Linov Suresh wrote:
Looks like our issue is discussed here, and *is missing one or more
memberPrincipal*.

https://www.redhat.com/archives/freeipa-users/2013-April/msg00228.html

When I tried to add the principal, I'm getting an error:

You didn't follow the instructions in the e-mail thread. The problem isn't a principal that doesn't exist, it is a principal not in the delegation list. Do the ldapsearches and see what is missing (and you'll need to use -Y GSSAPI instead of -x), then add it using ldapmodify.

Only under very specific circumstances would I ever recommend using kadmin.local.

rob
[root@ipa01 ~]# kadmin.local
Authenticating as principal admin/ad...@teloip.net with password.
kadmin.local:  addprinc -randkey HTTP/ipa02.teloip....@teloip.net
WARNING: no policy specified for HTTP/ipa02.teloip....@teloip.net; defaulting to no policy
add_principal: Principal or policy already exists while creating "HTTP/ipa02.teloip....@teloip.net"

[root@ipa01 ~]# kadmin.local
Authenticating as principal admin/ad...@teloip.net with password.
kadmin.local:  addprinc -randkey ldap/ipa02.teloip....@teloip.net
WARNING: no policy specified for ldap/ipa02.teloip....@teloip.net; defaulting to no policy
add_principal: Principal or policy already exists while creating "ldap/ipa02.teloip....@teloip.net".

Could you please help us to fix the "*KDC returned error string:
NOT_ALLOWED_TO_DELEGATE*" error?


[root@caer ~]# kadmin.local
Authenticating as principal admin/ad...@teloip.net with password.
kadmin.local:  addprinc -randkey HTTP/neit.teloip....@teloip.net
WARNING: no policy specified for HTTP/neit.teloip....@teloip.net; defaulting to no policy
add_principal: Principal or policy already exists while creating "HTTP/neit.teloip....@teloip.net"
On Tue, Aug 16, 2016 at 7:58 AM, Martin Kosek <mko...@redhat.com> wrote:

    On 08/16/2016 09:25 AM, Petr Spacek wrote:
    > On 15.8.2016 20:18, Linov Suresh wrote:
    >> We have IPA replica set up in RHEL 6.4 and is FreeIPA 3.0.0
    >>
    >>
    >> We can only add the clients from IPA Server 01, not from IPA Server 02.
    >> When I tried to add the client from IPA Server 02, getting the error,
    >>
    >>
    >> ipa: ERROR: Insufficient access: SASL(-1): generic failure: GSSAPI Error:
    >> Unspecified GSS failure.  Minor code may provide more information (KDC
    >> returned error string: NOT_ALLOWED_TO_DELEGATE)
    >>
    >> SASL/GSSAPI authentication started
    >>
    >> SASL username: vp...@example.net
    >>
    >> SASL SSF: 56
    >>
    >> SASL data security layer installed.
    >>
    >> ldap_modify: No such object (32)
    >>
    >>         additional info: Range Check error
    >>
    >> modifying entry "fqdn=cpe-5061747522f9.example.net,cn=computers,cn=accounts,dc=example,dc=net"
    >>
    >>
    >> Could you please help us to fix this?
    >
    > We need to see the exact steps you did before we can give you any meaningful advice.
    >
    > Please have a look at
    > http://www.chiark.greenend.org.uk/~sgtatham/bugs.html
    >
    > It is a very nice document which describes general bug reporting procedure and best practices.
    >
    > We will certainly have a look, but we need to see the information first :-)
    >

    Also, using IPA on RHEL-6.4 is discouraged. This is a really old release and
    there are known issues (in cert renewals, for example). Using at least RHEL-6.8
    or, even better, RHEL-7.2 is preferred and would help you avoid known issues
    and deficiencies (and the newer FreeIPA versions are way cooler anyway).

--
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project