On 04/11/2018 04:47 PM, Dave Jablonski via FreeIPA-users wrote:
One of the FreeIPA replicas is not able to use GSSAPI authentication to connect to the LDAP server on itself or any other FreeIPA server.  I'm not sure why.  I added example.com just to replace the actual domains; we're not using that.  I really don't fully understand how the krbprincipalname is used, but as a thought I think maybe we have 2 ldap/ krbprincipal names for this host/service and it's using the wrong one for the mapping.

ipa-server-4.5.0

eu-ipa-02.example.com: replica
  last init status: None
  last init ended: 1970-01-01 00:00:00+00:00
  last update status: Error (49) Problem connecting to replica - LDAP error: Invalid credentials (connection error)
  last update ended: 1970-01-01 00:00:00+00:00
ipa-001.example.com: replica
  last init status: None
  last init ended: 1970-01-01 00:00:00+00:00
  last update status: Error (49) Problem connecting to replica - LDAP error: Invalid credentials (connection error)
  last update ended: 1970-01-01 00:00:00+00:00
rsdfw-ipa-01.example.com: replica
  last init status: None
  last init ended: 1970-01-01 00:00:00+00:00
  last update status: Error (49) Problem connecting to replica - LDAP error: Invalid credentials (connection error)
  last update ended: 1970-01-01 00:00:00+00:00
rsiad-ipa-01.example.com: replica
  last init status: None
  last init ended: 1970-01-01 00:00:00+00:00
  last update status: Error (49) Problem connecting to replica - LDAP error: Invalid credentials (connection error)
  last update ended: 1970-01-01 00:00:00+00:00

[root@eu-ipa-01 ~]# klist -ke /etc/dirsrv/ds.keytab
Keytab name: FILE:/etc/dirsrv/ds.keytab
KVNO Principal
---- --------------------------------------------------------------------------
   2 ldap/eu-ipa-01.example....@example.com (aes256-cts-hmac-sha1-96)
   2 ldap/eu-ipa-01.example....@example.com (aes128-cts-hmac-sha1-96)
   2 ldap/eu-ipa-01.example....@example.com (des3-cbc-sha1)
   2 ldap/eu-ipa-01.example....@example.com (arcfour-hmac)
   2 ldap/eu-ipa-01.example....@example.com (camellia128-cts-cmac)
   2 ldap/eu-ipa-01.example....@example.com (camellia256-cts-cmac)

ldapsearch -h eu-ipa-01.example.com -D "cn=directory manager" -W -b "dc=example,dc=com" '(krbprincipalname=ldap/eu-ipa-01*)'

Enter LDAP Password:
# extended LDIF
#
# LDAPv3
# base <dc=example,dc=com> with scope subtree
# filter: (krbprincipalname=ldap/eu-ipa-01*)
# requesting: ALL
#

# ldap/eu-ipa-01.example....@example.com, services, accounts, example.com
dn: krbprincipalname=ldap/eu-ipa-01.example....@example.com,cn=services,cn=accou
  nts,dc=example,dc=com
krbLastSuccessfulAuth: 20180411141738Z
ipaAllowedToPerform;read_keys: cn=admins,cn=groups,cn=accounts,dc=example,dc=ne
  t
memberOf: cn=replication managers,cn=sysaccounts,cn=etc,dc=example,dc=com
ipaKrbPrincipalAlias: ldap/eu-ipa-01.example....@example.com
userCertificate::
krbExtraData::
krbPrincipalKey::
krbLoginFailedCount: 0
krbLastPwdChange: 20170718043248Z
krbCanonicalName: ldap/eu-ipa-01.example....@example.com
objectClass: ipaobject
objectClass: top
objectClass: ipaservice
objectClass: pkiuser
objectClass: krbprincipal
objectClass: krbprincipalaux
objectClass: krbTicketPolicyAux
objectClass: ipakrbprincipal
objectClass: ipaallowedoperations
managedBy: fqdn=eu-ipa-01.example.com,cn=computers,cn=accounts,dc=example,dc=com
krbPrincipalName: ldap/eu-ipa-01.example....@example.com
ipaUniqueID: 26d525e0-6b72-11e7-803b-0643f376e57a
krbPwdPolicyReference: cn=Default Service Password Policy,cn=services,cn=accou
  nts,dc=example,dc=com

# ldap/eu-ipa-01.example....@example.com + d07bbe98-65a111e7-8454f4db-22f31cc6, s
  ervices, accounts, example.com
dn: krbprincipalname=ldap/eu-ipa-01.example....@example.com+nsuniqueid=d07bbe98-
  65a111e7-8454f4db-22f31cc6,cn=services,cn=accounts,dc=example,dc=com
ipaKrbPrincipalAlias: ldap/eu-ipa-01.example....@example.com
userCertificate::
krbExtraData::
krbPrincipalKey::
krbLastPwdChange: 20170710185854Z
krbCanonicalName: ldap/eu-ipa-01.example....@example.com
objectClass: ipaobject
objectClass: top
objectClass: ipaservice
objectClass: pkiuser
objectClass: krbprincipal
objectClass: krbprincipalaux
objectClass: krbTicketPolicyAux
objectClass: ipakrbprincipal
managedBy: fqdn=eu-ipa-01.example.com,cn=computers,cn=accounts,dc=example,dc=com
krbPrincipalName: ldap/eu-ipa-01.example....@example.com
ipaUniqueID: d1f75da2-65a1-11e7-b431-0643f376e57a
krbPwdPolicyReference: cn=Default Service Password Policy,cn=services,cn=accou
  nts,dc=example,dc=com

# search result
search: 2
result: 0 Success

# numResponses: 3
# numEntries: 2

Is this 2nd result the one it's trying to use and it has the wrong password associated with it?

[11/Apr/2018:12:06:08.426926060 +0100] conn=137434 op=1 BIND dn="" method=sasl version=3 mech=GSSAPI
[11/Apr/2018:12:06:08.431094978 +0100] conn=137434 op=1 RESULT err=14 tag=97 nentries=0 etime=0, SASL bind in progress
[11/Apr/2018:12:06:08.431544044 +0100] conn=137434 op=2 BIND dn="" method=sasl version=3 mech=GSSAPI
[11/Apr/2018:12:06:08.432833552 +0100] conn=137434 op=2 RESULT err=14 tag=97 nentries=0 etime=0, SASL bind in progress
[11/Apr/2018:12:06:08.432981174 +0100] conn=137434 op=3 BIND dn="" method=sasl version=3 mech=GSSAPI
[11/Apr/2018:12:06:08.433457303 +0100] conn=137434 op=3 RESULT err=49 tag=97 nentries=0 etime=0 - SASL(-14): authorization failure:
[11/Apr/2018:12:06:08.433918022 +0100] conn=137434 op=4 UNBIND
[11/Apr/2018:12:06:08.433934070 +0100] conn=137434 op=4 fd=229 closed - U1


Any help would be most appreciated.  Thank you.





_______________________________________________
FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org
To unsubscribe send an email to freeipa-users-le...@lists.fedorahosted.org

Hi,

The entry which contains +nsuniqueid=.. in its DN is a replication conflict. This means that the same entry was modified on two servers at roughly the same time. It is probably the reason why the GSSAPI authentication is failing.

You can find more information on how to solve replication conflicts in the 389-ds guide [1].

HTH,
Flo

[1] https://access.redhat.com/documentation/en-us/red_hat_directory_server/10/html/administration_guide/managing_replication-solving_common_replication_conflicts
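A way to spot the conflict entry Flo describes without reading the LDIF by eye: the script below is an added example (not code from the thread or from FreeIPA) that parses ldapsearch output, flags every DN carrying a +nsuniqueid= RDN, and pairs it with the live entry it shadows, showing both krbLastPwdChange stamps. SAMPLE_LDIF is constructed from the two ldap/ entries in the question; the realm name EXAMPLE.COM is an assumption.

```python
# Added example, not code from the thread or from FreeIPA: flag 389-ds
# replication-conflict entries in ldapsearch LDIF output (the '+nsuniqueid='
# RDN Flo points at) and pair each with the live entry it shadows.
# SAMPLE_LDIF is constructed to mirror the two ldap/ entries in the question.
import re

CONFLICT_RE = re.compile(r"\+nsuniqueid=[0-9a-f-]+", re.IGNORECASE)
SAMPLE_LDIF = """\
# extended LDIF
dn: krbprincipalname=ldap/eu-ipa-01.example.com@EXAMPLE.COM,cn=services,cn=acco
 unts,dc=example,dc=com
krbLastPwdChange: 20170718043248Z

dn: krbprincipalname=ldap/eu-ipa-01.example.com@EXAMPLE.COM+nsuniqueid=d07bbe98
 -65a111e7-8454f4db-22f31cc6,cn=services,cn=accounts,dc=example,dc=com
krbLastPwdChange: 20170710185854Z
"""

def parse_ldif(text):
    """Return [(dn, {attr_lower: [values]})] from ldapsearch LDIF text."""
    text = re.sub(r"\n ", "", text)         # re-join wrapped (leading-space) lines
    entries, dn, attrs = [], None, None
    for line in text.splitlines() + [""]:   # "" sentinel flushes the last entry
        name, _, value = line.partition(":")
        value = value.lstrip(":").strip()   # '::' marks base64; kept as text
        if line.startswith("#"):            # ldapsearch comment lines
            continue
        if not line.strip():                # blank line ends an entry
            if dn is not None:
                entries.append((dn, attrs))
            dn = None
        elif name.lower() == "dn":
            dn, attrs = value, {}
        elif dn is not None:
            attrs.setdefault(name.lower(), []).append(value)
    return entries

def conflict_report(text):
    """Pair each conflict DN with the live DN it shadows, plus both pwd-change stamps."""
    entries = parse_ldif(text)
    by_dn = {dn.lower(): attrs for dn, attrs in entries}
    report = []
    for dn, attrs in entries:
        if CONFLICT_RE.search(dn):
            live_dn = CONFLICT_RE.sub("", dn)   # DN minus the nsuniqueid RDN
            live = by_dn.get(live_dn.lower(), {})
            report.append((dn, attrs.get("krblastpwdchange", [None])[0],
                           live_dn, live.get("krblastpwdchange", [None])[0]))
    return report
```

Run it over the real output of the ldapsearch above (piped into parse via stdin or a file) and an empty report means no conflict entries remain under the searched base.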