Frederic Ayrault via FreeIPA-users wrote:
>
> On 30/01/2025 at 13:48, Florence Blanc-Renaud wrote:
>> Hi,
>>
>> the server is in a strange situation as it has in the file a keytab
>> with kvno 2 but in the LDAP database kvno 1.
>> This could happen if the keytab was renewed someday but there was an
>> ipa-restore or re-initialize from other replicas which would not know
>> of this new one.
>>
>> To fix the issue I would try to retrieve the keytab with kvno 1 with
>> the following command:
>> ipa-getkeytab -r -p 'HTTP/[email protected]' -D cn=directory\ manager -w Secret123 -k /tmp/gssproxy.keytab
>
> this is ok
>
> Récupération du tableau de clés et stockage avec succès dans : /tmp/gssproxy.keytab
>
>> The -r option is very important as it allows retrieving the keytab
>> (without the -r option, a new keytab gets generated).
>> Then check that the new keytab has kvno 1 as expected with klist -kte /tmp/gssproxy.keytab,
>
> this also works
>
> Keytab name: FILE:/tmp/gssproxy.keytab
> KVNO Timestamp           Principal
> ---- ------------------- ------------------------------------------------------
>    1 30/01/2025 14:33:57 HTTP/[email protected] (aes256-cts-hmac-sha1-96)
>    1 30/01/2025 14:33:57 HTTP/[email protected] (aes128-cts-hmac-sha1-96)
>    1 30/01/2025 14:33:57 HTTP/[email protected] (des3-cbc-sha1)
>    1 30/01/2025 14:33:57 HTTP/[email protected] (arcfour-hmac)
>
>> try kinit with this one.

Can you show us the exact command you used?

rob

> but this fails
>
> [13189] 1738244077.982026: Resolving unique ccache of type KEYRING
> [13189] 1738244077.982027: Getting initial credentials for HTTP/[email protected]
> [13189] 1738244077.982028: Looked up etypes in keytab: (empty)
> [13189] 1738244077.982029: Getting initial credentials for HTTP/[email protected]
> [13189] 1738244077.982030: Looked up etypes in keytab: (empty)
> kinit: Keytab contains no suitable keys for HTTP/[email protected] while getting initial credentials
>
>> If it succeeds, replace the file /var/lib/ipa/gssproxy/http.keytab
>> with /tmp/gssproxy.keytab (make a backup first) and restart ipa
>> services with ipactl restart.
>>
>> You should also check that there is no replication issue between your
>> servers.
>
> what is the best way to do it, ipa-replica-manage list-ruv ? all the
> servers have the same values
> and there are No CS-RUVs found (I also compare ldapsearch results
> between servers)
>
>> flo
>
> Thank you
>
> Regards,
>
> Frederic

-- 
FreeIPA-users mailing list -- [email protected]
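An added example, not from the thread, for checking the keytab-file-versus-KDC kvno mismatch Florence describes: it parses `klist -kte` output to find the kvno(s) a keytab holds per principal and compares the highest one with the kvno the KDC currently issues (via `kvno`). It assumes MIT krb5's klist and kvno are on the path and uses a constructed placeholder host and realm; the sample klist text is constructed for the offline self-check.

```shell
#!/bin/sh
# Constructed sample of `klist -kte` output (placeholder host/realm), shaped
# like the listing in the thread but with one renewed kvno 2 entry mixed in.
SAMPLE_KLIST='Keytab name: FILE:/tmp/gssproxy.keytab
KVNO Timestamp           Principal
---- ------------------- ------------------------------------------------------
   1 30/01/2025 14:33:57 HTTP/ipa.example.test@EXAMPLE.TEST (aes256-cts-hmac-sha1-96)
   1 30/01/2025 14:33:57 HTTP/ipa.example.test@EXAMPLE.TEST (aes128-cts-hmac-sha1-96)
   2 30/01/2025 14:40:11 HTTP/ipa.example.test@EXAMPLE.TEST (aes256-cts-hmac-sha1-96)'

# Read `klist -kte` output on stdin and print unique "principal kvno" pairs.
# Only rows whose first field is numeric are keytab entries; the trailing
# "(etype)" is stripped so the principal becomes the last field.
keytab_kvnos() {
  awk '$1 ~ /^[0-9]+$/ { sub(/\(.*\)$/, ""); print $NF, $1 }' | sort -u
}

# Highest kvno recorded for PRINCIPAL in klist output on stdin.
# Prints nothing when the principal is absent (the "no suitable keys" case).
highest_kvno() {  # $1=principal
  keytab_kvnos | awk -v p="$1" '$1 == p { print $2 }' | sort -n | tail -n 1
}

# Compare a keytab kvno with a KDC kvno: 0 = match, 1 = mismatch,
# 2 = one side unknown (principal missing or kvno lookup failed).
compare_kvno() {  # $1=keytab kvno $2=kdc kvno
  [ -n "$1" ] && [ -n "$2" ] || return 2
  [ "$1" = "$2" ]
}

# Live check: needs a valid TGT in the default ccache so `kvno` can fetch a
# service ticket; its "principal: kvno = N" line reflects the KDC's key version.
check_keytab_kvno() {  # $1=keytab file $2=principal
  file_kvno=$(klist -kte "$1" | highest_kvno "$2")
  kdc_kvno=$(kvno "$2" 2>/dev/null | awk -F'kvno = ' '{ print $2 }')
  compare_kvno "$file_kvno" "$kdc_kvno"
  rc=$?
  echo "keytab kvno: ${file_kvno:-none}, KDC kvno: ${kdc_kvno:-unknown}, status: $rc"
  return $rc
}

# Usage: ./check.sh /tmp/gssproxy.keytab HTTP/ipa.example.test@EXAMPLE.TEST
if [ $# -eq 2 ]; then
  check_keytab_kvno "$1" "$2"
fi
```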
