[root@ipa01 ~]# ldapsearch -Y GSSAPI -H ldap://ipa01.teloip.net -b "cn=s4u2proxy,cn=etc,dc=teloip,dc=net"
SASL/GSSAPI authentication started
SASL username: ad...@teloip.net <mailto:ad...@teloip.net>
SASL SSF: 56
SASL data security layer installed.
# extended LDIF
#
# LDAPv3
# base <cn=s4u2proxy,cn=etc,dc=teloip,dc=net> with scope subtree
# filter: (objectclass=*)
# requesting: ALL
#
# s4u2proxy, etc, teloip.net <http://teloip.net>
dn: cn=s4u2proxy,cn=etc,dc=teloip,dc=net
objectClass: nsContainer
objectClass: top
cn: s4u2proxy
# ipa-http-delegation, s4u2proxy, etc, teloip.net <http://teloip.net>
dn: cn=ipa-http-delegation,cn=s4u2proxy,cn=etc,dc=teloip,dc=net
objectClass: ipaKrb5DelegationACL
objectClass: groupOfPrincipals
objectClass: top
ipaAllowedTarget:
cn=ipa-ldap-delegation-targets,cn=s4u2proxy,cn=etc,dc=teloip,dc=net
ipaAllowedTarget:
cn=ipa-cifs-delegation-targets,cn=s4u2proxy,cn=etc,dc=teloip,dc=net
memberPrincipal: HTTP/ipa01.teloip....@teloip.net
cn: ipa-http-delegation
# ipa-cifs-delegation-targets, s4u2proxy, etc, teloip.net
<http://teloip.net>
dn: cn=ipa-cifs-delegation-targets,cn=s4u2proxy,cn=etc,dc=teloip,dc=net
objectClass: groupOfPrincipals
objectClass: top
cn: ipa-cifs-delegation-targets
# ipa-ldap-delegation-targets, s4u2proxy, etc, teloip.net
<http://teloip.net>
dn: cn=ipa-ldap-delegation-targets,cn=s4u2proxy,cn=etc,dc=teloip,dc=net
objectClass: groupOfPrincipals
objectClass: top
memberPrincipal: ldap/ipa01.teloip....@teloip.net
cn: ipa-ldap-delegation-targets
# search result
search: 4
result: 0 Success
# numResponses: 5
# numEntries: 4
[root@ipa01 ~]#
[root@ipa02 ~]# ldapsearch -Y GSSAPI -H ldap://ipa02.teloip.net -b "cn=s4u2proxy,cn=etc,dc=teloip,dc=net"
SASL/GSSAPI authentication started
SASL username: ad...@teloip.net <mailto:ad...@teloip.net>
SASL SSF: 56
SASL data security layer installed.
# extended LDIF
#
# LDAPv3
# base <cn=s4u2proxy,cn=etc,dc=teloip,dc=net> with scope subtree
# filter: (objectclass=*)
# requesting: ALL
#
# s4u2proxy, etc, teloip.net <http://teloip.net>
dn: cn=s4u2proxy,cn=etc,dc=teloip,dc=net
cn: s4u2proxy
objectClass: nsContainer
objectClass: top
# ipa-http-delegation, s4u2proxy, etc, teloip.net <http://teloip.net>
dn: cn=ipa-http-delegation,cn=s4u2proxy,cn=etc,dc=teloip,dc=net
cn: ipa-http-delegation
memberPrincipal: HTTP/ipa01.teloip....@teloip.net
ipaAllowedTarget:
cn=ipa-ldap-delegation-targets,cn=s4u2proxy,cn=etc,dc=teloip,dc=net
ipaAllowedTarget:
cn=ipa-cifs-delegation-targets,cn=s4u2proxy,cn=etc,dc=teloip,dc=net
objectClass: ipaKrb5DelegationACL
objectClass: groupOfPrincipals
objectClass: top
# ipa-cifs-delegation-targets, s4u2proxy, etc, teloip.net
<http://teloip.net>
dn: cn=ipa-cifs-delegation-targets,cn=s4u2proxy,cn=etc,dc=teloip,dc=net
cn: ipa-cifs-delegation-targets
objectClass: groupOfPrincipals
objectClass: top
# ipa-ldap-delegation-targets, s4u2proxy, etc, teloip.net
<http://teloip.net>
dn: cn=ipa-ldap-delegation-targets,cn=s4u2proxy,cn=etc,dc=teloip,dc=net
cn: ipa-ldap-delegation-targets
memberPrincipal: ldap/ipa01.teloip....@teloip.net
objectClass: groupOfPrincipals
objectClass: top
# search result
search: 4
result: 0 Success
# numResponses: 5
# numEntries: 4
[root@ipa02 ~]#

Note: both masters return identical cn=s4u2proxy content, so the delegation entries are replicated and consistent — but they only name the ipa01 principals. cn=ipa-http-delegation has no memberPrincipal for HTTP/ipa02, and cn=ipa-ldap-delegation-targets has no memberPrincipal for ldap/ipa02. That is exactly the condition the KDC reports as NOT_ALLOWED_TO_DELEGATE when the HTTP service on ipa02 tries to obtain an LDAP ticket on the user's behalf (S4U2Proxy constrained delegation). The fix is an ldapmodify (authenticated with -Y GSSAPI as admin, not -x) adding `memberPrincipal: HTTP/ipa02.<fqdn>@<REALM>` to cn=ipa-http-delegation and `memberPrincipal: ldap/ipa02.<fqdn>@<REALM>` to cn=ipa-ldap-delegation-targets, using the same principal spelling and realm as the existing ipa01 values; because the container is replicated, a single modification on either master is enough. Add only the specific service principals of the replica — this ACL is the boundary that limits which services may impersonate users towards LDAP and CIFS, so it should never be widened beyond the IPA servers themselves.

