On Thu, 2016-12-22 at 08:24 +0100, Petr Spacek wrote:
> On 21.12.2016 21:36, Brian J. Murrell wrote:
> > Some additional information.  I can't seem to use the CLI either. 
> > Perhaps that is expected:
> > 
> > # kinit admin
> > Password for ad...@example.com:
> > 
> > # klist
> > Ticket cache: KEYRING:persistent:0:krb_ccache_3jm4X9m
> > Default principal: ad...@example.com
> > 
> > Valid starting     Expires            Service principal
> > 21/12/16 15:29:20  22/12/16 15:29:17  krbtgt/example....@example.com
> > 
> > # ipa host-find
> > ipa: ERROR: Insufficient access:  Invalid credentials
> > 
> > When I do that (the ipa host-find) /var/log/krb5kdc.log says:
> > 
> > Dec 21 15:29:28 server.example.com krb5kdc[13548](info): TGS_REQ (6 etypes 
> > {18 17 16 23 25 26}) fd31:aeb1:48df:0:214:d1ff:fe13:45ac: ISSUE: authtime 
> > 1482352160, etypes {rep=18 tkt=18 ses=18}, ad...@example.com for 
> > HTTP/server.example....@example.com
> > Dec 21 15:29:28 server.example.com krb5kdc[13548](info): closing down fd 12
> > Dec 21 15:29:28 server.example.com krb5kdc[13548](info): TGS_REQ (6 etypes 
> > {18 17 16 23 25 26}) fd31:aeb1:48df:0:214:d1ff:fe13:45ac: ISSUE: authtime 
> > 1482352160, etypes {rep=18 tkt=18 ses=18}, 
> > HTTP/server.example....@example.com for ldap/server.example....@example.com
> > Dec 21 15:29:28 server.example.com krb5kdc[13548](info): ... 
> > CONSTRAINED-DELEGATION s4u-client=ad...@example.com
> > Dec 21 15:29:28 server.example.com krb5kdc[13548](info): closing down fd 12
> > 
> > Not sure if that's helpful or not but it's something new (to me) so I
> > thought I would add it to the case.
> > 
> > Most unfortunately I need to access IPA to do some configuration
> > changes so this is getting more unfortunate than just some errors in a
> > log now.  :-(
> 
> Yes, this will be a manifestation of the same problem. Interestingly, the LDAP
> server should use the ds.keytab file instead of krb5.keytab.
> 
> We need someone from the DS team or with deep Kerberos/gssproxy knowledge to look
> into it.
> 
> Simo, Ludwig, how can this happen?

As Martin said, incorrect configuration of DS makes it fall back to use
the default keytab. Either /etc/sysconfig/dirsrv or the DS systemd unit
file must specify the correct keytab in the KRB5_KTNAME environment
variable.

Simo.

-- 
Simo Sorce * Red Hat, Inc * New York
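
A small diagnostic for the situation Simo describes, added here as an example and not code from the thread or from FreeIPA itself: it reads the KRB5_KTNAME assignment out of a sysconfig-style env file and out of a systemd unit's Environment= lines, works out which keytab the DS process would actually end up with (falling back to the libkrb5 default /etc/krb5.keytab when neither sets it), and checks parsed `klist -kt` output for the ldap/ service principal the LDAP server needs. All file contents, the host name server.example.com, the realm EXAMPLE.COM and the klist listings are constructed samples; the precedence rule (EnvironmentFile= values override Environment=) follows systemd's documented behaviour.

```python
"""Check which keytab a 389 DS instance would use for GSSAPI and whether it
holds the ldap/ principal.  Added example; not part of the mailing-list thread."""
import shlex

# Keytab libkrb5 opens when KRB5_KTNAME is unset (the usual Linux default).
DEFAULT_KEYTAB = "/etc/krb5.keytab"
VAR = "KRB5_KTNAME"

# --- constructed samples (hypothetical contents, not taken from the thread) ---
SYSCONFIG_OK = "KRB5_KTNAME=/etc/dirsrv/ds.keytab ; export KRB5_KTNAME\n"
SYSCONFIG_BROKEN = "# KRB5_KTNAME=/etc/dirsrv/ds.keytab ; export KRB5_KTNAME\n"
UNIT_OK = "[Service]\nEnvironment=KRB5_KTNAME=/etc/dirsrv/ds.keytab\n"
KLIST_DS = """Keytab name: FILE:/etc/dirsrv/ds.keytab
KVNO Timestamp         Principal
---- ----------------- ------------------------------------------------
   2 12/21/16 15:00:00 ldap/server.example.com@EXAMPLE.COM
"""
KLIST_HOST = """Keytab name: FILE:/etc/krb5.keytab
KVNO Timestamp         Principal
---- ----------------- ------------------------------------------------
   2 12/21/16 15:00:00 host/server.example.com@EXAMPLE.COM
"""


def _assignment(tokens):
    """Return the path from a KRB5_KTNAME=<path> token, or None if absent."""
    for tok in tokens:
        if tok.startswith(VAR + "="):
            value = tok[len(VAR) + 1:]
            # libkrb5 accepts an optional "FILE:" prefix; strip it for comparison.
            return value[5:] if value.upper().startswith("FILE:") else value
    return None


def keytab_from_sysconfig(text):
    """Parse a shell-style env file such as /etc/sysconfig/dirsrv.
    '#' comments are honoured, and the last assignment wins, as in a shell."""
    found = None
    for line in text.splitlines():
        value = _assignment(shlex.split(line, comments=True))
        if value is not None:
            found = value
    return found


def keytab_from_unit(text):
    """Parse Environment= lines of a systemd unit file or drop-in."""
    found = None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("Environment="):
            value = _assignment(shlex.split(line[len("Environment="):]))
            if value is not None:
                found = value
    return found


def effective_keytab(sysconfig_text, unit_text):
    """Keytab the DS process ends up with.  systemd applies EnvironmentFile=
    (the sysconfig file) on top of Environment=, so the sysconfig value wins;
    with neither set, libkrb5 silently falls back to the host keytab."""
    value = keytab_from_sysconfig(sysconfig_text)
    if value is None:
        value = keytab_from_unit(unit_text)
    return value if value is not None else DEFAULT_KEYTAB


def principals_in_klist(klist_output):
    """Principals from `klist -kt` output; header and separator rows skipped."""
    principals = set()
    for line in klist_output.splitlines():
        parts = line.split()
        # Data rows look like: KVNO  date  time  principal
        if len(parts) == 4 and parts[0].isdigit() and "@" in parts[3]:
            principals.add(parts[3])
    return principals


def diagnose(sysconfig_text, unit_text, klist_output, host, realm):
    """Summarise whether DS fell back to the default keytab and whether the
    keytab it would open carries ldap/<host>@<REALM>."""
    keytab = effective_keytab(sysconfig_text, unit_text)
    wanted = "ldap/%s@%s" % (host, realm)
    return {
        "keytab": keytab,
        "fell_back_to_default": keytab == DEFAULT_KEYTAB,
        "has_ldap_principal": wanted in principals_in_klist(klist_output),
    }


if __name__ == "__main__":
    for label, cfg, listing in (("broken", SYSCONFIG_BROKEN, KLIST_HOST),
                                ("fixed", SYSCONFIG_OK, KLIST_DS)):
        print(label, diagnose(cfg, "", listing, "server.example.com", "EXAMPLE.COM"))
```

On a live server the two text inputs would be the contents of /etc/sysconfig/dirsrv and the dirsrv@ unit (plus any drop-ins), and the listing would come from `klist -kt` run against the path the check reports; a result with `fell_back_to_default` true and `has_ldap_principal` false is exactly the "Invalid credentials" symptom from the quoted log, with the KDC happily issuing a ticket for ldap/ that the server then cannot decrypt.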

-- 
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project