For a few weeks now I've been seeing a
problem getting authenticated to my ipa domain. I can get
command line and web UI stuff done by using the admin user but
if I get a ticket using my account which is in the admins
group I get the following on the web UI:
Your session has expired. Please log in again.
On the command line any ipa commands I've tried so far give me:
ipa: ERROR: Insufficient access: SASL(-1): generic failure: GSSAPI Error: Unspecified GSS failure. Minor code may provide more information (Credential cache is empty)
Getting a ticket as admin on command line lets me run ipa commands with no problem. I think I've got all pertinent certificates loaded up properly. Gonna try a reboot on one of the servers shortly. I have 4 servers on r different vlans; replication between them seems to be working properly.
I think the problem is most of the user IDs we use on this domain are not in the ID range configured. We let the install choose a default range when we first set this up. Most of our users have a UID based on their EDIPI # which is a 32-bit ID assigned when a user first gets a DoD CAC. They're usually 10 digits long.

--
//- Fixer of that which is broke -//
//- Home = sberg@mississippi.com -//
//- Sinners can repent, but stupid is forever. -//