On Fri, 02 Oct 2015, Fujisan wrote:
Well, I think I messed up when trying to configure cockpit to use kerberos.

What should I do to fix this?

I have this on the ipa server:
$ klist -k
Keytab name: FILE:/etc/krb5.keytab
KVNO Principal
---- --------------------------------------------------------------------------
  2 host/zaira2.opera@OPERA
  2 host/zaira2.opera@OPERA
  2 host/zaira2.opera@OPERA
  2 host/zaira2.opera@OPERA
  1 nfs/zaira2.opera@OPERA
  1 nfs/zaira2.opera@OPERA
  1 nfs/zaira2.opera@OPERA
  1 nfs/zaira2.opera@OPERA
  3 HTTP/zaira2.opera@OPERA
  3 HTTP/zaira2.opera@OPERA
  3 HTTP/zaira2.opera@OPERA
  3 HTTP/zaira2.opera@OPERA

You can start by:
0. backup every file mentioned below
1. Move /etc/krb5.keytab somewhere
2. kinit as admin
3. ipa-getkeytab -s `hostname` -p host/`hostname` -k /etc/krb5.keytab
4. restart SSSD
5. Move /etc/httpd/conf/ipa.keytab somewhere
6. ipa-getkeytab -s `hostname` -p HTTP/`hostname` -k /etc/httpd/conf/ipa.keytab
7. Restart httpd

Every time you run 'ipa-getkeytab', the Kerberos key for the service you
specified is replaced on the server side, so that the keys in the keytabs
become unusable.

I guess the cockpit instructions were for something that was not supposed to
run on an IPA master. On an IPA master all the needed services (host/ and
HTTP/) already exist and their keytabs are in place.


On Fri, Oct 2, 2015 at 3:45 PM, Alexander Bokovoy <aboko...@redhat.com> wrote:

On Fri, 02 Oct 2015, Fujisan wrote:

More info:

I can initiate a ticket:
$ kdestroy
$ kinit admin

but cannot view user admin:
$ ipa user-show admin
ipa: ERROR: cannot connect to 'https://zaira2.opera/ipa/json':
Unauthorized

$ ipactl status
Directory Service: RUNNING
krb5kdc Service: RUNNING
kadmin Service: RUNNING
named Service: RUNNING
ipa_memcached Service: RUNNING
httpd Service: RUNNING
pki-tomcatd Service: RUNNING
smb Service: RUNNING
winbind Service: RUNNING
ipa-otpd Service: RUNNING
ipa-dnskeysyncd Service: RUNNING
ipa: INFO: The ipactl command was successful

/var/log/messages:
Oct  2 14:48:55 zaira2 [sssd[ldap_child[4991]]]: Failed to initialize
credentials using keytab [MEMORY:/etc/krb5.keytab]: Decrypt integrity
check
failed. Unable to create GSSAPI-encrypted LDAP connection.

What did you do?

This and the log below about HTTP/zaira2.opera@OPERA show that you have
different keys in LDAP and in your keytab files for host/zaira2.opera
and HTTP/zaira2.opera principals. This might happen if somebody removed
the principals from LDAP (ipa service-del/ipa service-add, or ipa
host-del/ipa host-add) so that they become non-synchronized with
whatever you have in the keytab files.


On Fri, Oct 2, 2015 at 2:26 PM, Fujisan <fujisa...@gmail.com> wrote:

Hello,

I cannot login to the web UI anymore.

The password or username you entered is incorrect.

Log says:

Oct 02 14:22:57 zaira2.opera krb5kdc[3225](info): AS_REQ (9 etypes {18 17
16 23 25 26 1 3 2}) 10.0.21.18: NEEDED_PREAUTH: HTTP/zaira2.opera@OPERA
for krbtgt/OPERA@OPERA, Additional pre-authentication required
Oct 02 14:22:57 zaira2.opera krb5kdc[3225](info): closing down fd 12
Oct 02 14:22:57 zaira2.opera krb5kdc[3225](info): preauth
(encrypted_timestamp) verify failure: Decrypt integrity check failed
Oct 02 14:22:57 zaira2.opera krb5kdc[3225](info): AS_REQ (9 etypes {18 17
16 23 25 26 1 3 2}) 10.0.21.18: PREAUTH_FAILED: HTTP/zaira2.opera@OPERA
for krbtgt/OPERA@OPERA, Decrypt integrity check failed
Oct 02 14:22:57 zaira2.opera krb5kdc[3225](info): closing down fd 12


I have no idea what went wrong.

What can I do?

Regards,
Fuji



--
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project



--
/ Alexander Bokovoy


--
/ Alexander Bokovoy
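The thread's root cause is a key version (KVNO) skew: each ipa-getkeytab run gives the KDC a newer service key than the one left in the keytab, which is what "Decrypt integrity check failed" reports. The script below is an added example, not part of the thread or of FreeIPA; it parses constructed `klist -k` and `kvno` output and lists the principals whose keytab no longer holds the key version the KDC currently uses, so that only those keytabs are re-fetched with the steps at the top of the thread.

```python
"""Flag keytab principals whose KVNO no longer matches the KDC's.

Added example (not from the mailing list thread). Inputs are constructed
samples of `klist -k` and `kvno <principal>...` output; feed real command
output in to use it on a server.
"""
import re
from collections import defaultdict

# Constructed sample of `klist -k /etc/krb5.keytab` (one line per enctype).
KLIST_OUTPUT = """\
Keytab name: FILE:/etc/krb5.keytab
KVNO Principal
---- --------------------------------------------------------------------------
   2 host/zaira2.opera@OPERA
   2 host/zaira2.opera@OPERA
   3 HTTP/zaira2.opera@OPERA
   3 HTTP/zaira2.opera@OPERA
"""

# Constructed sample of `kvno host/zaira2.opera HTTP/zaira2.opera` run with an
# admin TGT: HTTP/ was re-keyed once more with ipa-getkeytab, so the KDC is
# now at kvno 4 while the keytab above still holds kvno 3.
KVNO_OUTPUT = """\
host/zaira2.opera@OPERA: kvno = 2
HTTP/zaira2.opera@OPERA: kvno = 4
"""

KLIST_LINE = re.compile(r"^\s*(\d+)\s+(\S+@\S+)\s*$")
KVNO_LINE = re.compile(r"^(\S+@\S+): kvno = (\d+)\s*$")

def parse_klist(text):
    """Map principal -> set of KVNOs present in the keytab."""
    keytab = defaultdict(set)
    for line in text.splitlines():
        m = KLIST_LINE.match(line)
        if m:
            keytab[m.group(2)].add(int(m.group(1)))
    return dict(keytab)

def parse_kvno(text):
    """Map principal -> KVNO the KDC currently issues service tickets with."""
    return {m.group(1): int(m.group(2))
            for m in map(KVNO_LINE.match, text.splitlines()) if m}

def stale_principals(keytab, kdc):
    """Principals whose keytab lacks the key version the KDC is using."""
    return sorted(p for p, v in kdc.items() if v not in keytab.get(p, set()))

if __name__ == "__main__":
    for p in stale_principals(parse_klist(KLIST_OUTPUT), parse_kvno(KVNO_OUTPUT)):
        print(f"{p}: keytab does not hold the KDC's current key version")
```

A matching KVNO does not prove the key material matches (keys can be replaced with the same version after a service-del/service-add), so `kinit -kt` with the keytab remains the definitive check.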
