[Freeipa-users] GSSAPI Failure

Dmitri Pal dpal at redhat.com
Fri Nov 14 07:18:18 UTC 2008


It seems you have a mismatch between how the Kerberos server thinks 
about itself and what the client thinks about it.
The fact that you have a ticket against EXAMPLE.COM makes me think that 
the server thinks about itself as example.com.

But I am not a specialist. Just trying to understand this myself, so 
sorry if this observation isn't correct or helpful. 

Thanks
Dmitri

Konstantin Kozlov wrote:
> Hello,
>
> No, I am not using EXAMPLE.COM.
>
> Is IPA 1.2 usable on Fedora or CentOS?
>
> server krb5.conf:
>
> [logging]
>  default = FILE:/var/log/krb5libs.log
>  kdc = FILE:/var/log/krb5kdc.log
>  admin_server = FILE:/var/log/kadmind.log
>
> [libdefaults]
>  default_realm = BIO.SPBCAS.RU
>  dns_lookup_realm = true
>  dns_lookup_kdc = true
>  ticket_lifetime = 24h
>  forwardable = yes
>
> [realms]
>  BIO.SPBCAS.RU = {
>   kdc = hedgehog.bio.spbcas.ru:88
>   admin_server = hedgehog.bio.spbcas.ru:749
>   default_domain = bio.spbcas.ru
> }
>
> [domain_realm]
>  .bio.spbcas.ru = BIO.SPBCAS.RU
>  bio.spbcas.ru = BIO.SPBCAS.RU
>
> [appdefaults]
>  pam = {
>    debug = false
>    ticket_lifetime = 36000
>    renew_lifetime = 36000
>    forwardable = yes
>    krb4_convert = false
>  }
>
> [dbmodules]
>   BIO.SPBCAS.RU = {
>     db_library = kldap
>     ldap_servers = ldap://127.0.0.1/
>     ldap_kerberos_container_dn = cn=kerberos,dc=bio,dc=spbcas,dc=ru
>     ldap_kdc_dn = uid=kdc,cn=sysaccounts,cn=etc,dc=bio,dc=spbcas,dc=ru
>     ldap_kadmind_dn = uid=kdc,cn=sysaccounts,cn=etc,dc=bio,dc=spbcas,dc=ru
>     ldap_service_password_file = /var/kerberos/krb5kdc/ldappwd
>   }
>
> Client krb5.conf:
>
> #File modified by ipa-client-install
>
> [libdefaults]
>   default_realm = BIO.SPBCAS.RU
>   dns_lookup_realm = true
>   dns_lookup_kdc = true
>   ticket_lifetime = 24h
>   forwardable = yes
>
> [domain_realm]
>   .bio.spbcas.ru = BIO.SPBCAS.RU
>   bio.spbcas.ru = BIO.SPBCAS.RU
>
> [appdefaults]
>   pam = {
>     debug = false
>     ticket_lifetime = 36000
>     renew_lifetime = 36000
>     forwardable = true
>     krb4_convert = false
>   }
>
> NTP, DNS and DHCP are on another server; they were set up a lot earlier 
> and are working.
>
> Does the ldapsearch error indicate that FDS fails and not IPA?
>
> Kostya
>
> Simo Sorce wrote:
>> On Fri, 2008-11-14 at 07:29 +0300, Kozlov wrote:
>>> Simo Sorce wrote:
>>>> On Thu, 2008-11-13 at 17:03 +0300, Konstantin Kozlov wrote:
>>>>> Unfortunately it doesn't change my situation.
>>>>>
>>>>> So is it the dead end?
>>>> Have you done a kinit again after you changed it ?
>>>> What does klist -f show you ?
>>>>
>>> Hello,
>>>
>>> Thank you for not giving up Simo!
>>>
>>> Here is the log:
>>>
>>> [root@ipaserver ~]# klist -f
>>> Ticket cache: FILE:/tmp/krb5cc_0
>>> Default principal: admin@EXAMPLE.COM
>>>
>>> Valid starting     Expires            Service principal
>>> 11/13/08 16:54:34  11/14/08 16:54:30  krbtgt/EXAMPLE.COM@EXAMPLE.COM
>>>     Flags: FIA
>>> 11/13/08 16:54:55  11/14/08 16:54:30  HTTP/ipaserver.example.com@EXAMPLE.COM
>>>     Flags: FAT
>>>
>>>
>>> Kerberos 4 ticket cache: /tmp/tkt0
>>> klist: You have no tickets cached
>>> [root@ipaserver ~]# ipa-finduser admin
>>> Connection to database failed: Invalid credentials: SASL(-13): 
>>> authentication failure: GSSAPI Failure: gss_accept_sec_context
>>> [root@ipaserver ~]# ldapsearch -Y GSSAPI -b "dc=bio,dc=spbcas,dc=ru" uid admin
>>> SASL/GSSAPI authentication started
>>> ldap_sasl_interactive_bind_s: Invalid credentials (49)
>>> [root@ipaserver ~]# kdestroy
>>> [root@ipaserver ~]# kinit admin
>>> Password for admin@EXAMPLE.COM:
>>> [root@ipaserver ~]# klist -f
>>> Ticket cache: FILE:/tmp/krb5cc_0
>>> Default principal: admin@EXAMPLE.COM
>>>
>>> Valid starting     Expires            Service principal
>>> 11/14/08 07:23:02  11/15/08 07:22:58  krbtgt/EXAMPLE.COM@EXAMPLE.COM
>>>     Flags: FIA
>>>
>>>
>>> Kerberos 4 ticket cache: /tmp/tkt0
>>> klist: You have no tickets cached
>>> [root@ipaserver ~]# ipa-finduser admin
>>> Connection to database failed: Invalid credentials: SASL(-13): 
>>> authentication failure: GSSAPI Failure: gss_accept_sec_context
>>> [root@ipaserver ~]# ldapsearch -Y GSSAPI -b "dc=example,dc=com" uid admin
>>> SASL/GSSAPI authentication started
>>> ldap_sasl_interactive_bind_s: Invalid credentials (49)
>>>
>>> Can it be a hardware related problem? The machine is rather old - HP 
>>> NetServer Pentium 3, 500 GHz, 512 MB.
>>
>> OK, I think I know what it is, if you are really using EXAMPLE.COM.
>> Before FreeIPA 1.2.0 we were not changing krb5.conf if the realm name
>> used was EXAMPLE.COM (i.e. the default example).
>>
>> Can you post your server and client krb5.conf files?
>>
>> Otherwise you can also try rebuilding your IPA server using a different
>> realm name than EXAMPLE.COM.
>>
>> Simo.
>>
>
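The thread above shows the symptom (a TGT for admin@EXAMPLE.COM in the cache while every krb5.conf points at BIO.SPBCAS.RU, and a GSSAPI bind failing with "Invalid credentials (49)"), but the diagnosis had to be read by eye from klist -f and two krb5.conf files. The script below is an added example, not code from the thread or from FreeIPA, that automates that cross-check in POSIX sh: it pulls default_realm out of [libdefaults], the realm out of the credential cache's "Default principal:" line, and the realm that [domain_realm] maps the LDAP server's hostname to (longest-suffix rule, falling back to default_realm), then reports whether the cached TGT can obtain a service ticket for ldap/HOST at all. The krb5.conf text is copied from the client config posted in the thread; the "bad" klist output is the one posted in the thread; the "good" klist output and the choice of hedgehog.bio.spbcas.ru as the LDAP server (the thread only names it as KDC) are assumptions made for the example. In practice feed it `cat /etc/krb5.conf`, `klist -f` and the LDAP server's FQDN.

```sh
#!/bin/sh
# Added example, not code from the thread or from FreeIPA.
# Three realm sources must agree before a GSSAPI LDAP bind can succeed:
#   1. default_realm in [libdefaults] of krb5.conf
#   2. the realm of the default principal in the credential cache (klist -f)
#   3. the realm krb5.conf maps the LDAP server's hostname to ([domain_realm],
#      longest-suffix match, falling back to default_realm)
# A TGT from realm X can only obtain ldap/host@Y when X == Y (or a cross-realm
# trust exists); this is exactly the EXAMPLE.COM vs BIO.SPBCAS.RU mismatch above.

# Sample config: copied from the client krb5.conf posted in the thread (trimmed).
KRB5_CONF_SAMPLE='[libdefaults]
  default_realm = BIO.SPBCAS.RU
  dns_lookup_realm = true
  dns_lookup_kdc = true

[domain_realm]
  .bio.spbcas.ru = BIO.SPBCAS.RU
  bio.spbcas.ru = BIO.SPBCAS.RU

[appdefaults]
  pam = {
    debug = false
  }'

# Sample klist -f output: the failing cache from the thread.
KLIST_BAD='Ticket cache: FILE:/tmp/krb5cc_0
Default principal: admin@EXAMPLE.COM

Valid starting     Expires            Service principal
11/14/08 07:23:02  11/15/08 07:22:58  krbtgt/EXAMPLE.COM@EXAMPLE.COM
    Flags: FIA'

# Constructed (assumption): what a healthy cache for this realm would look like.
KLIST_GOOD='Ticket cache: FILE:/tmp/krb5cc_0
Default principal: admin@BIO.SPBCAS.RU

Valid starting     Expires            Service principal
11/14/08 07:23:02  11/15/08 07:22:58  krbtgt/BIO.SPBCAS.RU@BIO.SPBCAS.RU
    Flags: FIA'

# Assumed LDAP server hostname; the thread only names this host as the KDC.
TARGET_HOST=hedgehog.bio.spbcas.ru

# conf_default_realm: print default_realm from the [libdefaults] section on stdin.
conf_default_realm() {
    sed -n '/^\[libdefaults\]/,/^\[/{s/^[[:space:]]*default_realm[[:space:]]*=[[:space:]]*//p;}'
}

# cache_realm: print the realm of the "Default principal:" line of klist output on stdin.
cache_realm() {
    sed -n 's/^Default principal:[[:space:]]*[^@]*@//p'
}

# realm_for_host HOST CONF: apply the [domain_realm] rules (a leading dot means
# "any host under this domain", otherwise an exact host match); the longest
# matching rule wins; with no matching rule the answer is default_realm.
realm_for_host() {
    rfh_host=$1; rfh_conf=$2; rfh_best=''; rfh_bestlen=0
    for rfh_entry in $(printf '%s\n' "$rfh_conf" \
            | sed -n '/^\[domain_realm\]/,/^\[/p' | grep = | tr -d ' \t' || true); do
        rfh_dom=${rfh_entry%%=*}; rfh_realm=${rfh_entry#*=}
        case $rfh_dom in
            .*) case $rfh_host in *"$rfh_dom") ;; *) continue ;; esac ;;
            *)  [ "$rfh_host" = "$rfh_dom" ] || continue ;;
        esac
        if [ ${#rfh_dom} -gt "$rfh_bestlen" ]; then
            rfh_best=$rfh_realm; rfh_bestlen=${#rfh_dom}
        fi
    done
    if [ -n "$rfh_best" ]; then
        printf '%s\n' "$rfh_best"
    else
        printf '%s\n' "$rfh_conf" | conf_default_realm
    fi
}

# check_realms CONF KLIST HOST: returns 0 when the cached TGT's realm is the
# realm of ldap/HOST, 1 otherwise; prints the three values so the user sees why.
check_realms() {
    cr_conf_realm=$(printf '%s\n' "$1" | conf_default_realm)
    cr_cc_realm=$(printf '%s\n' "$2" | cache_realm)
    cr_svc_realm=$(realm_for_host "$3" "$1")
    echo "krb5.conf default_realm : ${cr_conf_realm:-<none>}"
    echo "credential cache realm  : ${cr_cc_realm:-<none>}"
    echo "realm of ldap/$3: ${cr_svc_realm:-<none>}"
    if [ -n "$cr_cc_realm" ] && [ "$cr_cc_realm" = "$cr_svc_realm" ]; then
        echo "OK: the TGT can obtain ldap/$3@$cr_svc_realm"
        return 0
    fi
    echo "MISMATCH: a TGT for ${cr_cc_realm:-<none>} cannot obtain ldap/$3@${cr_svc_realm:-<none>};" \
         "run kdestroy, fix the realm in krb5.conf, kinit again and recheck with klist -f"
    return 1
}

# Run both constructed scenarios when executed directly.
check_realms "$KRB5_CONF_SAMPLE" "$KLIST_BAD"  "$TARGET_HOST" || true
echo
check_realms "$KRB5_CONF_SAMPLE" "$KLIST_GOOD" "$TARGET_HOST" || true
```

The parsing is deliberately limited to what the thread needs: it reads the explicit [domain_realm] rules and ignores dns_lookup_realm, so on a box where the mapping comes from DNS TXT records the third value can differ from what libkrb5 actually uses. The first scenario reproduces the thread's state and reports MISMATCH; a cache whose default principal is in BIO.SPBCAS.RU reports OK.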
