I ran ldapsearch -Y GSSAPI; what we are seeing is that IPA server 2, ipa02, is missing on both the master and replica servers. Do we need to add IPA server 2, ipa02, on both master and replica?
[root@ipa01 ~]# ldapsearch -Y GSSAPI -H ldap://ipa01.teloip.net -b "cn=s4u2proxy,cn=etc,dc=teloip,dc=net"
SASL/GSSAPI authentication started
SASL username: [email protected]
SASL SSF: 56
SASL data security layer installed.
# extended LDIF
#
# LDAPv3
# base <cn=s4u2proxy,cn=etc,dc=teloip,dc=net> with scope subtree
# filter: (objectclass=*)
# requesting: ALL
#

# s4u2proxy, etc, teloip.net
dn: cn=s4u2proxy,cn=etc,dc=teloip,dc=net
objectClass: nsContainer
objectClass: top
cn: s4u2proxy

# ipa-http-delegation, s4u2proxy, etc, teloip.net
dn: cn=ipa-http-delegation,cn=s4u2proxy,cn=etc,dc=teloip,dc=net
objectClass: ipaKrb5DelegationACL
objectClass: groupOfPrincipals
objectClass: top
ipaAllowedTarget: cn=ipa-ldap-delegation-targets,cn=s4u2proxy,cn=etc,dc=teloip,dc=net
ipaAllowedTarget: cn=ipa-cifs-delegation-targets,cn=s4u2proxy,cn=etc,dc=teloip,dc=net
memberPrincipal: HTTP/[email protected]
cn: ipa-http-delegation

# ipa-cifs-delegation-targets, s4u2proxy, etc, teloip.net
dn: cn=ipa-cifs-delegation-targets,cn=s4u2proxy,cn=etc,dc=teloip,dc=net
objectClass: groupOfPrincipals
objectClass: top
cn: ipa-cifs-delegation-targets

# ipa-ldap-delegation-targets, s4u2proxy, etc, teloip.net
dn: cn=ipa-ldap-delegation-targets,cn=s4u2proxy,cn=etc,dc=teloip,dc=net
objectClass: groupOfPrincipals
objectClass: top
memberPrincipal: ldap/[email protected]
cn: ipa-ldap-delegation-targets

# search result
search: 4
result: 0 Success

# numResponses: 5
# numEntries: 4
[root@ipa01 ~]#

[root@ipa02 ~]# ldapsearch -Y GSSAPI -H ldap://ipa02.teloip.net -b "cn=s4u2proxy,cn=etc,dc=teloip,dc=net"
SASL/GSSAPI authentication started
SASL username: [email protected]
SASL SSF: 56
SASL data security layer installed.
# extended LDIF
#
# LDAPv3
# base <cn=s4u2proxy,cn=etc,dc=teloip,dc=net> with scope subtree
# filter: (objectclass=*)
# requesting: ALL
#

# s4u2proxy, etc, teloip.net
dn: cn=s4u2proxy,cn=etc,dc=teloip,dc=net
cn: s4u2proxy
objectClass: nsContainer
objectClass: top

# ipa-http-delegation, s4u2proxy, etc, teloip.net
dn: cn=ipa-http-delegation,cn=s4u2proxy,cn=etc,dc=teloip,dc=net
cn: ipa-http-delegation
memberPrincipal: HTTP/[email protected]
ipaAllowedTarget: cn=ipa-ldap-delegation-targets,cn=s4u2proxy,cn=etc,dc=teloip,dc=net
ipaAllowedTarget: cn=ipa-cifs-delegation-targets,cn=s4u2proxy,cn=etc,dc=teloip,dc=net
objectClass: ipaKrb5DelegationACL
objectClass: groupOfPrincipals
objectClass: top

# ipa-cifs-delegation-targets, s4u2proxy, etc, teloip.net
dn: cn=ipa-cifs-delegation-targets,cn=s4u2proxy,cn=etc,dc=teloip,dc=net
cn: ipa-cifs-delegation-targets
objectClass: groupOfPrincipals
objectClass: top

# ipa-ldap-delegation-targets, s4u2proxy, etc, teloip.net
dn: cn=ipa-ldap-delegation-targets,cn=s4u2proxy,cn=etc,dc=teloip,dc=net
cn: ipa-ldap-delegation-targets
memberPrincipal: ldap/[email protected]
objectClass: groupOfPrincipals
objectClass: top

# search result
search: 4
result: 0 Success

# numResponses: 5
# numEntries: 4
[root@ipa02 ~]#

Appreciate your help,
Linov Suresh.

