I just noticed I can log in to the web UI with user admin and his password.
But when I try to configure firefox to use kerberos, I click on "Install Kerberos Configuration Firefox Extension" button, a message appears saying "Firefox prevented this site from asking you to install software on your computer", so I click on the "Allow" button and then another message appears "The add-on downloaded from this site could not be installed because it appears to be corrupt.".

And the ipa commands are still not working.

$ ipa user-show admin
ipa: ERROR: cannot connect to 'https://zaira2.opera/ipa/json': Unauthorized

On Mon, Oct 5, 2015 at 12:13 PM, Fujisan <fujisa...@gmail.com> wrote:
> I uninstalled the ipa server and reinstalled it. Then restored the backup.
> And then the following:
>
> $ keyctl list @s
> 3 keys in keyring:
> 437165764: --alswrv 0 65534 keyring: _uid.0
> 556579409: --alswrv 0 0 user: ipa_session_cookie:host/zaira2.opera@OPERA
> 286806445: ---lswrv 0 65534 keyring: _persistent.0
> $ keyctl purge 556579409
> purged 0 keys
> $ keyctl reap
> 0 keys reaped
> $ ipa user-show admin
> ipa: ERROR: cannot connect to 'https://zaira2.opera/ipa/json': Unauthorized
> $ keyctl list @s
> 3 keys in keyring:
> 437165764: --alswrv 0 65534 keyring: _uid.0
> 556579409: --alswrv 0 0 user: ipa_session_cookie:host/zaira2.opera@OPERA
> 286806445: ---lswrv 0 65534 keyring: _persistent.0
>
> It doesn't seem to purge or to reap.
>
> On Mon, Oct 5, 2015 at 9:17 AM, Fujisan <fujisa...@gmail.com> wrote:
>> Good morning,
>>
>> Any suggestion what I should do?
>>
>> I still have
>>
>> $ ipa user-show admin
>> ipa: ERROR: cannot connect to 'https://zaira2.opera/ipa/json': Unauthorized
>>
>> Regards.
>>
>> On Fri, Oct 2, 2015 at 5:04 PM, Fujisan <fujisa...@gmail.com> wrote:
>>> I only have this:
>>>
>>> $ keyctl list @s
>>> 1 key in keyring:
>>> 641467419: --alswrv 0 65534 keyring: _uid.0
>>> $
>>>
>>> On Fri, Oct 2, 2015 at 5:01 PM, Alexander Bokovoy <aboko...@redhat.com> wrote:
>>>> On Fri, 02 Oct 2015, Fujisan wrote:
>>>>> I forgot to mention that
>>>>>
>>>>> $ ipa user-show admin
>>>>> ipa: ERROR: cannot connect to 'https://zaira2.opera/ipa/json': Unauthorized
>>>>>
>>>> This is most likely because of the cached session to your server.
>>>>
>>>> You can check if keyctl list @s
>>>> returns you something like
>>>> [root@m1 ~]# keyctl list @s
>>>> 2 keys in keyring:
>>>> 496745412: --alswrv 0 65534 keyring: _uid.0
>>>> 215779962: --alswrv 0 0 user: ipa_session_cookie:ad...@example.com
>>>>
>>>> If so, then notice the key number (215779962) for the session cookie,
>>>> and do:
>>>> keyctl purge 215779962
>>>> keyctl reap
>>>>
>>>> This should make a next 'ipa ...' command run to ask for new cookie.
>>>>
>>>>> On Fri, Oct 2, 2015 at 4:44 PM, Fujisan <fujisa...@gmail.com> wrote:
>>>>>> I still cannot login to the web UI.
>>>>>>
>>>>>> Here is what I did:
>>>>>>
>>>>>> 1. mv /etc/krb5.keytab /etc/krb5.keytab.save
>>>>>> 2. kinit admin
>>>>>>    Password for admin@OPERA:
>>>>>> 3. ipa-getkeytab -s zaira2.opera -p host/zaira2.opera@OPERA -k /etc/krb5.keytab
>>>>>> 4. systemctl restart sssd.service
>>>>>> 5. mv /etc/httpd/conf/ipa.keytab /etc/httpd/conf/ipa.keytab.save
>>>>>> 6. ipa-getkeytab -s zaira2.opera -p HTTP/zaira2.opera@OPERA -k /etc/httpd/conf/ipa.keytab
>>>>>> 7. systemctl restart httpd.service
>>>>>>
>>>>>> The log says now:
>>>>>>
>>>>>> Oct 02 16:40:56 zaira2.opera krb5kdc[9065](info): AS_REQ (9 etypes {18 17 16 23 25 26 1 3 2}) 10.0.21.18: NEEDED_PREAUTH: HTTP/zaira2.opera@OPERA for krbtgt/OPERA@OPERA, Additional pre-authentication required
>>>>>>
>>>>>> On Fri, Oct 2, 2015 at 4:25 PM, Alexander Bokovoy <aboko...@redhat.com> wrote:
>>>>>>> On Fri, 02 Oct 2015, Fujisan wrote:
>>>>>>>> Well, I think I messed up when trying to configure cockpit to use kerberos.
>>>>>>>>
>>>>>>>> What should I do to fix this?
>>>>>>>>
>>>>>>>> I have this on the ipa server:
>>>>>>>> $ klist -k
>>>>>>>> Keytab name: FILE:/etc/krb5.keytab
>>>>>>>> KVNO Principal
>>>>>>>> ---- --------------------------------------------------------------------------
>>>>>>>>    2 host/zaira2.opera@OPERA
>>>>>>>>    2 host/zaira2.opera@OPERA
>>>>>>>>    2 host/zaira2.opera@OPERA
>>>>>>>>    2 host/zaira2.opera@OPERA
>>>>>>>>    1 nfs/zaira2.opera@OPERA
>>>>>>>>    1 nfs/zaira2.opera@OPERA
>>>>>>>>    1 nfs/zaira2.opera@OPERA
>>>>>>>>    1 nfs/zaira2.opera@OPERA
>>>>>>>>    3 HTTP/zaira2.opera@OPERA
>>>>>>>>    3 HTTP/zaira2.opera@OPERA
>>>>>>>>    3 HTTP/zaira2.opera@OPERA
>>>>>>>>    3 HTTP/zaira2.opera@OPERA
>>>>>>>>
>>>>>>> You can start by:
>>>>>>>
>>>>>>> 0. backup every file mentioned below
>>>>>>> 1. Move /etc/krb5.keytab somewhere
>>>>>>> 2. kinit as admin
>>>>>>> 3. ipa-getkeytab -s `hostname` -p host/`hostname` -k /etc/krb5.keytab
>>>>>>> 4. restart SSSD
>>>>>>> 5. Move /etc/httpd/conf/ipa.keytab somewhere
>>>>>>> 6. ipa-getkeytab -s `hostname` -p HTTP/`hostname` -k /etc/httpd/conf/ipa.keytab
>>>>>>> 7. Restart httpd
>>>>>>>
>>>>>>> Every time you run 'ipa-getkeytab', Kerberos key for the service
>>>>>>> specified by you is replaced on the server side so that keys in the
>>>>>>> keytabs become unusable.
>>>>>>>
>>>>>>> I guess cockpit instructions were for something that was not supposed to
>>>>>>> run on IPA master. On IPA master there are already all needed services
>>>>>>> (host/ and HTTP/) and their keytabs are in place.
>>>>>>>
>>>>>>>> On Fri, Oct 2, 2015 at 3:45 PM, Alexander Bokovoy <aboko...@redhat.com> wrote:
>>>>>>>>> On Fri, 02 Oct 2015, Fujisan wrote:
>>>>>>>>>> More info:
>>>>>>>>>>
>>>>>>>>>> I can initiate a ticket:
>>>>>>>>>> $ kdestroy
>>>>>>>>>> $ kinit admin
>>>>>>>>>>
>>>>>>>>>> but cannot view user admin:
>>>>>>>>>> $ ipa user-show admin
>>>>>>>>>> ipa: ERROR: cannot connect to 'https://zaira2.opera/ipa/json': Unauthorized
>>>>>>>>>>
>>>>>>>>>> $ ipactl status
>>>>>>>>>> Directory Service: RUNNING
>>>>>>>>>> krb5kdc Service: RUNNING
>>>>>>>>>> kadmin Service: RUNNING
>>>>>>>>>> named Service: RUNNING
>>>>>>>>>> ipa_memcached Service: RUNNING
>>>>>>>>>> httpd Service: RUNNING
>>>>>>>>>> pki-tomcatd Service: RUNNING
>>>>>>>>>> smb Service: RUNNING
>>>>>>>>>> winbind Service: RUNNING
>>>>>>>>>> ipa-otpd Service: RUNNING
>>>>>>>>>> ipa-dnskeysyncd Service: RUNNING
>>>>>>>>>> ipa: INFO: The ipactl command was successful
>>>>>>>>>>
>>>>>>>>>> /var/log/messages:
>>>>>>>>>> Oct 2 14:48:55 zaira2 [sssd[ldap_child[4991]]]: Failed to initialize credentials using keytab [MEMORY:/etc/krb5.keytab]: Decrypt integrity check failed. Unable to create GSSAPI-encrypted LDAP connection.
>>>>>>>>>>
>>>>>>>>> What did you do?
>>>>>>>>>
>>>>>>>>> This and the log below about HTTP/zaira2.opera@OPERA show that you have
>>>>>>>>> different keys in LDAP and in your keytab files for host/zaira2.opera
>>>>>>>>> and HTTP/zaira2.opera principals. This might happen if somebody removed
>>>>>>>>> the principals from LDAP (ipa service-del/ipa service-add, or ipa
>>>>>>>>> host-del/ipa host-add) so that they become non-synchronized with
>>>>>>>>> whatever you have in the keytab files.
>>>>>>>>>
>>>>>>>>>> On Fri, Oct 2, 2015 at 2:26 PM, Fujisan <fujisa...@gmail.com> wrote:
>>>>>>>>>>> Hello,
>>>>>>>>>>>
>>>>>>>>>>> I cannot login to the web UI anymore.
>>>>>>>>>>>
>>>>>>>>>>> The password or username you entered is incorrect.
>>>>>>>>>>>
>>>>>>>>>>> Log says:
>>>>>>>>>>>
>>>>>>>>>>> Oct 02 14:22:57 zaira2.opera krb5kdc[3225](info): AS_REQ (9 etypes {18 17 16 23 25 26 1 3 2}) 10.0.21.18: NEEDED_PREAUTH: HTTP/zaira2.opera@OPERA for krbtgt/OPERA@OPERA, Additional pre-authentication required
>>>>>>>>>>> Oct 02 14:22:57 zaira2.opera krb5kdc[3225](info): closing down fd 12
>>>>>>>>>>> Oct 02 14:22:57 zaira2.opera krb5kdc[3225](info): preauth (encrypted_timestamp) verify failure: Decrypt integrity check failed
>>>>>>>>>>> Oct 02 14:22:57 zaira2.opera krb5kdc[3225](info): AS_REQ (9 etypes {18 17 16 23 25 26 1 3 2}) 10.0.21.18: PREAUTH_FAILED: HTTP/zaira2.opera@OPERA for krbtgt/OPERA@OPERA, Decrypt integrity check failed
>>>>>>>>>>> Oct 02 14:22:57 zaira2.opera krb5kdc[3225](info): closing down fd 12
>>>>>>>>>>>
>>>>>>>>>>> I have no idea what went wrong.
>>>>>>>>>>>
>>>>>>>>>>> What can I do?
>>>>>>>>>>>
>>>>>>>>>>> Regards,
>>>>>>>>>>> Fuji
>>>>>>>>>>>
>>>>>>>>> --
>>>>>>>>> / Alexander Bokovoy
>>>>>>>>>
>>>>>>> --
>>>>>>> / Alexander Bokovoy
>>>>>>>
>>>> --
>>>> / Alexander Bokovoy
>>>>

--
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project
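The keytab/LDAP mismatch Alexander diagnoses above ("Decrypt integrity check failed" for host/ and HTTP/) can be confirmed before and after the regeneration steps by trying to obtain a ticket with every principal in the keytab. This is an added example, not code from the thread or from FreeIPA; the `klist -k` sample is constructed from the output pasted above, and the check uses a throwaway MEMORY credential cache so it leaves the caller's tickets alone.

```shell
#!/bin/sh
# Constructed sample in the layout of `klist -k` as pasted in the thread
# (principal names and KVNOs taken from that output, one row per enctype).
SAMPLE_KLIST='Keytab name: FILE:/etc/krb5.keytab
KVNO Principal
---- --------------------------------------------------------------------------
   2 host/zaira2.opera@OPERA
   2 host/zaira2.opera@OPERA
   1 nfs/zaira2.opera@OPERA
   3 HTTP/zaira2.opera@OPERA'

# Read `klist -k` output on stdin and print each distinct "KVNO principal"
# pair once (klist repeats a principal for every encryption type it holds).
keytab_entries() {
    awk '$1 ~ /^[0-9]+$/ && !seen[$1 " " $2]++ { print $1, $2 }'
}

# Try to get a TGT with every principal in the given keytab. OK means the
# keytab key matches the KDC's copy; FAIL (with kinit's message) is what a
# keytab that is out of sync with LDAP produces, e.g. after ipa-getkeytab
# rotated the key on the server side without updating this file.
check_keytab() {
    keytab=$1
    klist -k "$keytab" | keytab_entries | while read -r kvno princ; do
        if msg=$(KRB5CCNAME=MEMORY:keytabcheck kinit -kt "$keytab" "$princ" 2>&1); then
            echo "OK   kvno=$kvno $princ"
        else
            echo "FAIL kvno=$kvno $princ: $msg"
        fi
    done
}

# Dry run of the parser against the constructed sample (no KDC needed):
printf '%s\n' "$SAMPLE_KLIST" | keytab_entries
```

On the IPA master the real check is `check_keytab /etc/krb5.keytab` followed by `check_keytab /etc/httpd/conf/ipa.keytab`, run as a user that can read those files.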
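For the stale session cookie Alexander describes (the `ipa_session_cookie` entry in the session keyring that makes every `ipa` command fail with Unauthorized until it is dropped), here is an added helper that is not from the thread or from FreeIPA. It parses `keyctl list @s` output in the layout pasted above (the sample is constructed from the thread's values) and removes each matching key by id with `keyctl unlink <id> @s`, which selects by key id, whereas `keyctl purge` selects by key type and description.

```shell
#!/bin/sh
# Constructed sample in the layout of `keyctl list @s` as pasted in the thread.
SAMPLE_KEYRING='3 keys in keyring:
437165764: --alswrv     0 65534  keyring: _uid.0
556579409: --alswrv     0     0   user: ipa_session_cookie:host/zaira2.opera@OPERA
286806445: ---lswrv     0 65534  keyring: _persistent.0'

# Read a keyctl listing on stdin and print the id of every cached IPA session
# cookie: a key of type "user" whose description starts with ipa_session_cookie:.
ipa_session_key_ids() {
    awk '$5 == "user:" && $6 ~ /^ipa_session_cookie:/ { sub(/:$/, "", $1); print $1 }'
}

# Turn the listing on stdin into the keyctl commands that drop those keys from
# the session keyring (@s); pipe the result into sh to apply it.
unlink_commands_for() {
    ipa_session_key_ids | while read -r id; do
        printf 'keyctl unlink %s @s\n' "$id"
    done
}

# Real use on the IPA client, after which the next `ipa ...` call has to obtain
# a fresh session cookie by authenticating with the Kerberos ticket again:
#   keyctl list @s | unlink_commands_for | sh
# Dry run against the constructed sample (prints the commands only):
printf '%s\n' "$SAMPLE_KEYRING" | unlink_commands_for
```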