On 03/18/2014 05:26 PM, Alexander Bokovoy wrote:
On Tue, 18 Mar 2014, Massimiliano Perrone (example.com) wrote:
The difference between the two calls is on the last TGS_REQ; because the first one is on ldap/olmo.example....@example.com and it's OK whereas the second one is on HTTP/olmo.example....@example.com that returns a 401 (I suppose).


Where's the error?
Am I correct that you have a user connecting to HTTP/ebano.example.com
and then HTTP/ebano.example.com wants to talk to HTTP/olmo.example.com
using credentials of the user?

FreeIPA uses constraint delegation of the credentials, with the help of
S4U2Proxy extension. You need to allow HTTP/ebano.example.com to delegate
credentials to HTTP/olmo.example.com.

I have written an article how to do that:
https://vda.li/en/posts/2013/07/29/Setting-up-S4U2Proxy-with-FreeIPA/index.html


Hi Alexander, thanks for your reply.
I read carefully your interesting post and I follow it to delegate HTTP/ebano.example.com credentials to HTTP/olmo.example.com.

Now, two questions:
1) How can I check that my configuration, now is ok? Because this ldapsearch returns result: 0

ldapsearch -Y GSSAPI -H ldap://olmo.example.com -b "cn=s4u2proxy,cn=etc,dc=example,dc=com" "cn=ipa-http-delegation-targets" dn
You need to create these delegation entries yourself, like the article
says. Note that your app talks to IPA server's HTTP service, so create

dn: cn=ebano-http-delegation,cn=s4u2proxy,cn=etc,dc=example,dc=com
objectClass: ipaKrb5DelegationACL
objectClass: groupOfPrincipals
objectClass: top
cn: ebano-http-delegation
memberPrincipal: HTTP/ebano.example....@example.com
ipaAllowedTarget: cn=ebano-http-delegation-targets,cn=s4u2proxy,cn=etc,dc=example,dc=com

This entry says: "HTTP/ebano.example.com is allowed to delegate users'
credentials to whatever Kerberos principal is a member of
cn=ebano-http-delegation-targets group"

Now, this is the group:
dn: cn=ebano-http-delegation-targets,cn=s4u2proxy,cn=etc,dc=example,dc=com
objectClass: groupOfPrincipals
objectClass: top
cn: ebano-http-delegation-targets
memberPrincipal: HTTP/olomo.example....@example.com

With these two entries we would have HTTP/ebano.example.com allowed to
delegate users' credentials to HTTP/olomo.example.com

Hi Alexander, thanks for your patience.
I followed your suggestions but the result is always the same.

Trying with curl, of course, it works.

My doubt now is why curl generates this log on kerberos server

mar 20 10:22:20 olmo.example.com krb5kdc[5091](info): TGS_REQ (1 etypes {18}) 192.168.0.105: ISSUE: authtime 1395301975, etypes {rep=18 tkt=18 ses=18}, ad...@example.com for krbtgt/example....@example.com mar 20 10:22:21 olmo.example.com krb5kdc[5091](info): TGS_REQ (6 etypes {18 17 16 23 25 26}) 192.168.0.106: ISSUE: authtime 1395301975, etypes {rep=18 tkt=18 ses=18}, ad...@example.com for ldap/olmo.example....@example.com

whereas java generates this other one

mar 20 10:24:09 olmo.example.com krb5kdc[5091](info): AS_REQ (4 etypes {18 17 16 23}) 192.168.0.105: NEEDED_PREAUTH: HTTP/ebano.example....@example.com for krbtgt/example....@example.com, Additional pre-authentication required mar 20 10:24:09 olmo.example.com krb5kdc[5091](info): AS_REQ (4 etypes {18 17 16 23}) 192.168.0.105: ISSUE: authtime 1395307449, etypes {rep=18 tkt=18 ses=18}, HTTP/ebano.example....@example.com for krbtgt/example....@example.com mar 20 10:24:09 olmo.example.com krb5kdc[5091](info): TGS_REQ (6 etypes {18 17 16 23 1 3}) 192.168.0.105: ISSUE: authtime 1395307449, etypes {rep=18 tkt=18 ses=18}, HTTP/ebano.example....@example.com for HTTP/olmo.example....@example.com

As you can see, the first one uses admin on ldap service, the second one uses HTTP/ebano.example.com on HTTP service.

Can I do the same call with Java?

I also attached LDAP log file of two calls.

Massi


You don't need to allow HTTP/olomo.example.com to further delegate
credentials to ldap/olomo.example.com because this entry already exists
-- each IPA master's HTTP service is allowed to delegate users'
credentials to own ldap/ service.

2) This time however I read also /var/log/httpd/error_log and I noticed this:
#############
[Tue Mar 18 16:38:14.117207 2014] [:error] [pid 11268] ipa: ERROR: 500 Internal Server Error: jsonserver_kerb.__call__: KRB5CCNAME not defined in HTTP request environment
#############
whereas LDAP logs are OK.
In your opinion, I have this error because of wrong environment configuration or other cause?
This is most likely because you have no Kerberos ticket available.




