I forgot to mention that

$ ipa user-show admin
ipa: ERROR: cannot connect to 'https://zaira2.opera/ipa/json': Unauthorized
On Fri, Oct 2, 2015 at 4:44 PM, Fujisan <fujisa...@gmail.com> wrote:
> I still cannot login to the web UI.
>
> Here is what I did:
>
> 1. mv /etc/krb5.keytab /etc/krb5.keytab.save
> 2. kinit admin
>    Password for admin@OPERA:
> 3. ipa-getkeytab -s zaira2.opera -p host/zaira2.opera@OPERA -k /etc/krb5.keytab
> 4. systemctl restart sssd.service
> 5. mv /etc/httpd/conf/ipa.keytab /etc/httpd/conf/ipa.keytab.save
> 6. ipa-getkeytab -s zaira2.opera -p HTTP/zaira2.opera@OPERA -k /etc/httpd/conf/ipa.keytab
> 7. systemctl restart httpd.service
>
> The log says now:
>
> Oct 02 16:40:56 zaira2.opera krb5kdc[9065](info): AS_REQ (9 etypes {18 17 16 23 25 26 1 3 2}) 10.0.21.18: NEEDED_PREAUTH: HTTP/zaira2.opera@OPERA for krbtgt/OPERA@OPERA, Additional pre-authentication required
>
>
> On Fri, Oct 2, 2015 at 4:25 PM, Alexander Bokovoy <aboko...@redhat.com> wrote:
>
>> On Fri, 02 Oct 2015, Fujisan wrote:
>>
>>> Well, I think I messed up when trying to configure cockpit to use kerberos.
>>>
>>> What should I do to fix this?
>>>
>>> I have this on the ipa server:
>>> $ klist -k
>>> Keytab name: FILE:/etc/krb5.keytab
>>> KVNO Principal
>>> ---- --------------------------------------------------------------------------
>>>    2 host/zaira2.opera@OPERA
>>>    2 host/zaira2.opera@OPERA
>>>    2 host/zaira2.opera@OPERA
>>>    2 host/zaira2.opera@OPERA
>>>    1 nfs/zaira2.opera@OPERA
>>>    1 nfs/zaira2.opera@OPERA
>>>    1 nfs/zaira2.opera@OPERA
>>>    1 nfs/zaira2.opera@OPERA
>>>    3 HTTP/zaira2.opera@OPERA
>>>    3 HTTP/zaira2.opera@OPERA
>>>    3 HTTP/zaira2.opera@OPERA
>>>    3 HTTP/zaira2.opera@OPERA
>>
>> You can start by:
>> 0. backup every file mentioned below
>> 1. Move /etc/krb5.keytab somewhere
>> 2. kinit as admin
>> 3. ipa-getkeytab -s `hostname` -p host/`hostname` -k /etc/krb5.keytab
>> 4. restart SSSD
>> 5. Move /etc/httpd/conf/ipa.keytab somewhere
>> 6. ipa-getkeytab -s `hostname` -p HTTP/`hostname` -k /etc/httpd/conf/ipa.keytab
>> 7. Restart httpd
>>
>> Every time you run 'ipa-getkeytab', Kerberos key for the service specified by you is replaced on the server side so that keys in the keytabs become unusable.
>>
>> I guess cockpit instructions were for something that was not supposed to run on IPA master. On IPA master there are already all needed services (host/ and HTTP/) and their keytabs are in place.
>>
>>
>>> On Fri, Oct 2, 2015 at 3:45 PM, Alexander Bokovoy <aboko...@redhat.com> wrote:
>>>
>>>> On Fri, 02 Oct 2015, Fujisan wrote:
>>>>
>>>>> More info:
>>>>>
>>>>> I can initiate a ticket:
>>>>> $ kdestroy
>>>>> $ kinit admin
>>>>>
>>>>> but cannot view user admin:
>>>>> $ ipa user-show admin
>>>>> ipa: ERROR: cannot connect to 'https://zaira2.opera/ipa/json': Unauthorized
>>>>>
>>>>> $ ipactl status
>>>>> Directory Service: RUNNING
>>>>> krb5kdc Service: RUNNING
>>>>> kadmin Service: RUNNING
>>>>> named Service: RUNNING
>>>>> ipa_memcached Service: RUNNING
>>>>> httpd Service: RUNNING
>>>>> pki-tomcatd Service: RUNNING
>>>>> smb Service: RUNNING
>>>>> winbind Service: RUNNING
>>>>> ipa-otpd Service: RUNNING
>>>>> ipa-dnskeysyncd Service: RUNNING
>>>>> ipa: INFO: The ipactl command was successful
>>>>>
>>>>> /var/log/messages:
>>>>> Oct 2 14:48:55 zaira2 [sssd[ldap_child[4991]]]: Failed to initialize credentials using keytab [MEMORY:/etc/krb5.keytab]: Decrypt integrity check failed. Unable to create GSSAPI-encrypted LDAP connection.
>>>>
>>>> What did you do?
>>>>
>>>> This and the log below about HTTP/zaira2.opera@OPERA show that you have different keys in LDAP and in your keytab files for host/zaira2.opera and HTTP/zaira2.opera principals. This might happen if somebody removed the principals from LDAP (ipa service-del/ipa service-add, or ipa host-del/ipa host-add) so that they become non-synchronized with whatever you have in the keytab files.
>>>>
>>>>
>>>> On Fri, Oct 2, 2015 at 2:26 PM, Fujisan <fujisa...@gmail.com> wrote:
>>>>
>>>>> Hello,
>>>>>
>>>>> I cannot login to the web UI anymore.
>>>>>
>>>>> The password or username you entered is incorrect.
>>>>>
>>>>> Log says:
>>>>>
>>>>> Oct 02 14:22:57 zaira2.opera krb5kdc[3225](info): AS_REQ (9 etypes {18 17 16 23 25 26 1 3 2}) 10.0.21.18: NEEDED_PREAUTH: HTTP/zaira2.opera@OPERA for krbtgt/OPERA@OPERA, Additional pre-authentication required
>>>>> Oct 02 14:22:57 zaira2.opera krb5kdc[3225](info): closing down fd 12
>>>>> Oct 02 14:22:57 zaira2.opera krb5kdc[3225](info): preauth (encrypted_timestamp) verify failure: Decrypt integrity check failed
>>>>> Oct 02 14:22:57 zaira2.opera krb5kdc[3225](info): AS_REQ (9 etypes {18 17 16 23 25 26 1 3 2}) 10.0.21.18: PREAUTH_FAILED: HTTP/zaira2.opera@OPERA for krbtgt/OPERA@OPERA, Decrypt integrity check failed
>>>>> Oct 02 14:22:57 zaira2.opera krb5kdc[3225](info): closing down fd 12
>>>>>
>>>>> I have no idea what went wrong.
>>>>>
>>>>> What can I do?
>>>>>
>>>>> Regards,
>>>>> Fuji
>>>>>
>>>>> --
>>>>> Manage your subscription for the Freeipa-users mailing list:
>>>>> https://www.redhat.com/mailman/listinfo/freeipa-users
>>>>> Go to http://freeipa.org for more info on the project
>>>>
>>>> --
>>>> / Alexander Bokovoy
>>
>> --
>> / Alexander Bokovoy
>
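The thread's diagnosis is that the keys in /etc/krb5.keytab and /etc/httpd/conf/ipa.keytab no longer match what the KDC holds in LDAP, and that each extra ipa-getkeytab run makes the mismatch worse. A quick first check for that state, added here as an example and not part of the list discussion or of FreeIPA itself, is to compare the KVNO that `klist -k` reports for each principal with the KVNO the KDC reports through `kvno` (which needs a working TGT, as `kinit admin` gives in the thread). The sample outputs below are constructed: the keytab side copies the thread's `klist -k` listing, the KDC side is invented so that host/ shows a mismatch. Equal KVNOs are necessary but not sufficient (a deleted and re-created principal can restart at a low KVNO with a brand-new key), so the definitive test is the `kinit -kt` helper at the end, which is only meaningful on a real host.

```python
"""Compare keytab KVNOs (klist -k) with KDC KVNOs (kvno) to spot stale keytabs.

Example added for illustration; constructed sample data, not FreeIPA code.
"""
import re
import subprocess
from collections import defaultdict

# Constructed sample of `klist -k` output, copied from the thread's listing.
# One line per encryption type is normal; the KVNO is the same on all of them.
SAMPLE_KLIST = """Keytab name: FILE:/etc/krb5.keytab
KVNO Principal
---- --------------------------------------------------------------------------
   2 host/zaira2.opera@OPERA
   2 host/zaira2.opera@OPERA
   2 host/zaira2.opera@OPERA
   2 host/zaira2.opera@OPERA
   1 nfs/zaira2.opera@OPERA
   3 HTTP/zaira2.opera@OPERA
"""

# Constructed sample of MIT `kvno` output ("<principal>: kvno = N").
# The host/ value is invented to show what a regenerated server-side key looks like.
SAMPLE_KVNO = """host/zaira2.opera@OPERA: kvno = 3
nfs/zaira2.opera@OPERA: kvno = 1
HTTP/zaira2.opera@OPERA: kvno = 3
"""

KLIST_LINE = re.compile(r"^\s*(\d+)\s+(\S+@\S+)\s*$")
KVNO_LINE = re.compile(r"^(\S+@\S+): kvno = (\d+)\s*$")


def parse_klist(text):
    """Return {principal: set(kvnos)} from `klist -k` output; header lines are skipped."""
    kvnos = defaultdict(set)
    for line in text.splitlines():
        m = KLIST_LINE.match(line)
        if m:
            kvnos[m.group(2)].add(int(m.group(1)))
    return dict(kvnos)


def parse_kvno(text):
    """Return {principal: kvno} from `kvno` output, i.e. the KVNO the KDC currently issues."""
    result = {}
    for line in text.splitlines():
        m = KVNO_LINE.match(line)
        if m:
            result[m.group(1)] = int(m.group(2))
    return result


def compare(keytab, kdc):
    """Classify each keytab principal:
    ok         keytab KVNO equals the KDC KVNO (key may still differ, see kinit_check)
    stale      KDC KVNO differs, e.g. ipa-getkeytab was run again after this keytab was written
    mixed      the keytab carries several KVNOs for one principal (leftovers from repeated fetches)
    unknown    kvno gave no answer for the principal (no ticket, or principal gone from LDAP)
    """
    report = {}
    for princ, local in keytab.items():
        if princ not in kdc:
            report[princ] = "unknown"
        elif len(local) > 1:
            report[princ] = "mixed"
        elif kdc[princ] in local:
            report[princ] = "ok"
        else:
            report[princ] = "stale"
    return report


def kinit_check(keytab_path, principal):
    """Live test on a real host: authenticate with the keytab into a throwaway memory cache.
    Returns True when the key in the keytab is accepted by the KDC. Not exercised by the sample."""
    proc = subprocess.run(
        ["kinit", "-c", "MEMORY:keytab-check", "-kt", keytab_path, principal],
        capture_output=True, text=True,
    )
    return proc.returncode == 0


if __name__ == "__main__":
    report = compare(parse_klist(SAMPLE_KLIST), parse_kvno(SAMPLE_KVNO))
    for princ, state in sorted(report.items()):
        print(f"{state:8s} {princ}")
```

On a live IPA master the two inputs would come from `klist -k /etc/krb5.keytab` (and the same for /etc/httpd/conf/ipa.keytab) and from `kvno host/$(hostname) HTTP/$(hostname)` after `kinit admin`; any principal reported as stale or mixed is one whose keytab has to be re-fetched once, and then left alone, exactly as the reply above describes.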