We have FreeIPA 3.0.0 running on CentOS 6.4, with master ipa01 (configured with the --setup-ca option) and replica ipa02 (configured without the --setup-ca option).

We use a script to add ipa clients to the server. When we tried to add new ipa clients, we are getting the error:

*ipa: ERROR: Insufficient access: SASL(-1): generic failure: GSSAPI Error: Unspecified GSS failure. Minor code may provide more information (KDC returned error string: NOT_ALLOWED_TO_DELEGATE)*

What we have noticed is that memberPrincipal: HTTP/[email protected] is missing on both master and replica servers.

IPA Master:

[root@ipa01 ~]# ldapsearch -x -b cn=ipa-http-delegation,cn=s4u2proxy,cn=etc,dc=teloip,dc=net
# extended LDIF
#
# LDAPv3
# base <cn=ipa-http-delegation,cn=s4u2proxy,cn=etc,dc=teloip,dc=net> with scope subtree
# filter: (objectclass=*)
# requesting: ALL
#

# ipa-http-delegation, s4u2proxy, etc, teloip.net
dn: cn=ipa-http-delegation,cn=s4u2proxy,cn=etc,dc=teloip,dc=net
objectClass: ipaKrb5DelegationACL
objectClass: groupOfPrincipals
objectClass: top
ipaAllowedTarget: cn=ipa-ldap-delegation-targets,cn=s4u2proxy,cn=etc,dc=teloip,dc=net
ipaAllowedTarget: cn=ipa-cifs-delegation-targets,cn=s4u2proxy,cn=etc,dc=teloip,dc=net
memberPrincipal: HTTP/[email protected]
cn: ipa-http-delegation

# search result
search: 2
result: 0 Success

# numResponses: 2
# numEntries: 1
[root@ipa01 ~]#

IPA Replica:

[root@ipa02 /]# ldapsearch -x -b cn=ipa-http-delegation,cn=s4u2proxy,cn=etc,dc=teloip,dc=net
# extended LDIF
#
# LDAPv3
# base <cn=ipa-http-delegation,cn=s4u2proxy,cn=etc,dc=teloip,dc=net> with scope subtree
# filter: (objectclass=*)
# requesting: ALL
#

# ipa-http-delegation, s4u2proxy, etc, teloip.net
dn: cn=ipa-http-delegation,cn=s4u2proxy,cn=etc,dc=teloip,dc=net
cn: ipa-http-delegation
memberPrincipal: HTTP/[email protected]
ipaAllowedTarget: cn=ipa-ldap-delegation-targets,cn=s4u2proxy,cn=etc,dc=teloip,dc=net
ipaAllowedTarget: cn=ipa-cifs-delegation-targets,cn=s4u2proxy,cn=etc,dc=teloip,dc=net
objectClass: ipaKrb5DelegationACL
objectClass: groupOfPrincipals
objectClass: top

# search result
search: 2
result: 0 Success

# numResponses: 2
# numEntries: 1

Your help is highly appreciated,
Linov Suresh.
-- Manage your subscription for the Freeipa-users mailing list: https://www.redhat.com/mailman/listinfo/freeipa-users Go to http://freeipa.org for more info on the project
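A small check added here as an example (not code from the thread or from FreeIPA): it parses the ldapsearch output for the cn=ipa-http-delegation S4U2Proxy ACL and reports which IPA servers' HTTP/ principals are not listed as memberPrincipal, which is the condition that makes the KDC answer NOT_ALLOWED_TO_DELEGATE when the web framework tries to delegate to LDAP. The hostnames, realm and sample LDIF are constructed; in practice you would feed it the output of the same ldapsearch run against each server.

```python
def parse_ldif_entries(text):
    """Parse ldapsearch LDIF output into a list of {attr: [values]} dicts,
    skipping '#' comment lines and unfolding continuation lines."""
    lines = []
    for raw in text.splitlines():
        if raw.startswith(" ") and lines:      # folded line: continue previous
            lines[-1] += raw[1:]
        else:
            lines.append(raw)
    entries, current = [], {}
    for line in lines:
        if line.startswith("#"):
            continue
        if not line.strip():                   # blank line ends an entry
            if current:
                entries.append(current)
                current = {}
            continue
        attr, _, value = line.partition(":")
        current.setdefault(attr.strip(), []).append(value.strip())
    if current:
        entries.append(current)
    return entries

def missing_http_principals(ldif_text, servers, realm):
    """Return the HTTP/<host>@<REALM> principals (one per IPA server) that are
    absent from memberPrincipal on the ipa-http-delegation S4U2Proxy ACL."""
    expected = set("HTTP/%s@%s" % (host, realm) for host in servers)
    for entry in parse_ldif_entries(ldif_text):
        dn = entry.get("dn", [""])[0].lower()
        if dn.startswith("cn=ipa-http-delegation,cn=s4u2proxy,"):
            return sorted(expected - set(entry.get("memberPrincipal", [])))
    return sorted(expected)   # ACL entry not found at all: every principal is missing

# Constructed ldapsearch output (hypothetical hosts/realm): only the master is listed.
SAMPLE_LDIF = """# extended LDIF

# ipa-http-delegation, s4u2proxy, etc, example.test
dn: cn=ipa-http-delegation,cn=s4u2proxy,cn=etc,dc=example,dc=test
objectClass: ipaKrb5DelegationACL
objectClass: groupOfPrincipals
objectClass: top
ipaAllowedTarget: cn=ipa-ldap-delegation-targets,cn=s4u2proxy,cn=etc,dc=example,dc=test
memberPrincipal: HTTP/ipa01.example.test@EXAMPLE.TEST
cn: ipa-http-delegation
"""
```

For the constructed sample, `missing_http_principals(SAMPLE_LDIF, ["ipa01.example.test", "ipa02.example.test"], "EXAMPLE.TEST")` reports only the replica's principal; an empty result on every server is what a healthy master/replica pair should show.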