--
Massimiliano Perrone
Tel +39 393 9121310

Tirasa S.r.l.
Viale D'Annunzio 267 - 65127 Pescara
Tel +39 0859116307 / FAX +39 0859111173
http://www.example.com

Apache Syncope PMC Member
http://people.apache.org/~massi/

"L'apprendere molte cose non insegna l'intelligenza"
(Eraclito)

[20/Mar/2014:10:10:14 +0100] conn=4 op=165 SRCH base="dc=tirasa,dc=net" scope=2 
filter="(&(|(objectClass=krbprincipalaux)(objectClass=krbprincipal))(krbPrincipalName=HTTP/ebano.tirasa....@tirasa.net))"
 attrs="krbPrincipalName krbCanonicalName ipaKrbPrincipalAlias krbUPEnabled 
krbPrincipalKey krbTicketPolicyReference krbPrincipalExpiration 
krbPasswordExpiration krbPwdPolicyReference krbPrincipalType krbPwdHistory 
krbLastPwdChange krbPrincipalAliases krbLastSuccessfulAuth krbLastFailedAuth 
krbLoginFailedCount krbExtraData krbLastAdminUnlock krbObjectReferences 
krbTicketFlags krbMaxTicketLife krbMaxRenewableAge nsAccountLock 
passwordHistory ipaKrbAuthzData ipaUserAuthType objectClass"
[20/Mar/2014:10:10:14 +0100] conn=4 op=165 RESULT err=0 tag=101 nentries=1 
etime=0
[20/Mar/2014:10:10:14 +0100] conn=4 op=166 SRCH 
base="cn=TIRASA.NET,cn=kerberos,dc=tirasa,dc=net" scope=0 
filter="(objectClass=krbticketpolicyaux)" attrs="krbMaxTicketLife 
krbMaxRenewableAge krbTicketFlags"
[20/Mar/2014:10:10:14 +0100] conn=4 op=166 RESULT err=0 tag=101 nentries=1 
etime=0
[20/Mar/2014:10:10:14 +0100] conn=4 op=167 SRCH base="dc=tirasa,dc=net" scope=2 
filter="(&(|(objectClass=krbprincipalaux)(objectClass=krbprincipal)(objectClass=ipakrbprincipal))(|(ipaKrbPrincipalAlias=krbtgt/tirasa....@tirasa.net)(krbPrincipalName=krbtgt/tirasa....@tirasa.net)))"
 attrs="krbPrincipalName krbCanonicalName ipaKrbPrincipalAlias krbUPEnabled 
krbPrincipalKey krbTicketPolicyReference krbPrincipalExpiration 
krbPasswordExpiration krbPwdPolicyReference krbPrincipalType krbPwdHistory 
krbLastPwdChange krbPrincipalAliases krbLastSuccessfulAuth krbLastFailedAuth 
krbLoginFailedCount krbExtraData krbLastAdminUnlock krbObjectReferences 
krbTicketFlags krbMaxTicketLife krbMaxRenewableAge nsAccountLock 
passwordHistory ipaKrbAuthzData ipaUserAuthType objectClass"
[20/Mar/2014:10:10:14 +0100] conn=4 op=167 RESULT err=0 tag=101 nentries=1 
etime=0
[20/Mar/2014:10:10:14 +0100] conn=4 op=168 SRCH 
base="cn=global_policy,cn=TIRASA.NET,cn=kerberos,dc=tirasa,dc=net" scope=0 
filter="(objectClass=*)" attrs="krbMaxPwdLife krbMinPwdLife krbPwdMinDiffChars 
krbPwdMinLength krbPwdHistoryLength krbPwdMaxFailure krbPwdFailureCountInterval 
krbPwdLockoutDuration"
[20/Mar/2014:10:10:14 +0100] conn=4 op=168 RESULT err=0 tag=101 nentries=1 
etime=0
[20/Mar/2014:10:10:14 +0100] conn=4 op=169 SRCH base="dc=tirasa,dc=net" scope=2 
filter="(&(|(objectClass=krbprincipalaux)(objectClass=krbprincipal))(krbPrincipalName=HTTP/ebano.tirasa....@tirasa.net))"
 attrs="krbPrincipalName krbCanonicalName ipaKrbPrincipalAlias krbUPEnabled 
krbPrincipalKey krbTicketPolicyReference krbPrincipalExpiration 
krbPasswordExpiration krbPwdPolicyReference krbPrincipalType krbPwdHistory 
krbLastPwdChange krbPrincipalAliases krbLastSuccessfulAuth krbLastFailedAuth 
krbLoginFailedCount krbExtraData krbLastAdminUnlock krbObjectReferences 
krbTicketFlags krbMaxTicketLife krbMaxRenewableAge nsAccountLock 
passwordHistory ipaKrbAuthzData ipaUserAuthType objectClass"
[20/Mar/2014:10:10:14 +0100] conn=4 op=169 RESULT err=0 tag=101 nentries=1 
etime=0
[20/Mar/2014:10:10:14 +0100] conn=4 op=170 SRCH 
base="cn=TIRASA.NET,cn=kerberos,dc=tirasa,dc=net" scope=0 
filter="(objectClass=krbticketpolicyaux)" attrs="krbMaxTicketLife 
krbMaxRenewableAge krbTicketFlags"
[20/Mar/2014:10:10:14 +0100] conn=4 op=170 RESULT err=0 tag=101 nentries=1 
etime=0
[20/Mar/2014:10:10:14 +0100] conn=4 op=171 SRCH base="dc=tirasa,dc=net" scope=2 
