Ahh, of course, sudo; I was trying su.

I'm on Centos 7.6 running freeipa 4.6.4 all from the standard yum packages.

It does look to be the exact same issue as you posted about Fedora 30.

This means that anyone running Centos 7.6 / RHEL 7.6 will be affected by this.
(See below)

As a workaround, if I manually imported the cert into the nssdb
/etc/pki/pki-tomcat/alias, would dogtag kick into life, or is there more than
this required? I only ask out of interest, as I'm going to rebuild this current
setup on RHEL 8, which is running IPA 4.7.1, which from what I can tell already
includes the fix for this.

Thanks for your help on this.
Dave

The output from running it comes out as:
[root@man-fb-ipa-02 ~]# sudo -u pkiuser /usr/libexec/ipa/ipa-pki-retrieve-key "caSigningCert cert-pki-ca dd4ea812-c044-41c0-93bf-ec376c732c93" man-fb-ipa-01.testhost.com
Traceback (most recent call last):
  File "/usr/libexec/ipa/ipa-pki-retrieve-key", line 39, in <module>
    main()
  File "/usr/libexec/ipa/ipa-pki-retrieve-key", line 30, in main
    keyfile=client_keyfile, keytab=client_keytab,
  File "/usr/lib/python2.7/site-packages/ipaserver/secrets/client.py", line 64, in __init__
    self.kemcli = KEMClient(self._server_keys(server, realm),
  File "/usr/lib/python2.7/site-packages/ipaserver/secrets/client.py", line 27, in _server_keys
    sk = JWK(**json_decode(self.ikk.find_key(principal, KEY_USAGE_SIG)))
  File "/usr/lib/python2.7/site-packages/ipaserver/secrets/kem.py", line 225, in find_key
    return conn.get_key(usage, kid)
  File "/usr/lib/python2.7/site-packages/ipaserver/secrets/kem.py", line 71, in get_key
    conn = self.connect()
  File "/usr/lib/python2.7/site-packages/ipaserver/secrets/common.py", line 40, in connect
    conn.sasl_interactive_bind_s('', auth_tokens)
  File "/usr/lib64/python2.7/site-packages/ldap/ldapobject.py", line 229, in sasl_interactive_bind_s
    return self._ldap_call(self._l.sasl_interactive_bind_s,who,auth,RequestControlTuples(serverctrls),RequestControlTuples(clientctrls),sasl_flags)
  File "/usr/lib64/python2.7/site-packages/ldap/ldapobject.py", line 99, in _ldap_call
    result = func(*args,**kwargs)
LOCAL_ERROR: {'info': 'SASL(-1): generic failure: GSSAPI Error: Unspecified GSS failure.  Minor code may provide more information (No Kerberos credentials available (default cache: KEYRING:persistent:17))', 'desc': 'Local error'}

I also get the ca-show failure:
[root@man-fb-ipa-02 ~]# ipa ca-show vpn
ipa: ERROR: Request failed with status 500: Non-2xx response from CA REST API: 500.
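The traceback above ends in a python-ldap LOCAL_ERROR whose info string names the credential cache GSSAPI looked in (KEYRING:persistent:17). As an added triage helper, not code from this thread or from FreeIPA, the script below parses that error line, pulls out the GSSAPI minor message, the cache name and the uid the kernel keyring cache belongs to, and compares it with the uid the command actually ran under. The running_uid argument and the sample line are assumptions for illustration; the sample is the post's own error line rejoined onto one line.

```python
import ast
import re

# Constructed sample: the final line of the traceback from the post above,
# rejoined onto one line (python-ldap prints the exception name, then the
# repr() of its info dict).
SAMPLE_ERROR_LINE = (
    "LOCAL_ERROR: {'info': 'SASL(-1): generic failure: GSSAPI Error: "
    "Unspecified GSS failure.  Minor code may provide more information "
    "(No Kerberos credentials available (default cache: "
    "KEYRING:persistent:17))', 'desc': 'Local error'}"
)

MINOR_RE = re.compile(r"Minor code may provide more information \((.*)\)")
CACHE_RE = re.compile(r"default cache: ([^)]+)\)")


def parse_ldap_error(line):
    """Split 'NAME: {...}' into the exception name and its info dict.

    ast.literal_eval accepts only Python literals, so a hostile payload
    copied out of a log cannot execute anything."""
    name, sep, payload = line.partition(": ")
    if not sep or not payload.startswith("{"):
        raise ValueError("not a python-ldap error line: %r" % line)
    return name, ast.literal_eval(payload)


def cache_uid(cache_name):
    """Return the uid that a KEYRING:persistent:<uid> cache belongs to,
    or None for any other cache type (FILE:, DIR:, ...)."""
    prefix = "KEYRING:persistent:"
    if cache_name.startswith(prefix):
        tail = cache_name[len(prefix):].split(":")[0]
        return int(tail) if tail.isdigit() else None
    return None


def diagnose(line, running_uid=None):
    """Classify a SASL/GSSAPI bind failure from one python-ldap error line.

    running_uid (assumed, supplied by the caller) is the uid the failing
    command ran as; the result reports whether the cache GSSAPI searched is
    that user's persistent keyring, which is the first thing to check when
    a keytab-driven service reports 'No Kerberos credentials available'."""
    name, info = parse_ldap_error(line)
    text = info.get("info", "")
    minor = MINOR_RE.search(text)
    cache = CACHE_RE.search(text)
    result = {
        "exception": name,
        "desc": info.get("desc"),
        "gssapi": "GSSAPI Error" in text,
        "minor": minor.group(1) if minor else None,
        "cache": cache.group(1) if cache else None,
        "missing_credentials": "No Kerberos credentials available" in text,
    }
    result["cache_uid"] = cache_uid(result["cache"]) if result["cache"] else None
    if running_uid is not None and result["cache_uid"] is not None:
        result["cache_matches_uid"] = running_uid == result["cache_uid"]
    return result


if __name__ == "__main__":
    for key, value in sorted(diagnose(SAMPLE_ERROR_LINE, running_uid=17).items()):
        print("%-20s %s" % (key, value))
```

If cache_matches_uid comes back True and missing_credentials is also True, the cache is the right one but empty, so the failure is in whatever is supposed to populate it from the keytab before the bind; if it comes back False, the command was run under a different uid than the cache GSSAPI consulted.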
_______________________________________________
FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org