On Wed, 2023-06-07 at 14:35 +0200, Ronald Wimmer via FreeIPA-users
wrote:
> On 07.06.23 14:25, Simo Sorce via FreeIPA-users wrote:
> > On Wed, 2023-06-07 at 10:36 +0200, Ronald Wimmer via FreeIPA-users
> > wrote:
> > > On 19.09.17 12:07, Alexander Bokovoy wrote:
> > > > On ti, 19 syys 2017, Ronald Wimmer wrote:
> > > > > On 2017-09-19 11:53, Alexander Bokovoy wrote:
> > > > > > [...]
> > > > > > Please spend some time reading the documentation. It is vast and
> > > > > > has a lot of answers to questions people keep asking on these lists.
> > > > > 
> > > > > I've already spent some time reading the documentation. Since
> > > > > "ipa-getkeytab" worked I was not aware of the fact that "ipa-getkeytab
> > > > > -r" would need:
> > > > > 
> > > > > ipa service-allow-retrieve-keytab HTTP/cluster.idm.example.com 
> > > > > --hosts={node01.idm.example.com,node02.idm.example.com}
> > > > That's why I gave you these links, as you obviously didn't read
> > > > them.
> > > > 
> > > > Glad that it works now.
> > > 
> > > As we ran into this problem again it should be mentioned that restarting
> > > gssproxy.service can be necessary.
> > > 
> > > In our case Apache was looking for a KVNO 1 whereas the actual file did
> > > already have version number 4.
> > 
> > 
> > FWIW, gssapi should pick up new keys in keytabs without the need to
> > restart.
> 
> I had to fetch a new keytab for this particular host as the host was 
> accidentally deleted in IPA. (would the old keytab file on the server 
> still have worked after re-adding the host in IPA?)

Not really.
However for a server, if you re-key the principal you SHOULD preserve
the old key in the keytab and just add the new key in, not replace the
keytab.

Because any client that already has obtained a ticket for the server
will not go and refresh it until it expires. So if you just replace the
keytab you will have a communication breakout with existing clients
that can last hours (unless they delete and re-init their credential
cache).

The old key can be removed after all tickets have expired; the expiration
time used for the TGT is a good measure of how long you should
keep the old key in (could be anything from hours to days).

Simo.

-- 
Simo Sorce
RHEL Crypto Team
Red Hat, Inc

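An added example, not part of this thread and not FreeIPA's own tooling: a small Python parser for MIT-format (version 0x0502) keytabs that lists which KVNOs a keytab still holds for each principal, so you can confirm after a re-key that the old key was kept rather than replaced, and a helper that applies the rule above (drop the old key once the longest ticket lifetime has elapsed since the re-key). The sample principals, timestamps and key bytes are constructed for the example and are not real keys; the pruning helper assumes the write timestamp of the newest entry approximates the re-key time and takes the maximum ticket lifetime as a parameter.

```python
"""Inspect an MIT-format (0x0502) keytab to confirm that the previous key
version survived a re-key and to decide when it may be pruned.
Sample entries below are constructed; the key bytes are not real keys."""
import struct
from collections import defaultdict

# Keytab v2 layout, big-endian:
#   int32 entry_size (negative = deleted slot), uint16 num_components,
#   realm (uint16 len + bytes), num_components * (uint16 len + bytes),
#   uint32 name_type, uint32 timestamp, uint8 vno8,
#   uint16 enctype, uint16 key_len, key bytes, optional uint32 vno32.


def _counted(data, off):
    """Read a uint16-length-prefixed byte string."""
    (n,) = struct.unpack_from(">H", data, off)
    off += 2
    return data[off:off + n], off + n


def parse_keytab(data):
    """Return one dict per live entry: principal, kvno, enctype, timestamp."""
    if data[:2] != b"\x05\x02":
        raise ValueError("only keytab format version 0x0502 is supported")
    off, entries = 2, []
    while off < len(data):
        (size,) = struct.unpack_from(">i", data, off)
        off += 4
        if size < 0:              # hole left by a deleted entry: skip it
            off += -size
            continue
        end = off + size
        (ncomp,) = struct.unpack_from(">H", data, off)
        off += 2
        realm, off = _counted(data, off)
        comps = []
        for _ in range(ncomp):
            c, off = _counted(data, off)
            comps.append(c.decode())
        _name_type, ts, vno8 = struct.unpack_from(">IIB", data, off)
        off += 9
        enctype, klen = struct.unpack_from(">HH", data, off)
        off += 4 + klen           # key material itself is not needed here
        vno = vno8
        if end - off >= 4:        # 32-bit vno trailer overrides the 8-bit one
            (vno32,) = struct.unpack_from(">I", data, off)
            vno = vno32 or vno8
        off = end
        entries.append({"principal": "/".join(comps) + "@" + realm.decode(),
                        "kvno": vno, "enctype": enctype, "timestamp": ts})
    return entries


def build_keytab(entries):
    """Serialize (principal, kvno, enctype, timestamp, key) tuples to keytab bytes."""
    out = b"\x05\x02"
    for principal, kvno, enctype, ts, key in entries:
        name, realm = principal.rsplit("@", 1)
        comps = name.split("/")
        body = struct.pack(">H", len(comps))
        body += struct.pack(">H", len(realm)) + realm.encode()
        for c in comps:
            body += struct.pack(">H", len(c)) + c.encode()
        body += struct.pack(">IIB", 1, ts, kvno & 0xFF)   # name_type 1 = NT-PRINCIPAL
        body += struct.pack(">HH", enctype, len(key)) + key
        body += struct.pack(">I", kvno)
        out += struct.pack(">i", len(body)) + body
    return out


def kvnos_by_principal(entries):
    """Map principal -> sorted list of KVNOs present in the keytab."""
    found = defaultdict(set)
    for e in entries:
        found[e["principal"]].add(e["kvno"])
    return {p: sorted(v) for p, v in found.items()}


def prunable_kvnos(entries, max_ticket_life, now):
    """Old KVNOs that are safe to delete: every ticket that could have been
    issued under them has expired, assuming the newest entry's timestamp is
    the re-key time and max_ticket_life is the longest ticket lifetime."""
    newest = defaultdict(dict)
    for e in entries:
        prev = newest[e["principal"]].get(e["kvno"], 0)
        newest[e["principal"]][e["kvno"]] = max(prev, e["timestamp"])
    result = {}
    for principal, by_kvno in newest.items():
        current = max(by_kvno)
        old = sorted(k for k in by_kvno if k != current)
        if old and now - by_kvno[current] >= max_ticket_life:
            result[principal] = old
    return result


# Constructed sample: the HTTP service was re-keyed from KVNO 3 to 4 at t=1050000
# and the old key was kept; the host principal was never re-keyed.
SAMPLE_ENTRIES = [
    ("HTTP/cluster.idm.example.com@IDM.EXAMPLE.COM", 3, 18, 1000000, bytes(range(32))),
    ("HTTP/cluster.idm.example.com@IDM.EXAMPLE.COM", 4, 18, 1050000, bytes(range(32, 64))),
    ("host/node01.idm.example.com@IDM.EXAMPLE.COM", 2, 17, 900000, bytes(range(16))),
]

if __name__ == "__main__":
    parsed = parse_keytab(build_keytab(SAMPLE_ENTRIES))
    print("KVNOs present:", kvnos_by_principal(parsed))
    print("Safe to prune one day later:", prunable_kvnos(parsed, 86400, 1050000 + 86400))
```

To check a real file, read /etc/krb5.keytab (or the service's own keytab) as bytes and pass it to parse_keytab; `klist -kte` shows the same KVNO and timestamp columns without the script. A principal that shows only the new KVNO right after a re-key is the situation the reply warns about: clients holding tickets issued under the old KVNO will fail until those tickets expire. The helper only reports which old KVNOs are safe to drop; removing them is a separate step with ktutil's delete_entry.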

_______________________________________________
FreeIPA-users mailing list -- [email protected]
To unsubscribe send an email to [email protected]
Fedora Code of Conduct: 
https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: 
https://lists.fedorahosted.org/archives/list/[email protected]
Do not reply to spam, report it: 
https://pagure.io/fedora-infrastructure/new_issue