filter="(&(|(objectClass=krbprincipalaux)(objectClass=krbprincipal)(objectClass=ipakrbprincipal))(|(ipaKrbPrincipalAlias=krbtgt/tirasa....@tirasa.net)(krbPrincipalName=krbtgt/tirasa....@tirasa.net)))"
 attrs="krbPrincipalName krbCanonicalName ipaKrbPrincipalAlias krbUPEnabled 
krbPrincipalKey krbTicketPolicyReference krbPrincipalExpiration 
krbPasswordExpiration krbPwdPolicyReference krbPrincipalType krbPwdHistory 
krbLastPwdChange krbPrincipalAliases krbLastSuccessfulAuth krbLastFailedAuth 
krbLoginFailedCount krbExtraData krbLastAdminUnlock krbObjectReferences 
krbTicketFlags krbMaxTicketLife krbMaxRenewableAge nsAccountLock 
passwordHistory ipaKrbAuthzData ipaUserAuthType objectClass"
[20/Mar/2014:10:10:14 +0100] conn=4 op=171 RESULT err=0 tag=101 nentries=1 
etime=0
[20/Mar/2014:10:10:14 +0100] conn=4 op=172 SRCH 
base="cn=global_policy,cn=TIRASA.NET,cn=kerberos,dc=tirasa,dc=net" scope=0 
filter="(objectClass=*)" attrs="krbMaxPwdLife krbMinPwdLife krbPwdMinDiffChars 
krbPwdMinLength krbPwdHistoryLength krbPwdMaxFailure krbPwdFailureCountInterval 
krbPwdLockoutDuration"
[20/Mar/2014:10:10:14 +0100] conn=4 op=172 RESULT err=0 tag=101 nentries=1 
etime=0
[20/Mar/2014:10:10:14 +0100] conn=4 op=173 SRCH 
base="cn=ad,cn=trusts,dc=tirasa,dc=net" scope=2 
filter="(objectClass=ipaNTTrustedDomain)" attrs=ALL
[20/Mar/2014:10:10:14 +0100] conn=4 op=173 RESULT err=32 tag=101 nentries=0 
etime=0
[20/Mar/2014:10:10:14 +0100] conn=4 op=174 SRCH 
base="krbprincipalname=HTTP/ebano.tirasa....@tirasa.net,cn=services,cn=accounts,dc=tirasa,dc=net"
 scope=0 filter="(objectClass=*)" attrs="objectClass uid cn fqdn gidNumber 
krbPrincipalName krbCanonicalName krbTicketPolicyReference 
krbPrincipalExpiration krbPasswordExpiration krbPwdPolicyReference 
krbPrincipalType krbLastPwdChange krbPrincipalAliases krbLastSuccessfulAuth 
krbLastFailedAuth krbLoginFailedCount krbLastAdminUnlock krbTicketFlags 
ipaNTSecurityIdentifier ipaNTLogonScript ipaNTProfilePath ipaNTHomeDirectory 
ipaNTHomeDirectoryDrive"
[20/Mar/2014:10:10:14 +0100] conn=4 op=174 RESULT err=0 tag=101 nentries=1 
etime=0
[20/Mar/2014:10:10:14 +0100] conn=4 op=175 SRCH 
base="cn=ebano.tirasa.net,cn=masters,cn=ipa,cn=etc,dc=tirasa,dc=net" scope=0 
filter="(objectClass=*)" attrs=ALL
[20/Mar/2014:10:10:14 +0100] conn=4 op=175 RESULT err=32 tag=101 nentries=0 
etime=0
[20/Mar/2014:10:10:14 +0100] conn=4 op=176 MOD 
dn="krbprincipalname=HTTP/ebano.tirasa....@tirasa.net,cn=services,cn=accounts,dc=tirasa,dc=net"
[20/Mar/2014:10:10:14 +0100] conn=4 op=176 RESULT err=0 tag=103 nentries=0 
etime=0
[20/Mar/2014:10:10:14 +0100] conn=4 op=177 SRCH base="dc=tirasa,dc=net" scope=2 
filter="(&(|(objectClass=krbprincipalaux)(objectClass=krbprincipal))(krbPrincipalName=krbtgt/tirasa....@tirasa.net))"
 attrs="krbPrincipalName krbCanonicalName ipaKrbPrincipalAlias krbUPEnabled 
krbPrincipalKey krbTicketPolicyReference krbPrincipalExpiration 
krbPasswordExpiration krbPwdPolicyReference krbPrincipalType krbPwdHistory 
krbLastPwdChange krbPrincipalAliases krbLastSuccessfulAuth krbLastFailedAuth 
krbLoginFailedCount krbExtraData krbLastAdminUnlock krbObjectReferences 
krbTicketFlags krbMaxTicketLife krbMaxRenewableAge nsAccountLock 
passwordHistory ipaKrbAuthzData ipaUserAuthType objectClass"
[20/Mar/2014:10:10:14 +0100] conn=4 op=177 RESULT err=0 tag=101 nentries=1 
etime=0
[20/Mar/2014:10:10:14 +0100] conn=4 op=178 SRCH base="dc=tirasa,dc=net" scope=2 
filter="(&(|(objectClass=krbprincipalaux)(objectClass=krbprincipal)(objectClass=ipakrbprincipal))(|(ipaKrbPrincipalAlias=HTTP/olmo.tirasa....@tirasa.net)(krbPrincipalName=HTTP/olmo.tirasa....@tirasa.net)))"
 attrs="krbPrincipalName krbCanonicalName ipaKrbPrincipalAlias krbUPEnabled 
krbPrincipalKey krbTicketPolicyReference krbPrincipalExpiration 
