One of the FreeIPA replicas is not able to use GSSAPI authentication to connect to the LDAP server on itself or on any other FreeIPA server. I'm not sure why. I added example.com just to replace the actual domains; we're not using that. I really don't fully understand how the krbprincipalname is used, but as a thought I think maybe we have two ldap/ krbprincipal names for this host/service and it's using the wrong one for the mapping.
ipa-server-4.5.0

eu-ipa-02.example.com: replica
  last init status: None
  last init ended: 1970-01-01 00:00:00+00:00
  last update status: Error (49) Problem connecting to replica - LDAP error: Invalid credentials (connection error)
  last update ended: 1970-01-01 00:00:00+00:00
ipa-001.example.com: replica
  last init status: None
  last init ended: 1970-01-01 00:00:00+00:00
  last update status: Error (49) Problem connecting to replica - LDAP error: Invalid credentials (connection error)
  last update ended: 1970-01-01 00:00:00+00:00
rsdfw-ipa-01.example.com: replica
  last init status: None
  last init ended: 1970-01-01 00:00:00+00:00
  last update status: Error (49) Problem connecting to replica - LDAP error: Invalid credentials (connection error)
  last update ended: 1970-01-01 00:00:00+00:00
rsiad-ipa-01.example.com: replica
  last init status: None
  last init ended: 1970-01-01 00:00:00+00:00
  last update status: Error (49) Problem connecting to replica - LDAP error: Invalid credentials (connection error)
  last update ended: 1970-01-01 00:00:00+00:00

[root@eu-ipa-01 ~]# klist -ke /etc/dirsrv/ds.keytab
Keytab name: FILE:/etc/dirsrv/ds.keytab
KVNO Principal
---- --------------------------------------------------------------------------
   2 ldap/eu-ipa-01.example....@example.com (aes256-cts-hmac-sha1-96)
   2 ldap/eu-ipa-01.example....@example.com (aes128-cts-hmac-sha1-96)
   2 ldap/eu-ipa-01.example....@example.com (des3-cbc-sha1)
   2 ldap/eu-ipa-01.example....@example.com (arcfour-hmac)
   2 ldap/eu-ipa-01.example....@example.com (camellia128-cts-cmac)
   2 ldap/eu-ipa-01.example....@example.com (camellia256-cts-cmac)

ldapsearch -h eu-ipa-01.example.com -D "cn=directory manager" -W -b "dc=example,dc=com" '(krbprincipalname=ldap/eu-ipa-01*)'
Enter LDAP Password:
# extended LDIF
#
# LDAPv3
# base <dc=example,dc=com> with scope subtree
# filter: (krbprincipalname=ldap/eu-ipa-01*)
# requesting: ALL
#

# ldap/eu-ipa-01.example....@example.com, services, accounts, example.com
dn: krbprincipalname=ldap/eu-ipa-01.example....@example.com,cn=services,cn=accounts,dc=example,dc=com
krbLastSuccessfulAuth: 20180411141738Z
ipaAllowedToPerform;read_keys: cn=admins,cn=groups,cn=accounts,dc=example,dc=net
memberOf: cn=replication managers,cn=sysaccounts,cn=etc,dc=example,dc=com
ipaKrbPrincipalAlias: ldap/eu-ipa-01.example....@example.com
userCertificate::
krbExtraData::
krbPrincipalKey::
krbLoginFailedCount: 0
krbLastPwdChange: 20170718043248Z
krbCanonicalName: ldap/eu-ipa-01.example....@example.com
objectClass: ipaobject
objectClass: top
objectClass: ipaservice
objectClass: pkiuser
objectClass: krbprincipal
objectClass: krbprincipalaux
objectClass: krbTicketPolicyAux
objectClass: ipakrbprincipal
objectClass: ipaallowedoperations
managedBy: fqdn=eu-ipa-01.example.com,cn=computers,cn=accounts,dc=example,dc=com
krbPrincipalName: ldap/eu-ipa-01.example....@example.com
ipaUniqueID: 26d525e0-6b72-11e7-803b-0643f376e57a
krbPwdPolicyReference: cn=Default Service Password Policy,cn=services,cn=accounts,dc=example,dc=com

# ldap/eu-ipa-01.example....@example.com + d07bbe98-65a111e7-8454f4db-22f31cc6, services, accounts, example.com
dn: krbprincipalname=ldap/eu-ipa-01.example....@example.com+nsuniqueid=d07bbe98-65a111e7-8454f4db-22f31cc6,cn=services,cn=accounts,dc=example,dc=com
ipaKrbPrincipalAlias: ldap/eu-ipa-01.example....@example.com
userCertificate::
krbExtraData::
krbPrincipalKey::
krbLastPwdChange: 20170710185854Z
krbCanonicalName: ldap/eu-ipa-01.example....@example.com
objectClass: ipaobject
objectClass: top
objectClass: ipaservice
objectClass: pkiuser
objectClass: krbprincipal
objectClass: krbprincipalaux
objectClass: krbTicketPolicyAux
objectClass: ipakrbprincipal
managedBy: fqdn=eu-ipa-01.example.com,cn=computers,cn=accounts,dc=example,dc=com
krbPrincipalName: ldap/eu-ipa-01.example....@example.com
ipaUniqueID: d1f75da2-65a1-11e7-b431-0643f376e57a
krbPwdPolicyReference: cn=Default Service Password Policy,cn=services,cn=accounts,dc=example,dc=com

# search result
search: 2
result: 0 Success

# numResponses: 3
# numEntries: 2

Is this second result the one it's trying to use, and does it have the wrong password associated with it?

[11/Apr/2018:12:06:08.426926060 +0100] conn=137434 op=1 BIND dn="" method=sasl version=3 mech=GSSAPI
[11/Apr/2018:12:06:08.431094978 +0100] conn=137434 op=1 RESULT err=14 tag=97 nentries=0 etime=0, SASL bind in progress
[11/Apr/2018:12:06:08.431544044 +0100] conn=137434 op=2 BIND dn="" method=sasl version=3 mech=GSSAPI
[11/Apr/2018:12:06:08.432833552 +0100] conn=137434 op=2 RESULT err=14 tag=97 nentries=0 etime=0, SASL bind in progress
[11/Apr/2018:12:06:08.432981174 +0100] conn=137434 op=3 BIND dn="" method=sasl version=3 mech=GSSAPI
[11/Apr/2018:12:06:08.433457303 +0100] conn=137434 op=3 RESULT err=49 tag=97 nentries=0 etime=0 - SASL(-14): authorization failure:
[11/Apr/2018:12:06:08.433918022 +0100] conn=137434 op=4 UNBIND
[11/Apr/2018:12:06:08.433934070 +0100] conn=137434 op=4 fd=229 closed - U1

Any help would be most appreciated. Thank you.
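Two triage checks for the situation described in the post above, as an added example that is not part of the original message and not FreeIPA's or 389-ds's own tooling. The first parses ldapsearch LDIF output like the one shown and lists every krbPrincipalName that is carried by more than one entry, flagging DNs whose RDN has an extra "+nsuniqueid=" component (389 Directory Server gives that name to an entry it renamed while resolving a replication naming conflict). The second walks 389-ds access-log lines, pairs each SASL GSSAPI BIND with its RESULT per connection, and reports connections whose handshake ended in something other than success or the intermediate err=14 "SASL bind in progress". The sample LDIF and log lines are constructed to match the shapes in the post; the principal names, nsuniqueid value and timestamps in them are made up, and the code only surfaces the duplicates, it does not decide which entry the KDC or the directory server actually selects.

```python
"""Added triage helpers for the post above (not FreeIPA's own code); the
sample LDIF and log lines below are constructed, with made-up ids."""
import re
from collections import defaultdict

# 389-ds renames the loser of a replication naming conflict by appending
# "+nsuniqueid=<id>" to its RDN; DNs carrying that marker are flagged.
CONFLICT_RDN = re.compile(r"\+nsuniqueid=", re.IGNORECASE)
LOG_RE = re.compile(r"^\[[^\]]+\] conn=(?P<conn>\d+) op=(?P<op>\d+) (?P<rest>.*)$")
RESULT_RE = re.compile(r"^RESULT err=(?P<err>\d+) .*?etime=\S+(?P<msg>.*)$")


def parse_ldif(text):
    """Parse ldapsearch LDIF into a list of {attr: [values]} dicts: unfold
    continuation lines, skip '#' comments, keep '::' base64 values opaque."""
    logical = []
    for raw in text.splitlines():
        if raw.startswith(" ") and logical:
            logical[-1] += raw[1:]          # LDIF line folding
        else:
            logical.append(raw)
    entries, current = [], None
    for line in logical + [""]:             # trailing "" flushes the last entry
        if not line.strip():
            if current:
                entries.append(current)
            current = None
            continue
        if line.startswith("#"):
            continue
        attr, sep, value = line.partition(":")
        if not sep:
            continue
        if value.startswith(":"):           # "attr:: base64" form
            value = value[1:]
        if current is None:
            current = defaultdict(list)
        current[attr.strip().lower()].append(value.strip())
    return entries


def find_principal_conflicts(entries):
    """{principal: [(dn, is_conflict_entry), ...]} for every krbPrincipalName
    carried by more than one entry."""
    by_principal = defaultdict(list)
    for e in entries:
        dn = e.get("dn", [""])[0]
        for p in e.get("krbprincipalname", []):
            by_principal[p.lower()].append((dn, bool(CONFLICT_RDN.search(dn))))
    return {p: v for p, v in by_principal.items() if len(v) > 1}


def failed_gssapi_binds(lines):
    """[(conn, err, message)] for SASL GSSAPI binds whose last RESULT was
    neither err=0 nor err=14 ('SASL bind in progress', the normal
    intermediate step of the multi-round GSSAPI handshake)."""
    conns = defaultdict(list)
    for line in lines:
        m = LOG_RE.match(line.strip())
        if m:
            conns[m["conn"]].append((int(m["op"]), m["rest"]))
    failures = []
    for conn, ops in conns.items():
        gssapi_ops = {op for op, rest in ops
                      if rest.startswith("BIND") and "mech=GSSAPI" in rest}
        last = None
        for op, rest in ops:
            r = RESULT_RE.match(rest)
            if op in gssapi_ops and r:
                last = (int(r["err"]), r["msg"].strip(" -,"))
        if last and last[0] not in (0, 14):
            failures.append((conn, last[0], last[1]))
    return failures


SAMPLE_LDIF = """\
dn: krbprincipalname=ldap/eu-ipa-01.example.com@EXAMPLE.COM,cn=services,cn=acco
 unts,dc=example,dc=com
krbPrincipalName: ldap/eu-ipa-01.example.com@EXAMPLE.COM
memberOf: cn=replication managers,cn=sysaccounts,cn=etc,dc=example,dc=com
krbPrincipalKey:: AAAA

dn: krbprincipalname=ldap/eu-ipa-01.example.com@EXAMPLE.COM+nsuniqueid=0000aaaa-
 11111111-2222bbbb-3333cccc,cn=services,cn=accounts,dc=example,dc=com
krbPrincipalName: ldap/eu-ipa-01.example.com@EXAMPLE.COM
krbPrincipalKey:: BBBB
"""

SAMPLE_LOG = [  # constructed, in 389-ds access-log format
    '[11/Apr/2018:12:06:08.426926060 +0100] conn=137434 op=1 BIND dn="" method=sasl version=3 mech=GSSAPI',
    '[11/Apr/2018:12:06:08.431094978 +0100] conn=137434 op=1 RESULT err=14 tag=97 nentries=0 etime=0, SASL bind in progress',
    '[11/Apr/2018:12:06:08.432981174 +0100] conn=137434 op=3 BIND dn="" method=sasl version=3 mech=GSSAPI',
    '[11/Apr/2018:12:06:08.433457303 +0100] conn=137434 op=3 RESULT err=49 tag=97 nentries=0 etime=0 - SASL(-14): authorization failure:',
    '[11/Apr/2018:12:06:08.433918022 +0100] conn=137434 op=4 UNBIND',
    '[11/Apr/2018:12:06:09.000000000 +0100] conn=137435 op=1 BIND dn="" method=sasl version=3 mech=GSSAPI',
    '[11/Apr/2018:12:06:09.000100000 +0100] conn=137435 op=1 RESULT err=14 tag=97 nentries=0 etime=0, SASL bind in progress',
    '[11/Apr/2018:12:06:09.000200000 +0100] conn=137435 op=2 BIND dn="" method=sasl version=3 mech=GSSAPI',
    '[11/Apr/2018:12:06:09.000300000 +0100] conn=137435 op=2 RESULT err=0 tag=97 nentries=0 etime=0 dn="krbprincipalname=ldap/ipa-001.example.com@EXAMPLE.COM,cn=services,cn=accounts,dc=example,dc=com"',
]

if __name__ == "__main__":
    for principal, hits in find_principal_conflicts(parse_ldif(SAMPLE_LDIF)).items():
        print(principal, *[f"\n  {'CONFLICT' if c else 'primary '} {dn}" for dn, c in hits])
    for conn, err, msg in failed_gssapi_binds(SAMPLE_LOG):
        print(f"conn={conn}: GSSAPI bind failed err={err} {msg}")
```

To run the checks against a live server, feed parse_ldif the output of the same ldapsearch shown in the post and failed_gssapi_binds the relevant lines of /var/log/dirsrv/slapd-<instance>/access; the only dependency is the standard library.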
_______________________________________________
FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org
To unsubscribe send an email to freeipa-users-le...@lists.fedorahosted.org