Guy Matz wrote:
Sorry, should have mentioned that.  I had the host principal and have since
added ldap:
# klist -k krb5.keytab
Keytab name: FILE:krb5.keytab
KVNO Principal
---- --------------------------------------------------------------------------
    3 host/ipadevmstr.collmedia....@collmedia.net
    3 host/ipadevmstr.collmedia....@collmedia.net
    3 host/ipadevmstr.collmedia....@collmedia.net
    3 host/ipadevmstr.collmedia....@collmedia.net
    3 ldap/ipadevmstr.collmedia....@collmedia.net
    3 ldap/ipadevmstr.collmedia....@collmedia.net
    3 ldap/ipadevmstr.collmedia....@collmedia.net
    3 ldap/ipadevmstr.collmedia....@collmedia.net

I now get this error:
Insufficient access: SASL(-13): authentication failure: GSSAPI Failure: gss_accept_sec_context Invalid credentials

with this in my krb5.log:
May 31 14:42:30 ipadevmstr.collmedia.net krb5kdc[4190](info): AS_REQ (4 etypes {18 17 16 23}) 192.168.8.111: NEEDED_PREAUTH: DNS/ipadevmstr.collmedia....@collmedia.net for krbtgt/collmedia....@collmedia.net, Additional pre-authentication required
May 31 14:42:30 ipadevmstr.collmedia.net krb5kdc[4190](info): AS_REQ (4 etypes {18 17 16 23}) 192.168.8.111: ISSUE: authtime 1370025750, etypes {rep=18 tkt=18 ses=18}, DNS/ipadevmstr.collmedia....@collmedia.net for krbtgt/collmedia....@collmedia.net
May 31 14:42:31 ipadevmstr.collmedia.net krb5kdc[4190](info): TGS_REQ (4 etypes {18 17 16 23}) 192.168.8.111: ISSUE: authtime 1370025263, etypes {rep=18 tkt=18 ses=18}, HTTP/ipadevmstr.collmedia....@collmedia.net for ldap/ipadevmstr.collmedia....@collmedia.net
May 31 14:42:31 ipadevmstr.collmedia.net krb5kdc[4190](info): ... CONSTRAINED-DELEGATION s4u-client=DNS/ipadevmstr.collmedia....@collmedia.net

Do I need to add DNS too?

I'm not quite sure what your goal is.

I thought you had created a user for the purpose of creating hosts and you wanted to delegate permissions to that user.

Is this what you've done? If so, what roles is the user a member of, and what privileges are associated with that role?

rob

_______________________________________________
Freeipa-users mailing list
Freeipa-users@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-users