krbPasswordExpiration krbPwdPolicyReference krbPrincipalType krbPwdHistory 
krbLastPwdChange krbPrincipalAliases krbLastSuccessfulAuth krbLastFailedAuth 
krbLoginFailedCount krbExtraData krbLastAdminUnlock krbObjectReferences 
krbTicketFlags krbMaxTicketLife krbMaxRenewableAge nsAccountLock 
passwordHistory ipaKrbAuthzData ipaUserAuthType objectClass"
[20/Mar/2014:10:10:14 +0100] conn=4 op=178 RESULT err=0 tag=101 nentries=1 
etime=0
[20/Mar/2014:10:10:14 +0100] conn=4 op=179 SRCH 
base="cn=TIRASA.NET,cn=kerberos,dc=tirasa,dc=net" scope=0 
filter="(objectClass=krbticketpolicyaux)" attrs="krbMaxTicketLife 
krbMaxRenewableAge krbTicketFlags"
[20/Mar/2014:10:10:14 +0100] conn=4 op=179 RESULT err=0 tag=101 nentries=1 
etime=0
[20/Mar/2014:10:10:14 +0100] conn=4 op=180 SRCH base="dc=tirasa,dc=net" scope=2 
filter="(&(|(objectClass=krbprincipalaux)(objectClass=krbprincipal))(krbPrincipalName=HTTP/ebano.tirasa....@tirasa.net))"
 attrs="krbPrincipalName krbCanonicalName ipaKrbPrincipalAlias krbUPEnabled 
krbPrincipalKey krbTicketPolicyReference krbPrincipalExpiration 
krbPasswordExpiration krbPwdPolicyReference krbPrincipalType krbPwdHistory 
krbLastPwdChange krbPrincipalAliases krbLastSuccessfulAuth krbLastFailedAuth 
krbLoginFailedCount krbExtraData krbLastAdminUnlock krbObjectReferences 
krbTicketFlags krbMaxTicketLife krbMaxRenewableAge nsAccountLock 
passwordHistory ipaKrbAuthzData ipaUserAuthType objectClass"
[20/Mar/2014:10:10:14 +0100] conn=4 op=180 RESULT err=0 tag=101 nentries=1 
etime=0
[20/Mar/2014:10:10:14 +0100] conn=4 op=181 SRCH 
base="cn=TIRASA.NET,cn=kerberos,dc=tirasa,dc=net" scope=0 
filter="(objectClass=krbticketpolicyaux)" attrs="krbMaxTicketLife 
krbMaxRenewableAge krbTicketFlags"
[20/Mar/2014:10:10:14 +0100] conn=4 op=181 RESULT err=0 tag=101 nentries=1 
etime=0
[20/Mar/2014:10:10:22 +0100] conn=6 op=13 SRCH 
base="ou=certificateRepository,ou=ca,o=ipaca" scope=1 
filter="(certStatus=INVALID)" attrs="objectClass serialno notBefore notAfter 
duration extension subjectName userCertificate version algorithmId 
signingAlgorithmId publicKeyData"
[20/Mar/2014:10:10:22 +0100] conn=6 op=13 SORT notBefore 
[20/Mar/2014:10:10:22 +0100] conn=6 op=13 VLV 200:0:20140320101022Z 1:0 (0)
[20/Mar/2014:10:10:22 +0100] conn=6 op=13 RESULT err=0 tag=101 nentries=0 
etime=0
[20/Mar/2014:10:10:22 +0100] conn=6 op=14 SRCH 
base="ou=certificateRepository,ou=ca,o=ipaca" scope=1 
filter="(certStatus=VALID)" attrs="objectClass serialno notBefore notAfter 
duration extension subjectName userCertificate version algorithmId 
signingAlgorithmId publicKeyData"
[20/Mar/2014:10:10:22 +0100] conn=6 op=14 SORT notAfter 
[20/Mar/2014:10:10:22 +0100] conn=6 op=14 VLV 200:0:20140320101022Z 1:10 (0)
[20/Mar/2014:10:10:22 +0100] conn=6 op=14 RESULT err=0 tag=101 nentries=1 
etime=0
[20/Mar/2014:10:10:22 +0100] conn=6 op=15 SRCH 
base="ou=certificateRepository,ou=ca,o=ipaca" scope=1 
filter="(certStatus=REVOKED)" attrs="objectClass revokedOn serialno revInfo 
notAfter notBefore duration extension subjectName userCertificate version 
algorithmId signingAlgorithmId publicKeyData"
[20/Mar/2014:10:10:22 +0100] conn=6 op=15 VLV 200:0:20140320101022Z 0:0 (0)
[20/Mar/2014:10:10:22 +0100] conn=6 op=15 RESULT err=0 tag=101 nentries=0 
etime=0 notes=U
[20/Mar/2014:10:10:22 +0100] conn=6 op=16 SRCH 
base="ou=certificateRepository,ou=ca,o=ipaca" scope=0 
filter="(|(objectClass=*)(objectClass=ldapsubentry))" attrs="description"
[20/Mar/2014:10:10:22 +0100] conn=6 op=16 RESULT err=0 tag=101 nentries=1 
etime=0
[20/Mar/2014:10:10:26 +0100] conn=14 op=4 SRCH base="ou=sessions,ou=Security 
Domain,o=ipaca" scope=2 filter="(objectClass=securityDomainSessionEntry)" 
attrs="cn"
[20/Mar/2014:10:10:26 +0100] conn=14 op=4 RESULT err=32 tag=101 nentries=0 
etime=0


