We have FreeIPA 3.0.0 running on CentOS 6.4, with the master ipa01 (configured
with the --setup-ca option) and the replica ipa02 (configured without the
--setup-ca option).

We use a script to add ipa clients to the server; when we tried to add new ipa
clients, we got this error:

*ipa: ERROR: Insufficient access: SASL(-1): generic failure: GSSAPI Error:
Unspecified GSS failure.  Minor code may provide more information (KDC
returned error string: NOT_ALLOWED_TO_DELEGATE)*

What we have noticed is that memberPrincipal: HTTP/ipa02.teloip....@teloip.net
is missing from the entry on both the master and the replica servers.

IPA Master,

[root@ipa01 ~]# ldapsearch -x -b
cn=ipa-http-delegation,cn=s4u2proxy,cn=etc,dc=teloip,dc=net
# extended LDIF
#
# LDAPv3
# base <cn=ipa-http-delegation,cn=s4u2proxy,cn=etc,dc=teloip,dc=net> with
scope subtree
# filter: (objectclass=*)
# requesting: ALL
#

# ipa-http-delegation, s4u2proxy, etc, teloip.net
dn: cn=ipa-http-delegation,cn=s4u2proxy,cn=etc,dc=teloip,dc=net
objectClass: ipaKrb5DelegationACL
objectClass: groupOfPrincipals
objectClass: top
ipaAllowedTarget:
cn=ipa-ldap-delegation-targets,cn=s4u2proxy,cn=etc,dc=teloip,dc=net
ipaAllowedTarget:
cn=ipa-cifs-delegation-targets,cn=s4u2proxy,cn=etc,dc=teloip,dc=net
memberPrincipal: HTTP/ipa01.teloip....@teloip.net
cn: ipa-http-delegation

# search result
search: 2
result: 0 Success

# numResponses: 2
# numEntries: 1
[root@ipa01 ~]#

IPA Replica,

[root@ipa02 /]# ldapsearch -x -b
cn=ipa-http-delegation,cn=s4u2proxy,cn=etc,dc=teloip,dc=net
# extended LDIF
#
# LDAPv3
# base <cn=ipa-http-delegation,cn=s4u2proxy,cn=etc,dc=teloip,dc=net> with
scope subtree
# filter: (objectclass=*)
# requesting: ALL
#

# ipa-http-delegation, s4u2proxy, etc, teloip.net
dn: cn=ipa-http-delegation,cn=s4u2proxy,cn=etc,dc=teloip,dc=net
cn: ipa-http-delegation
memberPrincipal: HTTP/ipa01.teloip....@teloip.net
ipaAllowedTarget:
cn=ipa-ldap-delegation-targets,cn=s4u2proxy,cn=etc,dc=teloip,dc=net
ipaAllowedTarget:
cn=ipa-cifs-delegation-targets,cn=s4u2proxy,cn=etc,dc=teloip,dc=net
objectClass: ipaKrb5DelegationACL
objectClass: groupOfPrincipals
objectClass: top

# search result
search: 2
result: 0 Success

# numResponses: 2
# numEntries: 1

Your help is highly appreciated,

Linov Suresh.
