On Wed, 2023-06-07 at 10:36 +0200, Ronald Wimmer via FreeIPA-users wrote: > On 19.09.17 12:07, Alexander Bokovoy wrote: > > On ti, 19 syys 2017, Ronald Wimmer wrote: > > > On 2017-09-19 11:53, Alexander Bokovoy wrote: > > > > [...] > > > > Please spend some time reading the documentation. It is vast and has a > > > > lot of answers to questions people keep asking on these lists. > > > > > > I've already spent some time reading the documentation. Since > > > "ipa-getkeytab" worked I was not aware of the fact that "ipa-getkeytab > > > -r" would need: > > > > > > ipa service-allow-retrieve-keytab HTTP/cluster.idm.example.com > > > --hosts={node01.idm.example.com,node02.idm.example.com} > > That's why I gave you these links as you have obviously didn't read > > them. > > > > Glad that it works now. > > As we ran into this problem again it should be mentioned that restarting > gssproxy.service can be necessary. > > In our case Apache was looking for a KVNO 1 whereas the actual file did > already have version number 4.
FWIW, gssapi should pick up new keys in keytabs without the need to restart. Simo. -- Simo Sorce RHEL Crypto Team Red Hat, Inc _______________________________________________ FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org To unsubscribe send an email to freeipa-users-le...@lists.fedorahosted.org Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/ List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines List Archives: https://lists.fedorahosted.org/archives/list/freeipa-users@lists.fedorahosted.org Do not reply to spam, report it: https://pagure.io/fedora-infrastructure/new_issue