[20/Mar/2014:10:09:18 +0100] conn=4 op=155 SRCH base="dc=tirasa,dc=net" scope=2 
filter="(&(|(objectClass=krbprincipalaux)(objectClass=krbprincipal))(krbPrincipalName=krbtgt/tirasa....@tirasa.net))"
 attrs="krbPrincipalName krbCanonicalName ipaKrbPrincipalAlias krbUPEnabled 
krbPrincipalKey krbTicketPolicyReference krbPrincipalExpiration 
krbPasswordExpiration krbPwdPolicyReference krbPrincipalType krbPwdHistory 
krbLastPwdChange krbPrincipalAliases krbLastSuccessfulAuth krbLastFailedAuth 
krbLoginFailedCount krbExtraData krbLastAdminUnlock krbObjectReferences 
krbTicketFlags krbMaxTicketLife krbMaxRenewableAge nsAccountLock 
passwordHistory ipaKrbAuthzData ipaUserAuthType objectClass"
[20/Mar/2014:10:09:18 +0100] conn=4 op=155 RESULT err=0 tag=101 nentries=1 
etime=0
[20/Mar/2014:10:09:18 +0100] conn=4 op=156 SRCH base="dc=tirasa,dc=net" scope=2 
filter="(&(|(objectClass=krbprincipalaux)(objectClass=krbprincipal)(objectClass=ipakrbprincipal))(|(ipaKrbPrincipalAlias=krbtgt/tirasa....@tirasa.net)(krbPrincipalName=krbtgt/tirasa....@tirasa.net)))"
 attrs="krbPrincipalName krbCanonicalName ipaKrbPrincipalAlias krbUPEnabled 
krbPrincipalKey krbTicketPolicyReference krbPrincipalExpiration 
krbPasswordExpiration krbPwdPolicyReference krbPrincipalType krbPwdHistory 
krbLastPwdChange krbPrincipalAliases krbLastSuccessfulAuth krbLastFailedAuth 
krbLoginFailedCount krbExtraData krbLastAdminUnlock krbObjectReferences 
krbTicketFlags krbMaxTicketLife krbMaxRenewableAge nsAccountLock 
passwordHistory ipaKrbAuthzData ipaUserAuthType objectClass"
[20/Mar/2014:10:09:18 +0100] conn=4 op=156 RESULT err=0 tag=101 nentries=1 
etime=0
[20/Mar/2014:10:09:18 +0100] conn=4 op=157 SRCH base="dc=tirasa,dc=net" scope=2 
filter="(&(|(objectClass=krbprincipalaux)(objectClass=krbprincipal))(krbPrincipalName=ad...@tirasa.net))"
 attrs="krbPrincipalName krbCanonicalName ipaKrbPrincipalAlias krbUPEnabled 
krbPrincipalKey krbTicketPolicyReference krbPrincipalExpiration 
krbPasswordExpiration krbPwdPolicyReference krbPrincipalType krbPwdHistory 
krbLastPwdChange krbPrincipalAliases krbLastSuccessfulAuth krbLastFailedAuth 
krbLoginFailedCount krbExtraData krbLastAdminUnlock krbObjectReferences 
krbTicketFlags krbMaxTicketLife krbMaxRenewableAge nsAccountLock 
passwordHistory ipaKrbAuthzData ipaUserAuthType objectClass"
[20/Mar/2014:10:09:18 +0100] conn=4 op=157 RESULT err=0 tag=101 nentries=1 
etime=0
[20/Mar/2014:10:09:18 +0100] conn=4 op=158 SRCH 
base="cn=TIRASA.NET,cn=kerberos,dc=tirasa,dc=net" scope=0 
filter="(objectClass=krbticketpolicyaux)" attrs="krbMaxTicketLife 
krbMaxRenewableAge krbTicketFlags"
[20/Mar/2014:10:09:18 +0100] conn=4 op=158 RESULT err=0 tag=101 nentries=1 
etime=0
[20/Mar/2014:10:09:18 +0100] conn=4 op=159 SRCH base="dc=tirasa,dc=net" scope=2 
filter="(&(|(objectClass=krbprincipalaux)(objectClass=krbprincipal))(krbPrincipalName=krbtgt/tirasa....@tirasa.net))"
 attrs="krbPrincipalName krbCanonicalName ipaKrbPrincipalAlias krbUPEnabled 
krbPrincipalKey krbTicketPolicyReference krbPrincipalExpiration 
krbPasswordExpiration krbPwdPolicyReference krbPrincipalType krbPwdHistory 
krbLastPwdChange krbPrincipalAliases krbLastSuccessfulAuth krbLastFailedAuth 
krbLoginFailedCount krbExtraData krbLastAdminUnlock krbObjectReferences 
krbTicketFlags krbMaxTicketLife krbMaxRenewableAge nsAccountLock 
passwordHistory ipaKrbAuthzData ipaUserAuthType objectClass"
