[Freeipa-users] GSSAPI Failure

Konstantin Kozlov kozlov at spbcas.ru
Fri Nov 14 07:40:45 UTC 2008


Hello,

Dmitri, thanks for reply.

I don't have EXAMPLE.COM, I changed the domain to this value in the 
posts to be consistent with different examples. The domain is 
BIO.SPBCAS.RU everywhere it should be.

Kostya

Dmitri Pal writes:
> It seems you have a mismatch between how the kerberos server thinks 
> about itself and what the client thinks about it.
> The fact that you have ticket against EXAMPLE.COM makes me think that 
> the server thinks about itself as example.com.
> 
> But I am not a specialist. Just trying to understand this myself, so 
> sorry if this observation won't be correct or  helpful.
> Thanks
> Dmitri
> 
> Konstantin Kozlov wrote:
>> Hello,
>>
>> no, I am not using EXAMPLE.COM
>>
>> Is ipa 1.2 usable on fedora or centos?
>>
>> server krb5.conf:
>>
>> [logging]
>>  default = FILE:/var/log/krb5libs.log
>>  kdc = FILE:/var/log/krb5kdc.log
>>  admin_server = FILE:/var/log/kadmind.log
>>
>> [libdefaults]
>>  default_realm = BIO.SPBCAS.RU
>>  dns_lookup_realm = true
>>  dns_lookup_kdc = true
>>  ticket_lifetime = 24h
>>  forwardable = yes
>>
>> [realms]
>>  BIO.SPBCAS.RU = {
>>   kdc = hedgehog.bio.spbcas.ru:88
>>   admin_server = hedgehog.bio.spbcas.ru:749
>>   default_domain = bio.spbcas.ru
>> }
>>
>> [domain_realm]
>>  .bio.spbcas.ru = BIO.SPBCAS.RU
>>  bio.spbcas.ru = BIO.SPBCAS.RU
>>
>> [appdefaults]
>>  pam = {
>>    debug = false
>>    ticket_lifetime = 36000
>>    renew_lifetime = 36000
>>    forwardable = yes
>>    krb4_convert = false
>>  }
>>
>> [dbmodules]
>>   BIO.SPBCAS.RU = {
>>     db_library = kldap
>>     ldap_servers = ldap://127.0.0.1/
>>     ldap_kerberos_container_dn = cn=kerberos,dc=bio,dc=spbcas,dc=ru
>>     ldap_kdc_dn = uid=kdc,cn=sysaccounts,cn=etc,dc=bio,dc=spbcas,dc=ru
>>     ldap_kadmind_dn = uid=kdc,cn=sysaccounts,cn=etc,dc=bio,dc=spbcas,dc=ru
>>     ldap_service_password_file = /var/kerberos/krb5kdc/ldappwd
>>   }
>>
>> Client krb5.conf:
>>
>> #File modified by ipa-client-install
>>
>> [libdefaults]
>>   default_realm = BIO.SPBCAS.RU
>>   dns_lookup_realm = true
>>   dns_lookup_kdc = true
>>   ticket_lifetime = 24h
>>   forwardable = yes
>>
>> [domain_realm]
>>   .bio.spbcas.ru = BIO.SPBCAS.RU
>>   bio.spbcas.ru = BIO.SPBCAS.RU
>>
>> [appdefaults]
>>   pam = {
>>     debug = false
>>     ticket_lifetime = 36000
>>     renew_lifetime = 36000
>>     forwardable = true
>>     krb4_convert = false
>>   }
>>
>> NTP, DNS and DHCP are on another server, they were set up a lot earlier 
>> and working.
>>
>> Does the ldapsearch error indicate that FDS fails and not IPA?
>>
>> Kostya
>>
>> Simo Sorce writes:
>>> On Fri, 2008-11-14 at 07:29 +0300, Kozlov wrote:
>>>> Simo Sorce writes:
>>>>> On Thu, 2008-11-13 at 17:03 +0300, Konstantin Kozlov wrote:
>>>>>> Unfortunately it doesn't change my situation.
>>>>>>
>>>>>> So is it the dead end?
>>>>> Have you done a kinit again after you changed it ?
>>>>> What does klist -f show you ?
>>>>>
>>>> Hello,
>>>>
>>>> Thank you for not giving up Simo!
>>>>
>>>> Here is the log:
>>>>
>>>> [root at ipaserver ~]# klist -f
>>>> Ticket cache: FILE:/tmp/krb5cc_0
>>>> Default principal: admin at EXAMPLE.COM
>>>>
>>>> Valid starting     Expires            Service principal
>>>> 11/13/08 16:54:34  11/14/08 16:54:30  krbtgt/EXAMPLE.COM at EXAMPLE.COM
>>>>     Flags: FIA
>>>> 11/13/08 16:54:55  11/14/08 16:54:30  HTTP/ipaserver.example.com at EXAMPLE.COM
>>>>     Flags: FAT
>>>>
>>>>
>>>> Kerberos 4 ticket cache: /tmp/tkt0
>>>> klist: You have no tickets cached
>>>> [root at ipaserver ~]# ipa-finduser admin
>>>> Connection to database failed: Invalid credentials: SASL(-13): authentication failure: GSSAPI Failure: gss_accept_sec_context
>>>> [root at ipaserver ~]# ldapsearch -Y GSSAPI -b "dc=bio,dc=spbcas,dc=ru" uid admin
>>>> SASL/GSSAPI authentication started
>>>> ldap_sasl_interactive_bind_s: Invalid credentials (49)
>>>> [root at ipaserver ~]# kdestroy
>>>> [root at ipaserver ~]# kinit admin
>>>> Password for admin at EXAMPLE.COM:
>>>> [root at ipaserver ~]# klist -f
>>>> Ticket cache: FILE:/tmp/krb5cc_0
>>>> Default principal: admin at EXAMPLE.COM
>>>>
>>>> Valid starting     Expires            Service principal
>>>> 11/14/08 07:23:02  11/15/08 07:22:58  krbtgt/EXAMPLE.COM at EXAMPLE.COM
>>>>     Flags: FIA
>>>>
>>>>
>>>> Kerberos 4 ticket cache: /tmp/tkt0
>>>> klist: You have no tickets cached
>>>> [root at ipaserver ~]# ipa-finduser admin
>>>> Connection to database failed: Invalid credentials: SASL(-13): authentication failure: GSSAPI Failure: gss_accept_sec_context
>>>> [root at ipaserver ~]# ldapsearch -Y GSSAPI -b "dc=example,dc=com" uid admin
>>>> SASL/GSSAPI authentication started
>>>> ldap_sasl_interactive_bind_s: Invalid credentials (49)
>>>>
>>>> Can it be a hardware related problem? The machine is rather old - HP 
>>>> NetServer Pentium 3, 500 GHz, 512 MB.
>>>
>>> Ok I think I know what it is if you are really using EXAMPLE.COM
>>> Before freeipa 1.2.0 we were not changing krb5.conf if the realm name
>>> used was EXAMPLE.COM (ie the default example).
>>>
>>> Can you post your server and client krb5.conf files ?
>>>
>>> Otherwise you can also try rebuilding your IPA server using a different
>>> realm name than EXAMPLE.COM
>>>
>>> Simo.
>>>
>>
> 
> 


-- 
Konstantin Kozlov
Department of Computational Biology,
Center for Advanced Studies,
SPb State Polytechnical University,
195251, Polytechnicheskaya ul., 29,
bld 4, office 204,
St.Petersburg, Russia.

Tel./fax: +7 812 596 2831
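The thread's symptom is a ticket cache holding EXAMPLE.COM tickets while krb5.conf declares BIO.SPBCAS.RU, which is exactly the mismatch the GSSAPI bind trips over. The following is an added example (not code from the thread or from FreeIPA) that cross-checks the realms named in a krb5.conf against those in `klist -f` output; the sample inputs are constructed to mirror the files and output quoted above.

```python
import re

# Constructed krb5.conf fragment, modelled on the client file quoted in the thread.
KRB5_CONF = """\
[libdefaults]
 default_realm = BIO.SPBCAS.RU
 dns_lookup_realm = true
[realms]
 BIO.SPBCAS.RU = {
  kdc = hedgehog.bio.spbcas.ru:88
 }
[domain_realm]
 .bio.spbcas.ru = BIO.SPBCAS.RU
 bio.spbcas.ru = BIO.SPBCAS.RU
"""

# Constructed klist -f output, modelled on the cache shown in the thread.
KLIST_OUTPUT = """\
Ticket cache: FILE:/tmp/krb5cc_0
Default principal: admin@EXAMPLE.COM

Valid starting     Expires            Service principal
11/14/08 07:23:02  11/15/08 07:22:58  krbtgt/EXAMPLE.COM@EXAMPLE.COM
    Flags: FIA
"""

def configured_realms(conf):
    """Realms krb5.conf knows: default_realm, [realms] block names, [domain_realm] targets."""
    section, default, realms = None, None, set()
    for raw in conf.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = re.match(r"\[(\w+)\]$", line)
        if m:
            section = m.group(1)
            continue
        if section == "libdefaults" and line.startswith("default_realm"):
            default = line.split("=", 1)[1].strip()
            realms.add(default)
        elif section == "realms" and line.endswith("{"):
            realms.add(line.split("=", 1)[0].strip())   # "REALM = {" opens a block
        elif section == "domain_realm" and "=" in line:
            realms.add(line.split("=", 1)[1].strip())
    return {"default": default, "all": realms}

def cached_realms(klist):
    """Realms in the ticket cache: the default principal's realm and each krbtgt realm."""
    found = set(re.findall(r"^Default principal:\s*\S+@(\S+)", klist, re.M))
    found.update(re.findall(r"krbtgt/\S+@(\S+)", klist))
    return found

def realm_mismatches(conf, klist):
    """Cache realms absent from krb5.conf; an empty list means the two agree."""
    return sorted(cached_realms(klist) - configured_realms(conf)["all"])
```

A non-empty result means the tickets were issued by a KDC that calls itself something other than what krb5.conf expects, so a fresh kinit after fixing the config (or rebuilding with the intended realm, as Simo suggests) is the next step.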