> liang fei via FreeIPA-users wrote:
>
> Need a lot more information.
>
> What version of IPA on client and server, and what distribution?
>
> What is the context? Is this a new problem? Did it ever work? It appears
> you're running this on a server, please confirm.
>
> We need the apache error log (snippet) and relation lines from the KDC log.
>
> Per your subsequent message, this probably has nothing to do with
> certificates but the output is illuminating.
>
> a-error: Error setting up ccache for "host" service on client using
> default keytab: No such file or directory.
>
> You are apparently missing /etc/krb5.keytab
>
> Goes back to the history question. What has been going on with this
> installation?
>
> rob

freeipa4.3

All operations are performed on the CA machine.

Yes, for some reason, /etc/krb5.keytab does not exist and /etc/apache2.ipa.keytab kinit was unsuccessful, so I did the following.

ipa-getkeytab -p host/host.xx.com -k /etc/krb5.keytab
ipa-getkeytab -p HTTP/host.xx.com -e aes256-cts -k /tmp/spnego.service.keytab
ipa-getkeytab -p HTTP/host.xx.com -e aes128-cts -k /tmp/spnego.service.keytab
ipa-getkeytab -p HTTP/host.xx.com -e des3-hmac-sha1 -k /tmp/spnego.service.keytab
ipa-getkeytab -p HTTP/host.xx.com -e arcfour-hmac -k /tmp/spnego.service.keytab
ipa-getkeytab -p HTTP/host.xx.com -e camellia128-cts -k /tmp/spnego.service.keytab
ipa-getkeytab -p HTTP/host.xx.com -e camellia256-cts -k /tmp/spnego.service.keytab
cp /tmp/spnego.service.keytab /etc/security/ketabs
cp /tmp/spnego.service.keytab /etc/apache2/ipa.keytab

This exception should be an error related to the /etc/apache2/ipa.keytab file, because I have a native /etc/krb5.keytab file on another test machine. Only perform the ipa-getkeytab -p HTTP/host.xx.com -e aes256-cts -k /tmp/spnego.service.keytab operation, so this exception,

ipa user-find admin ...
ipa: ERROR: error marshalling data for XML-RPC transport: message: need a <type 'unicode'>; got 'No valid Negotiate header in server response' (a <type 'str'>)

tailf /var/logs/apach2/error
[Tue Aug 30 11:32:32.237368 2022] [auth_gssapi:error] [pid 57977:tid 140374488082176] [client 10.12.65.188:64398] gss_accept_sec_context() failed: [No credentials were supplied, or the credentials were unavailable or inaccessible (Unknown error)], referer: https://ipa-test-xx.com/ipa/xml