Great! That worked. Thank you so much Rob. Your help is highly appreciated.
On Thu, Aug 25, 2016 at 3:49 PM, Rob Crittenden <rcrit...@redhat.com> wrote:

> Linov Suresh wrote:
>
>> I ran ldapsearch -Y GSSAPI, what we are seeing is IPA server 2, ipa02
>> is missing on both master and replica servers. Do we need to add IPA
>> server 2, ipa02 on both master and replica?
>
> No, it should replicate. I find it very strange that these are missing. I
> wonder what else wasn't set up when the replica was created.
>
> In any case, this will add the entries:
>
> # ldapmodify -Y GSSAPI
> dn: cn=ipa-http-delegation,cn=s4u2proxy,cn=etc,dc=teloip,dc=net
> changetype: modify
> add: memberPrincipal
> memberPrincipal: HTTP/ipa02.teloip....@teloip.net
>
> ^D
>
> # ldapmodify -Y GSSAPI
> dn: cn=ipa-ldap-delegation-targets,cn=s4u2proxy,cn=etc,dc=teloip,dc=net
> changetype: modify
> add: memberPrincipal
> memberPrincipal: ldap/ipa02.teloip....@teloip.net
>
> ^D
>
> rob
>
>> [root@ipa01 ~]# ldapsearch -Y GSSAPI -H ldap://ipa01.teloip.net -b "cn=s4u2proxy,cn=etc,dc=teloip,dc=net"
>> SASL/GSSAPI authentication started
>> SASL username: ad...@teloip.net
>> SASL SSF: 56
>> SASL data security layer installed.
>> # extended LDIF
>> #
>> # LDAPv3
>> # base <cn=s4u2proxy,cn=etc,dc=teloip,dc=net> with scope subtree
>> # filter: (objectclass=*)
>> # requesting: ALL
>> #
>>
>> # s4u2proxy, etc, teloip.net
>> dn: cn=s4u2proxy,cn=etc,dc=teloip,dc=net
>> objectClass: nsContainer
>> objectClass: top
>> cn: s4u2proxy
>>
>> # ipa-http-delegation, s4u2proxy, etc, teloip.net
>> dn: cn=ipa-http-delegation,cn=s4u2proxy,cn=etc,dc=teloip,dc=net
>> objectClass: ipaKrb5DelegationACL
>> objectClass: groupOfPrincipals
>> objectClass: top
>> ipaAllowedTarget: cn=ipa-ldap-delegation-targets,cn=s4u2proxy,cn=etc,dc=teloip,dc=net
>> ipaAllowedTarget: cn=ipa-cifs-delegation-targets,cn=s4u2proxy,cn=etc,dc=teloip,dc=net
>> memberPrincipal: HTTP/ipa01.teloip....@teloip.net
>> cn: ipa-http-delegation
>>
>> # ipa-cifs-delegation-targets, s4u2proxy, etc, teloip.net
>> dn: cn=ipa-cifs-delegation-targets,cn=s4u2proxy,cn=etc,dc=teloip,dc=net
>> objectClass: groupOfPrincipals
>> objectClass: top
>> cn: ipa-cifs-delegation-targets
>>
>> # ipa-ldap-delegation-targets, s4u2proxy, etc, teloip.net
>> dn: cn=ipa-ldap-delegation-targets,cn=s4u2proxy,cn=etc,dc=teloip,dc=net
>> objectClass: groupOfPrincipals
>> objectClass: top
>> memberPrincipal: ldap/ipa01.teloip....@teloip.net
>> cn: ipa-ldap-delegation-targets
>>
>> # search result
>> search: 4
>> result: 0 Success
>>
>> # numResponses: 5
>> # numEntries: 4
>> [root@ipa01 ~]#
>>
>> [root@ipa02 ~]# ldapsearch -Y GSSAPI -H ldap://ipa02.teloip.net -b "cn=s4u2proxy,cn=etc,dc=teloip,dc=net"
>> SASL/GSSAPI authentication started
>> SASL username: ad...@teloip.net
>> SASL SSF: 56
>> SASL data security layer installed.
>> # extended LDIF
>> #
>> # LDAPv3
>> # base <cn=s4u2proxy,cn=etc,dc=teloip,dc=net> with scope subtree
>> # filter: (objectclass=*)
>> # requesting: ALL
>> #
>>
>> # s4u2proxy, etc, teloip.net
>> dn: cn=s4u2proxy,cn=etc,dc=teloip,dc=net
>> cn: s4u2proxy
>> objectClass: nsContainer
>> objectClass: top
>>
>> # ipa-http-delegation, s4u2proxy, etc, teloip.net
>> dn: cn=ipa-http-delegation,cn=s4u2proxy,cn=etc,dc=teloip,dc=net
>> cn: ipa-http-delegation
>> memberPrincipal: HTTP/ipa01.teloip....@teloip.net
>> ipaAllowedTarget: cn=ipa-ldap-delegation-targets,cn=s4u2proxy,cn=etc,dc=teloip,dc=net
>> ipaAllowedTarget: cn=ipa-cifs-delegation-targets,cn=s4u2proxy,cn=etc,dc=teloip,dc=net
>> objectClass: ipaKrb5DelegationACL
>> objectClass: groupOfPrincipals
>> objectClass: top
>>
>> # ipa-cifs-delegation-targets, s4u2proxy, etc, teloip.net
>> dn: cn=ipa-cifs-delegation-targets,cn=s4u2proxy,cn=etc,dc=teloip,dc=net
>> cn: ipa-cifs-delegation-targets
>> objectClass: groupOfPrincipals
>> objectClass: top
>>
>> # ipa-ldap-delegation-targets, s4u2proxy, etc, teloip.net
>> dn: cn=ipa-ldap-delegation-targets,cn=s4u2proxy,cn=etc,dc=teloip,dc=net
>> cn: ipa-ldap-delegation-targets
>> memberPrincipal: ldap/ipa01.teloip....@teloip.net
>> objectClass: groupOfPrincipals
>> objectClass: top
>>
>> # search result
>> search: 4
>> result: 0 Success
>>
>> # numResponses: 5
>> # numEntries: 4
>> [root@ipa02 ~]#
>>
>> Appreciate your help,
>>
>> Linov Suresh.
>>
>> On Wed, Aug 24, 2016 at 4:32 PM, Rob Crittenden <rcrit...@redhat.com> wrote:
>>
>>> Linov Suresh wrote:
>>>
>>>> Looks like our issue is discussed here, and is missing one or more
>>>> memberPrincipal.
>>>>
>>>> https://www.redhat.com/archives/freeipa-users/2013-April/msg00228.html
>>>>
>>>> When I tried to add the principal, I'm getting an error,
>>>
>>> You didn't follow the instructions in the e-mail thread. The problem
>>> isn't a principal that doesn't exist, it is a principal not in the
>>> delegation list. Do the ldapsearches and see what is missing (and
>>> you'll need to use -Y GSSAPI instead of -x) then add it using
>>> ldapmodify.
>>>
>>> Only under very specific circumstances would I ever recommend using
>>> kadmin.local.
>>>
>>> rob
>>>
>>>> [root@ipa01 ~]# kadmin.local
>>>> Authenticating as principal admin/ad...@teloip.net with password.
>>>> kadmin.local: addprinc -randkey HTTP/ipa02.teloip....@teloip.net
>>>> WARNING: no policy specified for HTTP/ipa02.teloip....@teloip.net; defaulting to no policy
>>>> add_principal: Principal or policy already exists while creating "HTTP/ipa02.teloip....@teloip.net"
>>>>
>>>> [root@ipa01 ~]# kadmin.local
>>>> Authenticating as principal admin/ad...@teloip.net with password.
>>>> kadmin.local: addprinc -randkey ldap/ipa02.teloip....@teloip.net
>>>> WARNING: no policy specified for ldap/ipa02.teloip....@teloip.net; defaulting to no policy
>>>> add_principal: Principal or policy already exists while creating "ldap/ipa02.teloip....@teloip.net".
>>>>
>>>> Could you please help us to fix the "KDC returned error string: NOT_ALLOWED_TO_DELEGATE" error?
>>>>
>>>> [root@caer ~]# kadmin.local
>>>> Authenticating as principal admin/ad...@teloip.net with password.
>>>> kadmin.local: addprinc -randkey HTTP/neit.teloip....@teloip.net
>>>> WARNING: no policy specified for HTTP/neit.teloip....@teloip.net; defaulting to no policy
>>>> add_principal: Principal or policy already exists while creating "HTTP/neit.teloip....@teloip.net"
>>>>
>>>> On Tue, Aug 16, 2016 at 7:58 AM, Martin Kosek <mko...@redhat.com> wrote:
>>>>
>>>>> On 08/16/2016 09:25 AM, Petr Spacek wrote:
>>>>>> On 15.8.2016 20:18, Linov Suresh wrote:
>>>>>>> We have an IPA replica set up in RHEL 6.4 and it is FreeIPA 3.0.0
>>>>>>>
>>>>>>> We can only add the clients from IPA Server 01, not from IPA Server 02.
>>>>>>> When I tried to add the client from IPA Server 02, I got the error,
>>>>>>>
>>>>>>> ipa: ERROR: Insufficient access: SASL(-1): generic failure: GSSAPI Error:
>>>>>>> Unspecified GSS failure. Minor code may provide more information (KDC
>>>>>>> returned error string: NOT_ALLOWED_TO_DELEGATE)
>>>>>>>
>>>>>>> SASL/GSSAPI authentication started
>>>>>>> SASL username: vp...@example.net
>>>>>>> SASL SSF: 56
>>>>>>> SASL data security layer installed.
>>>>>>> ldap_modify: No such object (32)
>>>>>>> additional info: Range Check error
>>>>>>> modifying entry "fqdn=cpe-5061747522f9.example.net,cn=computers,cn=accounts,dc=example,dc=net"
>>>>>>>
>>>>>>> Could you please help us to fix this?
>>>>>>
>>>>>> We need to see the exact steps you did before we can give you any
>>>>>> meaningful advice.
>>>>>>
>>>>>> Please have a look at
>>>>>> http://www.chiark.greenend.org.uk/~sgtatham/bugs.html
>>>>>>
>>>>>> It is a very nice document which describes general bug reporting
>>>>>> procedure and best practices.
>>>>>>
>>>>>> We will certainly have a look but we first need to see the information :-)
>>>>>
>>>>> Also, using IPA on RHEL-6.4 is discouraged. This is a really old
>>>>> release and there are known issues (in cert renewals for example).
>>>>> Using at least RHEL-6.8 or, even better, RHEL-7.2 is preferred and
>>>>> would help you avoid known issues and deficiencies (and the newer
>>>>> FreeIPA versions are way cooler anyway).
-- Manage your subscription for the Freeipa-users mailing list: https://www.redhat.com/mailman/listinfo/freeipa-users Go to http://freeipa.org for more info on the project
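The check-then-add procedure Rob describes (ldapsearch the s4u2proxy container, see which server's HTTP/ and ldap/ principal is absent from the delegation groups, add it with ldapmodify), as an added Python example that is not part of the thread and not FreeIPA's own code. It parses a constructed copy of the ldapsearch output so it runs offline; the hostnames ipa01/ipa02.example.test, the realm EXAMPLE.TEST and the suffix dc=example,dc=test are assumptions standing in for the thread's obfuscated values, and the two group DNs are the ones shown in the thread with the suffix swapped.

```python
"""Find memberPrincipal values missing from an IPA s4u2proxy delegation ACL.

Added example, not code from the thread or from FreeIPA. It parses the LDIF
that `ldapsearch -Y GSSAPI -b "cn=s4u2proxy,cn=etc,<suffix>"` prints, checks
that every IPA server's HTTP/ and ldap/ principal is in the delegation groups
the thread shows, and renders the ldapmodify input that adds what is missing.
"""

SERVERS = ["ipa01.example.test", "ipa02.example.test"]  # assumed hostnames
REALM = "EXAMPLE.TEST"                                   # assumed realm
SUFFIX = "dc=example,dc=test"                            # assumed suffix

# Group DN (from the thread, suffix templated) -> service every server must add.
EXPECTED = {
    "cn=ipa-http-delegation,cn=s4u2proxy,cn=etc,{suffix}": "HTTP",
    "cn=ipa-ldap-delegation-targets,cn=s4u2proxy,cn=etc,{suffix}": "ldap",
}

# Constructed ldapsearch output modelled on the thread: only ipa01 is listed.
# Long values wrap with a leading space, exactly as ldapsearch prints them.
SAMPLE_LDIF = """\
# base <cn=s4u2proxy,cn=etc,dc=example,dc=test> with scope subtree

dn: cn=ipa-http-delegation,cn=s4u2proxy,cn=etc,dc=example,dc=test
objectClass: ipaKrb5DelegationACL
objectClass: groupOfPrincipals
ipaAllowedTarget: cn=ipa-ldap-delegation-targets,cn=s4u2proxy,cn=etc,dc=exam
 ple,dc=test
ipaAllowedTarget: cn=ipa-cifs-delegation-targets,cn=s4u2proxy,cn=etc,dc=exam
 ple,dc=test
memberPrincipal: HTTP/ipa01.example.test@EXAMPLE.TEST
cn: ipa-http-delegation

dn: cn=ipa-ldap-delegation-targets,cn=s4u2proxy,cn=etc,dc=example,dc=test
objectClass: groupOfPrincipals
memberPrincipal: ldap/ipa01.example.test@EXAMPLE.TEST
cn: ipa-ldap-delegation-targets

# search result
search: 2
result: 0 Success
"""


def parse_ldif(text):
    """Return {dn_lowercased: {attr: [values]}} from ldapsearch-style LDIF."""
    logical = []
    for line in text.splitlines():          # join RFC 2849 continuation lines
        if line.startswith(" ") and logical:
            logical[-1] += line[1:]
        else:
            logical.append(line)
    entries, current = {}, None
    for line in logical:
        if not line.strip():
            current = None                  # blank line ends the entry
            continue
        if line.startswith("#"):
            continue
        attr, sep, value = line.partition(":")
        if not sep or value.startswith(":"):  # no colon, or base64 (unused here)
            continue
        value = value.strip()
        if attr == "dn":
            current = entries.setdefault(value.lower(), {})
        elif current is not None:           # 'search:'/'result:' carry no dn
            current.setdefault(attr, []).append(value)
    return entries


def missing_principals(ldif_text, servers=SERVERS, realm=REALM, suffix=SUFFIX):
    """Return {group_dn: [principals not yet allowed]}; empty means all present."""
    entries = parse_ldif(ldif_text)
    missing = {}
    for dn_tpl, service in EXPECTED.items():
        dn = dn_tpl.format(suffix=suffix)
        attrs = entries.get(dn.lower())
        if attrs is None:   # the group itself never replicated; adding members won't help
            raise LookupError("delegation entry not found: " + dn)
        present = set(attrs.get("memberPrincipal", []))  # principal names are case-sensitive
        for host in servers:
            principal = f"{service}/{host}@{realm}"
            if principal not in present:
                missing.setdefault(dn, []).append(principal)
    return missing


def render_ldapmodify(missing):
    """LDIF for `ldapmodify -Y GSSAPI`, one modify record per group."""
    records = []
    for dn, principals in missing.items():
        lines = [f"dn: {dn}", "changetype: modify", "add: memberPrincipal"]
        lines += [f"memberPrincipal: {p}" for p in principals]
        records.append("\n".join(lines) + "\n")
    return "\n".join(records)


if __name__ == "__main__":
    print(render_ldapmodify(missing_principals(SAMPLE_LDIF)), end="")
```

Against the sample this prints two modify records adding HTTP/ipa02.example.test@EXAMPLE.TEST and ldap/ipa02.example.test@EXAMPLE.TEST, which is the same LDIF Rob wrote by hand; on a real deployment pipe the ldapsearch output in and the rendered LDIF into `ldapmodify -Y GSSAPI`. Two caveats: memberPrincipal is matched exactly by the KDC, so the value must be the principal the replica's HTTP service really holds in its keytab (uppercase realm included), and if the group entry is absent rather than short a member, the script raises instead of emitting an add, because that points at the replica initialisation Rob was suspicious of rather than at a missing ACL entry.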