[Freeipa-users] GSSAPI Failure
Konstantin Kozlov
kozlov at spbcas.ru
Fri Nov 14 07:40:45 UTC 2008
Hello,
Dmitri, thanks for reply.
I don't have EXAMPLE.COM, I changed the domain to this value in the
posts to be consistent with different examples. The domain is
BIO.SPBCAS.RU everywhere it should be.
Kostya
Dmitri Pal writes:
> It seems you have a mismatch between how the kerberos server thinks
> about itself and what the client thinks about it.
> The fact that you have ticket against EXAMPLE.COM makes me think that
> the server thinks about itself as example.com.
>
> But I am not a specialist. Just trying to understand this myself, so
> sorry if this observation won't be correct or helpful.
> Thanks
> Dmitri
>
> Konstantin Kozlov wrote:
>> Hello,
>>
>> No, I am not using EXAMPLE.COM.
>>
>> Is ipa 1.2 usable on fedora or centos?
>>
>> server krb5.conf:
>>
>> [logging]
>> default = FILE:/var/log/krb5libs.log
>> kdc = FILE:/var/log/krb5kdc.log
>> admin_server = FILE:/var/log/kadmind.log
>>
>> [libdefaults]
>> default_realm = BIO.SPBCAS.RU
>> dns_lookup_realm = true
>> dns_lookup_kdc = true
>> ticket_lifetime = 24h
>> forwardable = yes
>>
>> [realms]
>> BIO.SPBCAS.RU = {
>> kdc = hedgehog.bio.spbcas.ru:88
>> admin_server = hedgehog.bio.spbcas.ru:749
>> default_domain = bio.spbcas.ru
>> }
>>
>> [domain_realm]
>> .bio.spbcas.ru = BIO.SPBCAS.RU
>> bio.spbcas.ru = BIO.SPBCAS.RU
>>
>> [appdefaults]
>> pam = {
>> debug = false
>> ticket_lifetime = 36000
>> renew_lifetime = 36000
>> forwardable = yes
>> krb4_convert = false
>> }
>>
>> [dbmodules]
>> BIO.SPBCAS.RU = {
>> db_library = kldap
>> ldap_servers = ldap://127.0.0.1/
>> ldap_kerberos_container_dn = cn=kerberos,dc=bio,dc=spbcas,dc=ru
>> ldap_kdc_dn = uid=kdc,cn=sysaccounts,cn=etc,dc=bio,dc=spbcas,dc=ru
>> ldap_kadmind_dn = uid=kdc,cn=sysaccounts,cn=etc,dc=bio,dc=spbcas,dc=ru
>> ldap_service_password_file = /var/kerberos/krb5kdc/ldappwd
>> }
>>
>> Client krb5.conf:
>>
>> #File modified by ipa-client-install
>>
>> [libdefaults]
>> default_realm = BIO.SPBCAS.RU
>> dns_lookup_realm = true
>> dns_lookup_kdc = true
>> ticket_lifetime = 24h
>> forwardable = yes
>>
>> [domain_realm]
>> .bio.spbcas.ru = BIO.SPBCAS.RU
>> bio.spbcas.ru = BIO.SPBCAS.RU
>>
>> [appdefaults]
>> pam = {
>> debug = false
>> ticket_lifetime = 36000
>> renew_lifetime = 36000
>> forwardable = true
>> krb4_convert = false
>> }
>>
>> NTP, DNS and DHCP are on another server; they were set up a lot earlier
>> and are working.
>>
>> Does the ldapsearch error indicate that FDS fails and not IPA?
>>
>> Kostya
>>
>> Simo Sorce writes:
>>> On Fri, 2008-11-14 at 07:29 +0300, Kozlov wrote:
>>>> Simo Sorce writes:
>>>>> On Thu, 2008-11-13 at 17:03 +0300, Konstantin Kozlov wrote:
>>>>>> Unfortunately it doesn't change my situation.
>>>>>>
>>>>>> So is it the dead end?
>>>>> Have you done a kinit again after you changed it ?
>>>>> What does klist -f show you ?
>>>>>
>>>> Hello,
>>>>
>>>> Thank you for not giving up Simo!
>>>>
>>>> Here is the log:
>>>>
>>>> [root at ipaserver ~]# klist -f
>>>> Ticket cache: FILE:/tmp/krb5cc_0
>>>> Default principal: admin at EXAMPLE.COM
>>>>
>>>> Valid starting Expires Service principal
>>>> 11/13/08 16:54:34 11/14/08 16:54:30 krbtgt/EXAMPLE.COM at EXAMPLE.COM
>>>> Flags: FIA
>>>> 11/13/08 16:54:55 11/14/08 16:54:30 HTTP/ipaserver.example.com at EXAMPLE.COM
>>>> Flags: FAT
>>>>
>>>>
>>>> Kerberos 4 ticket cache: /tmp/tkt0
>>>> klist: You have no tickets cached
>>>> [root at ipaserver ~]# ipa-finduser admin
>>>> Connection to database failed: Invalid credentials: SASL(-13):
>>>> authentication failure: GSSAPI Failure: gss_accept_sec_context
>>>> [root at ipaserver ~]# ldapsearch -Y GSSAPI -b "dc=bio,dc=spbcas,dc=ru" uid admin
>>>> SASL/GSSAPI authentication started
>>>> ldap_sasl_interactive_bind_s: Invalid credentials (49)
>>>> [root at ipaserver ~]# kdestroy
>>>> [root at ipaserver ~]# kinit admin
>>>> Password for admin at EXAMPLE.COM:
>>>> [root at ipaserver ~]# klist -f
>>>> Ticket cache: FILE:/tmp/krb5cc_0
>>>> Default principal: admin at EXAMPLE.COM
>>>>
>>>> Valid starting Expires Service principal
>>>> 11/14/08 07:23:02 11/15/08 07:22:58 krbtgt/EXAMPLE.COM at EXAMPLE.COM
>>>> Flags: FIA
>>>>
>>>>
>>>> Kerberos 4 ticket cache: /tmp/tkt0
>>>> klist: You have no tickets cached
>>>> [root at ipaserver ~]# ipa-finduser admin
>>>> Connection to database failed: Invalid credentials: SASL(-13):
>>>> authentication failure: GSSAPI Failure: gss_accept_sec_context
>>>> [root at ipaserver ~]# ldapsearch -Y GSSAPI -b "dc=example,dc=com" uid admin
>>>> SASL/GSSAPI authentication started
>>>> ldap_sasl_interactive_bind_s: Invalid credentials (49)
>>>>
>>>> Can it be a hardware related problem? The machine is rather old - HP
>>>> NetServer Pentium 3, 500 GHz, 512 MB.
>>>
>>> Ok, I think I know what it is if you are really using EXAMPLE.COM.
>>> Before freeipa 1.2.0 we were not changing krb5.conf if the realm name
>>> used was EXAMPLE.COM (i.e. the default example).
>>>
>>> Can you post your server and client krb5.conf files ?
>>>
>>> Otherwise you can also try rebuilding your IPA server using a different
>>> realm name than EXAMPLE.COM
>>>
>>> Simo.
>>>
>>
>
>
--
Konstantin Kozlov
Department of Computational Biology,
Center for Advanced Studies,
SPb State Polytechnical University,
195251, Polytechnicheskaya ul., 29,
bld 4, office 204,
St.Petersburg, Russia.
Tel./fax: +7 812 596 2831
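As a defender's sanity check for the realm mismatch Dmitri and Simo describe above, here is an added example (not code from the thread or from FreeIPA) that parses a krb5.conf and `klist -f` output and reports every place where the cached tickets disagree with `default_realm` and the `[domain_realm]` mapping. The sample inputs are constructed from the values quoted in the thread, with the archive's " at " restored to "@".

```python
import re

# Client krb5.conf from the thread, reduced to the sections this check reads.
KRB5_CONF = """\
[libdefaults]
default_realm = BIO.SPBCAS.RU
[domain_realm]
.bio.spbcas.ru = BIO.SPBCAS.RU
bio.spbcas.ru = BIO.SPBCAS.RU
"""

# Constructed klist -f output in the shape quoted in the thread ("at" restored to "@").
KLIST_OUTPUT = """\
Default principal: admin@EXAMPLE.COM
11/13/08 16:54:34  11/14/08 16:54:30  krbtgt/EXAMPLE.COM@EXAMPLE.COM
11/13/08 16:54:55  11/14/08 16:54:30  HTTP/ipaserver.example.com@EXAMPLE.COM
"""

def parse_krb5_conf(text):
    """Return {section: {key: value}} for top-level keys; 'NAME = { ... }' blocks are skipped."""
    conf, section, depth = {}, None, 0
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if line.startswith("[") and line.endswith("]"):
            section, depth = line[1:-1], 0
            conf.setdefault(section, {})
        elif line.endswith("{") or line == "}":
            depth += 1 if line.endswith("{") else -1
        elif "=" in line and section and depth == 0:
            key, _, value = (p.strip() for p in line.partition("="))
            conf[section][key] = value
    return conf

def realm_mismatches(conf_text, klist_text):
    """List the ways cached tickets disagree with krb5.conf (the mismatch behind the GSSAPI failure)."""
    conf = parse_krb5_conf(conf_text)
    default_realm = conf.get("libdefaults", {}).get("default_realm")
    domain_realm = conf.get("domain_realm", {})
    findings = []
    for principal in re.findall(r"\S+@[A-Z0-9.-]+", klist_text):
        name, realm = principal.rsplit("@", 1)
        if realm != default_realm:
            findings.append(f"{principal}: realm {realm} is not default_realm {default_realm}")
        if "/" in name and not name.startswith("krbtgt/"):
            host = name.split("/", 1)[1]   # service principal host part, e.g. ipaserver.example.com
            mapped = next((r for d, r in domain_realm.items()
                           if host == d or (d.startswith(".") and host.endswith(d))), None)
            if mapped != realm:
                findings.append(f"{principal}: [domain_realm] maps {host} to {mapped or 'nothing'}, ticket says {realm}")
    return findings
```

Run against the thread's values it reports four findings (three tickets issued by EXAMPLE.COM instead of BIO.SPBCAS.RU, plus the HTTP service host that no `[domain_realm]` entry covers); with the ticket realm and host renamed to match the configuration it reports none.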