Hi. I have two IPA servers in a multi-master setup, running IPA 3.0. They've been working fine for the last ~16 months and started life as 2.2 servers. Recently the following error started showing up. I'm not sure when exactly, since I only discovered it when I was checking the status of an account the other day.

ipa1: ~> ipa user-status user
-----------------------
Account disabled: False
-----------------------
  Server: ipa1.domain.tld
  Failed logins: 0
  Last successful authentication: 2013-04-26T11:20:06Z
  Last failed authentication: 2013-04-26T08:44:08Z
  Time now: 2013-04-26T11:20:06Z

  Server: ipa2.domain.tld failed: Insufficient access: SASL(-1): generic failure: GSSAPI Error: Unspecified GSS failure. Minor code may provide more information (KDC returned error string: NOT_ALLOWED_TO_DELEGATE)
----------------------------
Number of entries returned 2
----------------------------

The same exact thing happens on the other replica. Everything else works as far as I can tell, replication is fine and either one will issue TGTs and so forth. Basically, aside from the above I can't find anything wrong.

The following shows up in the krb5kdc.log on both the servers:

Apr 26 13:37:09 ipa1.domain.tld krb5kdc[26612](info): TGS_REQ (4 etypes {18 17 16 23}) x.x.x.x: NOT_ALLOWED_TO_DELEGATE: authtime 0, HTTP/ipa1.domain....@domain.tld for ldap/ipa2.domain....@domain.tld, No such file or directory
Apr 26 13:37:09 ipa1.domain.tld krb5kdc[26612](info): TGS_REQ (4 etypes {18 17 16 23}) x.x.x.x: NOT_ALLOWED_TO_DELEGATE: authtime 0, HTTP/ipa1.domain....@domain.tld for ldap/ipa2.domain....@domain.tld, No such file or directory

Any help would be appreciated.

Regards
Johan Sunnerstig

_______________________________________________
Freeipa-users mailing list
Freeipa-users@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-users