[20/Mar/2014:10:09:18 +0100] conn=4 op=159 RESULT err=0 tag=101 nentries=1 
etime=0
[20/Mar/2014:10:09:18 +0100] conn=19 fd=90 slot=90 connection from 
192.168.0.106 to 192.168.0.106
[20/Mar/2014:10:09:18 +0100] conn=4 op=160 SRCH base="dc=tirasa,dc=net" scope=2 
filter="(&(|(objectClass=krbprincipalaux)(objectClass=krbprincipal)(objectClass=ipakrbprincipal))(|(ipaKrbPrincipalAlias=ldap/olmo.tirasa....@tirasa.net)(krbPrincipalName=ldap/olmo.tirasa....@tirasa.net)))"
 attrs="krbPrincipalName krbCanonicalName ipaKrbPrincipalAlias krbUPEnabled 
krbPrincipalKey krbTicketPolicyReference krbPrincipalExpiration 
krbPasswordExpiration krbPwdPolicyReference krbPrincipalType krbPwdHistory 
krbLastPwdChange krbPrincipalAliases krbLastSuccessfulAuth krbLastFailedAuth 
krbLoginFailedCount krbExtraData krbLastAdminUnlock krbObjectReferences 
krbTicketFlags krbMaxTicketLife krbMaxRenewableAge nsAccountLock 
passwordHistory ipaKrbAuthzData ipaUserAuthType objectClass"
[20/Mar/2014:10:09:18 +0100] conn=4 op=160 RESULT err=0 tag=101 nentries=1 
etime=0
[20/Mar/2014:10:09:18 +0100] conn=4 op=161 SRCH 
base="cn=TIRASA.NET,cn=kerberos,dc=tirasa,dc=net" scope=0 
filter="(objectClass=krbticketpolicyaux)" attrs="krbMaxTicketLife 
krbMaxRenewableAge krbTicketFlags"
[20/Mar/2014:10:09:18 +0100] conn=4 op=161 RESULT err=0 tag=101 nentries=1 
etime=0
[20/Mar/2014:10:09:18 +0100] conn=4 op=162 SRCH base="dc=tirasa,dc=net" scope=2 
filter="(&(|(objectClass=krbprincipalaux)(objectClass=krbprincipal))(krbPrincipalName=ad...@tirasa.net))"
 attrs="krbPrincipalName krbCanonicalName ipaKrbPrincipalAlias krbUPEnabled 
krbPrincipalKey krbTicketPolicyReference krbPrincipalExpiration 
krbPasswordExpiration krbPwdPolicyReference krbPrincipalType krbPwdHistory 
krbLastPwdChange krbPrincipalAliases krbLastSuccessfulAuth krbLastFailedAuth 
krbLoginFailedCount krbExtraData krbLastAdminUnlock krbObjectReferences 
krbTicketFlags krbMaxTicketLife krbMaxRenewableAge nsAccountLock 
passwordHistory ipaKrbAuthzData ipaUserAuthType objectClass"
[20/Mar/2014:10:09:18 +0100] conn=4 op=162 RESULT err=0 tag=101 nentries=1 
etime=0
[20/Mar/2014:10:09:18 +0100] conn=4 op=163 SRCH 
base="cn=TIRASA.NET,cn=kerberos,dc=tirasa,dc=net" scope=0 
filter="(objectClass=krbticketpolicyaux)" attrs="krbMaxTicketLife 
krbMaxRenewableAge krbTicketFlags"
[20/Mar/2014:10:09:18 +0100] conn=4 op=163 RESULT err=0 tag=101 nentries=1 
etime=0
[20/Mar/2014:10:09:18 +0100] conn=19 op=0 BIND dn="" method=sasl version=3 
mech=GSSAPI
[20/Mar/2014:10:09:18 +0100] conn=19 op=0 RESULT err=14 tag=97 nentries=0 
etime=0, SASL bind in progress
[20/Mar/2014:10:09:19 +0100] conn=19 op=1 BIND dn="" method=sasl version=3 
mech=GSSAPI
[20/Mar/2014:10:09:19 +0100] conn=19 op=2 BIND dn="" method=sasl version=3 
mech=GSSAPI
[20/Mar/2014:10:09:19 +0100] conn=19 op=1 RESULT err=14 tag=97 nentries=0 
etime=0, SASL bind in progress
[20/Mar/2014:10:09:19 +0100] conn=19 op=3 SRCH 
base="cn=ipaconfig,cn=etc,dc=tirasa,dc=net" scope=0 filter="(objectClass=*)" 
attrs=ALL
[20/Mar/2014:10:09:19 +0100] conn=19 op=2 RESULT err=0 tag=97 nentries=0 
etime=0 dn="uid=admin,cn=users,cn=accounts,dc=tirasa,dc=net"
[20/Mar/2014:10:09:19 +0100] conn=19 op=3 RESULT err=0 tag=101 nentries=1 
etime=0
[20/Mar/2014:10:09:19 +0100] conn=19 op=4 SRCH base="cn=schema" scope=0 
filter="(objectClass=*)" attrs="attributeTypes objectClasses"
[20/Mar/2014:10:09:19 +0100] conn=19 op=4 RESULT err=0 tag=101 nentries=1 
