Johan Sunnerstig wrote:
Hi.

I have two IPA servers in a multi master setup, running IPA 3.0.
They've been working fine for the last ~16 months and started life as 2.2 
servers.
Recently the following error started showing up; I'm not sure when exactly, since I 
only discovered it when I was checking the status of an account the other day.

ipa1: ~> ipa user-status user
-----------------------
Account disabled: False
-----------------------
   Server: ipa1.domain.tld
   Failed logins: 0
   Last successful authentication: 2013-04-26T11:20:06Z
   Last failed authentication: 2013-04-26T08:44:08Z
   Time now: 2013-04-26T11:20:06Z

   Server: ipa2.domain.tld failed: Insufficient access: SASL(-1): generic 
failure: GSSAPI Error: Unspecified GSS failure.  Minor code may provide more 
information (KDC returned error string: NOT_ALLOWED_TO_DELEGATE)
----------------------------
Number of entries returned 2
----------------------------

The same exact thing happens on the other replica.

Everything else works as far as I can tell, replication is fine and either one 
will issue TGTs and so forth. Basically aside from the above I can't find 
anything wrong.
The following shows up in the krb5kdc.log on both servers:
Apr 26 13:37:09 ipa1.domain.tld krb5kdc[26612](info): TGS_REQ (4 etypes {18 17 
16 23}) x.x.x.x: NOT_ALLOWED_TO_DELEGATE: authtime 0,  
HTTP/ipa1.domain....@domain.tld for ldap/ipa2.domain....@domain.tld, No such 
file or directory
Apr 26 13:37:09 ipa1.domain.tld krb5kdc[26612](info): TGS_REQ (4 etypes {18 17 
16 23}) x.x.x.x: NOT_ALLOWED_TO_DELEGATE: authtime 0,  
HTTP/ipa1.domain....@domain.tld for ldap/ipa2.domain....@domain.tld, No such 
file or directory


One of the servers must be missing from the s4u2proxy delegation list.

Are all the servers in here?

# ldapsearch -x -b cn=ipa-http-delegation,cn=s4u2proxy,cn=etc,dc=example,dc=com

and

# ldapsearch -x -b cn=ipa-ldap-delegation-targets,cn=s4u2proxy,cn=etc,dc=example,dc=com

I'm guessing that it is missing one or more memberPrincipal.

The format is memberPrincipal: service/$FQDN@$REALM

rob
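Added example (not from the thread or from FreeIPA itself): a small script that takes the LDIF text those two ldapsearch commands return (or a single `ldapsearch -x -LLL -b cn=s4u2proxy,cn=etc,$SUFFIX`, which covers both entries) and reports which HTTP/ and ldap/ memberPrincipal values are missing for a given list of replicas, then emits the ldapmodify LDIF that would add them. The sample LDIF, hostnames, realm and suffix are constructed for illustration.

```python
import base64
from typing import Dict, List

# Constructed sample ldapsearch output for a two-replica deployment in which
# ipa2 was never added to the HTTP delegation rule (hypothetical names).
SAMPLE_LDIF = """\
dn: cn=ipa-http-delegation,cn=s4u2proxy,cn=etc,dc=example,dc=com
cn: ipa-http-delegation
memberPrincipal: HTTP/ipa1.example.com@EXAMPLE.COM

dn: cn=ipa-ldap-delegation-targets,cn=s4u2proxy,cn=etc,dc=example,dc=com
cn: ipa-ldap-delegation-targets
memberPrincipal: ldap/ipa1.example.com@EXAMPLE.COM
memberPrincipal: ldap/ipa2.example.com
 @EXAMPLE.COM
"""


def parse_ldif(text: str) -> Dict[str, Dict[str, List[str]]]:
    """Return {dn (lowercased): {attr (lowercased): [values]}}.

    Handles the two things ldapsearch output does that trip up naive
    line-by-line greps: folded continuation lines (leading space) and
    base64 values ('attr:: ...').  Comment lines and trailing 'search:'/
    'result:' lines outside an entry are ignored.
    """
    unfolded: List[str] = []
    for raw in text.splitlines():
        if raw.startswith(" ") and unfolded:
            unfolded[-1] += raw[1:]        # continuation of previous line
        else:
            unfolded.append(raw)

    entries: Dict[str, Dict[str, List[str]]] = {}
    current = None
    for line in unfolded:
        if not line.strip():
            current = None                 # blank line ends the entry
            continue
        if line.startswith("#"):
            continue
        name, _, value = line.partition(":")
        if value.startswith(":"):          # base64-encoded value
            value = base64.b64decode(value[1:].strip()).decode()
        else:
            value = value.strip()
        name = name.strip().lower()
        if name == "dn":
            current = {}
            entries[value.lower()] = current
        elif current is not None:
            current.setdefault(name, []).append(value)
    return entries


def missing_principals(ldif_text: str, servers: List[str], realm: str,
                       suffix: str) -> Dict[str, List[str]]:
    """For each delegation entry, list the memberPrincipal values a replica
    set needs but the directory does not have."""
    entries = parse_ldif(ldif_text)
    wanted = {
        f"cn=ipa-http-delegation,cn=s4u2proxy,cn=etc,{suffix}":
            {f"HTTP/{h}@{realm}" for h in servers},
        f"cn=ipa-ldap-delegation-targets,cn=s4u2proxy,cn=etc,{suffix}":
            {f"ldap/{h}@{realm}" for h in servers},
    }
    report = {}
    for dn, expected in wanted.items():
        present = set(entries.get(dn.lower(), {}).get("memberprincipal", []))
        report[dn] = sorted(expected - present)
    return report


def fix_ldif(report: Dict[str, List[str]]) -> str:
    """Build the ldapmodify input that adds every missing principal."""
    chunks = []
    for dn, principals in report.items():
        if not principals:
            continue
        lines = [f"dn: {dn}", "changetype: modify", "add: memberPrincipal"]
        lines += [f"memberPrincipal: {p}" for p in principals]
        chunks.append("\n".join(lines))
    return "\n\n".join(chunks) + ("\n" if chunks else "")


if __name__ == "__main__":
    # Replace the constants with your replicas, realm, suffix and real output.
    servers = ["ipa1.example.com", "ipa2.example.com"]
    report = missing_principals(SAMPLE_LDIF, servers, "EXAMPLE.COM",
                                "dc=example,dc=com")
    for dn, missing in report.items():
        print(f"{dn}: {'OK' if not missing else 'missing ' + ', '.join(missing)}")
    print(fix_ldif(report), end="")
```

Pipe the real ldapsearch output into `missing_principals` and feed the generated LDIF to `ldapmodify -x -D "cn=Directory Manager" -W`; the TGS_REQ line in krb5kdc.log tells you which pair (HTTP/ on the requesting server for ldap/ on the target) the KDC rejected, so the report should name exactly that principal.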

_______________________________________________
Freeipa-users mailing list
Freeipa-users@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-users