Appreciate your help,
Linov Suresh.
On Wed, Aug 24, 2016 at 4:32 PM, Rob Crittenden <rcrit...@redhat.com
<mailto:rcrit...@redhat.com>> wrote:
Linov Suresh wrote:
It looks like our issue is the one discussed here: one or more memberPrincipal values are missing from the delegation ACL.
https://www.redhat.com/archives/freeipa-users/2013-April/msg00228.html
<https://www.redhat.com/archives/freeipa-users/2013-April/msg00228.html>
When I tried to add the principal with kadmin.local, I got the error shown below (the "already exists" response confirms the principals themselves are present):
You didn't follow the instructions in the e-mail thread. The problem isn't a principal that doesn't exist — "Principal or policy already exists" shows it does — it is a principal that is not in the delegation list. Run the ldapsearch's against cn=s4u2proxy,cn=etc,$SUFFIX, see which HTTP/ and ldap/ principals are missing (you'll need to use -Y GSSAPI instead of -x, since the entries are not readable anonymously), then add them with ldapmodify.

Only under very specific circumstances would I ever recommend using kadmin.local on an IPA server; it acts directly on the KDC database rather than through IPA's management interfaces.
rob
[root@ipa01 ~]# kadmin.local
Authenticating as principal admin/ad...@teloip.net with password.
kadmin.local: addprinc -randkey HTTP/ipa02.teloip....@teloip.net
WARNING: no policy specified for HTTP/ipa02.teloip....@teloip.net; defaulting to no policy
add_principal: Principal or policy already exists while creating "HTTP/ipa02.teloip....@teloip.net"
[root@ipa01 ~]# kadmin.local
Authenticating as principal admin/ad...@teloip.net with password.
kadmin.local: addprinc -randkey ldap/ipa02.teloip....@teloip.net
WARNING: no policy specified for ldap/ipa02.teloip....@teloip.net; defaulting to no policy
add_principal: Principal or policy already exists while creating "ldap/ipa02.teloip....@teloip.net".
Could you please help us to fix the "KDC returned error string: NOT_ALLOWED_TO_DELEGATE" error?
[root@caer ~]# kadmin.local
Authenticating as principal admin/ad...@teloip.net with password.
kadmin.local: addprinc -randkey HTTP/neit.teloip....@teloip.net
WARNING: no policy specified for HTTP/neit.teloip....@teloip.net; defaulting to no policy
add_principal: Principal or policy already exists while creating "HTTP/neit.teloip....@teloip.net"
On Tue, Aug 16, 2016 at 7:58 AM, Martin Kosek <mko...@redhat.com
<mailto:mko...@redhat.com>
<mailto:mko...@redhat.com <mailto:mko...@redhat.com>>> wrote:
On 08/16/2016 09:25 AM, Petr Spacek wrote:
> On 15.8.2016 20:18, Linov Suresh wrote:
>> We have an IPA replica set up on RHEL 6.4 running FreeIPA 3.0.0.
>>
>>
>> We can only add clients from IPA Server 01, not from IPA Server 02.
>> When I try to add a client from IPA Server 02, I get the following error:
>>
>>
>> ipa: ERROR: Insufficient access: SASL(-1): generic failure: GSSAPI Error:
>> Unspecified GSS failure. Minor code may provide more information (KDC
>> returned error string: NOT_ALLOWED_TO_DELEGATE)
>>
>> SASL/GSSAPI authentication started
>>
>> SASL username: vp...@example.net
>>
>> SASL SSF: 56
>>
>> SASL data security layer installed.
>>
>> ldap_modify: No such object (32)
>>
>> additional info: Range Check error
>>
>> modifying entry "fqdn=cpe-5061747522f9.example.net,cn=computers,cn=accounts,dc=example,dc=net"
>>
>>
>> Could you please help us to fix this?
>
> We need to see exact steps you did before we can give
you any
meaningful advice.
>
> Please have a look at
> http://www.chiark.greenend.org.uk/~sgtatham/bugs.html
<http://www.chiark.greenend.org.uk/~sgtatham/bugs.html>
<http://www.chiark.greenend.org.uk/~sgtatham/bugs.html
<http://www.chiark.greenend.org.uk/~sgtatham/bugs.html>>
>
> It is a very nice document which describes general bug
reporting
procedure and
> best practices.
>
> We will certainly have a look but we need first see the
information :-)
>
Also, using IPA on RHEL-6.4 is discouraged. This is a really old release and there are known issues (in cert renewals, for example). Using at least RHEL-6.8 or, even better, RHEL-7.2 is preferred and would help you avoid known issues and deficiencies (and the newer FreeIPA versions are way cooler anyway).