Linov Suresh wrote:
I ran ldapsearch -Y GSSAPI, what we are seeing is IPA server 2, ipa02, is
missing on both master and replica servers. Do we need to add IPA server 2,
ipa02, on both master and replica?

No, it should replicate. I find it very strange that these are missing. I wonder what else wasn't setup when the replica was created.

In any case, this will add the entries:

# ldapmodify -Y GSSAPI
dn: cn=ipa-http-delegation,cn=s4u2proxy,cn=etc,dc=teloip,dc=net
changetype: modify
add: memberPrincipal
memberPrincipal: HTTP/ipa02.teloip....@teloip.net

^D

# ldapmodify -Y GSSAPI
dn: cn=ipa-ldap-delegation-targets,cn=s4u2proxy,cn=etc,dc=teloip,dc=net
changetype: modify
add: memberPrincipal
memberPrincipal: ldap/ipa02.teloip....@teloip.net

^D

rob
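To make the check described above repeatable, here is an added example (not code from this thread or from FreeIPA): it parses the ldapsearch output of the s4u2proxy container, reports which servers' HTTP/ and ldap/ principals are absent from the two delegation entries, and builds the ldapmodify LDIF to add them. The suffix dc=example,dc=test, the realm EXAMPLE.TEST, the hostnames and the sample output are constructed; the entry DNs and attribute names are the ones shown in the thread.

```python
"""Added example, not the thread's code: find IPA servers whose HTTP/ and ldap/
principals are missing from the s4u2proxy ACL and build the ldapmodify fix."""
import re
SUFFIX, REALM = "dc=example,dc=test", "EXAMPLE.TEST"   # constructed values
RULES = {  # delegation entry (DNs as in the thread) -> service it must list
    f"cn=ipa-http-delegation,cn=s4u2proxy,cn=etc,{SUFFIX}": "HTTP",
    f"cn=ipa-ldap-delegation-targets,cn=s4u2proxy,cn=etc,{SUFFIX}": "ldap",
}
# Constructed ldapsearch output: only ipa01 is listed, the replica ipa02 is not.
SAMPLE_LDIF = f"""\
# extended LDIF
dn: cn=ipa-http-delegation,cn=s4u2proxy,cn=etc,{SUFFIX}
ipaAllowedTarget: cn=ipa-ldap-delegation-targets,cn=s4u2proxy,cn=etc,dc=exam
 ple,dc=test
memberPrincipal: HTTP/ipa01.example.test@{REALM}

dn: cn=ipa-ldap-delegation-targets,cn=s4u2proxy,cn=etc,{SUFFIX}
memberPrincipal: ldap/ipa01.example.test@{REALM}
"""

def parse_ldif(text):
    """Return {dn: {attr: [values]}}; unfolds ' '-continued lines, skips '#'."""
    entries = {}
    for block in re.split(r"\n\s*\n", re.sub(r"\n ", "", text)):
        attrs = {}
        for line in block.splitlines():
            key, sep, value = line.partition(": ")
            if sep and not key.startswith("#"):
                attrs.setdefault(key, []).append(value.strip())
        if "dn" in attrs:
            entries[attrs["dn"][0]] = attrs
    return entries

def missing_principals(entries, servers):
    """Map delegation DN -> service principals of `servers` not yet listed."""
    missing = {}
    for dn, svc in RULES.items():
        have = set(entries.get(dn, {}).get("memberPrincipal", []))
        gap = [p for p in (f"{svc}/{h}@{REALM}" for h in servers) if p not in have]
        if gap:
            missing[dn] = gap
    return missing

def to_ldif(missing):
    """Render ldapmodify input as in the reply above; pipe into ldapmodify -Y GSSAPI."""
    out = []
    for dn, principals in missing.items():
        out += [f"dn: {dn}", "changetype: modify", "add: memberPrincipal"]
        out += [f"memberPrincipal: {p}" for p in principals] + [""]
    return "\n".join(out)
```

Run it against the real output of `ldapsearch -Y GSSAPI -b cn=s4u2proxy,cn=etc,<your suffix>` on each server; an empty result from missing_principals on both master and replica is the state to expect after replication.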

[root@ipa01 ~]# ldapsearch -Y GSSAPI -H ldap://ipa01.teloip.net -b "cn=s4u2proxy,cn=etc,dc=teloip,dc=net"
SASL/GSSAPI authentication started
SASL username: ad...@teloip.net
SASL SSF: 56
SASL data security layer installed.
# extended LDIF
#
# LDAPv3
# base <cn=s4u2proxy,cn=etc,dc=teloip,dc=net> with scope subtree
# filter: (objectclass=*)
# requesting: ALL
#

# s4u2proxy, etc, teloip.net
dn: cn=s4u2proxy,cn=etc,dc=teloip,dc=net
objectClass: nsContainer
objectClass: top
cn: s4u2proxy

# ipa-http-delegation, s4u2proxy, etc, teloip.net
dn: cn=ipa-http-delegation,cn=s4u2proxy,cn=etc,dc=teloip,dc=net
objectClass: ipaKrb5DelegationACL
objectClass: groupOfPrincipals
objectClass: top
ipaAllowedTarget: cn=ipa-ldap-delegation-targets,cn=s4u2proxy,cn=etc,dc=teloip,dc=net
ipaAllowedTarget: cn=ipa-cifs-delegation-targets,cn=s4u2proxy,cn=etc,dc=teloip,dc=net
memberPrincipal: HTTP/ipa01.teloip....@teloip.net
cn: ipa-http-delegation

# ipa-cifs-delegation-targets, s4u2proxy, etc, teloip.net
dn: cn=ipa-cifs-delegation-targets,cn=s4u2proxy,cn=etc,dc=teloip,dc=net
objectClass: groupOfPrincipals
objectClass: top
cn: ipa-cifs-delegation-targets

# ipa-ldap-delegation-targets, s4u2proxy, etc, teloip.net
dn: cn=ipa-ldap-delegation-targets,cn=s4u2proxy,cn=etc,dc=teloip,dc=net
objectClass: groupOfPrincipals
objectClass: top
memberPrincipal: ldap/ipa01.teloip....@teloip.net
cn: ipa-ldap-delegation-targets

# search result
search: 4
result: 0 Success

# numResponses: 5
# numEntries: 4
[root@ipa01 ~]#

[root@ipa02 ~]# ldapsearch -Y GSSAPI -H ldap://ipa02.teloip.net -b "cn=s4u2proxy,cn=etc,dc=teloip,dc=net"
SASL/GSSAPI authentication started
SASL username: ad...@teloip.net
SASL SSF: 56
SASL data security layer installed.
# extended LDIF
#
# LDAPv3
# base <cn=s4u2proxy,cn=etc,dc=teloip,dc=net> with scope subtree
# filter: (objectclass=*)
# requesting: ALL
#

# s4u2proxy, etc, teloip.net
dn: cn=s4u2proxy,cn=etc,dc=teloip,dc=net
cn: s4u2proxy
objectClass: nsContainer
objectClass: top

# ipa-http-delegation, s4u2proxy, etc, teloip.net
dn: cn=ipa-http-delegation,cn=s4u2proxy,cn=etc,dc=teloip,dc=net
cn: ipa-http-delegation
memberPrincipal: HTTP/ipa01.teloip....@teloip.net
ipaAllowedTarget: cn=ipa-ldap-delegation-targets,cn=s4u2proxy,cn=etc,dc=teloip,dc=net
ipaAllowedTarget: cn=ipa-cifs-delegation-targets,cn=s4u2proxy,cn=etc,dc=teloip,dc=net
objectClass: ipaKrb5DelegationACL
objectClass: groupOfPrincipals
objectClass: top

# ipa-cifs-delegation-targets, s4u2proxy, etc, teloip.net
dn: cn=ipa-cifs-delegation-targets,cn=s4u2proxy,cn=etc,dc=teloip,dc=net
cn: ipa-cifs-delegation-targets
objectClass: groupOfPrincipals
objectClass: top

# ipa-ldap-delegation-targets, s4u2proxy, etc, teloip.net
dn: cn=ipa-ldap-delegation-targets,cn=s4u2proxy,cn=etc,dc=teloip,dc=net
cn: ipa-ldap-delegation-targets
memberPrincipal: ldap/ipa01.teloip....@teloip.net
objectClass: groupOfPrincipals
objectClass: top

# search result
search: 4
result: 0 Success

# numResponses: 5
# numEntries: 4
[root@ipa02 ~]#

Appreciate your help,

Linov Suresh.

On Wed, Aug 24, 2016 at 4:32 PM, Rob Crittenden <rcrit...@redhat.com> wrote:

    Linov Suresh wrote:

        Looks like our issue is discussed here, and is missing one or more
        memberPrincipal.

        https://www.redhat.com/archives/freeipa-users/2013-April/msg00228.html

        When I tried to add the Principal, I'm getting an error,


    You didn't follow the instructions in the e-mail thread. The problem
    isn't a principal that doesn't exist, it is a principal not in the
    delegation list. Do the ldapsearches and see what is missing (and
    you'll need to use -Y GSSAPI instead of -x), then add it using
    ldapmodify.

    Only under very specific circumstances would I ever recommend using
    kadmin.local.

    rob



        [root@ipa01 ~]# kadmin.local
        Authenticating as principal admin/ad...@teloip.net with password.
        kadmin.local:  addprinc -randkey HTTP/ipa02.teloip....@teloip.net
        WARNING: no policy specified for HTTP/ipa02.teloip....@teloip.net; defaulting to no policy
        add_principal: Principal or policy already exists while creating "HTTP/ipa02.teloip....@teloip.net"

        [root@ipa01 ~]# kadmin.local
        Authenticating as principal admin/ad...@teloip.net with password.
        kadmin.local:  addprinc -randkey ldap/ipa02.teloip....@teloip.net
        WARNING: no policy specified for ldap/ipa02.teloip....@teloip.net; defaulting to no policy
        add_principal: Principal or policy already exists while creating "ldap/ipa02.teloip....@teloip.net".

        Could you please help us to fix the "KDC returned error string:
        NOT_ALLOWED_TO_DELEGATE" error?

        [root@caer ~]# kadmin.local
        Authenticating as principal admin/ad...@teloip.net with password.
        kadmin.local:  addprinc -randkey HTTP/neit.teloip....@teloip.net
        WARNING: no policy specified for HTTP/neit.teloip....@teloip.net; defaulting to no policy
        add_principal: Principal or policy already exists while creating "HTTP/neit.teloip....@teloip.net"

        On Tue, Aug 16, 2016 at 7:58 AM, Martin Kosek <mko...@redhat.com> wrote:

             On 08/16/2016 09:25 AM, Petr Spacek wrote:
             > On 15.8.2016 20:18, Linov Suresh wrote:
             >> We have IPA replica set up in RHEL 6.4 and is FreeIPA 3.0.0
             >>
             >> We can only add the clients from IPA Server 01, not from IPA Server 02.
             >> When I tried to add the client from IPA Server 02, getting the error,
             >>
             >> ipa: ERROR: Insufficient access: SASL(-1): generic failure: GSSAPI Error:
             >> Unspecified GSS failure.  Minor code may provide more information (KDC
             >> returned error string: NOT_ALLOWED_TO_DELEGATE)
             >>
             >> SASL/GSSAPI authentication started
             >> SASL username: vp...@example.net
             >> SASL SSF: 56
             >> SASL data security layer installed.
             >> ldap_modify: No such object (32)
             >>         additional info: Range Check error
             >> modifying entry "fqdn=cpe-5061747522f9.example.net,cn=computers,cn=accounts,dc=example,dc=net"
             >>
             >> Could you please help us to fix this?
             >
             > We need to see exact steps you did before we can give you any
             > meaningful advice.
             >
             > Please have a look at
             > http://www.chiark.greenend.org.uk/~sgtatham/bugs.html
             >
             > It is a very nice document which describes general bug reporting
             > procedure and best practices.
             >
             > We will certainly have a look but we need first to see the
             > information :-)
             >

             Also, using IPA on RHEL-6.4 is discouraged. This is a really old
             release and there are known issues (in cert renewals for example).
             Using at least RHEL-6.8 or, even better, RHEL-7.2 is preferred and
             would help you avoid known issues and deficiencies (and the newer
             FreeIPA versions are way cooler anyway).

--
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project