7439eae5926c584;
> Domain=; Path=/ipa; Expires=Tue, 25 Oct 2016 08:15:09 GMT;
> Secure; HttpOnly
> ipa: DEBUG: stderr=
> ipa: DEBUG: found session_cookie in persistent storage for principal
> '@', cookie: 'ipa_session=26a7252e4853374fc7439eae5926c584;
> Domain=; Path=/ipa; Expires=Tue, 25 Oct 2016 08:15:09 GMT;
> Secure; HttpOnly'
> ipa: DEBUG: setting session_cookie into context
> 'ipa_session=26a7252e4853374fc7439eae5926c584;'
> ###
>
> At that time, it was not yet expired, but there were only a few minutes
> before expiration (something like 10 minutes).
> What is this persistent storage which is mentioned in the logs?
>
> Best regards.
>
> Bahan

Re: [Freeipa-users] Insufficient access: SASL(-1): generic failure: GSSAPI Error: Unspecified GSS failure. Minor code may provide more information (Ticket expired)

2016-10-25 Thread bahan w
Re.

There is no time difference between client and server.

I checked the httpd error log and saw no errors.
Same with the dirsrv error logs.

Any other idea?

By looking at the log, I'm wondering if this is a question of session?

See there:
###
ipa: DEBUG: args=keyctl pipe 44063864
ipa: DEBUG: stdout=ipa_session=26a7252e4853374fc7439eae5926c584;
Domain=; Path=/ipa; Expires=Tue, 25 Oct 2016 08:15:09 GMT;
Secure; HttpOnly
ipa: DEBUG: stderr=
ipa: DEBUG: found session_cookie in persistent storage for principal
'@', cookie: 'ipa_session=26a7252e4853374fc7439eae5926c584;
Domain=; Path=/ipa; Expires=Tue, 25 Oct 2016 08:15:09 GMT;
Secure; HttpOnly'
ipa: DEBUG: setting session_cookie into context 'ipa_session=
26a7252e4853374fc7439eae5926c584;'
###

At that time, it was not yet expired, but there were only a few minutes
before expiration (something like 10 minutes).
What is this persistent storage which is mentioned in the logs?

Best regards.

Bahan



On Tue, Oct 25, 2016 at 12:18 PM, Martin Babinsky wrote:


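A small checker for the session-cookie lines quoted above, added here as an example (it is not code from the thread or from FreeIPA): it unwraps the `ipa_session` cookie that the client reads back from the kernel keyring with `keyctl pipe` (the "persistent storage" named in the log), parses its `Expires` attribute and reports how long the cached session has left against a clock you supply, so it can be set beside the TGT lifetime `klist` shows. The debug lines inside it are a constructed copy of Bahan's redacted output; the 08:05 clock is an assumption matching "about ten minutes before expiration".

```python
"""Report how much life the cached IPA session cookie has left.

Added example, not code from the thread or from FreeIPA. It reads `ipa -d`
debug lines (constructed copy below, redactions kept), pulls the
Set-Cookie-style ipa_session attributes out of the line-wrapped `keyctl pipe`
stdout, and compares Expires against a supplied clock.
"""
import re
from datetime import datetime, timedelta, timezone
from email.utils import parsedate_to_datetime

# Constructed sample: the thread's debug lines, wrapped as the mail wrapped them.
SAMPLE_LOG = """\
ipa: DEBUG: args=keyctl pipe 44063864
ipa: DEBUG: stdout=ipa_session=26a7252e4853374fc7439eae5926c584;
Domain=; Path=/ipa; Expires=Tue, 25 Oct 2016 08:15:09 GMT;
Secure; HttpOnly
ipa: DEBUG: stderr=
ipa: DEBUG: found session_cookie in persistent storage for principal
'@', cookie: 'ipa_session=26a7252e4853374fc7439eae5926c584;
Domain=; Path=/ipa; Expires=Tue, 25 Oct 2016 08:15:09 GMT;
Secure; HttpOnly'
ipa: DEBUG: setting session_cookie into context 'ipa_session=
26a7252e4853374fc7439eae5926c584;'
"""

# The cookie printed by `keyctl pipe` runs until the next "ipa: DEBUG:" line.
STDOUT_RE = re.compile(r"stdout=(?P<cookie>ipa_session=.*?)(?=\nipa: DEBUG:|\Z)", re.S)


def extract_cookie_header(log_text):
    """Return the ipa_session cookie as one unwrapped string, or None."""
    m = STDOUT_RE.search(log_text)
    return " ".join(m.group("cookie").split()) if m else None


def parse_cookie(header):
    """Split 'name=value; Attr=val; Flag' into a dict (bare flags map to True)."""
    attrs = {}
    for part in header.split(";"):
        part = part.strip()
        if not part:
            continue
        if "=" in part:
            key, value = part.split("=", 1)
            attrs[key.strip().lower()] = value.strip()
        else:
            attrs[part.lower()] = True
    return attrs


def assess_session(log_text, now, warn_within=timedelta(minutes=15)):
    """Classify the cached session as ok / expiring-soon / expired / no-cookie.

    `now` is an aware datetime or an ISO-8601 string such as
    '2016-10-25T08:05:00+00:00'.
    """
    if isinstance(now, str):
        now = datetime.fromisoformat(now)
    header = extract_cookie_header(log_text)
    if header is None:
        return {"state": "no-cookie"}
    attrs = parse_cookie(header)
    expires = parsedate_to_datetime(attrs["expires"])  # RFC 1123 date ending in GMT
    if expires.tzinfo is None:  # defensive: treat a naive timestamp as UTC
        expires = expires.replace(tzinfo=timezone.utc)
    left = expires - now
    if left <= timedelta(0):
        state = "expired"
    elif left <= warn_within:
        state = "expiring-soon"
    else:
        state = "ok"
    return {
        "state": state,
        "seconds_left": int(left.total_seconds()),
        "session_id": attrs.get("ipa_session"),
        "path": attrs.get("path"),
        "secure": attrs.get("secure") is True,
        "httponly": attrs.get("httponly") is True,
    }


if __name__ == "__main__":
    # Assumed clock: about ten minutes before the cookie's Expires, as in the mail.
    print(assess_session(SAMPLE_LOG, "2016-10-25T08:05:00+00:00"))
```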
Re: [Freeipa-users] Insufficient access: SASL(-1): generic failure: GSSAPI Error: Unspecified GSS failure. Minor code may provide more information (Ticket expired)

2016-10-25 Thread Martin Babinsky

On 10/25/2016 10:27 AM, bahan w wrote:


[Freeipa-users] Insufficient access: SASL(-1): generic failure: GSSAPI Error: Unspecified GSS failure. Minor code may provide more information (Ticket expired)

2016-10-25 Thread bahan w
Hello everyone!

I have an ipa server and an ipa client, both at version 3.0.0-47.

In order to connect via SSH to the host of the ipa-client, I use root.
When I'm connected to the ipa-client via ssh as root, I do a kinit of a
user with a keytab:
###
kinit -kt /etc/security/keytabs/.headless.keytab 
###

And sometimes, once I have the TGT, when I do just an ipa user-show, I get
the following error:
###
ipa: ERROR: Insufficient access: SASL(-1): generic failure: GSSAPI Error:
Unspecified GSS failure.  Minor code may provide more information (Ticket
expired)
###

When I check the ticket, it is not expired:
###
# klist
Ticket cache: FILE:/tmp/krb5cc_root_
Default principal: @

Valid starting     Expires            Service principal
10/25/16 10:00:44  10/26/16 10:00:44  krbtgt/@
###

Do you know where it can come from and how I can solve this error, please?

Here is more information with the debug option:
###
ipa -d user-show 
###

Result:
###
ipa: DEBUG: importing all plugin modules in
'/usr/lib/python2.6/site-packages/ipalib/plugins'...
ipa: DEBUG: importing plugin module
'/usr/lib/python2.6/site-packages/ipalib/plugins/aci.py'
ipa: DEBUG: importing plugin module
'/usr/lib/python2.6/site-packages/ipalib/plugins/automember.py'
ipa: DEBUG: importing plugin module
'/usr/lib/python2.6/site-packages/ipalib/plugins/automount.py'
ipa: DEBUG: importing plugin module
'/usr/lib/python2.6/site-packages/ipalib/plugins/baseldap.py'
ipa: DEBUG: importing plugin module
'/usr/lib/python2.6/site-packages/ipalib/plugins/batch.py'
ipa: DEBUG: importing plugin module
'/usr/lib/python2.6/site-packages/ipalib/plugins/cert.py'
ipa: DEBUG: importing plugin module
'/usr/lib/python2.6/site-packages/ipalib/plugins/config.py'
ipa: DEBUG: importing plugin module
'/usr/lib/python2.6/site-packages/ipalib/plugins/delegation.py'
ipa: DEBUG: importing plugin module
'/usr/lib/python2.6/site-packages/ipalib/plugins/dns.py'
ipa: DEBUG: importing plugin module
'/usr/lib/python2.6/site-packages/ipalib/plugins/group.py'
ipa: DEBUG: importing plugin module
'/usr/lib/python2.6/site-packages/ipalib/plugins/hbacrule.py'
ipa: DEBUG: importing plugin module
'/usr/lib/python2.6/site-packages/ipalib/plugins/hbacsvc.py'
ipa: DEBUG: importing plugin module
'/usr/lib/python2.6/site-packages/ipalib/plugins/hbacsvcgroup.py'
ipa: DEBUG: importing plugin module
'/usr/lib/python2.6/site-packages/ipalib/plugins/hbactest.py'
ipa: DEBUG: importing plugin module
'/usr/lib/python2.6/site-packages/ipalib/plugins/host.py'
ipa: DEBUG: importing plugin module
'/usr/lib/python2.6/site-packages/ipalib/plugins/hostgroup.py'
ipa: DEBUG: importing plugin module
'/usr/lib/python2.6/site-packages/ipalib/plugins/idrange.py'
ipa: DEBUG: importing plugin module
'/usr/lib/python2.6/site-packages/ipalib/plugins/internal.py'
ipa: DEBUG: importing plugin module
'/usr/lib/python2.6/site-packages/ipalib/plugins/kerberos.py'
ipa: DEBUG: importing plugin module
'/usr/lib/python2.6/site-packages/ipalib/plugins/krbtpolicy.py'
ipa: DEBUG: importing plugin module
'/usr/lib/python2.6/site-packages/ipalib/plugins/migration.py'
ipa: DEBUG: importing plugin module
'/usr/lib/python2.6/site-packages/ipalib/plugins/misc.py'
ipa: DEBUG: importing plugin module
'/usr/lib/python2.6/site-packages/ipalib/plugins/netgroup.py'
ipa: DEBUG: importing plugin module
'/usr/lib/python2.6/site-packages/ipalib/plugins/passwd.py'
ipa: DEBUG: importing plugin module
'/usr/lib/python2.6/site-packages/ipalib/plugins/permission.py'
ipa: DEBUG: importing plugin module
'/usr/lib/python2.6/site-packages/ipalib/plugins/ping.py'
ipa: DEBUG: importing plugin module
'/usr/lib/python2.6/site-packages/ipalib/plugins/privilege.py'
ipa: DEBUG: importing plugin module
'/usr/lib/python2.6/site-packages/ipalib/plugins/pwpolicy.py'
ipa: DEBUG: args=klist -V
ipa: DEBUG: stdout=Kerberos 5 version 1.10.3

ipa: DEBUG: stderr=
ipa: DEBUG: importing plugin module
'/usr/lib/python2.6/site-packages/ipalib/plugins/role.py'
ipa: DEBUG: importing plugin module
'/usr/lib/python2.6/site-packages/ipalib/plugins/selfservice.py'
ipa: DEBUG: importing plugin module
'/usr/lib/python2.6/site-packages/ipalib/plugins/selinuxusermap.py'
ipa: DEBUG: importing plugin module
'/usr/lib/python2.6/site-packages/ipalib/plugins/service.py'
ipa: DEBUG: importing plugin module
'/usr/lib/python2.6/site-packages/ipalib/plugins/sudocmd.py'
ipa: DEBUG: importing plugin module
'/usr/lib/python2.6/site-packages/ipalib/plugins/sudocmdgroup.py'
ipa: DEBUG: importing plugin module
'/usr/lib/python2.6/site-packages/ipalib/plugins/sudorule.py'
ipa: DEBUG: importing plugin module
'/usr/lib/python2.6/site-packages/ipalib/plugins/trust.py'
ipa: DEBUG: importing plugin module
'/usr/lib/python2.6/site-packages/ipalib/plugins/user.py'
ipa: DEBUG: importing plugin module
'/usr/lib/python2.6/site-packages/ipalib/plugins/virtual.py'
ipa: DEBUG: importing plugin module
'/usr/lib/python2.6/site-packages/ipalib/plugins/xmlclient.py'
ipa: DEBUG: args=keyctl search @s user 

[Freeipa-users] Insufficient access

2016-07-24 Thread mohammad sereshki
Hi,
I got the below error when I tried to check certificates.
I ran kinit admin before and it was okay. Would you please help me?


ipa cert-show 1-
ipa: ERROR: Insufficient access: not allowed to perform this command
-- 
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project

Re: [Freeipa-users] Insufficient access: Insufficient 'write' privilege to the 'userCertificate' attribute

2012-01-09 Thread Rob Crittenden

Ivan Ferreira wrote:

Hi everybody. I’m testing ipa-server 2.1.3. I’m trying to create a
Certificate for vsftpd.

I can successfully create the certificate with the following command:

# ipa cert-request --add --principal=FTP/ftp.linux.com.py ftp.csr

But I want to create certificates with subjectAltName DNS extensions,
and it seems that it is not possible through an OpenSSL CSR and dogtag.

So I deleted the service entry, then I created again using:

# ipa service-add FTP/ftp.linux.com.py

Then, I try to create the certificate using the following command:

# ipa-getcert request -k /etc/vsftpd/private/ftp.key -f
/etc/vsftpd/certs/ftp.crt -N cn=ftp.linux.com.py -D
cn=le-303.linux.com.py -D cn=ftp -D cn=le-303 -K FTP/ftp.linux.com.py

But I have the following error:

Request ID '20120108062420':
        status: CA_REJECTED
        ca-error: Server denied our request, giving up: 2100 (RPC failed at
server. Insufficient access: Insufficient 'write' privilege to the
'userCertificate' attribute of entry
'krbprincipalname=ftp/ftp.linux.com...@linux.com.py,cn=services,cn=accounts,dc=linux,dc=com,dc=py'.).
        stuck: yes
        key pair storage: type=FILE,location='/etc/vsftpd/private/ftp.key'
        certificate: type=FILE,location='/etc/vsftpd/certs/ftp.crt'
        CA: IPA
        issuer:
        subject:
        expires: unknown
        track: yes
        auto-renew: yes

It looks like there is a problem with an ACI, or the admin principal does
not have enough privileges.

Anyone give me some hints?


ipa-getcert executes using the host principal of the machine it is 
running on. If you really want this machine to do the request you can 
add it as a manager to the service:

# ipa service-add-host --hosts=host_you_are_on FTP/ftp.linux.com.py
# ipa-getcert resubmit -i 20120108062420

If you don't want certmonger tracking this forever you can tell it to 
stop once the cert is generated with:

# ipa-getcert stop-tracking -i 20120108062420

rob

___
Freeipa-users mailing list
Freeipa-users@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-users
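
As an added example (not code from the thread, from certmonger or from FreeIPA), a parser for `ipa-getcert list`-style output that picks out the requests certmonger marks stuck, extracts the entry DN from an "Insufficient access" ca-error, and turns Rob's two commands into a remediation list for the host running certmonger. The sample output, the realm LINUX.COM.PY, the second request and the host name passed in are constructed or assumed.

```python
"""Find stuck certmonger requests and suggest the service-manager fix.

Added example, not code from the thread or from certmonger/FreeIPA. The
sample output below is constructed in certmonger's `ipa-getcert list`
layout; the realm LINUX.COM.PY and the second request are made up.
"""
import re
import socket

# Constructed sample (tab-indented fields, as certmonger prints them).
SAMPLE_OUTPUT = """\
Number of certificates and requests being tracked: 2.
Request ID '20120108062420':
\tstatus: CA_REJECTED
\tca-error: Server denied our request, giving up: 2100 (RPC failed at server.  Insufficient access: Insufficient 'write' privilege to the 'userCertificate' attribute of entry 'krbprincipalname=ftp/ftp.linux.com.py@LINUX.COM.PY,cn=services,cn=accounts,dc=linux,dc=com,dc=py'.).
\tstuck: yes
\tkey pair storage: type=FILE,location='/etc/vsftpd/private/ftp.key'
\tcertificate: type=FILE,location='/etc/vsftpd/certs/ftp.crt'
\tCA: IPA
\tissuer:
\tsubject:
\texpires: unknown
\ttrack: yes
\tauto-renew: yes
Request ID '20120108070000':
\tstatus: MONITORING
\tstuck: no
\tkey pair storage: type=NSSDB,location='/etc/httpd/alias',nickname='Server-Cert'
\tcertificate: type=NSSDB,location='/etc/httpd/alias',nickname='Server-Cert'
\tCA: IPA
\ttrack: yes
\tauto-renew: yes
"""

REQUEST_RE = re.compile(r"^Request ID '(?P<id>[^']+)':\s*$")
ENTRY_RE = re.compile(r"of entry '(?P<dn>[^']+)'")
PRINCIPAL_RE = re.compile(r"krbprincipalname=([^,]+)", re.I)


def parse_getcert_list(text):
    """Turn `ipa-getcert list` output into a list of {'id': ..., field: value} dicts."""
    requests = []
    current = None
    for raw in text.splitlines():
        m = REQUEST_RE.match(raw)
        if m:
            current = {"id": m.group("id")}
            requests.append(current)
            continue
        if current is None or ":" not in raw:
            continue  # preamble such as "Number of certificates ..."
        key, value = raw.strip().split(":", 1)
        current[key.strip()] = value.strip()
    return requests


def stuck_requests(requests):
    """Requests certmonger has given up on (stuck: yes)."""
    return [r for r in requests if r.get("stuck") == "yes"]


def denied_entry(request):
    """Return (dn, principal) named in an 'Insufficient access' ca-error, else None."""
    err = request.get("ca-error", "")
    if "Insufficient access" not in err:
        return None
    m = ENTRY_RE.search(err)
    if not m:
        return None
    dn = m.group("dn")
    pm = PRINCIPAL_RE.match(dn)
    return dn, (pm.group(1) if pm else None)


def remediation(request, this_host):
    """Commands from Rob's reply: make this host a manager of the service, then resubmit."""
    found = denied_entry(request)
    if found is None:
        return []
    dn, principal = found
    cmds = []
    if principal and ",cn=services," in dn.lower():
        service = principal.split("@")[0]  # realm is implied for ipa service-add-host
        cmds.append(f"ipa service-add-host --hosts={this_host} {service}")
    cmds.append(f"ipa-getcert resubmit -i {request['id']}")
    return cmds


if __name__ == "__main__":
    for req in stuck_requests(parse_getcert_list(SAMPLE_OUTPUT)):
        print(req["id"], req.get("status"), denied_entry(req))
        for cmd in remediation(req, socket.getfqdn()):
            print("   ", cmd)
```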


Re: [Freeipa-users] Insufficient access: Insufficient 'write' privilege to the 'userCertificate' attribute

2012-01-09 Thread Ivan Ferreira
Thank you very much Rob for your time.

The problem is solved.

-----Original Message-----
From: Rob Crittenden [mailto:rcrit...@redhat.com]
Sent: Monday, 09 January 2012 11:52 a.m.
To: Ivan Ferreira
CC: freeipa-users@redhat.com
Subject: Re: [Freeipa-users] Insufficient access: Insufficient 'write' privilege to the 'userCertificate' attribute



[Freeipa-users] Insufficient access: Insufficient 'write' privilege to the 'userCertificate' attribute

2012-01-07 Thread Ivan Ferreira
Hi everybody. I'm testing ipa-server 2.1.3. I'm trying to create a Certificate 
for vsftpd.

I can successfully create the certificate with the following command:

# ipa cert-request --add --principal=FTP/ftp.linux.com.py ftp.csr

But I want to create certificates with subjectAltName DNS extensions, and it 
seems that it is not possible through an OpenSSL CSR and dogtag.

So I deleted the service entry, then I created again using:

# ipa service-add FTP/ftp.linux.com.py

Then, I try to create the certificate using the following command:

# ipa-getcert request -k /etc/vsftpd/private/ftp.key -f 
/etc/vsftpd/certs/ftp.crt -N cn=ftp.linux.com.py -D cn=le-303.linux.com.py 
-D cn=ftp -D cn=le-303 -K FTP/ftp.linux.com.py

But I have the following error:

Request ID '20120108062420':
        status: CA_REJECTED
        ca-error: Server denied our request, giving up: 2100 (RPC 
failed at server.  Insufficient access: Insufficient 'write' privilege to the 
'userCertificate' attribute of entry 
'krbprincipalname=ftp/ftp.linux.com...@linux.com.py,cn=services,cn=accounts,dc=linux,dc=com,dc=py'.).
        stuck: yes
        key pair storage: type=FILE,location='/etc/vsftpd/private/ftp.key'
        certificate: type=FILE,location='/etc/vsftpd/certs/ftp.crt'
        CA: IPA
        issuer:
        subject:
        expires: unknown
        track: yes
        auto-renew: yes

It looks like there is a problem with an ACI, or the admin principal does not 
have enough privileges.

Anyone give me some hints?

Thanks in advance.




Re: [Freeipa-users] Insufficient access during winsync agreement

2011-06-21 Thread Attila Bogár

On 20/06/11 16:37, Attila Bogár wrote:
I'm trying to set up the AD-FreeIPA sync agreement and I'm always 
getting this error:
# ipa-replica-manage connect --winsync --binddn cn=IPA 
Sync,cn=Users,dc=win,dc=example,dc=com --bindpw JamesBond007 --cacert 
/root/dc1.cer --passsync JamesBond007 dc1.win.example.com -v


This is solved now. The Directory Manager password was missing from the 
command line (-p).
The admin user's privileges via Kerberos are insufficient to set up a 
replica agreement, as I see it.

Could you please add this to the documentation example in the docs; I 
think upcoming users would appreciate this.


http://obriend.fedorapeople.org/freeIPA2.0/Identity_and_Policy_Management_Guide/html-single/#sect-Enterprise_Identity_Management_Guide-Setting_up_Synchronization_Between_IPA_and_Active_Directory-Setting_up_Windows_Sync_on_the_IPA_Server

Thanks,
  Attila


Re: [Freeipa-users] Insufficient access during winsync agreement

2011-06-21 Thread Simo Sorce
On Tue, 2011-06-21 at 10:01 +0100, Attila Bogár wrote:
> On 20/06/11 16:37, Attila Bogár wrote:
>> I'm trying to set up the AD-FreeIPA sync agreement and I'm always
>> getting this error:
>> # ipa-replica-manage connect --winsync --binddn cn=IPA
>> Sync,cn=Users,dc=win,dc=example,dc=com --bindpw JamesBond007
>> --cacert /root/dc1.cer --passsync JamesBond007 dc1.win.example.com
>> -v
>
> This is solved now. Directory Manager password was missing from the
> command line. (-p).
> admin user's privileges via kerberos are insufficient to set up a
> replica agreement as I see.
>
> Could you please add this to the documentation example in the docs, I
> think upcoming users would appreciate this.
>
> http://obriend.fedorapeople.org/freeIPA2.0/Identity_and_Policy_Management_Guide/html-single/#sect-Enterprise_Identity_Management_Guide-Setting_up_Synchronization_Between_IPA_and_Active_Directory-Setting_up_Windows_Sync_on_the_IPA_Server
>

If the command didn't give you an error it is a bug, can you please open
a ticket ?

Simo.

-- 
Simo Sorce * Red Hat, Inc * New York


[Freeipa-users] Insufficient access during winsync agreement

2011-06-20 Thread Attila Bogár

Hi,

I'm trying to set up the AD-FreeIPA sync agreement and I'm always 
getting this error:


# ipa-replica-manage connect --winsync --binddn cn=IPA 
Sync,cn=Users,dc=win,dc=example,dc=com --bindpw JamesBond007 --cacert 
/root/dc1.cer --passsync JamesBond007 dc1.win.example.com -v


Added CA certificate /root/dc1.cer to certificate database for 
ipa1.example.com

ipa: INFO: AD Suffix is: DC=win,DC=example,DC=com
*Insufficient access*

Where does this insufficient access come from?
Can you please provide some guidance with this issue?


IPA Sync user on the AD side has Domain Admins, Enterprise Admins, 
Schema Admins group memberships.


I'm able to query the AD using ldapsearch, binding with the 
credentials, and I also have an admin Kerberos ticket.


On the other hand, the documentation in the FreeIPA enterprise guide is 
rather succinct than adequate, as it doesn't provide at least one working 
example.


I've read all the corresponding documentation and it's still unclear 
what password I have to specify with --passsync to 
ipa-replica-manage.


"the password for the Windows PassSync user, and a required argument to 
ipa-replica-manage when creating winsync agreements."  I can't see any 
documentation mentioning that a PassSync user has to be (or is) created 
in the AD.
The bindpw already gives read/write permission to the AD tree, so I'm 
wondering why this --passsync is required.


It's rather annoying to set up PassSync on the Windows side.
The only documentation for this (what FreeIPA refers to) I can see is:
http://docs.redhat.com/docs/en-US/Red_Hat_Directory_Server/8.2/html/Administration_Guide/Windows_Sync-Configuring_Windows_Sync.html

However, cn=sync,cn=config on the screenshot for the user name is 
misleading, as only the full DN was working for us.  I assume that instead of 
ou=People,dc=example,dc=com, cn=user,cn=accounts,dc=example,dc=com has to 
be substituted (or does it have to be cn=compat?).


Thanks for any help in advance,
  Attila


Re: [Freeipa-users] Insufficient access during winsync agreement

2011-06-20 Thread Rich Megginson

On 06/20/2011 09:37 AM, Attila Bogár wrote:

Hi,

I'm trying to set up the AD-FreeIPA sync agreement and I'm always 
getting this error:


# ipa-replica-manage connect --winsync --binddn cn=IPA 
Sync,cn=Users,dc=win,dc=example,dc=com --bindpw JamesBond007 --cacert 
/root/dc1.cer --passsync JamesBond007 dc1.win.example.com -v


Added CA certificate /root/dc1.cer to certificate database for 
ipa1.example.com

ipa: INFO: AD Suffix is: DC=win,DC=example,DC=com
*Insufficient access*

Where does this insufficient access come from?
Can you please provide some guidance with this issue?

Not sure.  First check the directory server access log - look for err=50 
around the time of your command - /var/log/dirsrv/slapd-YOUR-INSTANCE/access



IPA Sync user on the AD side has Domain Admins, Enterprise Admins, 
Schema Admins group memberships.


I'm able to query the AD using ldapsearch, binding with the 
credentials, and I also have an admin Kerberos ticket.


On the other hand, the documentation in the FreeIPA enterprise guide is 
rather succinct than adequate, as it doesn't provide at least one 
working example.


I've read all the corresponding documentation and it's still unclear 
what password I have to specify with --passsync to 
ipa-replica-manage.


"the password for the Windows PassSync user, and a required argument 
to ipa-replica-manage when creating winsync agreements."  I can't 
see any documentation mentioning that a PassSync user has to be (or is) 
created in the AD.
The bindpw already gives read/write permission to the AD tree, so I'm 
wondering why this --passsync is required.


It's rather annoying to set up PassSync on the Windows side.
The only documentation for this (what FreeIPA refers to) I can see is:
http://docs.redhat.com/docs/en-US/Red_Hat_Directory_Server/8.2/html/Administration_Guide/Windows_Sync-Configuring_Windows_Sync.html

However, cn=sync,cn=config on the screenshot for the user name is 
misleading, as only the full DN was working for us.  I assume that instead of 
ou=People,dc=example,dc=com, cn=user,cn=accounts,dc=example,dc=com has 
to be substituted (or does it have to be cn=compat?).


Thanks for any help in advance,
  Attila


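Rich's advice above is to look for err=50 in the dirsrv access log around the time of the command. The helper below is an added example, not code from the thread or from the FreeIPA project: it walks a constructed access-log sample, joins each RESULT err=50 to the identity bound on that connection (for a GSSAPI bind the mapped DN is logged on the bind's RESULT line, not on the BIND line), and so shows which bound identity was refused and on which operation. It assumes the standard 389-ds access-log line layout shown in the sample; all DNs and timestamps there are made up.

```python
import re
from collections import defaultdict

# Constructed sample of a 389-ds access log (not taken from the thread). A GSSAPI
# bind logs dn="" on the BIND line and the mapped identity on that op's RESULT line.
SAMPLE_LOG = r"""[20/Jun/2011:16:37:01 +0100] conn=42 op=0 BIND dn="" method=sasl version=3 mech=GSSAPI
[20/Jun/2011:16:37:01 +0100] conn=42 op=0 RESULT err=0 tag=97 nentries=0 etime=0 dn="uid=admin,cn=users,cn=accounts,dc=example,dc=com"
[20/Jun/2011:16:37:02 +0100] conn=42 op=1 ADD dn="cn=meTodc1.win.example.com,cn=replica,cn=dc\3Dexample\2Cdc\3Dcom,cn=mapping tree,cn=config"
[20/Jun/2011:16:37:02 +0100] conn=42 op=1 RESULT err=50 tag=105 nentries=0 etime=0
[20/Jun/2011:16:40:10 +0100] conn=43 op=0 BIND dn="cn=Directory Manager" method=128 version=3
[20/Jun/2011:16:40:10 +0100] conn=43 op=0 RESULT err=0 tag=97 nentries=0 etime=0
[20/Jun/2011:16:40:11 +0100] conn=43 op=1 ADD dn="cn=meTodc1.win.example.com,cn=replica,cn=dc\3Dexample\2Cdc\3Dcom,cn=mapping tree,cn=config"
[20/Jun/2011:16:40:11 +0100] conn=43 op=1 RESULT err=0 tag=105 nentries=0 etime=0
"""

LINE_RE = re.compile(r'^\[(?P<ts>[^\]]+)\] conn=(?P<conn>\d+)(?: op=(?P<op>\d+))? (?P<rest>.*)$')
DN_RE = re.compile(r'dn="(?P<dn>[^"]*)"')
ERR_RE = re.compile(r'\berr=(?P<err>\d+)')


def find_insufficient_access(log_text):
    """One record per RESULT err=50, joined to the identity bound on that connection."""
    bound = {}                   # conn -> effective bind DN
    pending = defaultdict(dict)  # conn -> op -> (operation, target dn)
    hits = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m or m.group('op') is None:   # skip connection open/close lines
            continue
        conn, op, rest = m.group('conn'), m.group('op'), m.group('rest')
        dn_m = DN_RE.search(rest)
        dn = dn_m.group('dn') if dn_m else None
        if rest.startswith('BIND'):
            bound[conn] = dn or '<anonymous>'   # SASL binds carry dn="" here
            pending[conn][op] = ('BIND', dn)
        elif rest.startswith('RESULT'):
            err = int(ERR_RE.search(rest).group('err'))
            kind, target = pending[conn].pop(op, ('?', None))
            if kind == 'BIND' and err == 0 and dn:
                bound[conn] = dn   # mapped identity for SASL/GSSAPI binds
            if err == 50:          # LDAP insufficientAccessRights
                hits.append({'time': m.group('ts'), 'conn': conn, 'op': op,
                             'bound_as': bound.get(conn, '<unknown>'),
                             'operation': kind, 'target': target})
        else:
            pending[conn][op] = (rest.split(' ', 1)[0], dn)
    return hits
```

On the sample, the only hit is the ADD of the agreement entry under cn=mapping tree,cn=config made while bound as the Kerberos admin; the same ADD as cn=Directory Manager succeeds, which matches the resolution posted in the thread.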