carrollbry...@gmail.com wrote:
>> Got what new ticket? IPA provides its own tooling for managing keytabs, 
>> ipa-getkeytab.
> 
> I kept saying ticket. I meant keytab. I used ktutil to get new keytab entries.
> 
>> On another system you might try kvno to see what IPA thinks the principal 
>> version should be with just kvno ldap/<hostname>
> 
> On a client server, it says:
> 
> root@cumulus etc $ kvno ldap/pacific.caps.int
> ldap/pacific.caps....@caps.int: kvno = 2
> 
> which matches kvno = 2 on Pacific, the IPA server.
> 
> root@pacific ~ $ kvno ldap/pacific.caps.int
> ldap/pacific.caps....@caps.int: kvno = 2
> 
>> Is this your only IPA server?
> 
> Yes, only IPA server is Pacific.

I'm not sure what happened originally nor if using ktutil broke things
further. We typically don't recommend directly using Kerberos utilities
in favor of using IPA-provided commands. The Kerberos utilities are not
well-tested for interoperability with IPA. Not saying that's related but
we don't test it.

You might try using ipa-getkeytab to get a new ds.keytab key version but
with the ldap keytab being bad I'm doubtful that this will succeed. It's
a chicken-and-egg scenario.

rob

> 
> Thanks,
> Bryan
> 
> 
> -----Original Message-----
> From: Rob Crittenden <rcrit...@redhat.com> 
> Sent: Friday, July 19, 2024 7:32 AM
> To: carrollbry...@gmail.com; 'FreeIPA users list' 
> <freeipa-users@lists.fedorahosted.org>
> Subject: Re: [Freeipa-users] GSSAPI authentication failure
> 
> carrollbry...@gmail.com wrote:
>> (Resending this email, files were too large)
>>
>> Sorry for the delayed reply. I was on vacation for a few days.
>>
>>> Please show us the KDC log when you are provoking a failure.
>>
>> I'm attaching the slapd access, slapd error, krb5kdb.log and kadmind.log. 
>> The only thing of note I see in those logs is in the slapd access log:
>>
>> [11/Jul/2024:17:32:01.528294151 -0500] conn=57224 op=1 RESULT err=49 tag=97 nentries=0 wtime=0.000076683 optime=0.265358256 etime=0.265415438 - SASL(-13): authentication failure: GSSAPI Failure: gss_accept_sec_context
>>
>> which shows up often.
>>
>>> I'm not sure what ticket you're referring to, unless you mean a TGT.
>>
>> I think GSSAPI errors may be related to this ticket issue showing "keytab entry invalid":
>>
>> root@pacific ~ $ klist -kte /etc/dirsrv/ds.keytab
>> Keytab name: FILE:/etc/dirsrv/ds.keytab
>> KVNO Timestamp           Principal
>> ---- ------------------- ------------------------------------------------------
>>    2 07/11/2024 18:54:19 ldap/pacific.caps....@caps.int (aes256-cts-hmac-sha1-96)
>>    2 07/11/2024 19:44:09 ldap/pacific.caps....@caps.int (aes128-cts-hmac-sha1-96)
>> root@pacific ~ $ kvno -k /etc/dirsrv/ds.keytab ldap/pacific.caps.int
>> ldap/pacific.caps....@caps.int: kvno = 2, keytab entry invalid
>> kvno: Wrong principal in request while decrypting ticket for ldap/pacific.caps....@caps.int
>>
>> That's after I got a new ticket with ktutil. 
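The diagnostic pattern in the thread is worth automating: compare the key version numbers in the service keytab (`klist -kte`) with the version the KDC issues (`kvno <principal>`), and then check whether `kvno -k` can actually decrypt a ticket with the keytab's key. A matching version number only shows that the keytab and KDC agree on the counter; "keytab entry invalid" means the key bytes in the keytab differ from the KDC's key for that version, which is what the output above shows. The script below is an added example and is not code from the thread or from FreeIPA; the host, realm and tool outputs are constructed samples in the real tools' formats, and the check would normally be fed the live output of the three commands.

```python
import re

# Constructed sample output in the format of `klist -kte` (hypothetical host and realm).
KLIST_OUTPUT = """Keytab name: FILE:/etc/dirsrv/ds.keytab
KVNO Timestamp           Principal
---- ------------------- ------------------------------------------------------
   2 07/11/2024 18:54:19 ldap/ipa.example.test@EXAMPLE.TEST (aes256-cts-hmac-sha1-96)
   2 07/11/2024 19:44:09 ldap/ipa.example.test@EXAMPLE.TEST (aes128-cts-hmac-sha1-96)
"""

# Constructed output of `kvno ldap/ipa.example.test` (what the KDC issues)
# and of `kvno -k /etc/dirsrv/ds.keytab ldap/ipa.example.test` (ticket verified
# against the keytab); both mirror the shape of the real tools' output.
KVNO_KDC_OUTPUT = "ldap/ipa.example.test@EXAMPLE.TEST: kvno = 2\n"
KVNO_KEYTAB_OUTPUT = """ldap/ipa.example.test@EXAMPLE.TEST: kvno = 2, keytab entry invalid
kvno: Wrong principal in request while decrypting ticket for ldap/ipa.example.test@EXAMPLE.TEST
"""

# One keytab entry: KVNO, timestamp (date + time), principal, "(enctype)".
KLIST_RE = re.compile(r"^\s*(\d+)\s+(\S+ \S+)\s+(\S+)\s+\((\S+)\)\s*$")
# One kvno result line: principal, version, optional trailing status.
KVNO_RE = re.compile(r"^(\S+): kvno = (\d+)(?:, (.*))?$")

VERSION_MISMATCH = "version-mismatch"   # keytab lacks the version the KDC uses
KEY_MISMATCH = "key-mismatch"           # version present, but ticket does not decrypt
NO_ENTRY = "no-entry"                   # principal not in the keytab at all
OK = "ok"


def parse_klist(text):
    """Return {principal: {kvno: [enctype, ...]}} from `klist -kte` output."""
    entries = {}
    for line in text.splitlines():
        m = KLIST_RE.match(line)
        if not m:
            continue  # "Keytab name:" line, column header, separator row
        kvno, principal, enctype = int(m.group(1)), m.group(3), m.group(4)
        entries.setdefault(principal, {}).setdefault(kvno, []).append(enctype)
    return entries


def parse_kvno(text):
    """Return {principal: (kvno, status)} from `kvno` output.

    status is None on success or the trailing text, e.g. 'keytab entry invalid'.
    Lines of the form 'kvno: <error>' are diagnostics, not results, and are skipped.
    """
    results = {}
    for line in text.splitlines():
        m = KVNO_RE.match(line)
        if m:
            results[m.group(1)] = (int(m.group(2)), m.group(3))
    return results


def check_keytab(klist_text, kvno_kdc_text, kvno_keytab_text):
    """Correlate the three outputs and give a verdict per principal the KDC reported on."""
    keytab = parse_klist(klist_text)
    kdc = parse_kvno(kvno_kdc_text)
    verified = parse_kvno(kvno_keytab_text)
    report = {}
    for principal, (kdc_kvno, _status) in kdc.items():
        keytab_kvnos = sorted(keytab.get(principal, {}))
        _ver, ktstatus = verified.get(principal, (None, None))
        entry_valid = ktstatus is None and principal in verified
        if not keytab_kvnos:
            verdict = NO_ENTRY
        elif kdc_kvno not in keytab_kvnos:
            verdict = VERSION_MISMATCH
        elif not entry_valid:
            verdict = KEY_MISMATCH
        else:
            verdict = OK
        report[principal] = {
            "kdc_kvno": kdc_kvno,
            "keytab_kvnos": keytab_kvnos,
            "version_match": kdc_kvno in keytab_kvnos,
            "entry_valid": entry_valid,
            "verdict": verdict,
        }
    return report


if __name__ == "__main__":
    for principal, result in check_keytab(KLIST_OUTPUT, KVNO_KDC_OUTPUT, KVNO_KEYTAB_OUTPUT).items():
        print(principal, result["verdict"], result)
```

With the sample above the verdict is `key-mismatch`: the KDC and the keytab both say version 2, yet the ticket does not decrypt, so the keytab holds a different key than the KDC for that version. A `version-mismatch` verdict (the KDC at a higher kvno than the keytab) is the case a fresh `ipa-getkeytab` is designed to fix; a `key-mismatch` at an equal kvno is what manually adding entries with `ktutil` can produce, and the keytab needs to be regenerated from the KDC's key rather than re-versioned.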



-- 
_______________________________________________
FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org
To unsubscribe send an email to freeipa-users-le...@lists.fedorahosted.org
Fedora Code of Conduct: 
https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: 
https://lists.fedorahosted.org/archives/list/freeipa-users@lists.fedorahosted.org
Do not reply to spam, report it: 
https://pagure.io/fedora-infrastructure/new_issue