Sorry for the high latency, there has been quite a bit of prio 1 things that needed fixing that's been delaying this
On Wed, Feb 5, 2020 at 7:13 PM Rob Crittenden <rcrit...@redhat.com> wrote: > > Please keep responses on the list. > > Ian Kumlien wrote: > > ipa find-user admin > > ipa: ERROR: No valid Negotiate header in server response > > > > And a lot of krb issues according to the http logs > > I think we need to see the logs to diagnose. httpd/error_log: [Tue Mar 17 10:25:19.273326 2020] [auth_gssapi:error] [pid 24047:tid 140398705956608] [client 10.0.0.15:52430] GSS ERROR gss_acquire_cred[_from]() failed to get server creds: [Unspecified GSS failure. Minor code may provide more information ( SPNEGO cannot find mechanisms to negotiate)] [Tue Mar 17 10:25:19.277017 2020] [wsgi:error] [pid 24045:tid 140398987495168] [remote 100.94.37.38:34088] ipa: INFO: 401 Unauthorized: No session cookie found > > I wasn't expecting this - since all keys should be the same as the one > > installed - which is why i asked about any changes to the ldap data > > It could happen, for example, if you had gotten a new keytab for one or > more service and restored old data. Unlikely, but possible. Thats exactly whats happened, could I just do a ldap-updater script to update the keys? > Comparing the klist output with kvno for all the keytabs and principals > will tell you. > > rob > > > If there is something more specific you want me to look at, just let me know > > > > On Wed, Feb 5, 2020 at 4:54 PM Rob Crittenden <rcrit...@redhat.com> wrote: > >> > >> Ian Kumlien via FreeIPA-users wrote: > >>> Hi, > >>> > >>> Due to issues, I'm trying to do a partial restore of all the "important > >>> bits" > >>> > >>> But if I do ipa-restore --online --data --backend=userRoot $BACKUP > >>> > >>> I end up in a semiworking environment - the webui doen't work - kinit > >>> does... > >>> > >>> ipa doesn't etc.. > >>> > >> > >> It doesn't work how? What have you done to troubleshoot? What do the > >> logs say? > >> > >> rob > >> > > > _______________________________________________ FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org To unsubscribe send an email to freeipa-users-le...@lists.fedorahosted.org Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/ List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines List Archives: https://lists.fedorahosted.org/archives/list/freeipa-users@lists.fedorahosted.org