etime=0
[20/Mar/2014:10:09:19 +0100] conn=19 op=5 SRCH 
base="cn=users,cn=accounts,dc=tirasa,dc=net" scope=1 
filter="(objectClass=posixaccount)" attrs="telephoneNumber sshpubkeyfp uid 
title loginShell * uidNumber gidNumber sn homeDirectory mail givenName 
nsAccountLock aci"
[20/Mar/2014:10:09:19 +0100] conn=19 op=5 RESULT err=0 tag=101 nentries=1 
etime=0
[20/Mar/2014:10:09:19 +0100] conn=19 op=6 SRCH 
base="cn=admins,cn=groups,cn=accounts,dc=tirasa,dc=net" scope=0 
filter="(|(member=uid=admin,cn=users,cn=accounts,dc=tirasa,dc=net)(memberHost=uid=admin,cn=users,cn=accounts,dc=tirasa,dc=net)(memberUser=uid=admin,cn=users,cn=accounts,dc=tirasa,dc=net))"
 attrs="memberOf"
[20/Mar/2014:10:09:19 +0100] conn=19 op=6 RESULT err=0 tag=101 nentries=1 
etime=0
[20/Mar/2014:10:09:19 +0100] conn=19 op=7 SRCH base="cn=replication 
administrators,cn=privileges,cn=pbac,dc=tirasa,dc=net" scope=0 
filter="(|(member=uid=admin,cn=users,cn=accounts,dc=tirasa,dc=net)(memberHost=uid=admin,cn=users,cn=accounts,dc=tirasa,dc=net)(memberUser=uid=admin,cn=users,cn=accounts,dc=tirasa,dc=net))"
 attrs="memberOf"
[20/Mar/2014:10:09:19 +0100] conn=19 op=7 RESULT err=0 tag=101 nentries=0 
etime=0
[20/Mar/2014:10:09:19 +0100] conn=19 op=8 SRCH base="cn=add replication 
agreements,cn=permissions,cn=pbac,dc=tirasa,dc=net" scope=0 
filter="(|(member=uid=admin,cn=users,cn=accounts,dc=tirasa,dc=net)(memberHost=uid=admin,cn=users,cn=accounts,dc=tirasa,dc=net)(memberUser=uid=admin,cn=users,cn=accounts,dc=tirasa,dc=net))"
 attrs="memberOf"
[20/Mar/2014:10:09:19 +0100] conn=19 op=8 RESULT err=0 tag=101 nentries=0 
etime=0
[20/Mar/2014:10:09:19 +0100] conn=19 op=9 SRCH base="cn=modify replication 
agreements,cn=permissions,cn=pbac,dc=tirasa,dc=net" scope=0 
filter="(|(member=uid=admin,cn=users,cn=accounts,dc=tirasa,dc=net)(memberHost=uid=admin,cn=users,cn=accounts,dc=tirasa,dc=net)(memberUser=uid=admin,cn=users,cn=accounts,dc=tirasa,dc=net))"
 attrs="memberOf"
[20/Mar/2014:10:09:19 +0100] conn=19 op=9 RESULT err=0 tag=101 nentries=0 
etime=0
[20/Mar/2014:10:09:19 +0100] conn=19 op=10 SRCH base="cn=remove replication 
agreements,cn=permissions,cn=pbac,dc=tirasa,dc=net" scope=0 
filter="(|(member=uid=admin,cn=users,cn=accounts,dc=tirasa,dc=net)(memberHost=uid=admin,cn=users,cn=accounts,dc=tirasa,dc=net)(memberUser=uid=admin,cn=users,cn=accounts,dc=tirasa,dc=net))"
 attrs="memberOf"
[20/Mar/2014:10:09:19 +0100] conn=19 op=10 RESULT err=0 tag=101 nentries=0 
etime=0
[20/Mar/2014:10:09:19 +0100] conn=19 op=11 SRCH base="cn=modify dna 
range,cn=permissions,cn=pbac,dc=tirasa,dc=net" scope=0 
filter="(|(member=uid=admin,cn=users,cn=accounts,dc=tirasa,dc=net)(memberHost=uid=admin,cn=users,cn=accounts,dc=tirasa,dc=net)(memberUser=uid=admin,cn=users,cn=accounts,dc=tirasa,dc=net))"
 attrs="memberOf"
[20/Mar/2014:10:09:19 +0100] conn=19 op=11 RESULT err=0 tag=101 nentries=0 
etime=0
[20/Mar/2014:10:09:19 +0100] conn=19 op=12 SRCH base="cn=host 
enrollment,cn=privileges,cn=pbac,dc=tirasa,dc=net" scope=0 
filter="(|(member=uid=admin,cn=users,cn=accounts,dc=tirasa,dc=net)(memberHost=uid=admin,cn=users,cn=accounts,dc=tirasa,dc=net)(memberUser=uid=admin,cn=users,cn=accounts,dc=tirasa,dc=net))"
 attrs="memberOf"
[20/Mar/2014:10:09:19 +0100] conn=19 op=12 RESULT err=0 tag=101 nentries=0 
etime=0
[20/Mar/2014:10:09:19 +0100] conn=19 op=13 SRCH base="cn=manage host 
keytab,cn=permissions,cn=pbac,dc=tirasa,dc=net" scope=0 
