> On 20 Mar 2024, at 16:38, Ian Kumlien <[email protected]> wrote: > > On Wed, Mar 20, 2024 at 3:52 PM Ian Kumlien <[email protected]> wrote: >> >>> On Wed, Mar 20, 2024 at 11:21 AM Florence Blanc-Renaud <[email protected]> >>> wrote: >>> >>> Hi, >>> >>> On Wed, Mar 20, 2024 at 10:00 AM Ian Kumlien <[email protected]> wrote: >>>> >>>> On Wed, Mar 20, 2024 at 9:45 AM Ian Kumlien <[email protected]> wrote: >>>>> >>>>> So... this one's new: >>>>> >>>>> Connection to https://freeipa-1.xerces.lan/ipa/json failed with >>>>> Insufficient access: SASL(-1): generic failure: GSSAPI Error: >>>>> Unspecified GSS failure. Minor code may provide more information >>>>> (Credential cache is empty) >>> >>> >>> this one can happen if you have an existing ticket in your cache, for >>> instance from a previous installation, but that is not valid anymore. >> >> Ah, ok, i did do kdestroy -A but only on the new machine... >> >> A new issue that appeared, no user from the old machines can >> authenticate at all - still looking in to why it doesn't work > > Disabling MS-PAC fixed this issue, will have to dig in to why it was later =) > > Any clues? Your users are probably missing a SID. Run ipa config-mod —enable-sid —add-sids and check with ipa user-show —all —raw that they contain an ipantsecurityidentifier attribute.
HTH, flo > >>> flo >>>> >>>>> --- >>>>> >>>>> Just haven't seen it before... and it seems like the replica can't >>>>> install, unlike the two that worked before... >>>> >>>> And all of the sudden it just works again... weird... >>>> > -- _______________________________________________ FreeIPA-users mailing list -- [email protected] To unsubscribe send an email to [email protected] Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/ List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines List Archives: https://lists.fedorahosted.org/archives/list/[email protected] Do not reply to spam, report it: https://pagure.io/fedora-infrastructure/new_issue
