On Wed, 2023-06-07 at 10:36 +0200, Ronald Wimmer via FreeIPA-users
wrote:
> On 19.09.17 12:07, Alexander Bokovoy wrote:
> > On ti, 19 syys 2017, Ronald Wimmer wrote:
> > > On 2017-09-19 11:53, Alexander Bokovoy wrote:
> > > > [...]
> > > > Please spend some time reading the documentation. It is vast and has a
> > > > lot of answers to questions people keep asking on these lists.
> > >
> > > I've already spent some time reading the documentation. Since
> > > "ipa-getkeytab" worked I was not aware of the fact that "ipa-getkeytab
> > > -r" would need:
> > >
> > > ipa service-allow-retrieve-keytab HTTP/cluster.idm.example.com
> > > --hosts={node01.idm.example.com,node02.idm.example.com}
> > That's why I gave you these links as you have obviously didn't read
> > them.
> >
> > Glad that it works now.
>
> As we ran into this problem again it should be mentioned that restarting
> gssproxy.service can be necessary.
>
> In our case Apache was looking for a KVNO 1 whereas the actual file did
> already have version number 4.
FWIW, gssapi should pick up new keys in keytabs without the need to
restart.
Simo.
--
Simo Sorce
RHEL Crypto Team
Red Hat, Inc
_______________________________________________
FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org
To unsubscribe send an email to freeipa-users-le...@lists.fedorahosted.org
Fedora Code of Conduct:
https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives:
https://lists.fedorahosted.org/archives/list/freeipa-users@lists.fedorahosted.org
Do not reply to spam, report it:
https://pagure.io/fedora-infrastructure/new_issue
