[email protected] wrote:
>> Got what new ticket? IPA provides its own tooling for managing keytabs,
>> ipa-getkeytab.
>
> I kept saying ticket. I meant keytab. I used ktutil to get new keytab entries.
>
>> On another system you might try kvno to see what IPA thinks the principal
>> version should be with just kvno ldap/<hostname>
>
> On a client server, it says:
>
> root@cumulus etc $ kvno ldap/pacific.caps.int
> ldap/[email protected]: kvno = 2
>
> which matches kvno = 2 on Pacific, the IPA server.
>
> root@pacific ~ $ kvno ldap/pacific.caps.int
> ldap/[email protected]: kvno = 2
>
>> Is this your only IPA server?
>
> Yes, only IPA server is Pacific.
I'm not sure what happened originally nor if using ktutil broke things further. We typically don't recommend directly using Kerberos utilities in favor of using IPA-provided commands. The Kerberos utilities are not well-tested for interoperability with IPA. Not saying that's related but we don't test it.

You might try using ipa-getkeytab to get a new ds.keytab key version but with the ldap keytab being bad I'm doubtful that this will succeed. It's a chicken-and-egg scenario.

rob

>
> Thanks,
> Bryan
>
>
> -----Original Message-----
> From: Rob Crittenden <[email protected]>
> Sent: Friday, July 19, 2024 7:32 AM
> To: [email protected]; 'FreeIPA users list'
> <[email protected]>
> Subject: Re: [Freeipa-users] GSSAPI authentication failure
>
> [email protected] wrote:
>> (Resending this email, files were too large)
>>
>> Sorry for the delayed reply. I was on vacation for a few days.
>>
>>> Please show us the KDC log when you are provoking a failure.
>>
>> I'm attaching the slapd access, slapd error, krb5kdb.log and kadmind.log.
>> The only thing of note I see in those logs is in the slapd access log:
>>
>> [11/Jul/2024:17:32:01.528294151 -0500] conn=57224 op=1 RESULT err=49
>> tag=97 nentries=0 wtime=0.000076683 optime=0.265358256
>> etime=0.265415438 - SASL(-13): authentication failure: GSSAPI Failure:
>> gss_accept_sec_context
>>
>> which shows up often.
>>
>>> I'm not sure what ticket you're referring to, unless you mean a TGT.
>>
>> I think GSSAPI errors may be related to this ticket issue showing "keytab
>> entry invalid":
>>
>> root@pacific ~ $ klist -kte /etc/dirsrv/ds.keytab
>> Keytab name: FILE:/etc/dirsrv/ds.keytab
>> KVNO Timestamp           Principal
>> ---- ------------------- ------------------------------------------------------
>>    2 07/11/2024 18:54:19 ldap/[email protected] (aes256-cts-hmac-sha1-96)
>>    2 07/11/2024 19:44:09 ldap/[email protected] (aes128-cts-hmac-sha1-96)
>> root@pacific ~ $ kvno -k /etc/dirsrv/ds.keytab ldap/pacific.caps.int
>> ldap/[email protected]: kvno = 2, keytab entry invalid
>> kvno: Wrong principal in request while decrypting ticket for
>> ldap/[email protected]
>>
>> That's after I got a new ticket with ktutil.
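As an added diagnostic for the situation in this thread (not part of the original mail or of FreeIPA's tooling), a small Python script that parses `klist -kte` and `kvno -k` output and reports, per principal, whether the keytab lacks the key version the KDC issued or, as in Bryan's case, has the right kvno but key material that cannot decrypt the ticket. The sample outputs are constructed and the realm `EXAMPLE.REALM` is a placeholder.

```python
import re

# Constructed sample of `klist -kte /etc/dirsrv/ds.keytab` output (realm is a placeholder).
KLIST_SAMPLE = """Keytab name: FILE:/etc/dirsrv/ds.keytab
KVNO Timestamp           Principal
---- ------------------- ------------------------------------------------------
   2 07/11/2024 18:54:19 ldap/pacific.caps.int@EXAMPLE.REALM (aes256-cts-hmac-sha1-96)
   2 07/11/2024 19:44:09 ldap/pacific.caps.int@EXAMPLE.REALM (aes128-cts-hmac-sha1-96)
"""
# Constructed sample of `kvno -k /etc/dirsrv/ds.keytab ldap/pacific.caps.int` output.
KVNO_SAMPLE = """ldap/pacific.caps.int@EXAMPLE.REALM: kvno = 2, keytab entry invalid
kvno: Wrong principal in request while decrypting ticket for ldap/pacific.caps.int@EXAMPLE.REALM
"""
# One keytab row: "<kvno> <date> <time> <principal> (<enctype>)".
KLIST_RE = re.compile(r"^\s*(\d+)\s+\S+ \S+\s+(\S+)\s+\((\S+)\)\s*$")
# kvno result line; the trailing flag means the keytab key could not decrypt the KDC-issued ticket.
KVNO_RE = re.compile(r"^(\S+): kvno = (\d+)(, keytab entry invalid)?\s*$")

def parse_klist(text):
    """Map principal -> {(kvno, enctype), ...} from `klist -kte` output."""
    entries = {}
    for m in filter(None, map(KLIST_RE.match, text.splitlines())):
        entries.setdefault(m.group(2), set()).add((int(m.group(1)), m.group(3)))
    return entries

def parse_kvno(text):
    """Map principal -> (kvno the KDC used, key_valid) from `kvno -k` output."""
    return {m.group(1): (int(m.group(2)), m.group(3) is None)
            for m in filter(None, map(KVNO_RE.match, text.splitlines()))}

def check_keytab(klist_text, kvno_text):
    """Return one finding per principal that cannot accept tickets with this keytab."""
    keytab, findings = parse_klist(klist_text), []
    for princ, (kdc_kvno, valid) in parse_kvno(kvno_text).items():
        kvnos = sorted({k for k, _ in keytab.get(princ, set())})
        if not kvnos:
            findings.append(f"{princ}: no entry in keytab")
        elif kdc_kvno not in kvnos:
            findings.append(f"{princ}: keytab has kvno {kvnos}, KDC issued kvno {kdc_kvno}")
        elif not valid:
            findings.append(f"{princ}: kvno {kdc_kvno} matches but the key does not decrypt "
                            "the ticket; re-fetch the keytab with ipa-getkeytab")
    return findings

if __name__ == "__main__":
    for finding in check_keytab(KLIST_SAMPLE, KVNO_SAMPLE) or ["keytab OK"]:
        print(finding)
```

A matching kvno alone proves nothing, which is why the check only reports "OK" when kvno -k also decrypted the ticket.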