filter="(|(member=uid=admin,cn=users,cn=accounts,dc=tirasa,dc=net)(memberHost=uid=admin,cn=users,cn=accounts,dc=tirasa,dc=net)(memberUser=uid=admin,cn=users,cn=accounts,dc=tirasa,dc=net))"
 attrs="memberOf"
[20/Mar/2014:10:09:19 +0100] conn=19 op=13 RESULT err=0 tag=101 nentries=0 
etime=0
[20/Mar/2014:10:09:19 +0100] conn=19 op=14 SRCH base="cn=enroll a 
host,cn=permissions,cn=pbac,dc=tirasa,dc=net" scope=0 
filter="(|(member=uid=admin,cn=users,cn=accounts,dc=tirasa,dc=net)(memberHost=uid=admin,cn=users,cn=accounts,dc=tirasa,dc=net)(memberUser=uid=admin,cn=users,cn=accounts,dc=tirasa,dc=net))"
 attrs="memberOf"
[20/Mar/2014:10:09:19 +0100] conn=19 op=14 RESULT err=0 tag=101 nentries=0 
etime=0
[20/Mar/2014:10:09:19 +0100] conn=19 op=15 SRCH base="cn=add krbprincipalname 
to a host,cn=permissions,cn=pbac,dc=tirasa,dc=net" scope=0 
filter="(|(member=uid=admin,cn=users,cn=accounts,dc=tirasa,dc=net)(memberHost=uid=admin,cn=users,cn=accounts,dc=tirasa,dc=net)(memberUser=uid=admin,cn=users,cn=accounts,dc=tirasa,dc=net))"
 attrs="memberOf"
[20/Mar/2014:10:09:19 +0100] conn=19 op=15 RESULT err=0 tag=101 nentries=0 
etime=0
[20/Mar/2014:10:09:19 +0100] conn=19 op=16 SRCH base="cn=unlock user 
accounts,cn=permissions,cn=pbac,dc=tirasa,dc=net" scope=0 
filter="(|(member=uid=admin,cn=users,cn=accounts,dc=tirasa,dc=net)(memberHost=uid=admin,cn=users,cn=accounts,dc=tirasa,dc=net)(memberUser=uid=admin,cn=users,cn=accounts,dc=tirasa,dc=net))"
 attrs="memberOf"
[20/Mar/2014:10:09:19 +0100] conn=19 op=16 RESULT err=0 tag=101 nentries=0 
etime=0
[20/Mar/2014:10:09:19 +0100] conn=19 op=17 SRCH base="cn=manage service 
keytab,cn=permissions,cn=pbac,dc=tirasa,dc=net" scope=0 
filter="(|(member=uid=admin,cn=users,cn=accounts,dc=tirasa,dc=net)(memberHost=uid=admin,cn=users,cn=accounts,dc=tirasa,dc=net)(memberUser=uid=admin,cn=users,cn=accounts,dc=tirasa,dc=net))"
 attrs="memberOf"
[20/Mar/2014:10:09:19 +0100] conn=19 op=17 RESULT err=0 tag=101 nentries=0 
etime=0
[20/Mar/2014:10:09:19 +0100] conn=19 op=18 SRCH base="cn=trust 
admins,cn=groups,cn=accounts,dc=tirasa,dc=net" scope=0 
filter="(|(member=uid=admin,cn=users,cn=accounts,dc=tirasa,dc=net)(memberHost=uid=admin,cn=users,cn=accounts,dc=tirasa,dc=net)(memberUser=uid=admin,cn=users,cn=accounts,dc=tirasa,dc=net))"
 attrs="memberOf"
[20/Mar/2014:10:09:19 +0100] conn=19 op=18 RESULT err=0 tag=101 nentries=1 
etime=0
[20/Mar/2014:10:09:19 +0100] conn=19 op=19 SRCH 
base="uid=admin,cn=users,cn=accounts,dc=tirasa,dc=net" scope=0 
filter="(userPassword=*)" attrs="userPassword"
[20/Mar/2014:10:09:19 +0100] conn=19 op=19 RESULT err=0 tag=101 nentries=1 
etime=0
[20/Mar/2014:10:09:19 +0100] conn=19 op=20 SRCH 
base="uid=admin,cn=users,cn=accounts,dc=tirasa,dc=net" scope=0 
filter="(krbPrincipalKey=*)" attrs="krbPrincipalKey"
[20/Mar/2014:10:09:19 +0100] conn=19 op=20 RESULT err=0 tag=101 nentries=1 
etime=0
[20/Mar/2014:10:09:19 +0100] conn=19 op=21 SRCH 
base="uid=admin,cn=users,cn=accounts,dc=tirasa,dc=net" scope=0 
filter="(objectClass=*)" attrs="ipaSshPubKey"
[20/Mar/2014:10:09:19 +0100] conn=19 op=21 RESULT err=0 tag=101 nentries=1 
etime=0
[20/Mar/2014:10:09:19 +0100] conn=19 op=22 UNBIND
[20/Mar/2014:10:09:19 +0100] conn=19 op=22 fd=90 closed - U1

_______________________________________________
Freeipa-devel mailing list
Freeipa-devel@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-devel

Reply via email to