[Freeipa-users] Re: handling certificate expirations

Tue, 20 Feb 2024 17:01:30 -0800 

well, I thought I was out of the woods, but I still have some issues.
the services are running, but kinit gets me a ticket to nowhere.

"ipa: ERROR: No valid Negotiate header in server response"

grant@ef-idm01:~[20240220-14:36][#785]$ klist
Ticket cache: KCM:555
Default principal: gr...@production.efilm.com

Valid starting       Expires              Service principal
02/20/2024 14:36:12  02/21/2024 13:51:10  
krbtgt/production.efilm....@production.efilm.com
grant@ef-idm01:~[20240220-14:36][#786]$ ipa server-find
ipa: ERROR: No valid Negotiate header in server response
grant@ef-idm01:~[20240220-14:36][#787]$ sudo systemctl status gssproxy.service
● gssproxy.service - GSSAPI Proxy Daemon
   Loaded: loaded (/usr/lib/systemd/system/gssproxy.service; disabled; vendor 
preset: disabled)
   Active: active (running) since Tue 2024-02-20 13:57:40 PST; 39min ago
  Process: 2158008 ExecStart=/usr/sbin/gssproxy -D (code=exited, 
status=0/SUCCESS)
 Main PID: 2158009 (gssproxy)
    Tasks: 6 (limit: 74714)
   Memory: 4.2M
   CGroup: /system.slice/gssproxy.service
           └─2158009 /usr/sbin/gssproxy -D

Feb 20 13:57:40 ef-idm01.production.efilm.com systemd[1]: gssproxy.service: 
Succeeded.
Feb 20 13:57:40 ef-idm01.production.efilm.com systemd[1]: Stopped GSSAPI Proxy 
Daemon.
Feb 20 13:57:40 ef-idm01.production.efilm.com systemd[1]: Starting GSSAPI Proxy 
Daemon...
Feb 20 13:57:40 ef-idm01.production.efilm.com systemd[1]: Started GSSAPI Proxy 
Daemon.
grant@ef-idm01:~[20240220-14:37][#788]$ sudo ipactl status
Directory Service: RUNNING
krb5kdc Service: RUNNING
kadmin Service: RUNNING
httpd Service: RUNNING
ipa-custodia Service: RUNNING
pki-tomcatd Service: RUNNING
ipa-otpd Service: RUNNING
ipa: INFO: The ipactl command was successful
grant@ef-idm01:~[20240220-14:37][#789]$

I looked online for some references and it was suggested I replace the 
/var/lib/ipa/gssproxy/http.keytab
The file looks OKAY to me though.
--
_______________________________________________
FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org
To unsubscribe send an email to freeipa-users-le...@lists.fedorahosted.org
Fedora Code of Conduct: 
https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: 
https://lists.fedorahosted.org/archives/list/freeipa-users@lists.fedorahosted.org
Do not reply to spam, report it: 
https://pagure.io/fedora-infrastructure/new_issue

Reply via email to