[Freeipa-users] GSSAPI Failure

Simo Sorce ssorce at redhat.com
Fri Nov 14 05:05:21 UTC 2008


On Fri, 2008-11-14 at 07:29 +0300, Kozlov wrote:
> Simo Sorce wrote:
> > On Thu, 2008-11-13 at 17:03 +0300, Konstantin Kozlov wrote:
> >> Unfortunately it doesn't change my situation.
> >>
> >> So is it the dead end?
> > 
> > Have you done a kinit again after you changed it ?
> > What does klist -f show you ?
> > 
> 
> Hello,
> 
> Thank you for not giving up Simo!
> 
> Here is the log:
> 
> [root at ipaserver ~]# klist -f
> Ticket cache: FILE:/tmp/krb5cc_0
> Default principal: admin at EXAMPLE.COM
> 
> Valid starting     Expires            Service principal
> 11/13/08 16:54:34  11/14/08 16:54:30  krbtgt/EXAMPLE.COM at EXAMPLE.COM
> 	Flags: FIA
> 11/13/08 16:54:55  11/14/08 16:54:30  HTTP/ipaserver.example.com at EXAMPLE.COM
> 	Flags: FAT
> 
> 
> Kerberos 4 ticket cache: /tmp/tkt0
> klist: You have no tickets cached
> [root at ipaserver ~]# ipa-finduser admin
> Connection to database failed: Invalid credentials: SASL(-13): 
> authentication failure: GSSAPI Failure: gss_accept_sec_context
> [root at ipaserver ~]# ldapsearch -Y GSSAPI -b "dc=bio,dc=spbcas,dc=ru" uid 
> admin
> SASL/GSSAPI authentication started
> ldap_sasl_interactive_bind_s: Invalid credentials (49)
> [root at ipaserver ~]# kdestroy
> [root at ipaserver ~]# kinit admin
> Password for admin at EXAMPLE.COM:
> [root at ipaserver ~]# klist -f
> Ticket cache: FILE:/tmp/krb5cc_0
> Default principal: admin at EXAMPLE.COM
> 
> Valid starting     Expires            Service principal
> 11/14/08 07:23:02  11/15/08 07:22:58  krbtgt/EXAMPLE.COM at EXAMPLE.COM
> 	Flags: FIA
> 
> 
> Kerberos 4 ticket cache: /tmp/tkt0
> klist: You have no tickets cached
> [root at ipaserver ~]# ipa-finduser admin
> Connection to database failed: Invalid credentials: SASL(-13): 
> authentication failure: GSSAPI Failure: gss_accept_sec_context
> [root at ipaserver ~]# ldapsearch -Y GSSAPI -b "dc=example,dc=com" uid admin
> SASL/GSSAPI authentication started
> ldap_sasl_interactive_bind_s: Invalid credentials (49)
> 
> Can it be a hardware related problem? The machine is rather old - HP 
> NetServer Pentium 3, 500 GHz, 512 MB.

OK, I think I know what it is, if you are really using EXAMPLE.COM.
Before FreeIPA 1.2.0 we were not changing krb5.conf if the realm name
used was EXAMPLE.COM (i.e. the default example).

Can you post your server and client krb5.conf files?

Otherwise you can also try rebuilding your IPA server using a different
realm name than EXAMPLE.COM.

Simo.

-- 
Simo Sorce * Red Hat, Inc * New York
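
An added example, not part of the original message and not FreeIPA code: a small check for the condition described above, a krb5.conf whose EXAMPLE.COM realm entries were never rewritten to point at the IPA server. The stock file contents, the function names and the fallback rule for unmapped hosts are assumptions; the host name is the one from the klist output in the thread.

```python
# Constructed sample: a krb5.conf still at the assumed distribution defaults.
STOCK = """\
[libdefaults]
 default_realm = EXAMPLE.COM
[realms]
 EXAMPLE.COM = {
  kdc = kerberos.example.com:88
  admin_server = kerberos.example.com:749
 }
[domain_realm]
 .example.com = EXAMPLE.COM
"""

def parse_krb5(text):
    """Return (default_realm, {realm: [kdc hosts]}, {domain: realm})."""
    section = realm = default_realm = None
    kdcs, domains = {}, {}
    for line in map(str.strip, text.splitlines()):
        if not line or line[0] in "#;":
            continue  # blank line or comment
        if line.startswith("[") and line.endswith("]"):
            section, realm = line[1:-1], None
        elif "=" in line:
            key, val = (s.strip() for s in line.split("=", 1))
            if section == "libdefaults" and key == "default_realm":
                default_realm = val
            elif section == "realms" and val == "{":
                realm = key  # start of a realm block
            elif section == "realms" and realm and key == "kdc":
                # keep the host part only, dropping an optional :port
                kdcs.setdefault(realm, []).append(val.rsplit(":", 1)[0].lower())
            elif section == "domain_realm":
                domains[key.lower()] = val
    return default_realm, kdcs, domains

def check(text, server_fqdn):
    """List reasons this krb5.conf does not point server_fqdn at its own KDC."""
    default_realm, kdcs, domains = parse_krb5(text)
    host, problems = server_fqdn.lower(), []
    if host not in kdcs.get(default_realm, []):
        problems.append(f"realm {default_realm} has no kdc = {host}")
    parts = host.split(".")
    names = [host] + ["." + ".".join(parts[i:]) for i in range(1, len(parts))]
    # Assumption: with no mapping, the upper-cased parent domain is the realm.
    fallback = ".".join(parts[1:]).upper()
    realm = next((domains[n] for n in names if n in domains), fallback)
    if realm != default_realm:
        problems.append(f"{host} maps to realm {realm}, not {default_realm}")
    return problems
```

Running `check()` on the contents of both the server's and the client's /etc/krb5.conf gives a quick answer to whether either file was left at its defaults.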
