Hi.
I have two IPA servers in a multi master setup, running IPA 3.0.
They've been working fine for the last ~16 months and started life as 2.2
servers.
Recently the follow error started showing up, I'm not sure when exactly since I
only discovered it when I was checking the status of an account the other day.
ipa1: ~> ipa user-status user
-----------------------
Account disabled: False
-----------------------
Server: ipa1.domain.tld
Failed logins: 0
Last successful authentication: 2013-04-26T11:20:06Z
Last failed authentication: 2013-04-26T08:44:08Z
Time now: 2013-04-26T11:20:06Z
Server: ipa2.domain.tld failed: Insufficient access: SASL(-1): generic
failure: GSSAPI Error: Unspecified GSS failure. Minor code may provide more
information (KDC returned error string: NOT_ALLOWED_TO_DELEGATE)
----------------------------
Number of entries returned 2
----------------------------
The same exact thing happens on the other replica.
Everything else works as far as I can tell, replication is fine and either one
will issue TGT's and so forth. Basically aside from the above I can't find
anything wrong.
The following shows up in the krb5kdc.log on the both the servers:
Apr 26 13:37:09 ipa1.domain.tld krb5kdc[26612](info): TGS_REQ (4 etypes {18 17
16 23}) x.x.x.x: NOT_ALLOWED_TO_DELEGATE: authtime 0,
HTTP/ipa1.domain....@domain.tld for ldap/ipa2.domain....@domain.tld, No such
file or directory
Apr 26 13:37:09 ipa1.domain.tld krb5kdc[26612](info): TGS_REQ (4 etypes {18 17
16 23}) x.x.x.x: NOT_ALLOWED_TO_DELEGATE: authtime 0,
HTTP/ipa1.domain....@domain.tld for ldap/ipa2.domain....@domain.tld, No such
file or directory
Any help would be appreciated.
Regards
Johan Sunnerstig
_______________________________________________
Freeipa-users mailing list
Freeipa-users@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-users
