I still cannot login to the web UI. Here is what I did:
1. mv /etc/krb5.keytab /etc/krb5.keytab.save
2. kinit admin
   Password for admin@OPERA:
3. ipa-getkeytab -s zaira2.opera -p host/zaira2.opera@OPERA -k /etc/krb5.keytab
4. systemctl restart sssd.service
5. mv /etc/httpd/conf/ipa.keytab /etc/httpd/conf/ipa.keytab.save
6. ipa-getkeytab -s zaira2.opera -p HTTP/zaira2.opera@OPERA -k /etc/httpd/conf/ipa.keytab
7. systemctl restart httpd.service

The log says now:

Oct 02 16:40:56 zaira2.opera krb5kdc[9065](info): AS_REQ (9 etypes {18 17 16 23 25 26 1 3 2}) 10.0.21.18: NEEDED_PREAUTH: HTTP/zaira2.opera@OPERA for krbtgt/OPERA@OPERA, Additional pre-authentication required

On Fri, Oct 2, 2015 at 4:25 PM, Alexander Bokovoy <aboko...@redhat.com> wrote:
> On Fri, 02 Oct 2015, Fujisan wrote:
>
>> Well, I think I messed up when trying to configure cockpit to use
>> kerberos.
>>
>> What should I do to fix this?
>>
>> I have this on the ipa server:
>> $ klist -k
>> Keytab name: FILE:/etc/krb5.keytab
>> KVNO Principal
>> ---- --------------------------------------------------------------------------
>>    2 host/zaira2.opera@OPERA
>>    2 host/zaira2.opera@OPERA
>>    2 host/zaira2.opera@OPERA
>>    2 host/zaira2.opera@OPERA
>>    1 nfs/zaira2.opera@OPERA
>>    1 nfs/zaira2.opera@OPERA
>>    1 nfs/zaira2.opera@OPERA
>>    1 nfs/zaira2.opera@OPERA
>>    3 HTTP/zaira2.opera@OPERA
>>    3 HTTP/zaira2.opera@OPERA
>>    3 HTTP/zaira2.opera@OPERA
>>    3 HTTP/zaira2.opera@OPERA
>>
> You can start by:
> 0. backup every file mentioned below
> 1. Move /etc/krb5.keytab somewhere
> 2. kinit as admin
> 3. ipa-getkeytab -s `hostname` -p host/`hostname` -k /etc/krb5.keytab
> 4. restart SSSD
> 5. Move /etc/httpd/conf/ipa.keytab somewhere
> 6. ipa-getkeytab -s `hostname` -p HTTP/`hostname` -k /etc/httpd/conf/ipa.keytab
> 7. Restart httpd
>
> Every time you run 'ipa-getkeytab', Kerberos key for the service
> specified by you is replaced on the server side so that keys in the
> keytabs become unusable.
>
> I guess cockpit instructions were for something that was not supposed to
> run on IPA master. On IPA master there are already all needed services
> (host/ and HTTP/) and their keytabs are in place.
>
>> On Fri, Oct 2, 2015 at 3:45 PM, Alexander Bokovoy <aboko...@redhat.com> wrote:
>>
>>> On Fri, 02 Oct 2015, Fujisan wrote:
>>>
>>>> More info:
>>>>
>>>> I can initiate a ticket:
>>>> $ kdestroy
>>>> $ kinit admin
>>>>
>>>> but cannot view user admin:
>>>> $ ipa user-show admin
>>>> ipa: ERROR: cannot connect to 'https://zaira2.opera/ipa/json': Unauthorized
>>>>
>>>> $ ipactl status
>>>> Directory Service: RUNNING
>>>> krb5kdc Service: RUNNING
>>>> kadmin Service: RUNNING
>>>> named Service: RUNNING
>>>> ipa_memcached Service: RUNNING
>>>> httpd Service: RUNNING
>>>> pki-tomcatd Service: RUNNING
>>>> smb Service: RUNNING
>>>> winbind Service: RUNNING
>>>> ipa-otpd Service: RUNNING
>>>> ipa-dnskeysyncd Service: RUNNING
>>>> ipa: INFO: The ipactl command was successful
>>>>
>>>> /var/log/messages:
>>>> Oct 2 14:48:55 zaira2 [sssd[ldap_child[4991]]]: Failed to initialize credentials using keytab [MEMORY:/etc/krb5.keytab]: Decrypt integrity check failed. Unable to create GSSAPI-encrypted LDAP connection.
>>>>
>>> What did you do?
>>>
>>> This and the log below about HTTP/zaira2.opera@OPERA show that you have
>>> different keys in LDAP and in your keytab files for host/zaira2.opera
>>> and HTTP/zaira2.opera principals. This might happen if somebody removed
>>> the principals from LDAP (ipa service-del/ipa service-add, or ipa
>>> host-del/ipa host-add) so that they become non-synchronized with
>>> whatever you have in the keytab files.
>>>
>>>> On Fri, Oct 2, 2015 at 2:26 PM, Fujisan <fujisa...@gmail.com> wrote:
>>>>
>>>>> Hello,
>>>>>
>>>>> I cannot login to the web UI anymore.
>>>>>
>>>>> The password or username you entered is incorrect.
>>>>>
>>>>> Log says:
>>>>>
>>>>> Oct 02 14:22:57 zaira2.opera krb5kdc[3225](info): AS_REQ (9 etypes {18 17 16 23 25 26 1 3 2}) 10.0.21.18: NEEDED_PREAUTH: HTTP/zaira2.opera@OPERA for krbtgt/OPERA@OPERA, Additional pre-authentication required
>>>>> Oct 02 14:22:57 zaira2.opera krb5kdc[3225](info): closing down fd 12
>>>>> Oct 02 14:22:57 zaira2.opera krb5kdc[3225](info): preauth (encrypted_timestamp) verify failure: Decrypt integrity check failed
>>>>> Oct 02 14:22:57 zaira2.opera krb5kdc[3225](info): AS_REQ (9 etypes {18 17 16 23 25 26 1 3 2}) 10.0.21.18: PREAUTH_FAILED: HTTP/zaira2.opera@OPERA for krbtgt/OPERA@OPERA, Decrypt integrity check failed
>>>>> Oct 02 14:22:57 zaira2.opera krb5kdc[3225](info): closing down fd 12
>>>>>
>>>>> I have no idea what went wrong.
>>>>>
>>>>> What can I do?
>>>>>
>>>>> Regards,
>>>>> Fuji
>>>>>
>>>>> --
>>>>> Manage your subscription for the Freeipa-users mailing list:
>>>>> https://www.redhat.com/mailman/listinfo/freeipa-users
>>>>> Go to http://freeipa.org for more info on the project
>>>
>>> --
>>> / Alexander Bokovoy
>
> --
> / Alexander Bokovoy
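The diagnosis in this thread rests on reading two things together: what `klist -k` says is in the keytab, and whether the KDC logs `PREAUTH_FAILED ... Decrypt integrity check failed` for the same principal. The script below is an added example, not code from the thread or from the FreeIPA project; it parses constructed copies of the `klist -k` listing and the krb5kdc lines quoted above and reports which principals are authenticating with a key the KDC does not hold (the state ipa-getkeytab leaves behind when an old keytab stays in use). It assumes only the output formats shown in the thread.

```python
"""Correlate `klist -k` output with krb5kdc AS_REQ log lines to spot keytab/KDC key mismatches."""
import re
from collections import defaultdict

# Constructed sample: the `klist -k` listing from the thread (one entry per
# encryption type, all at the same KVNO for a given principal).
KLIST_OUTPUT = """\
Keytab name: FILE:/etc/krb5.keytab
KVNO Principal
---- --------------------------------------------------------------------------
   2 host/zaira2.opera@OPERA
   2 host/zaira2.opera@OPERA
   2 host/zaira2.opera@OPERA
   2 host/zaira2.opera@OPERA
   1 nfs/zaira2.opera@OPERA
   1 nfs/zaira2.opera@OPERA
   1 nfs/zaira2.opera@OPERA
   1 nfs/zaira2.opera@OPERA
   3 HTTP/zaira2.opera@OPERA
   3 HTTP/zaira2.opera@OPERA
   3 HTTP/zaira2.opera@OPERA
   3 HTTP/zaira2.opera@OPERA
"""

# Constructed sample: the krb5kdc lines from the thread, unwrapped.
KDC_LOG = """\
Oct 02 14:22:57 zaira2.opera krb5kdc[3225](info): AS_REQ (9 etypes {18 17 16 23 25 26 1 3 2}) 10.0.21.18: NEEDED_PREAUTH: HTTP/zaira2.opera@OPERA for krbtgt/OPERA@OPERA, Additional pre-authentication required
Oct 02 14:22:57 zaira2.opera krb5kdc[3225](info): closing down fd 12
Oct 02 14:22:57 zaira2.opera krb5kdc[3225](info): preauth (encrypted_timestamp) verify failure: Decrypt integrity check failed
Oct 02 14:22:57 zaira2.opera krb5kdc[3225](info): AS_REQ (9 etypes {18 17 16 23 25 26 1 3 2}) 10.0.21.18: PREAUTH_FAILED: HTTP/zaira2.opera@OPERA for krbtgt/OPERA@OPERA, Decrypt integrity check failed
Oct 02 14:22:57 zaira2.opera krb5kdc[3225](info): closing down fd 12
"""

# A keytab entry line: leading KVNO, then the principal. Header and rule lines
# do not start with a digit and are skipped.
KLIST_ENTRY = re.compile(r"^\s*(\d+)\s+(\S+)\s*$")

# An AS_REQ outcome line: "(etypes) <addr>: <STATUS>: <client> for <server>[, <reason>]".
AS_REQ = re.compile(
    r"krb5kdc\[\d+\]\(info\): AS_REQ \(.*?\) (?P<addr>\S+): "
    r"(?P<status>[A-Z_]+): (?P<client>\S+) for (?P<server>\S+)"
    r"(?:, (?P<reason>.*))?$"
)

# The KDC reports this when it cannot decrypt the client's encrypted timestamp,
# i.e. the client's key is not the one stored for that principal.
MISMATCH_REASON = "Decrypt integrity check failed"


def parse_klist(text):
    """Map each principal in a `klist -k` listing to the set of KVNOs present."""
    kvnos = defaultdict(set)
    for line in text.splitlines():
        m = KLIST_ENTRY.match(line)
        if m:
            kvnos[m.group(2)].add(int(m.group(1)))
    return dict(kvnos)


def parse_kdc_log(text):
    """Return one dict (addr, status, client, server, reason) per AS_REQ outcome line."""
    return [m.groupdict() for m in (AS_REQ.search(l) for l in text.splitlines()) if m]


def diagnose(klist_text, log_text):
    """Return, per client principal, how often the KDC rejected its preauth for a
    key mismatch, what KVNOs the local keytab holds for it, and a verdict."""
    keytab = parse_klist(klist_text)
    findings = {}
    for ev in parse_kdc_log(log_text):
        if ev["status"] != "PREAUTH_FAILED" or MISMATCH_REASON not in (ev["reason"] or ""):
            continue
        client = ev["client"]
        entry = findings.setdefault(
            client, {"failures": 0, "keytab_kvnos": sorted(keytab.get(client, ())), "verdict": ""}
        )
        entry["failures"] += 1
        entry["verdict"] = (
            "keytab key does not match the KDC key; re-fetch it with ipa-getkeytab and restart the service"
            if client in keytab
            else "principal absent from this keytab; check which keytab the failing service uses"
        )
    return findings


if __name__ == "__main__":
    for principal, info in diagnose(KLIST_OUTPUT, KDC_LOG).items():
        print(f"{principal}: {info['failures']} preauth failure(s), "
              f"local KVNOs {info['keytab_kvnos']}: {info['verdict']}")
```

On a live server, feed `parse_klist` the output of `klist -k /etc/krb5.keytab` and `klist -k /etc/httpd/conf/ipa.keytab` in turn, and `parse_kdc_log` the krb5kdc journal; a principal that shows up with a mismatch verdict is exactly the one whose keytab needs re-fetching, while `NEEDED_PREAUTH` alone is the normal first round trip and is not a failure.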
--
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project