[Freeipa-users] GSSAPI Failure

Konstantin Kozlov kozlov at spbcas.ru
Wed Nov 12 15:04:21 UTC 2008


Hello,

Rob Crittenden wrote:
 > Konstantin Kozlov wrote:
 >> Hello,
 >>
 >> So I ran out of ideas for where to look for errors. I've got the GSSAPI
 >> error with ipa tools and ldap tools.
 >>
 >> [root@ipaserver ~]# ipa-finduser admin
 >> Connection to database failed: Invalid credentials: SASL(-13):
 >> authentication failure: GSSAPI Failure: gss_accept_sec_context
 >>
 >> But the ipauser can login to ipaserver and ipaclient and get his home
 >> dir automounted.
 >>
 >> Is it a dead end?
 >
 > Ok, this error indicates that the kerberos auth to the XML-RPC server
 > worked but that it can't make a GSSAPI connection to the LDAP server.
 >
 > You can test this directly with:
 >
 > % ldapsearch -Y GSSAPI -b "dc=example,dc=com" uid=admin
 >
 >>

This fails.

Dmitri Pal wrote:
> Konstantin,
> 
> Would it be a fair assumption to say that kinit and direct 
> authentication work fine but GSSAPI-based Kerberos auth does not?

Yes, that is correct.

> Is it happening on one machine or all machines?
> 

Both, ipaserver and ipaclient.

> I have seen a similar situation in another product, and the cause of the 
> problem was missing or outdated packages for SASL methods.
> Can it be the case?
> 

No. All packages are the latest version on ipaserver (Fedora 9).

Thanks,

Kostya


> Thanks
> Dmitri
> 
> Konstantin Kozlov wrote:
>> Hello,
>>
>> So I ran out of ideas for where to look for errors. I've got the GSSAPI 
>> error with ipa tools and ldap tools.
>>
>> [root@ipaserver ~]# ipa-finduser admin
>> Connection to database failed: Invalid credentials: SASL(-13): 
>> authentication failure: GSSAPI Failure: gss_accept_sec_context
>>
>> But the ipauser can login to ipaserver and ipaclient and get his home 
>> dir automounted.
>>
>> Is it a dead end?
>>
>> Are there any methods to add users/groups to ldap and kerberos 
>> consistently without ipa tools?
>>
>> Best regards,
>>
>> Kostya
>>
>> Kozlov wrote:
>>> Simo Sorce wrote:
>>>> On Tue, 2008-11-11 at 17:10 +0300, Konstantin Kozlov wrote:
>>>>> I suspect that the system was unhappy with rc4-hmac in 
>>>>> ipa-getkeytab command as it is not listed in supported enctypes. Is 
>>>>> it possible?
>>>>
>>>> Does not seem likely.
>>>> Do you have problems only on the Windows box? Or on any client, 
>>>> including the IPA server?
>>>>
>>>> Simo.
>>>>
>>>
>>> WinXP never worked for me yet. I've got the GSSAPI error on ipaserver - 
>>> Fedora9 and ipaclient CentOS 5. It makes the webgui and ipa tools 
>>> unusable, but surprisingly logging in with ipauser and automounting 
>>> the home dir still work on ipaserver. I've failed to configure the 
>>> automounter on ipaclient.
>>>
>>> I've tried to change the 127.0.0.1 in krb5.conf to 
>>> ipaserver.example.com but it didn't help.
>>>
>>> Kostya
>>>
>>> _______________________________________________
>>> Freeipa-users mailing list
>>> Freeipa-users at redhat.com
>>> https://www.redhat.com/mailman/listinfo/freeipa-users
>>>
-- 
Konstantin Kozlov
Department of Computational Biology,
Center for Advanced Studies,
SPb State Polytechnical University,
195251, Polytechnicheskaya ul., 29,
bld 4, office 204,
St.Petersburg, Russia.

Tel./fax: +7 812 596 2831
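Rob's test above (kinit works, ldapsearch -Y GSSAPI fails in gss_accept_sec_context) narrows the problem to the acceptor side: the client already holds a service ticket for ldap/<host>, and the directory server cannot decrypt it with its keytab. The script below is an added example, not code from this thread or from FreeIPA; it parses the output of klist -e, kvno and klist -ke offline to tell a stale key version or a missing enctype in the keytab from a ticket the client never obtained. The principal ldap/ipaserver.example.com@EXAMPLE.COM, the keytab path /etc/dirsrv/ds.keytab and the sample listings are constructed for illustration.

```shell
#!/bin/sh
# Added example, not from the thread or FreeIPA: offline checks for the
# "GSSAPI Failure: gss_accept_sec_context" symptom. gss_accept_sec_context is
# the acceptor (LDAP server) half of the handshake, so the client already holds
# a service ticket and the server could not decrypt it with its keytab. The two
# usual causes are a stale key version (kvno) and a ticket enctype the keytab
# lacks. Principal, realm and keytab path are assumptions for illustration.

SVC='ldap/ipaserver.example.com@EXAMPLE.COM'   # assumed service principal

# ticket_enctype CACHE_LISTING PRINCIPAL
# Given the text of `klist -e`, print the enctype the KDC used for the service
# ticket of PRINCIPAL (the "tkt" half of its "Etype (skey, tkt):" line).
ticket_enctype() {
    printf '%s\n' "$1" | awk -v p="$2" '
        index($0, p) { found = 1; next }
        found && /Etype \(skey, tkt\):/ {
            sub(/.*tkt\): /, "")     # drop the label
            sub(/^[^,]*, */, "")     # drop the session-key enctype
            sub(/[ \t]*$/, "")       # klist leaves a trailing blank
            print; exit
        }'
}

# ticket_kvno KVNO_OUTPUT PRINCIPAL
# Given the text of `kvno PRINCIPAL`, print the key version the ticket uses.
ticket_kvno() {
    printf '%s\n' "$1" | awk -v p="$2" '$1 == p ":" { print $NF; exit }'
}

# keytab_has_key KEYTAB_LISTING PRINCIPAL KVNO ENCTYPE
# Given the text of `klist -ke KEYTAB`, succeed only if an entry matches all of
# PRINCIPAL, KVNO and ENCTYPE; the acceptor needs exactly that key.
keytab_has_key() {
    printf '%s\n' "$1" | awk -v p="$2" -v k="$3" -v e="$4" '
        $1 == k && $2 == p && $3 == "(" e ")" { ok = 1 }
        END { exit ok ? 0 : 1 }'
}

# check_acceptor CACHE_LISTING KVNO_OUTPUT KEYTAB_LISTING PRINCIPAL
# Returns 0 when the keytab can decrypt the ticket, 1 when it cannot, 2 when
# there is no service ticket at all (then the failure is on the initiator side).
check_acceptor() {
    etype=$(ticket_enctype "$1" "$4")
    kvno=$(ticket_kvno "$2" "$4")
    if [ -z "$etype" ] || [ -z "$kvno" ]; then
        echo "no service ticket for $4: the client never got one, look at krb5.conf/DNS"
        return 2
    fi
    if keytab_has_key "$3" "$4" "$kvno" "$etype"; then
        echo "keytab has $4 kvno $kvno ($etype): acceptor can decrypt the ticket"
        return 0
    fi
    echo "keytab lacks $4 kvno $kvno ($etype): stale keytab, re-run ipa-getkeytab"
    return 1
}

# Constructed sample listings in the layout klist and kvno print; the enctype
# names are whatever your klist prints, so both listings must come from the
# same machine. Real output would replace these.
SAMPLE_CACHE='Ticket cache: FILE:/tmp/krb5cc_0
Default principal: admin@EXAMPLE.COM

Valid starting     Expires            Service principal
11/12/08 15:00:00  11/13/08 15:00:00  krbtgt/EXAMPLE.COM@EXAMPLE.COM
        Etype (skey, tkt): aes256-cts-hmac-sha1-96, aes256-cts-hmac-sha1-96 
11/12/08 15:00:05  11/13/08 15:00:00  ldap/ipaserver.example.com@EXAMPLE.COM
        Etype (skey, tkt): arcfour-hmac, aes256-cts-hmac-sha1-96 '
SAMPLE_KVNO='ldap/ipaserver.example.com@EXAMPLE.COM: kvno = 3'
SAMPLE_KEYTAB_STALE='Keytab name: FILE:/etc/dirsrv/ds.keytab
KVNO Principal
---- --------------------------------------------------------------------------
   2 ldap/ipaserver.example.com@EXAMPLE.COM (aes256-cts-hmac-sha1-96) '
SAMPLE_KEYTAB_GOOD='Keytab name: FILE:/etc/dirsrv/ds.keytab
KVNO Principal
---- --------------------------------------------------------------------------
   3 ldap/ipaserver.example.com@EXAMPLE.COM (aes256-cts-hmac-sha1-96) 
   3 ldap/ipaserver.example.com@EXAMPLE.COM (arcfour-hmac) '

# Stand-alone run over the constructed samples: first verdict fails, second passes.
for kt in "$SAMPLE_KEYTAB_STALE" "$SAMPLE_KEYTAB_GOOD"; do
    check_acceptor "$SAMPLE_CACHE" "$SAMPLE_KVNO" "$kt" "$SVC" || true
done
```

On a live box the three inputs come from, in order, kinit admin, the ldapsearch -Y GSSAPI call from Rob's reply, klist -e, kvno ldap/$(hostname -f) and klist -ke /etc/dirsrv/ds.keytab (path assumed). Two caveats worth checking by eye as well: the service principal klist -e shows is derived from the hostname the client connected to, so a krb5.conf or /etc/hosts that maps the server to 127.0.0.1 or a short name can make the client ask for a principal the keytab does not hold at all; and if klist -e shows no ldap/ ticket, the failure is on the initiator side and this script reports that rather than blaming the keytab.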