[Freeipa-users] GSSAPI Failure

Konstantin Kozlov kozlov at spbcas.ru
Fri Nov 14 06:04:17 UTC 2008


Hello,

No, I am not using EXAMPLE.COM

Is ipa 1.2 usable on fedora or centos?

server krb5.conf:

[logging]
  default = FILE:/var/log/krb5libs.log
  kdc = FILE:/var/log/krb5kdc.log
  admin_server = FILE:/var/log/kadmind.log

[libdefaults]
  default_realm = BIO.SPBCAS.RU
  dns_lookup_realm = true
  dns_lookup_kdc = true
  ticket_lifetime = 24h
  forwardable = yes

[realms]
  BIO.SPBCAS.RU = {
   kdc = hedgehog.bio.spbcas.ru:88
   admin_server = hedgehog.bio.spbcas.ru:749
   default_domain = bio.spbcas.ru
}

[domain_realm]
  .bio.spbcas.ru = BIO.SPBCAS.RU
  bio.spbcas.ru = BIO.SPBCAS.RU

[appdefaults]
  pam = {
    debug = false
    ticket_lifetime = 36000
    renew_lifetime = 36000
    forwardable = yes
    krb4_convert = false
  }

[dbmodules]
   BIO.SPBCAS.RU = {
     db_library = kldap
     ldap_servers = ldap://127.0.0.1/
     ldap_kerberos_container_dn = cn=kerberos,dc=bio,dc=spbcas,dc=ru
     ldap_kdc_dn = uid=kdc,cn=sysaccounts,cn=etc,dc=bio,dc=spbcas,dc=ru
     ldap_kadmind_dn = uid=kdc,cn=sysaccounts,cn=etc,dc=bio,dc=spbcas,dc=ru
     ldap_service_password_file = /var/kerberos/krb5kdc/ldappwd
   }

Client krb5.conf:

#File modified by ipa-client-install

[libdefaults]
   default_realm = BIO.SPBCAS.RU
   dns_lookup_realm = true
   dns_lookup_kdc = true
   ticket_lifetime = 24h
   forwardable = yes

[domain_realm]
   .bio.spbcas.ru = BIO.SPBCAS.RU
   bio.spbcas.ru = BIO.SPBCAS.RU

[appdefaults]
   pam = {
     debug = false
     ticket_lifetime = 36000
     renew_lifetime = 36000
     forwardable = true
     krb4_convert = false
   }

NTP, DNS and DHCP are on another server; they were set up a lot earlier
and are working.

Does the ldapsearch error indicate that FDS fails and not IPA?

Kostya

Simo Sorce writes:
> On Fri, 2008-11-14 at 07:29 +0300, Kozlov wrote:
>> Simo Sorce writes:
>>> On Thu, 2008-11-13 at 17:03 +0300, Konstantin Kozlov wrote:
>>>> Unfortunately it doesn't change my situation.
>>>>
>>>> So is it the dead end?
>>> Have you done a kinit again after you changed it ?
>>> What does klist -f show you ?
>>>
>> Hello,
>>
>> Thank you for not giving up Simo!
>>
>> Here is the log:
>>
>> [root at ipaserver ~]# klist -f
>> Ticket cache: FILE:/tmp/krb5cc_0
>> Default principal: admin at EXAMPLE.COM
>>
>> Valid starting     Expires            Service principal
>> 11/13/08 16:54:34  11/14/08 16:54:30  krbtgt/EXAMPLE.COM at EXAMPLE.COM
>> 	Flags: FIA
>> 11/13/08 16:54:55  11/14/08 16:54:30  HTTP/ipaserver.example.com at EXAMPLE.COM
>> 	Flags: FAT
>>
>>
>> Kerberos 4 ticket cache: /tmp/tkt0
>> klist: You have no tickets cached
>> [root at ipaserver ~]# ipa-finduser admin
>> Connection to database failed: Invalid credentials: SASL(-13): 
>> authentication failure: GSSAPI Failure: gss_accept_sec_context
>> [root at ipaserver ~]# ldapsearch -Y GSSAPI -b "dc=bio,dc=spbcas,dc=ru" uid 
>> admin
>> SASL/GSSAPI authentication started
>> ldap_sasl_interactive_bind_s: Invalid credentials (49)
>> [root at ipaserver ~]# kdestroy
>> [root at ipaserver ~]# kinit admin
>> Password for admin at EXAMPLE.COM:
>> [root at ipaserver ~]# klist -f
>> Ticket cache: FILE:/tmp/krb5cc_0
>> Default principal: admin at EXAMPLE.COM
>>
>> Valid starting     Expires            Service principal
>> 11/14/08 07:23:02  11/15/08 07:22:58  krbtgt/EXAMPLE.COM at EXAMPLE.COM
>> 	Flags: FIA
>>
>>
>> Kerberos 4 ticket cache: /tmp/tkt0
>> klist: You have no tickets cached
>> [root at ipaserver ~]# ipa-finduser admin
>> Connection to database failed: Invalid credentials: SASL(-13): 
>> authentication failure: GSSAPI Failure: gss_accept_sec_context
>> [root at ipaserver ~]# ldapsearch -Y GSSAPI -b "dc=example,dc=com" uid admin
>> SASL/GSSAPI authentication started
>> ldap_sasl_interactive_bind_s: Invalid credentials (49)
>>
>> Can it be a hardware related problem? The machine is rather old - HP 
>> NetServer Pentium 3, 500 GHz, 512 MB.
> 
> Ok I think I know what it is if you are really using EXAMPLE.COM
> Before freeipa 1.2.0 we were not changing krb5.conf if the realm name
> used was EXAMPLE.COM (ie the default example).
> 
> Can you post your server and client krb5.conf files ?
> 
> Otherwise you can also try rebuilding your IPA server using a different
> realm name than EXAMPLE.COM
> 
> Simo.
> 

-- 
Konstantin Kozlov
Department of Computational Biology,
Center for Advanced Studies,
SPb State Polytechnical University,
195251, Polytechnicheskaya ul., 29,
bld 4, office 204,
St.Petersburg, Russia.

Tel./fax: +7 812 596 2831
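The klist output quoted above shows a TGT and an HTTP service ticket issued by EXAMPLE.COM, while both krb5.conf files posted in this message name BIO.SPBCAS.RU as the default realm. The following script is an added example, not code from the thread or from FreeIPA: it parses a krb5.conf and the text of `klist -f` (both constructed here from the values quoted in the thread, with the archive's " at " written back as "@") and reports when the realm of the cached credentials disagrees with the realm the host is configured for. A mismatch of that kind is worth ruling out when an `ldapsearch -Y GSSAPI` bind is rejected with `Invalid credentials (49)`, since the directory server can only accept a GSSAPI context for a service principal whose key it actually holds. The parser handles the braced `REALM = { ... }` subsections used in `[realms]` and `[dbmodules]`, so it also works on the fuller server file posted above.

```python
"""Realm-consistency check for a Kerberos/LDAP GSSAPI failure (added example)."""
import re

# Constructed input: the server krb5.conf from the thread, trimmed to the
# sections the check needs.
KRB5_CONF = """\
[libdefaults]
  default_realm = BIO.SPBCAS.RU
  dns_lookup_realm = true

[realms]
  BIO.SPBCAS.RU = {
   kdc = hedgehog.bio.spbcas.ru:88
   admin_server = hedgehog.bio.spbcas.ru:749
  }

[domain_realm]
  .bio.spbcas.ru = BIO.SPBCAS.RU
  bio.spbcas.ru = BIO.SPBCAS.RU
"""

# Constructed input: the first `klist -f` output quoted in the thread.
KLIST_OUTPUT = """\
Ticket cache: FILE:/tmp/krb5cc_0
Default principal: admin@EXAMPLE.COM

Valid starting     Expires            Service principal
11/13/08 16:54:34  11/14/08 16:54:30  krbtgt/EXAMPLE.COM@EXAMPLE.COM
\tFlags: FIA
11/13/08 16:54:55  11/14/08 16:54:30  HTTP/ipaserver.example.com@EXAMPLE.COM
\tFlags: FAT
"""


def parse_krb5_conf(text):
    """Return {section: {key: value}}; braced subsections become nested dicts."""
    conf, section, sub = {}, None, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments and whitespace
        if not line:
            continue
        m = re.match(r"\[(\w+)\]$", line)
        if m:                                # new [section]
            section = conf.setdefault(m.group(1), {})
            sub = None
            continue
        if section is None:                  # key outside any section: ignore
            continue
        if line.endswith("{"):               # start of `NAME = {`
            sub = section.setdefault(line[:-1].rstrip(" =").strip(), {})
            continue
        if line == "}":                      # end of the braced subsection
            sub = None
            continue
        key, _, value = line.partition("=")
        (sub if sub is not None else section)[key.strip()] = value.strip()
    return conf


def parse_klist(text):
    """Return (default principal, [service principals]) from `klist -f` text."""
    default, services = None, []
    for line in text.splitlines():
        if line.startswith("Default principal:"):
            default = line.split(":", 1)[1].strip()
        elif re.match(r"\d\d/\d\d/\d\d ", line):  # ticket rows start with a date
            services.append(line.split()[-1])     # service principal is last
    return default, services


def realm_of(principal):
    """Realm part of user@REALM or service/host@REALM."""
    return principal.rsplit("@", 1)[1]


def check_realms(krb5_conf_text, klist_text):
    """Return a list of findings; an empty list means ticket and config agree."""
    conf = parse_krb5_conf(krb5_conf_text)
    configured = conf.get("libdefaults", {}).get("default_realm")
    known = set(conf.get("realms", {})) | set(conf.get("domain_realm", {}).values())
    principal, services = parse_klist(klist_text)
    if principal is None:
        return ["no credentials cached; run kinit first"]
    findings = []
    ticket_realm = realm_of(principal)
    if ticket_realm != configured:
        findings.append(f"TGT realm {ticket_realm} differs from default_realm {configured}")
    if ticket_realm not in known:
        findings.append(f"realm {ticket_realm} has no [realms] or [domain_realm] entry")
    for svc in services:
        if not svc.startswith("krbtgt/") and realm_of(svc) != configured:
            findings.append(f"service ticket {svc} is not from realm {configured}")
    return findings


if __name__ == "__main__":
    for finding in check_realms(KRB5_CONF, KLIST_OUTPUT) or ["realms consistent"]:
        print(finding)
```

Run against the constructed inputs it reports three findings: the TGT realm, the missing realm mapping, and the HTTP service ticket, all pointing at EXAMPLE.COM rather than BIO.SPBCAS.RU. On a host where `kinit` was done against the realm named in krb5.conf the list is empty, which is the state to reach before blaming the directory server or the hardware.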