On Wed, Aug 24, 2016 at 4:32 PM, Rob Crittenden <[email protected]> wrote:
> Linov Suresh wrote:
>
>> Looks like our issue is discussed here, and is missing one or more
>> memberPrincipal.
>>
>> https://www.redhat.com/archives/freeipa-users/2013-April/msg00228.html
>>
>> When I tried to add the Principal, I'm getting an error,
>>
>
> You didn't follow the instructions in the e-mail thread. The problem isn't
> a principal that doesn't exist, it is a principal not in the delegation
> list. Do the ldapsearches and see what is missing (and you'll need to use
> -Y GSSAPI instead of -x) then add it using ldapmodify.
>
> Only under very specific circumstances would I ever recommend using
> kadmin.local.
>
> rob
>
>
>> [root@ipa01 ~]# kadmin.local
>> Authenticating as principal admin/[email protected] with password.
>> kadmin.local: addprinc -randkey HTTP/[email protected]
>> WARNING: no policy specified for HTTP/[email protected]; defaulting to no policy
>> add_principal: Principal or policy already exists while creating "HTTP/[email protected]"
>>
>> [root@ipa01 ~]# kadmin.local
>> Authenticating as principal admin/[email protected] with password.
>> kadmin.local: addprinc -randkey ldap/[email protected]
>> WARNING: no policy specified for ldap/[email protected]; defaulting to no policy
>> add_principal: Principal or policy already exists while creating "ldap/[email protected]".
>>
>> Could you please help us to fix the "KDC returned error string:
>> NOT_ALLOWED_TO_DELEGATE" error?
>>
>> [root@caer ~]# kadmin.local
>> Authenticating as principal admin/[email protected] with password.
>> kadmin.local: addprinc -randkey HTTP/[email protected]
>> WARNING: no policy specified for HTTP/[email protected]; defaulting to no policy
>> add_principal: Principal or policy already exists while creating "HTTP/[email protected]"
>>
>> On Tue, Aug 16, 2016 at 7:58 AM, Martin Kosek <[email protected]> wrote:
>>
>> On 08/16/2016 09:25 AM, Petr Spacek wrote:
>> > On 15.8.2016 20:18, Linov Suresh wrote:
>> >> We have an IPA replica set up on RHEL 6.4 and it is FreeIPA 3.0.0.
>> >>
>> >> We can only add the clients from IPA Server 01, not from IPA Server 02.
>> >> When I tried to add the client from IPA Server 02, I'm getting the error,
>> >>
>> >> ipa: ERROR: Insufficient access: SASL(-1): generic failure: GSSAPI Error:
>> >> Unspecified GSS failure. Minor code may provide more information (KDC
>> >> returned error string: NOT_ALLOWED_TO_DELEGATE)
>> >>
>> >> SASL/GSSAPI authentication started
>> >> SASL username: [email protected]
>> >> SASL SSF: 56
>> >> SASL data security layer installed.
>> >> ldap_modify: No such object (32)
>> >> additional info: Range Check error
>> >> modifying entry "fqdn=cpe-5061747522f9.example.net,cn=computers,cn=accounts,dc=example,dc=net"
>> >>
>> >> Could you please help us to fix this?
>> >
>> > We need to see the exact steps you did before we can give you any
>> > meaningful advice.
>> >
>> > Please have a look at
>> > http://www.chiark.greenend.org.uk/~sgtatham/bugs.html
>> >
>> > It is a very nice document which describes general bug reporting
>> > procedure and best practices.
>> >
>> > We will certainly have a look but we need to first see the
>> > information :-)
>>
>> Also, using IPA on RHEL-6.4 is discouraged. This is a really old release and
>> there are known issues (in cert renewals for example). Using at least RHEL-6.8
>> or, even better, RHEL-7.2 is preferred and would help you avoid known issues
>> and deficiencies (and the newer FreeIPA versions are way cooler anyway).
--
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project
