Looks like our issue is discussed here, and "*is missing one or more memberPrincipal*":
https://www.redhat.com/archives/freeipa-users/2013-April/msg00228.html

When I tried to add the Principal, I'm getting an error:

[root@ipa01 ~]# kadmin.local
Authenticating as principal admin/ad...@teloip.net with password.
kadmin.local: addprinc -randkey HTTP/ipa02.teloip....@teloip.net
WARNING: no policy specified for HTTP/ipa02.teloip....@teloip.net; defaulting to no policy
add_principal: Principal or policy already exists while creating "HTTP/ipa02.teloip....@teloip.net"

[root@ipa01 ~]# kadmin.local
Authenticating as principal admin/ad...@teloip.net with password.
kadmin.local: addprinc -randkey ldap/ipa02.teloip....@teloip.net
WARNING: no policy specified for ldap/ipa02.teloip....@teloip.net; defaulting to no policy
add_principal: Principal or policy already exists while creating "ldap/ipa02.teloip....@teloip.net"

Could you please help us to fix the "*KDC returned error string: NOT_ALLOWED_TO_DELEGATE*" error?

[root@caer ~]# kadmin.local
Authenticating as principal admin/ad...@teloip.net with password.
kadmin.local: addprinc -randkey HTTP/neit.teloip....@teloip.net
WARNING: no policy specified for HTTP/neit.teloip....@teloip.net; defaulting to no policy
add_principal: Principal or policy already exists while creating "HTTP/neit.teloip....@teloip.net"

On Tue, Aug 16, 2016 at 7:58 AM, Martin Kosek <mko...@redhat.com> wrote:

> On 08/16/2016 09:25 AM, Petr Spacek wrote:
> > On 15.8.2016 20:18, Linov Suresh wrote:
> >> We have IPA replica set up in RHEL 6.4 and is FreeIPA 3.0.0
> >>
> >> We can only add the clients from IPA Server 01, not from IPA Server 02.
> >> When I tried to add the client from IPA Server 02, getting the error,
> >>
> >> ipa: ERROR: Insufficient access: SASL(-1): generic failure: GSSAPI Error:
> >> Unspecified GSS failure. Minor code may provide more information (KDC
> >> returned error string: NOT_ALLOWED_TO_DELEGATE)
> >>
> >> SASL/GSSAPI authentication started
> >> SASL username: vp...@example.net
> >> SASL SSF: 56
> >> SASL data security layer installed.
> >> ldap_modify: No such object (32)
> >> additional info: Range Check error
> >> modifying entry "fqdn=cpe-5061747522f9.example.net,cn=computers,cn=accounts,dc=example,dc=net"
> >>
> >> Could you please help us to fix this?
> >
> > We need to see exact steps you did before we can give you any meaningful advice.
> >
> > Please have a look at
> > http://www.chiark.greenend.org.uk/~sgtatham/bugs.html
> >
> > It is a very nice document which describes general bug reporting procedure and
> > best practices.
> >
> > We will certainly have a look but we need first see the information :-)
>
> Also, using IPA on RHEL-6.4 is discouraged. This is a really old release and
> there are known issues (in cert renewals for example). Using at least RHEL-6.8
> or, even better, RHEL-7.2 is preferred and would help you avoid known issues
> and deficiencies (and the newer FreeIPA versions are way cooler anyway).

--
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project
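The linked 2013 thread points at the s4u2proxy delegation entries rather than at the Kerberos principals themselves (which, as the kadmin output above shows, already exist). The following script is an added example, not code from this thread or from FreeIPA: it reads an LDIF dump of the `cn=s4u2proxy,cn=etc,$SUFFIX` container, checks that every master's `HTTP/` and `ldap/` principal is listed as a `memberPrincipal` in FreeIPA's `ipa-http-delegation` and `ipa-ldap-delegation-targets` entries, and renders the `ldapmodify` changeset that would add whatever is missing. The hostnames, realm and suffix are constructed sample values.

```python
# Added example (not from the thread): check FreeIPA's s4u2proxy delegation
# entries for every master's HTTP/ and ldap/ principals and emit the
# ldapmodify changeset that adds the missing memberPrincipal values.
# Entry names are FreeIPA's; hosts, realm and suffix here are constructed.

# Constructed dump, as `ldapsearch -b cn=s4u2proxy,cn=etc,$SUFFIX` might
# return on a master where only ipa01 was registered at install time.
SAMPLE_LDIF = """\
dn: cn=ipa-http-delegation,cn=s4u2proxy,cn=etc,dc=example,dc=net
objectClass: ipaKrb5DelegationACL
cn: ipa-http-delegation
memberPrincipal: HTTP/ipa01.example.net@EXAMPLE.NET
ipaAllowedTarget: cn=ipa-ldap-delegation-targets,cn=s4u2proxy,cn=etc,dc=example,dc=net

dn: cn=ipa-ldap-delegation-targets,cn=s4u2proxy,cn=etc,dc=example,dc=net
objectClass: groupOfPrincipals
cn: ipa-ldap-delegation-targets
memberPrincipal: ldap/ipa01.example.net@EXAMPLE.NET
"""

def parse_member_principals(ldif: str) -> dict:
    """Minimal LDIF reader: map each DN to its memberPrincipal values."""
    entries, dn = {}, None
    for line in ldif.splitlines():
        if line.startswith("dn: "):
            dn = line[4:].strip()
            entries[dn] = []
        elif dn and line.startswith("memberPrincipal: "):
            entries[dn].append(line[len("memberPrincipal: "):].strip())
    return entries

def missing_principals(ldif: str, masters: list, realm: str, suffix: str) -> dict:
    """{dn: [principals each master needs in that entry but which are absent]}."""
    base = f"cn=s4u2proxy,cn=etc,{suffix}"
    wanted = {f"cn=ipa-http-delegation,{base}": [f"HTTP/{h}@{realm}" for h in masters],
              f"cn=ipa-ldap-delegation-targets,{base}": [f"ldap/{h}@{realm}" for h in masters]}
    present = parse_member_principals(ldif)
    return {dn: [p for p in ps if p not in present.get(dn, [])] for dn, ps in wanted.items()}

def to_ldif_modify(missing: dict) -> str:
    """Render the changeset to feed `ldapmodify -D 'cn=Directory Manager' -W`."""
    chunks = []
    for dn, ps in missing.items():
        if ps:
            chunks.append(f"dn: {dn}\nchangetype: modify\nadd: memberPrincipal\n"
                          + "".join(f"memberPrincipal: {p}\n" for p in ps))
    return "\n".join(chunks)

if __name__ == "__main__":
    gaps = missing_principals(SAMPLE_LDIF, ["ipa01.example.net", "ipa02.example.net"],
                              "EXAMPLE.NET", "dc=example,dc=net")
    print(to_ldif_modify(gaps))  # LDIF adding ipa02's HTTP/ and ldap/ principals
```

Run against a real dump, a non-empty changeset for a replica is the symptom to look for before touching anything; the KDC refuses constrained delegation (NOT_ALLOWED_TO_DELEGATE) for exactly the HTTP/ principal that is absent from `ipa-http-delegation`.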