On 23/02/16 20:21, Marat Vyshegorodtsev wrote:
Hi!
I've been doing backups using the tool like this:
ipa-backup --data --online
I didn't want any configuration to be backed up, since it is managed
from a chef recipe.
However, when I tried to recover the backup to a fresh FreeIPA
install, Kerberos (GSSAPI) broke — I can't authenticate myself
anywhere using Kerberos: CLI, HTTP, etc.
LDAP password-based authentication works alright.
After some googling and reading through the mailing list, I followed
this manual and updated all keytabs for all services — dirsrv, httpd,
kadmin:
http://www.freeipa.org/page/V3/Backup_and_Restore#Backup.2C_uninstall.2C_reinstall.2C_restore_JUST_the_LDAP_server
Then it broke in a different way: for a correct session it says that
my session is expired or just does nothing, for an incorrect password
it responds with "password incorrect" (see screenshot).
https://yadi.sk/i/WVe8u1_ZpNh3w
For CLI it just says that the credentials are incorrect regardless of
what credentials I provide.
I suppose that all krbPrincipalKey fields are tied to some other
encryption key that is not included in data-only backup.
Could you please let me know how to regenerate krbPrincipalKey for all
users or how to work around this issue?
Best regards,
Marat

Hello Marat,
I would say that this is expected. During freeipa-server installation
all service and host Kerberos keys are generated randomly, stored in
Directory Server and in a keytab accessible to the host/service.
When you reinstall freeipa-server all keys are regenerated and no longer
match the ones stored in your backup.
You can use ipa-getkeytab(1) with Directory Manager credentials to
retrieve new keys, but I think it's not enough to make it work again.
Hopefully someone who understands Kerberos better will advise.
--
David Kupka