One of the FreeIPA replicas is not able to use GSSAPI authentication to connect to the ldap server on itself or any other FreeIPA server. I'm not sure why. I added example.com to just replace the actual domains, we're not using that. I really don't fully understand how the krbprincipalname is used but as a thought I think maybe we have 2 ldap/ krbprincipal names for this host/service and it's using the wrong one for the mapping.
ipa-server-4.5.0
eu-ipa-02.example.com: replica
  last init status: None
  last init ended: 1970-01-01 00:00:00+00:00
  last update status: Error (49) Problem connecting to replica - LDAP error: Invalid credentials (connection error)
  last update ended: 1970-01-01 00:00:00+00:00
ipa-001.example.com: replica
  last init status: None
  last init ended: 1970-01-01 00:00:00+00:00
  last update status: Error (49) Problem connecting to replica - LDAP error: Invalid credentials (connection error)
  last update ended: 1970-01-01 00:00:00+00:00
rsdfw-ipa-01.example.com: replica
  last init status: None
  last init ended: 1970-01-01 00:00:00+00:00
  last update status: Error (49) Problem connecting to replica - LDAP error: Invalid credentials (connection error)
  last update ended: 1970-01-01 00:00:00+00:00
rsiad-ipa-01.example.com: replica
  last init status: None
  last init ended: 1970-01-01 00:00:00+00:00
  last update status: Error (49) Problem connecting to replica - LDAP error: Invalid credentials (connection error)
  last update ended: 1970-01-01 00:00:00+00:00
[root@eu-ipa-01 ~]# klist -ke /etc/dirsrv/ds.keytab
Keytab name: FILE:/etc/dirsrv/ds.keytab
KVNO Principal
---- --------------------------------------------------------------------------
   2 ldap/eu-ipa-01.example.com@EXAMPLE.COM (aes256-cts-hmac-sha1-96)
   2 ldap/eu-ipa-01.example.com@EXAMPLE.COM (aes128-cts-hmac-sha1-96)
   2 ldap/eu-ipa-01.example.com@EXAMPLE.COM (des3-cbc-sha1)
   2 ldap/eu-ipa-01.example.com@EXAMPLE.COM (arcfour-hmac)
   2 ldap/eu-ipa-01.example.com@EXAMPLE.COM (camellia128-cts-cmac)
   2 ldap/eu-ipa-01.example.com@EXAMPLE.COM (camellia256-cts-cmac)
ldapsearch -h eu-ipa-01.example.com -D "cn=directory manager" -W -b "dc=example,dc=com" '(krbprincipalname=ldap/eu-ipa-01*)'
Enter LDAP Password:
# extended LDIF
#
# LDAPv3
# base <dc=example,dc=com> with scope subtree
# filter: (krbprincipalname=ldap/eu-ipa-01*)
# requesting: ALL
#

# ldap/eu-ipa-01.example.com@EXAMPLE.COM, services, accounts, example.com
dn: krbprincipalname=ldap/eu-ipa-01.example.com@EXAMPLE.COM,cn=services,cn=accounts,dc=example,dc=com
krbLastSuccessfulAuth: 20180411141738Z
ipaAllowedToPerform;read_keys: cn=admins,cn=groups,cn=accounts,dc=example,dc=net
memberOf: cn=replication managers,cn=sysaccounts,cn=etc,dc=example,dc=com
ipaKrbPrincipalAlias: ldap/eu-ipa-01.example.com@EXAMPLE.COM
userCertificate::
krbExtraData::
krbPrincipalKey::
krbLoginFailedCount: 0
krbLastPwdChange: 20170718043248Z
krbCanonicalName: ldap/eu-ipa-01.example.com@EXAMPLE.COM
objectClass: ipaobject
objectClass: top
objectClass: ipaservice
objectClass: pkiuser
objectClass: krbprincipal
objectClass: krbprincipalaux
objectClass: krbTicketPolicyAux
objectClass: ipakrbprincipal
objectClass: ipaallowedoperations
managedBy: fqdn=eu-ipa-01.example.com,cn=computers,cn=accounts,dc=example,dc=com
krbPrincipalName: ldap/eu-ipa-01.example.com@EXAMPLE.COM
ipaUniqueID: 26d525e0-6b72-11e7-803b-0643f376e57a
krbPwdPolicyReference: cn=Default Service Password Policy,cn=services,cn=accounts,dc=example,dc=com

# ldap/eu-ipa-01.example.com@EXAMPLE.COM + d07bbe98-65a111e7-8454f4db-22f31cc6, services, accounts, example.com
dn: krbprincipalname=ldap/eu-ipa-01.example.com@EXAMPLE.COM+nsuniqueid=d07bbe98-65a111e7-8454f4db-22f31cc6,cn=services,cn=accounts,dc=example,dc=com
ipaKrbPrincipalAlias: ldap/eu-ipa-01.example.com@EXAMPLE.COM
userCertificate::
krbExtraData::
krbPrincipalKey::
krbLastPwdChange: 20170710185854Z
krbCanonicalName: ldap/eu-ipa-01.example.com@EXAMPLE.COM
objectClass: ipaobject
objectClass: top
objectClass: ipaservice
objectClass: pkiuser
objectClass: krbprincipal
objectClass: krbprincipalaux
objectClass: krbTicketPolicyAux
objectClass: ipakrbprincipal
managedBy: fqdn=eu-ipa-01.example.com,cn=computers,cn=accounts,dc=example,dc=com
krbPrincipalName: ldap/eu-ipa-01.example.com@EXAMPLE.COM
ipaUniqueID: d1f75da2-65a1-11e7-b431-0643f376e57a
krbPwdPolicyReference: cn=Default Service Password Policy,cn=services,cn=accounts,dc=example,dc=com

# search result
search: 2
result: 0 Success

# numResponses: 3
# numEntries: 2
Is this 2nd result the one it's trying to use and it has the wrong password associated with it?
[11/Apr/2018:12:06:08.426926060 +0100] conn=137434 op=1 BIND dn="" method=sasl version=3 mech=GSSAPI
[11/Apr/2018:12:06:08.431094978 +0100] conn=137434 op=1 RESULT err=14 tag=97 nentries=0 etime=0, SASL bind in progress
[11/Apr/2018:12:06:08.431544044 +0100] conn=137434 op=2 BIND dn="" method=sasl version=3 mech=GSSAPI
[11/Apr/2018:12:06:08.432833552 +0100] conn=137434 op=2 RESULT err=14 tag=97 nentries=0 etime=0, SASL bind in progress
[11/Apr/2018:12:06:08.432981174 +0100] conn=137434 op=3 BIND dn="" method=sasl version=3 mech=GSSAPI
[11/Apr/2018:12:06:08.433457303 +0100] conn=137434 op=3 RESULT err=49 tag=97 nentries=0 etime=0 - SASL(-14): authorization failure:
[11/Apr/2018:12:06:08.433918022 +0100] conn=137434 op=4 UNBIND
[11/Apr/2018:12:06:08.433934070 +0100] conn=137434 op=4 fd=229 closed - U1
Any help would be most appreciated. Thank you.
On 04/11/2018 04:47 PM, Dave Jablonski via FreeIPA-users wrote:
FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org To unsubscribe send an email to freeipa-users-leave@lists.fedorahosted.org
Hi,
the entry which contains +nsuniqueid=.. in its DN is a replication conflict. This means that the same entry was modified on two servers at roughly the same time. It is probably the reason why the GSSAPI authentication is failing.
You can find more information on how to solve replication conflicts in the 389-ds guide [1].
HTH, Flo
[1] https://access.redhat.com/documentation/en-us/red_hat_directory_server/10/ht...
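As an added illustration of the diagnosis in this reply (not code from the thread or from the FreeIPA project): the script below reads ldapsearch LDIF output, unfolds the continuation lines ldapsearch wraps at 78 columns, and flags every entry whose DN carries an extra "+nsuniqueid=..." component, which is how 389-ds names a replication-conflict entry. It also lists any krbPrincipalName held by more than one entry, which is the duplicate the original poster suspected. The embedded LDIF is a constructed, trimmed copy of the two entries shown earlier in the thread; the file-argument handling is an assumption for convenience.

```python
"""Spot 389-ds replication-conflict entries in ldapsearch (LDIF) output.

Added example, not FreeIPA project code. A conflict entry is recognised
the way the thread describes it: its DN contains '+nsuniqueid=<id>'.
"""
import re
import sys
from typing import Dict, List, Tuple

# Constructed sample: the two entries from the thread, reduced to the
# attributes that matter, folded the way ldapsearch folds long lines
# (a continuation line begins with one space).
SAMPLE_LDIF = """\
# extended LDIF
#
# LDAPv3
# filter: (krbprincipalname=ldap/eu-ipa-01*)
#
dn: krbprincipalname=ldap/eu-ipa-01.example.com@EXAMPLE.COM,cn=services,cn=accou
 nts,dc=example,dc=com
krbPrincipalName: ldap/eu-ipa-01.example.com@EXAMPLE.COM
krbLastPwdChange: 20170718043248Z
ipaUniqueID: 26d525e0-6b72-11e7-803b-0643f376e57a

dn: krbprincipalname=ldap/eu-ipa-01.example.com@EXAMPLE.COM+nsuniqueid=d07bbe98-
 65a111e7-8454f4db-22f31cc6,cn=services,cn=accounts,dc=example,dc=com
krbPrincipalName: ldap/eu-ipa-01.example.com@EXAMPLE.COM
krbLastPwdChange: 20170710185854Z
ipaUniqueID: d1f75da2-65a1-11e7-b431-0643f376e57a

# search result
search: 2
result: 0 Success
"""

# The extra RDN component 389-ds adds to the losing entry of a conflict.
CONFLICT_RDN = re.compile(r"\+nsuniqueid=([0-9a-f-]+)", re.IGNORECASE)


def unfold_ldif(text: str) -> List[str]:
    """Join LDIF continuation lines (leading space) onto the previous line."""
    lines: List[str] = []
    for raw in text.splitlines():
        if raw.startswith(" ") and lines:
            lines[-1] += raw[1:]
        else:
            lines.append(raw)
    return lines


def parse_entries(text: str) -> List[Dict[str, List[str]]]:
    """Parse ldapsearch output into a list of {attr: [values]} dicts.

    Comment lines and the trailing 'search:'/'result:' summary are skipped;
    attribute names are lower-cased; base64 values ('attr:: ...') are kept raw.
    """
    entries: List[Dict[str, List[str]]] = []
    current: Dict[str, List[str]] = {}
    for line in unfold_ldif(text):
        if not line.strip():               # blank line ends an entry
            if current:
                entries.append(current)
                current = {}
            continue
        if line.startswith("#"):
            continue
        attr, _, value = line.partition(":")
        attr = attr.strip().lower()
        if attr == "dn" or current:        # summary lines outside an entry are ignored
            current.setdefault(attr, []).append(value.strip().lstrip(":").strip())
    if current:
        entries.append(current)
    return [e for e in entries if "dn" in e]


def find_conflicts(entries: List[Dict[str, List[str]]]) -> List[Tuple[str, str, str]]:
    """Return (conflict_dn, nsuniqueid, original_dn) for each conflict entry.

    original_dn is the DN with the '+nsuniqueid=...' part removed, i.e. the
    surviving entry that the conflict entry duplicates.
    """
    found = []
    for entry in entries:
        dn = entry["dn"][0]
        match = CONFLICT_RDN.search(dn)
        if match:
            original = dn[:match.start()] + dn[match.end():]
            found.append((dn, match.group(1), original))
    return found


def duplicate_principals(entries: List[Dict[str, List[str]]]) -> Dict[str, List[str]]:
    """Map every krbPrincipalName held by more than one entry to those DNs."""
    by_principal: Dict[str, List[str]] = {}
    for entry in entries:
        for principal in entry.get("krbprincipalname", []):
            by_principal.setdefault(principal.lower(), []).append(entry["dn"][0])
    return {p: dns for p, dns in by_principal.items() if len(dns) > 1}


if __name__ == "__main__":
    # Usage (assumed): python3 find_conflicts.py [saved-ldapsearch-output.ldif]
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_LDIF
    parsed = parse_entries(text)
    for dn, uid, original in find_conflicts(parsed):
        print(f"conflict entry: {dn}\n  nsuniqueid: {uid}\n  duplicates:  {original}")
    for principal, dns in duplicate_principals(parsed).items():
        print(f"principal {principal} is held by {len(dns)} entries")
```

Run against the thread's sample it reports exactly one conflict entry (nsuniqueid d07bbe98-65a111e7-8454f4db-22f31cc6) and one principal, ldap/eu-ipa-01.example.com@EXAMPLE.COM, held by two entries. The conflict entry's own krbPrincipalKey is independent of the keytab on disk, so once the conflict is resolved per the 389-ds guide the keytab should be checked against the surviving entry.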
On Wed, 2018-04-11 at 10:47 -0400, Dave Jablonski via FreeIPA-users wrote:
One of the FreeIPA replicas is not able to use GSSAPI authentication to connect to the ldap server on itself or any other FreeIPA server. I'm not sure why. I added example.com to just replace the actual domains, we're not using that. I really don't fully understand how the krbprincipalname is used but as a thought I think maybe we have 2 ldap/ krbprincipal names for this host/service and it's using the wrong one for the mapping.
Have you tried to install two servers with the same name at the same time by chance? I do not see how else you'd get a duplicate entry in ldap with the keytab. Either that or you reinstalled a server while the topology had replication issues that got resolved after the second reinstall.
Simo.