#2530 ipa commands after upgrade return Insufficient access: KDC returned NOT_ALLOWED_TO_DELEGATE
Status: Closed (Fixed). Opened 12 years ago by rcritten.

https://bugzilla.redhat.com/show_bug.cgi?id=803054 (Red Hat Enterprise Linux 6)

Description of problem:

IPA upgrades on RHEL6.2 from 2.1.3 to 2.2.0 seem to have an issue after the
upgrade.

# yum -y update 'ipa*'
...
# ipactl restart
...
# ipa user-find
ipa: ERROR: Insufficient access: KDC returned NOT_ALLOWED_TO_DELEGATE

I'm hoping this is straightforward and maybe even something I missed, but I
also tried updating everything as well as trying this:

# ipa-ldap-updater --ldapi /usr/share/ipa/updates/30-s4u2proxy.update
ipa         : INFO     Parsing file /usr/share/ipa/updates/30-s4u2proxy.update
ipa         : INFO     New entry: cn=s4u2proxy,cn=etc,dc=testrelm,dc=com
ipa         : INFO     New entry:
cn=ipa-http-delegation,cn=s4u2proxy,cn=etc,dc=testrelm,dc=com
ipa         : ERROR    Add failure 'NoneType' object is not callable
ipa         : INFO     New entry:
cn=ipa-ldap-delegation-targets,cn=s4u2proxy,cn=etc,dc=testrelm,dc=com
ipa         : ERROR    Add failure 'NoneType' object is not callable
ipa         : INFO     Update complete


Version-Release number of selected component (if applicable):

RHEL 6.2 pointing to RHEL 6.3 test repo and repo containing IPA 2.2.0-3 rpms.

How reproducible:

So far, always.

Steps to Reproduce:

1.  <Install IPA on RHEL6.2 server>
2.  kinit admin
3.  <add some content (users, groups, etc)>
4.  <add yum repo with RHEL 6.3 and 2.2.0-3 rpms>
5.  yum -y update 'ipa*'
6.  ipactl restart
7.  ipa user-find

Actual results:

command returns the following:

ipa: ERROR: Insufficient access: KDC returned NOT_ALLOWED_TO_DELEGATE

Expected results:

ipa command to run and return normal output.

Additional info:

/var/log/messages entry:

Mar 13 16:49:53 ibm-ls22-05 httpd: GSSAPI Error: Unspecified GSS failure.
Minor code may provide more information (KDC returned error string:
NOT_ALLOWED_TO_DELEGATE)


/var/log/krb5kdc.log entries:

Mar 13 16:49:53 HOSTNAME krb5kdc[17278](info): TGS_REQ (4 etypes {18 17 16 23})
10.34.54.41: NOT_ALLOWED_TO_DELEGATE: authtime 0,
HTTP/hostname.testrelm.com@TESTRELM.COM for
ldap/hostname.testrelm.com@TESTRELM.COM, Server error

Mar 13 16:49:53 hostname.testrelm.com krb5kdc[17279](info): TGS_REQ (4 etypes
{18 17 16 23}) 10.34.54.41: NOT_ALLOWED_TO_DELEGATE: authtime 0,
HTTP/hostname.testrelm.com@TESTRELM.COM for
ldap/hostname.testrelm.com@TESTRELM.COM, Server error
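As an added diagnostic example (not code from the ticket or from FreeIPA itself): parse krb5kdc.log for the NOT_ALLOWED_TO_DELEGATE rejections quoted above and check each rejected HTTP-to-ldap hop against a model of the cn=s4u2proxy entries that 30-s4u2proxy.update was supposed to create but, in this report, failed to add. The log lines are constructed from the ones in the report, and the attribute names memberPrincipal and ipaAllowedTarget are assumed, since the report does not quote the entry contents.

```python
import re

# Constructed sample, modelled on the krb5kdc.log lines in the report: one
# rejected S4U2proxy hop and one ordinary ticket issue that must be ignored.
KDC_LOG = (
    "Mar 13 16:49:53 HOSTNAME krb5kdc[17278](info): TGS_REQ (4 etypes {18 17 16 23}) "
    "10.34.54.41: NOT_ALLOWED_TO_DELEGATE: authtime 0, "
    "HTTP/hostname.testrelm.com@TESTRELM.COM for "
    "ldap/hostname.testrelm.com@TESTRELM.COM, Server error\n"
    "Mar 13 16:50:01 HOSTNAME krb5kdc[17278](info): TGS_REQ (4 etypes {18 17 16 23}) "
    "10.34.54.41: ISSUE: authtime 1331660993, etypes {rep=18 tkt=18 ses=18}, "
    "admin@TESTRELM.COM for ldap/hostname.testrelm.com@TESTRELM.COM\n"
)

# "<code>: authtime N, <client principal> for <target principal>, ..."
DELEGATION_DENIED = re.compile(
    r"NOT_ALLOWED_TO_DELEGATE: authtime \d+, (?P<client>\S+) for (?P<target>[^,\s]+)"
)

# Assumed shape of the s4u2proxy entries after a successful updater run:
# the HTTP principal may delegate to any principal listed in its allowed-target group.
BASE = "cn=s4u2proxy,cn=etc,dc=testrelm,dc=com"
WORKING_ACL = {
    f"cn=ipa-http-delegation,{BASE}": {
        "memberPrincipal": {"HTTP/hostname.testrelm.com@TESTRELM.COM"},
        "ipaAllowedTarget": {f"cn=ipa-ldap-delegation-targets,{BASE}"},
    },
    f"cn=ipa-ldap-delegation-targets,{BASE}": {
        "memberPrincipal": {"ldap/hostname.testrelm.com@TESTRELM.COM"},
    },
}
# What the failed "Add failure" run in the report leaves behind: no delegation rules.
BROKEN_ACL = {}


def failed_delegations(log):
    """Return (client, target) pairs for every TGS_REQ the KDC refused to delegate."""
    return [(m["client"], m["target"]) for m in DELEGATION_DENIED.finditer(log)]


def delegation_allowed(acl, client, target):
    """True if some rule names client as a member and target in one of its allowed-target groups."""
    for rule in acl.values():
        if client not in rule.get("memberPrincipal", set()):
            continue
        for group_dn in rule.get("ipaAllowedTarget", set()):
            if target in acl.get(group_dn, {}).get("memberPrincipal", set()):
                return True
    return False


def diagnose(log, acl):
    """Map each rejected hop in the log to whether the given ACL would permit it."""
    return {pair: delegation_allowed(acl, *pair) for pair in failed_delegations(log)}
```

Running diagnose() against the rules actually present in cn=s4u2proxy tells you whether the KDC refusal is explained by missing delegation entries, as in this report, or by a client or target principal that simply is not covered.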

This is an SELinux policy problem related to 389-ds. During the upgrade the ldapi socket's context is being changed so 389-ds can't be restarted.

Moving to next month iteration.

BZ closed as WORKSFORME:

I am going to go ahead and close this one as WORKSFORME since I cannot
reproduce the "symptom" since the following updates:

ipa-server 2.2.0-5
389-ds-base 1.2.10.2-4
selinux-policy-targeted 3.7.19-142

The selinux labelling issue is addressed in bug 799102 and my test results have
been posted there.

Metadata Update from @rcritten:
- Issue assigned to rcritten
- Issue set to the milestone: FreeIPA 2.2 Core Effort - 2012/04

7 years ago

