On 02/15/2016 04:41 PM, Sumit Bose wrote:
On Mon, Feb 15, 2016 at 04:27:15PM +0100, Martin Juhl wrote:
Hi guys
I've just installed a RHEL7 server with ipa-server 4.2.0...
Everything seems to work fine, until I add a service principal:
(Running on a client, after a kinit)
[root@dantooine ~]# ipa-getkeytab -s naboo.outerrim.lan -p HTTP/naboo.outerrim....@outerrim.lan -k /etc/krb5.keytab
Keytab successfully retrieved and stored in: /etc/krb5.keytab
ipa-getkeytab will always create a new key unless you use the --retrieve
option.
It looks like you call ipa-getkeytab on the host dantooine, so it will
create a new key for naboo but save it on dantooine. So the keytab on
naboo will still have the old key but the KDC will hand out service
tickets with the new key which naboo does not know about.
Please try to call ipa-getkeytab with the --retrieve option on naboo so
that the new key is available on naboo as well.
HTH
bye,
Sumit
You will also need to regenerate the Apache keytab, since by using the
command you regenerate the Kerberos keys of the HTTP service while leaving the old
keys in the IPA HTTP service keytab, hence the decrypt integrity check error
when using the CLI/WebUI.
On naboo.outerrim.lan, run:
"""
ipa-getkeytab -s naboo.outerrim.lan -p HTTP/naboo.outerrim....@outerrim.lan -k /etc/httpd/conf/ipa.keytab
"""
and then either restart httpd service or run:
"""
kdestroy -c /var/run/httpd/ipa/krbcache/krb5ccache
"""
That should make webui and cli work again.
After running the command, the web interface returns:
The password or username you entered is incorrect.
when I try to login, and the "ipa" command has stopped working as well (both on
the server and client):
[root@dantooine ~]# ipa user-show admin
ipa: ERROR: Insufficient access: SASL(-1): generic failure: GSSAPI Error: Unspecified GSS failure. Minor code may provide more information (KDC returned error string: 2ND_TKT_SERVER)
[root@dantooine ~]#
[root@dantooine ~]# kdestroy
[root@dantooine ~]# kinit admin
Password for ad...@outerrim.lan:
[root@dantooine ~]# ipa user-show admin
ipa: ERROR: cannot connect to 'https://naboo.outerrim.lan/ipa/json': Unauthorized
/var/log/httpd/error_log on the server gives me:
ValueError: non-generic 'CCacheError' needs format=None; got format="(-1765328353, 'Decrypt integrity check failed')"
What did I do wrong here???
Regards
Martin Juhl
--
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project
--
Martin^3 Babinsky
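Added example, not from this thread or from the FreeIPA project: a POSIX shell check for the situation Sumit describes, where ipa-getkeytab without --retrieve on one host (dantooine) gives the KDC a new key version while the keytab on the service host (naboo) still holds the old one. It compares the highest key version number (KVNO) a host's keytab records for a principal against the KVNO the KDC currently issues, which a practitioner can verify before and after running ipa-getkeytab --retrieve on the right host. The klist -kt and kvno outputs are constructed samples embedded inline; the principal name, timestamps and KVNO values are assumptions.

```shell
#!/bin/sh
# Added example, not from the thread or FreeIPA. It checks whether a host's
# keytab still holds the key version the KDC hands out for a service principal.
# All command output below is constructed sample data; on a real host you would
# capture it with:
#   klist -kt /etc/krb5.keytab
#   kvno HTTP/naboo.outerrim.lan@OUTERRIM.LAN      (after a kinit)

PRINC='HTTP/naboo.outerrim.lan@OUTERRIM.LAN'   # assumed principal name

# Constructed `klist -kt` output on naboo before anyone ran --retrieve there:
# the HTTP key is still at KVNO 2.
NABOO_KLIST_BEFORE='Keytab name: FILE:/etc/krb5.keytab
KVNO Timestamp           Principal
---- ------------------- ------------------------------------------------------
   1 02/10/2016 10:00:00 host/naboo.outerrim.lan@OUTERRIM.LAN
   2 02/10/2016 10:00:00 HTTP/naboo.outerrim.lan@OUTERRIM.LAN'

# Constructed `klist -kt` output on naboo after `ipa-getkeytab --retrieve`
# fetched the current key (KVNO 3); the old entry stays in the file.
NABOO_KLIST_AFTER='Keytab name: FILE:/etc/krb5.keytab
KVNO Timestamp           Principal
---- ------------------- ------------------------------------------------------
   1 02/10/2016 10:00:00 host/naboo.outerrim.lan@OUTERRIM.LAN
   2 02/10/2016 10:00:00 HTTP/naboo.outerrim.lan@OUTERRIM.LAN
   3 02/15/2016 16:30:00 HTTP/naboo.outerrim.lan@OUTERRIM.LAN'

# Constructed `kvno` output: the KDC now encrypts service tickets with KVNO 3
# because ipa-getkeytab without --retrieve generated a fresh key on dantooine.
KDC_KVNO_OUT='HTTP/naboo.outerrim.lan@OUTERRIM.LAN: kvno = 3'

# keytab_kvno KLIST_OUTPUT PRINCIPAL -> highest KVNO stored for PRINCIPAL (0 if absent)
keytab_kvno() {
  printf '%s\n' "$1" | awk -v p="$2" 'BEGIN { max = 0 }
    $NF == p && ($1 + 0) > max { max = $1 + 0 }
    END { print max }'
}

# kdc_kvno KVNO_OUTPUT PRINCIPAL -> KVNO the KDC currently issues (0 if absent)
kdc_kvno() {
  printf '%s\n' "$1" | awk -v p="$2" 'BEGIN { v = 0 }
    $1 == (p ":") { v = $NF + 0 }
    END { print v }'
}

# check_keytab_current KLIST_OUTPUT KVNO_OUTPUT PRINCIPAL
#   returns 0: keytab holds the key version the KDC uses
#   returns 1: keytab and KDC disagree (tickets cannot be decrypted on this host)
#   returns 2: principal missing from the keytab or unknown to the KDC
check_keytab_current() {
  kt_v=$(keytab_kvno "$1" "$3")
  kdc_v=$(kdc_kvno "$2" "$3")
  if [ "$kt_v" -eq 0 ] || [ "$kdc_v" -eq 0 ]; then
    echo "$3: keytab KVNO=$kt_v, KDC KVNO=$kdc_v: principal missing on one side"
    return 2
  fi
  if [ "$kt_v" -ne "$kdc_v" ]; then
    echo "$3: keytab KVNO $kt_v, KDC KVNO $kdc_v: stale keytab, refresh it on this host with ipa-getkeytab --retrieve"
    return 1
  fi
  echo "$3: keytab KVNO $kt_v matches the KDC"
  return 0
}

# Demonstration on the constructed samples: mismatch before, match after.
check_keytab_current "$NABOO_KLIST_BEFORE" "$KDC_KVNO_OUT" "$PRINC" || :
check_keytab_current "$NABOO_KLIST_AFTER" "$KDC_KVNO_OUT" "$PRINC"
```

Run it on a real host by replacing the three sample variables with captured output; a non-zero status from check_keytab_current is the cue to run ipa-getkeytab --retrieve on that host (and, for the Apache keytab, to restart httpd or clear its credential cache as described above) rather than generating yet another key from elsewhere.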