[Freeipa-users] ipa: ERROR: No valid Negotiate header in server response

2024-02-29 Thread Grant Janssen via FreeIPA-users
It appears I have resolved my certificate expiration issue
https://lists.fedorahosted.org/archives/list/freeipa-users@lists.fedorahosted.org/thread/KFQXY6V4UKYOWCGD4YCZTCSGFWVL3QK7/


But I have another issue

grant@ef-idm01:~[20240229-10:11][#772]$ klist
Ticket cache: KCM:555
Default principal: gr...@production.efilm.com

Valid starting   Expires  Service principal
02/29/2024 10:11:56  03/01/2024 09:42:34  krbtgt/production.efilm@production.efilm.com
grant@ef-idm01:~[20240229-10:12][#773]$ ipa user-find roland
ipa: ERROR: No valid Negotiate header in server response
grant@ef-idm01:~[20240229-10:12][#774]$ ipa server-find
ipa: ERROR: No valid Negotiate header in server response
grant@ef-idm01:~[20240229-10:18][#775]$ sudo systemctl status gssproxy.service
[sudo] password for grant:
● gssproxy.service - GSSAPI Proxy Daemon
   Loaded: loaded (/usr/lib/systemd/system/gssproxy.service; disabled; vendor preset: disabled)
   Active: active (running) since Tue 2024-02-20 13:57:40 PST; 1 weeks 1 days ago
  Process: 2158008 ExecStart=/usr/sbin/gssproxy -D (code=exited, status=0/SUCCESS)
 Main PID: 2158009 (gssproxy)
    Tasks: 6 (limit: 74714)
   Memory: 10.5M
   CGroup: /system.slice/gssproxy.service
           └─2158009 /usr/sbin/gssproxy -D

Feb 20 13:57:40 ef-idm01.production.efilm.com systemd[1]: gssproxy.service: Succeeded.
Feb 20 13:57:40 ef-idm01.production.efilm.com systemd[1]: Stopped GSSAPI Proxy Daemon.
Feb 20 13:57:40 ef-idm01.production.efilm.com systemd[1]: Starting GSSAPI Proxy Daemon...
Feb 20 13:57:40 ef-idm01.production.efilm.com systemd[1]: Started GSSAPI Proxy Daemon.
grant@ef-idm01:~[20240229-10:18][#776]$

I searched online for some references and it was suggested I generate the 
/var/lib/ipa/gssproxy/http.keytab
The keytab file appears OKAY to me though.

I would like to get this issue behind me
thanx

- grant

--
___
FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org
To unsubscribe send an email to freeipa-users-le...@lists.fedorahosted.org
Fedora Code of Conduct: 
https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: 
https://lists.fedorahosted.org/archives/list/freeipa-users@lists.fedorahosted.org
Do not reply to spam, report it: 
https://pagure.io/fedora-infrastructure/new_issue


[Freeipa-users] ipa: ERROR: No valid Negotiate header in server response

2018-04-03 Thread Zarko Dudic via FreeIPA-users

Hi there,

Seems I have to kinit every time in order to run ipa command, as a quick 
fix!?


The client is ipa-client-4.5.0-22.0.1.el7_4.x86_64
Servers are ipa-server-4.4.0-12.0.1.el7.x86_64

This has started recently and I am not able to track any changes that 
could cause this. This happens:


# kinit
# ipa -d -vv user-find  bob

- get good results. Then run same command again.

# ipa -d -vv user-find  bob

ipa: DEBUG: New HTTP connection (ldap03.pls.com)
ipa: DEBUG: HTTP connection destroyed (ldap03.pls.com)
Traceback (most recent call last):
  File "/usr/lib/python2.7/site-packages/ipalib/rpc.py", line 697, in single_request
    if not self._auth_complete(response):
  File "/usr/lib/python2.7/site-packages/ipalib/rpc.py", line 657, in _auth_complete
    message=u"No valid Negotiate header in server response")
KerberosError: No valid Negotiate header in server response
ipa: ERROR: No valid Negotiate header in server response

[can provide more info if needed].


The kinit allows only the next run to be successful.
I notice that the problem occurs only with ldap03; ldap03 is called when 
running ipa for the second time. And after kinit, other servers are 
queried, not ldap03, hence no issue.
Another longer-term 'fix' is in /etc/hosts, assigning the IP (of another 
server) to ldap03, basically "avoiding" ldap03.


Any ideas for troubleshooting are appreciated. Thanks in advance!


--
Thanks,
Zarko


[Freeipa-users] ipa: ERROR: No valid Negotiate header in server response

2018-01-21 Thread Matt . via FreeIPA-users
Hello,

I'm facing an issue on my IPA server (currently 4.6.1, same happened on 4.5.4) 
with Kerberos tickets. As I was investigating this and tried to add a server 
with an admin ticket, I get the following both on the IPA server itself and on a 
client with freeipa-admintools as well:

$kinit admin
$klist
Ticket cache: KEYRING:persistent:0:0
Default principal: ad...@domain.tld

Valid starting   Expires  Service principal
01/21/2018 22:52:35  01/22/2018 22:52:29  HTTP/ipa-01.domain@domain.tld
01/21/2018 22:52:30  01/22/2018 22:52:29  krbtgt/domain@domain.tld

$ipa service-add HTTP/client-01.domain@domain.tld
ipa: ERROR: No valid Negotiate header in server response

What is going wrong here? I cannot find much about it.

Thanks,

Matt