Ahh, of course, sudo. I was trying su. I'm on CentOS 7.6 running FreeIPA 4.6.4, all from the standard yum packages.
It does look to be the exact same issue as you posted about Fedora 30. This means that anyone running CentOS 7.6 / RHEL 7.6 will be affected by this. (See below.)

As a workaround, if I manually imported the cert into the nssdb /etc/pki/pki-tomcat/alias, would Dogtag kick into life, or is there more than this required? I only ask out of interest, as I'm going to rebuild this current setup on RHEL 8, which is running IPA 4.7.1 and which, from what I can tell, already includes the fix for this.

Thanks for your help on this.

Dave

The output from running it comes out as:

    [root@man-fb-ipa-02 ~]# sudo -u pkiuser /usr/libexec/ipa/ipa-pki-retrieve-key "caSigningCert cert-pki-ca dd4ea812-c044-41c0-93bf-ec376c732c93" man-fb-ipa-01.testhost.com
    Traceback (most recent call last):
      File "/usr/libexec/ipa/ipa-pki-retrieve-key", line 39, in <module>
        main()
      File "/usr/libexec/ipa/ipa-pki-retrieve-key", line 30, in main
        keyfile=client_keyfile, keytab=client_keytab,
      File "/usr/lib/python2.7/site-packages/ipaserver/secrets/client.py", line 64, in __init__
        self.kemcli = KEMClient(self._server_keys(server, realm),
      File "/usr/lib/python2.7/site-packages/ipaserver/secrets/client.py", line 27, in _server_keys
        sk = JWK(**json_decode(self.ikk.find_key(principal, KEY_USAGE_SIG)))
      File "/usr/lib/python2.7/site-packages/ipaserver/secrets/kem.py", line 225, in find_key
        return conn.get_key(usage, kid)
      File "/usr/lib/python2.7/site-packages/ipaserver/secrets/kem.py", line 71, in get_key
        conn = self.connect()
      File "/usr/lib/python2.7/site-packages/ipaserver/secrets/common.py", line 40, in connect
        conn.sasl_interactive_bind_s('', auth_tokens)
      File "/usr/lib64/python2.7/site-packages/ldap/ldapobject.py", line 229, in sasl_interactive_bind_s
        return self._ldap_call(self._l.sasl_interactive_bind_s,who,auth,RequestControlTuples(serverctrls),RequestControlTuples(clientctrls),sasl_flags)
      File "/usr/lib64/python2.7/site-packages/ldap/ldapobject.py", line 99, in _ldap_call
        result = func(*args,**kwargs)
    LOCAL_ERROR: {'info': 'SASL(-1): generic failure: GSSAPI Error: Unspecified GSS failure. Minor code may provide more information (No Kerberos credentials available (default cache: KEYRING:persistent:17))', 'desc': 'Local error'}

I also get the ca-show failure.

    [root@man-fb-ipa-02 ~]# ipa ca-show vpn
    ipa: ERROR: Request failed with status 500: Non-2xx response from CA REST API: 500.

_______________________________________________
FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org
To unsubscribe send an email to freeipa-users-le...@lists.fedorahosted.org
Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: https://lists.fedorahosted.org/archives/list/freeipa-users@lists.fedorahosted.org
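Added here as an illustration, not code from the thread or from FreeIPA: a small Python helper that pulls the credential-cache type and uid out of the python-ldap GSSAPI bind error quoted in the traceback above, so the failure is reported as "no ticket in the persistent keyring of uid N" instead of staying buried in the dict. The sample error dict is copied from the message; the function name and the diagnosis wording are my own.

```python
import re

# Sample input: the python-ldap LOCAL_ERROR dict exactly as printed in the
# traceback quoted in the message (copied, not constructed).
SAMPLE_ERROR = {
    'info': ('SASL(-1): generic failure: GSSAPI Error: Unspecified GSS failure. '
             'Minor code may provide more information (No Kerberos credentials '
             'available (default cache: KEYRING:persistent:17))'),
    'desc': 'Local error',
}

# Matches the "default cache: TYPE:residual" fragment MIT Kerberos appends to
# the "No Kerberos credentials available" minor status.
CCACHE_RE = re.compile(r'default cache: (?P<type>[A-Za-z]+):(?P<residual>[^)]+)')


def parse_gssapi_bind_error(err):
    """Classify a python-ldap SASL/GSSAPI bind failure (hypothetical helper).

    Returns a dict: whether credentials were missing, the credential-cache type
    and residual named in the error, the uid for a KEYRING:persistent:<uid>
    cache (None otherwise), and a one-line diagnosis.
    """
    info = err.get('info', '')
    result = {
        'missing_credentials': 'No Kerberos credentials available' in info,
        'ccache_type': None,
        'ccache_residual': None,
        'keyring_uid': None,
        'diagnosis': 'not a missing-credentials GSSAPI failure',
    }
    m = CCACHE_RE.search(info)
    if m:
        result['ccache_type'] = m.group('type')
        result['ccache_residual'] = m.group('residual')
        # KEYRING:persistent:<uid> is the per-uid kernel keyring cache, so the
        # uid says whose ticket cache the bind actually looked in.
        if result['ccache_type'] == 'KEYRING' and m.group('residual').startswith('persistent:'):
            result['keyring_uid'] = int(m.group('residual').split(':')[1])
    if result['missing_credentials'] and result['keyring_uid'] is not None:
        result['diagnosis'] = (
            'no ticket in the persistent keyring cache of uid %d; that account '
            'needs credentials in its cache (or KRB5CCNAME pointing at a cache it '
            'can read) before the GSSAPI bind can succeed' % result['keyring_uid'])
    elif result['missing_credentials'] and result['ccache_type']:
        result['diagnosis'] = 'no ticket in credential cache %s:%s' % (
            result['ccache_type'], result['ccache_residual'])
    return result


if __name__ == '__main__':
    for key, value in sorted(parse_gssapi_bind_error(SAMPLE_ERROR).items()):
        print('%s: %s' % (key, value))
```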