Hi,

On Fri, Feb 28, 2025 at 2:40 PM Frederic Ayrault <[email protected]> wrote:
> Hello,
>
> Sorry for the late answer, looks like it is working (I put the log
> hereafter)
>
> One of my replica is down because of electrical problems so I prefer to
> wait before replacing /var/lib/ipa/gssproxy/http.keytab
>
> To avoid any replication issue, is there any precaution to take with the
> replicas,
> stop ipa using ipactl, poweroff the servers or something else ?
>

The ipa-getkeytab -r operation does not write anything in LDAP, it just retrieves an existing value. It means you don't need to worry about the other replicas.

flo

>
> I will do a copy of the VM after using ipa-backup, and just to be sure, is
> this the only command I need to use ?
>
> Thank you
>
> Regards,
>
> Frederic
>
> [9489] 1740749040.198732: Getting initial credentials for
> HTTP/[email protected]
> [9489] 1740749040.198733: Looked up etypes in keytab: aes256-cts,
> aes128-cts, des3-cbc-sha1, rc4-hmac, aes256-cts, aes128-cts, des3-cbc-sha1,
> rc4-hmac
> [9489] 1740749040.198735: Sending unauthenticated request
> [9489] 1740749040.198736: Sending request (215 bytes) to
> LIX.POLYTECHNIQUE.FR
> [9489] 1740749040.198737: Initiating TCP connection to stream
> 193.55.176.152:88
> [9489] 1740749040.198738: Sending TCP request to stream 193.55.176.152:88
> [9489] 1740749040.198739: Received answer (352 bytes) from stream
> 193.55.176.152:88
> [9489] 1740749040.198740: Terminating TCP connection to stream
> 193.55.176.152:88
> [9489] 1740749040.198741: Response was from master KDC
> [9489] 1740749040.198742: Received error from KDC: -1765328359/Additional
> pre-authentication required
> [9489] 1740749040.198745: Preauthenticating using KDC method data
> [9489] 1740749040.198746: Processing preauth types: PA-PK-AS-REQ (16),
> PA-PK-AS-REP_OLD (15), PA-PK-AS-REQ_OLD (14), PA-FX-FAST (136),
> PA-ETYPE-INFO2 (19), PA-PKINIT-KX (147), PA-ENC-TIMESTAMP (2), PA-FX-COOKIE
> (133)
> [9489] 1740749040.198747: Selected etype info: etype aes256-cts, salt
> "B(H"|0MI*@=l?gT\", params ""
> [9489] 1740749040.198748: Received cookie: MIT
> [9489] 1740749040.198749: PKINIT client has no configured identity; giving
> up
> [9489] 1740749040.198750: Preauth module pkinit (147) (info) returned:
> 0/Success
> [9489] 1740749040.198751: PKINIT client has no configured identity; giving
> up
> [9489] 1740749040.198752: Preauth module pkinit (16) (real) returned:
> 22/Argument invalide
> [9489] 1740749040.198753: PKINIT client has no configured identity; giving
> up
> [9489] 1740749040.198754: Preauth module pkinit (14) (real) returned:
> 22/Argument invalide
> [9489] 1740749040.198755: Retrieving
> HTTP/[email protected] from
> FILE:/tmp/gssproxy.keytab (vno 0, enctype aes256-cts) with result:
> 0/Success
> [9489] 1740749040.198756: AS key obtained for encrypted timestamp:
> aes256-cts/E899
> [9489] 1740749040.198758: Encrypted timestamp (for 1740749040.204474):
> plain 301AA011180F32303235303232383133323430305AA1050203031EBA, encrypted
> AA600EB73834E7A15065157CD2A52F22879365F57DC6465EC1D35B0B696C398FAAB109EA583E0E56FE1E68ADA7AE7BE66F1C62EAF70E21C0
> [9489] 1740749040.198759: Preauth module encrypted_timestamp (2) (real)
> returned: 0/Success
> [9489] 1740749040.198760: Produced preauth for next request: PA-FX-COOKIE
> (133), PA-ENC-TIMESTAMP (2)
> [9489] 1740749040.198761: Sending request (310 bytes) to
> LIX.POLYTECHNIQUE.FR
> [9489] 1740749040.198762: Initiating TCP connection to stream
> 193.55.176.152:88
> [9489] 1740749040.198763: Sending TCP request to stream 193.55.176.152:88
> [9489] 1740749040.198764: Received answer (815 bytes) from stream
> 193.55.176.152:88
> [9489] 1740749040.198765: Terminating TCP connection to stream
> 193.55.176.152:88
> [9489] 1740749040.198766: Response was from master KDC
> [9489] 1740749040.198767: Processing preauth types: PA-ETYPE-INFO2 (19)
> [9489] 1740749040.198768: Selected etype info: etype aes256-cts, salt
> "B(H"|0MI*@=l?gT\", params ""
> [9489] 1740749040.198769: Produced preauth for next request: (empty)
> [9489] 1740749040.198770: AS key determined by preauth: aes256-cts/E899
> [9489] 1740749040.198771: Decrypted AS reply; session key is:
> aes256-cts/6082
> [9489] 1740749040.198772: FAST negotiation: available
> [9489] 1740749040.198773: Initializing KEYRING:persistent:0:0 with default
> princ HTTP/[email protected]
> [9489] 1740749040.198774: Storing
> HTTP/[email protected] ->
> krbtgt/[email protected] in KEYRING:persistent:0:0
> [9489] 1740749040.198775: Storing config in KEYRING:persistent:0:0 for
> krbtgt/[email protected]: fast_avail: yes
> [9489] 1740749040.198776: Storing
> HTTP/[email protected] ->
> krb5_ccache_conf_data/fast_avail/krbtgt\/LIX.POLYTECHNIQUE.FR
> \@LIX.POLYTECHNIQUE.FR@X-CACHECONF: in KEYRING:persistent:0:0
> [9489] 1740749040.198777: Storing config in KEYRING:persistent:0:0 for
> krbtgt/[email protected]: pa_type: 2
> [9489] 1740749040.198778: Storing
> HTTP/[email protected] ->
> krb5_ccache_conf_data/pa_type/krbtgt\/LIX.POLYTECHNIQUE.FR
> \@LIX.POLYTECHNIQUE.FR@X-CACHECONF: in KEYRING:persistent:0:0
>
> Frédéric AYRAULT
> Systems and Network Administrator
> Laboratoire d'Informatique de l'Ecole polytechnique
> <http://www.lix.polytechnique.fr>
> [email protected]
>
> On 26/02/2025 at 15:30, Florence Blanc-Renaud via FreeIPA-users wrote:
>
> Hi Frederic,
>
> I see that there was an unwanted space in one of the commands I provided,
> sorry about that:
> ipa-getkeytab -r -p ' HTTP/[email protected]'
> -D cn=directory\ manager -w Secret123 -k /tmp/gssproxy.keytab
>
> (just between the opening ' and HTTP). Please retry without this space:
> ipa-getkeytab -r -p 'HTTP/[email protected]'
> -D cn=directory\ manager -w Secret123 -k /tmp/gssproxy.keytab
>
> flo
>
> On Mon, Feb 24, 2025 at 10:19 AM Frederic Ayrault <[email protected]> wrote:
>
>> Hello,
>>
>> On 30/01/2025 at 21:11, Frederic Ayrault via FreeIPA-users wrote:
>> > Good evening,
>> >
>> >
>> > On 30/01/2025 at 20:58, Rob Crittenden wrote:
>> >> Frederic Ayrault via FreeIPA-users wrote:
>> >>> On 30/01/2025 at 13:48, Florence Blanc-Renaud wrote:
>> >>>
>> >>>> try kinit with this one.
>> >> Can you show us the exact command you used?
>> >
>> > I tried this one :
>> >
>> > KRB5_TRACE=/dev/stderr kinit -kt /tmp/gssproxy.keytab
>> > HTTP/[email protected]
>>
>> is this the correct command ?
>>
>> if not, what should I try ?
>>
>> and if it is the good one, do you have an idea what is the problem ?
>>
>> >
>> >> rob
>> >
>> > Thank you
>> >
>> > Regards,
>> >
>> > Frederic
>> >
>> >>
>> >>> but this fails
>> >>>
>> >>> [13189] 1738244077.982026: Resolving unique ccache of type KEYRING
>> >>> [13189] 1738244077.982027: Getting initial credentials for
>> >>> HTTP/[email protected]
>> >>> [13189] 1738244077.982028: Looked up etypes in keytab: (empty)
>> >>> [13189] 1738244077.982029: Getting initial credentials for
>> >>> HTTP/[email protected]
>> >>> [13189] 1738244077.982030: Looked up etypes in keytab: (empty)
>> >>> kinit: Keytab contains no suitable keys for
>> >>> HTTP/[email protected] while getting
>> >>> initial credentials
>> >>>
>> >
>>
>> Thank you for your help
>>
>> Regards,
>>
>> Frederic
>>
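
Added example (not part of the original thread, and not FreeIPA or MIT krb5 code): a small parser that triages a `KRB5_TRACE` capture of `kinit -kt` as pasted into a mail, telling the empty-keytab failure seen in January apart from the successful AS exchange above and listing deprecated enctypes still present in the keytab. The principal `HTTP/ipa.example.test@EXAMPLE.TEST`, the `WEAK_ETYPES` policy set and the function name `triage_trace` are assumptions of this example.

```python
import re

# Enctypes this example flags as deprecated (policy assumption, adjust to yours).
WEAK_ETYPES = {"des3-cbc-sha1", "rc4-hmac", "des-cbc-crc", "des-cbc-md5"}
TRACE_LINE = re.compile(r"^\[\d+\] \d+\.\d+: (.*)$")

def triage_trace(text):
    """Summarise a KRB5_TRACE capture of `kinit -kt KEYTAB PRINCIPAL`."""
    result = {"principal": None, "keytab_etypes": [], "weak_etypes": [],
              "empty_keytab": False, "preauth_ok": False, "tgt_stored": False}
    messages = []
    for raw in text.splitlines():
        line = re.sub(r"^[>\s]+", "", raw).strip()   # drop mail quote markers
        m = TRACE_LINE.match(line)
        if m:
            messages.append(m.group(1))
        elif messages and line:
            messages[-1] += " " + line               # re-join a wrapped line
    for msg in messages:
        if msg.startswith("Getting initial credentials for "):
            result["principal"] = msg.rsplit(" ", 1)[1]
        elif msg.startswith("Looked up etypes in keytab:"):
            listed = msg.split(":", 1)[1].strip()
            if listed.startswith("(empty)"):
                result["empty_keytab"] = True        # no key matches the principal
            else:
                etypes = sorted({e.strip() for e in listed.split(",")})
                result["keytab_etypes"] = etypes
                result["weak_etypes"] = [e for e in etypes if e in WEAK_ETYPES]
        elif re.match(r"Preauth module encrypted_timestamp .* returned: 0/Success$", msg):
            result["preauth_ok"] = True
        elif msg.startswith("Storing ") and " -> krbtgt/" in msg:
            result["tgt_stored"] = True              # TGT written to the ccache
    return result

# Constructed samples modelled on the two traces in the thread.
FAILED = """\
>>> [13189] 1738244077.982027: Getting initial credentials for HTTP/ipa.example.test@EXAMPLE.TEST
>>> [13189] 1738244077.982028: Looked up etypes in keytab: (empty)
"""
WORKING = """\
> [9489] 1740749040.198732: Getting initial credentials for
> HTTP/ipa.example.test@EXAMPLE.TEST
> [9489] 1740749040.198733: Looked up etypes in keytab: aes256-cts,
> aes128-cts, des3-cbc-sha1, rc4-hmac
> [9489] 1740749040.198759: Preauth module encrypted_timestamp (2) (real) returned: 0/Success
> [9489] 1740749040.198774: Storing HTTP/ipa.example.test@EXAMPLE.TEST ->
> krbtgt/EXAMPLE.TEST@EXAMPLE.TEST in KEYRING:persistent:0:0
"""
```

Calling `triage_trace(WORKING)` reports a stored TGT together with the two deprecated enctypes, while `triage_trace(FAILED)` sets `empty_keytab`, the symptom produced when the keytab was fetched for a principal name with a stray leading space.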
