On 08/30/2017 04:44 PM, Julien Honore via FreeIPA-users wrote:
Hi Flo,

When I try to apply the command, the result is:

ipa-getkeytab --principal=host/$vltws01.vit....@vit.lan
Usage: ipa-getkeytab [-qPr?] [-q|--quiet] [-s|--server=Server Name]
         [-p|--principal=Kerberos Service Principal Name]
         [-k|--keytab=Keytab File Name]
         [-e|--enctypes=Comma separated encryption types list]
         [--permitted-enctypes] [-P|--password]
         [-D|--binddn=DN to bind as if not using kerberos]
         [-w|--bindpw=password to use if not using kerberos] [-r|--retrieve]
         [-?|--help] [--usage]

I tried a different way:

ipa-getkeytab -p host/vltws01.vit.lan
Usage: ipa-getkeytab [-qPr?] [-q|--quiet] [-s|--server=Server Name]
         [-p|--principal=Kerberos Service Principal Name]
         [-k|--keytab=Keytab File Name]
         [-e|--enctypes=Comma separated encryption types list]
         [--permitted-enctypes] [-P|--password]
         [-D|--binddn=DN to bind as if not using kerberos]
         [-w|--bindpw=password to use if not using kerberos] [-r|--retrieve]
         [-?|--help] [--usage]

And when I tried with the ipa-server, I have this result:

ipa-getkeytab -s auth0.vit.lan -p host/vltws01.vit.lan -k /etc/krb5.keytab
Kerberos User Principal not found. Do you have a valid Credential Cache?

Hi,

you need to provide -D "cn=directory manager" -w <directory manager password> if you do not have a valid kerberos ticket when you run ipa-getkeytab. You may want to refer to the ipa-getkeytab man page for the full description of the required parameters.

HTH,
Flo
Like I said at the beginning, I changed the date on the IPA-Server and the 
users can continue to work.

I don't understand why the certificates did not auto renew after they were 
expired.

Thank you.

Julien Honore

----- Original Message -----
From: "Florence Blanc-Renaud" <f...@redhat.com>
To: "Julien Honore" <jhon...@bmad.tech>, "freeipa-users" 
<freeipa-users@lists.fedorahosted.org>
Sent: Wednesday, 30 August, 2017 09:11:00
Subject: Re: [Freeipa-users] Freeipa Certificates issues

On 08/29/2017 06:43 PM, Julien Honore wrote:
Hi Florence,

Thank you for the reply.

When I execute the command sudo kinit -kt /etc/krb5.keytab
the result is:
kinit: Clients credentials have been revoked while getting initial credentials

When I try the command ipa-getkeytab, I don't have the same option.

Hi,

(putting mailing list back in the recipients list)
you are right, the --retrieve option was added only in IPA 4.x.

If you run ipa-getkeytab without the -r option, it will request a new
host keytab (all other keytabs previously obtained will be invalidated).
So this should unblock certmonger, but if you were using the host keytab
in other places you will need to overwrite them with the new keytab.

Flo

Thank you.

Julien Honore.

----- Original Message -----
From: "Florence Blanc-Renaud" <f...@redhat.com>
To: "freeipa-users" <freeipa-users@lists.fedorahosted.org>
Cc: "Julien Honore" <jhon...@bmad.tech>
Sent: Tuesday, 29 August, 2017 12:14:10
Subject: Re: [Freeipa-users] Freeipa Certificates issues

On 08/29/2017 04:09 PM, Julien Honore via FreeIPA-users wrote:

Hi,

I have an issue with my freeipa server.

The certificates expired and I can't resubmit.

I put the date before the expiration of the certs.

The result of ipa-getcert list:

Number of certificates and requests being tracked: 8.
Request ID '20150805183502':
status: MONITORING
ca-error: Error setting up ccache for "host" service on client using
default keytab: Clients credentials have been revoked.
stuck: no
key pair storage:
type=NSSDB,location='/etc/dirsrv/slapd-VIT-LAN',nickname='Server-Cert',token='NSS
Certificate DB',pinfile='/etc/dirsrv/slapd-VIT-LAN/pwdfile.txt'
certificate:
type=NSSDB,location='/etc/dirsrv/slapd-VIT-LAN',nickname='Server-Cert',token='NSS
Certificate DB'
CA: IPA
issuer: CN=Certificate Authority,O=VIT.LAN
subject: CN=auth0.vit.lan,O=VIT.LAN
expires: 2017-08-05 18:35:02 UTC
key usage: digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment
eku: id-kp-serverAuth,id-kp-clientAuth
pre-save command:
post-save command:
track: yes
auto-renew: yes
Request ID '20150805183539':
status: MONITORING
ca-error: Error setting up ccache for "host" service on client using
default keytab: Clients credentials have been revoked.
stuck: no
key pair storage:
type=NSSDB,location='/etc/dirsrv/slapd-PKI-IPA',nickname='Server-Cert',token='NSS
Certificate DB',pinfile='/etc/dirsrv/slapd-PKI-IPA/pwdfile.txt'
certificate:
type=NSSDB,location='/etc/dirsrv/slapd-PKI-IPA',nickname='Server-Cert',token='NSS
Certificate DB'
CA: IPA
issuer: CN=Certificate Authority,O=VIT.LAN
subject: CN=auth0.vit.lan,O=VIT.LAN
expires: 2017-08-05 18:35:39 UTC
key usage: digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment
eku: id-kp-serverAuth,id-kp-clientAuth
pre-save command:
post-save command:
track: yes
auto-renew: yes
Request ID '20150805183647':
status: MONITORING
ca-error: Error setting up ccache for "host" service on client using
default keytab: Clients credentials have been revoked.
stuck: no
key pair storage:
type=NSSDB,location='/etc/httpd/alias',nickname='Server-Cert',token='NSS
Certificate DB',pinfile='/etc/httpd/alias/pwdfile.txt'
certificate:
type=NSSDB,location='/etc/httpd/alias',nickname='Server-Cert',token='NSS
Certificate DB'
CA: IPA
issuer: CN=Certificate Authority,O=VIT.LAN
subject: CN=auth0.vit.lan,O=VIT.LAN
expires: 2017-08-05 18:36:47 UTC
key usage: digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment
eku: id-kp-serverAuth,id-kp-clientAuth
pre-save command:
post-save command:
track: yes
auto-renew: yes

If someone can help me with this issue, it will be very helpful.

Directory Service: RUNNING
KDC Service: RUNNING
KPASSWD Service: RUNNING
MEMCACHE Service: RUNNING
HTTP Service: RUNNING
CA Service: RUNNING
ADTRUST Service: RUNNING
EXTID Service: RUNNING

FreeIPA v3.

Thank you

Julien Honore
_______________________________________________
FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org
To unsubscribe send an email to freeipa-users-le...@lists.fedorahosted.org

Hi,

I have very little experience with IPA v3, but let's try anyway... If
things didn't change too much, certmonger's IPA helper is using
/etc/krb5.keytab to connect to IPA server. Can you check if this keytab
is still valid using
$ sudo kinit -kt /etc/krb5.keytab

If the operation fails, this is probably the root cause of your issue.
The utility ipa-getkeytab will allow you to get the host keytab (with
the --retrieve option and --principal=host/$HOSTNAME@$DOMAINNAME).

HTH,
Flo


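As an added example that is not part of this thread: a small POSIX shell helper that parses `ipa-getcert list` output in the layout shown above and flags tracked requests that certmonger cannot renew (a ca-error about revoked credentials, i.e. the host keytab problem diagnosed above) or that are already past their expiry, so the condition is noticed before users are affected. The sample listing is constructed, modelled on the one in the thread.

```shell
# Added example, not from the thread: flag tracked certmonger requests that
# cannot renew (ca-error about revoked credentials) or have already expired.

# Constructed excerpt in the layout of `ipa-getcert list`. The ca-error text
# wraps onto a second line exactly as in the thread, so the parser must not
# assume the error fits on the "ca-error:" line.
SAMPLE=$(cat <<'EOF'
Number of certificates and requests being tracked: 3.
Request ID '20150805183502':
    status: MONITORING
    ca-error: Error setting up ccache for "host" service on client using
default keytab: Clients credentials have been revoked.
    expires: 2017-08-05 18:35:02 UTC
Request ID '20150805183539':
    status: MONITORING
    expires: 2018-08-05 18:35:39 UTC
Request ID '20160101120000':
    status: MONITORING
    expires: 2017-08-01 00:00:00 UTC
EOF
)

# Usage: flag_requests "YYYY-MM-DD HH:MM:SS" < getcert-output
# Prints one line per request: <id> renewable=yes|no expired=yes|no
flag_requests() {
  awk -v now="$1" '
    function emit() {
      ren = revoked ? "no" : "yes"
      exp_flag = (expiry != "" && expiry < now) ? "yes" : "no"
      print id, "renewable=" ren, "expired=" exp_flag
    }
    /^Request ID/ {
      if (id != "") emit()
      id = $3; gsub(/[^0-9]/, "", id); revoked = 0; expiry = ""
    }
    /credentials have been revoked/ { revoked = 1 }
    /^[ \t]*expires:/ {
      sub(/^[ \t]*expires:[ \t]*/, ""); sub(/[ \t]*UTC[ \t]*$/, "")
      expiry = $0
    }
    END { if (id != "") emit() }'
}

# Run against the constructed sample at the time of the original report.
check_sample() {
  printf '%s\n' "$SAMPLE" | flag_requests "2017-08-29 16:09:00"
}

check_sample
```

Any request reported as renewable=no needs the host keytab fixed first (the ipa-getkeytab step discussed above); expired=yes with renewable=yes means certmonger can retry once the clock is correct.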