Good morning,

Any suggestion what I should do? I still have

$ ipa user-show admin
ipa: ERROR: cannot connect to 'https://zaira2.opera/ipa/json': Unauthorized

Regards.

On Fri, Oct 2, 2015 at 5:04 PM, Fujisan <fujisa...@gmail.com> wrote:
> I only have this:
>
> $ keyctl list @s
> 1 key in keyring:
> 641467419: --alswrv 0 65534 keyring: _uid.0
> $
>
> On Fri, Oct 2, 2015 at 5:01 PM, Alexander Bokovoy <aboko...@redhat.com> wrote:
>> On Fri, 02 Oct 2015, Fujisan wrote:
>>> I forgot to mention that
>>>
>>> $ ipa user-show admin
>>> ipa: ERROR: cannot connect to 'https://zaira2.opera/ipa/json': Unauthorized
>>
>> This is most likely because of the cached session to your server.
>>
>> You can check if keyctl list @s returns you something like
>>
>> [root@m1 ~]# keyctl list @s
>> 2 keys in keyring:
>> 496745412: --alswrv 0 65534 keyring: _uid.0
>> 215779962: --alswrv 0 0 user: ipa_session_cookie:ad...@example.com
>>
>> If so, then notice the key number (215779962) for the session cookie, and do:
>>
>> keyctl purge 215779962
>> keyctl reap
>>
>> This should make the next 'ipa ...' command run ask for a new cookie.
>>
>>> On Fri, Oct 2, 2015 at 4:44 PM, Fujisan <fujisa...@gmail.com> wrote:
>>>> I still cannot log in to the web UI.
>>>>
>>>> Here is what I did:
>>>>
>>>> 1. mv /etc/krb5.keytab /etc/krb5.keytab.save
>>>> 2. kinit admin
>>>>    Password for admin@OPERA:
>>>> 3. ipa-getkeytab -s zaira2.opera -p host/zaira2.opera@OPERA -k /etc/krb5.keytab
>>>> 4. systemctl restart sssd.service
>>>> 5. mv /etc/httpd/conf/ipa.keytab /etc/httpd/conf/ipa.keytab.save
>>>> 6. ipa-getkeytab -s zaira2.opera -p HTTP/zaira2.opera@OPERA -k /etc/httpd/conf/ipa.keytab
>>>> 7. systemctl restart httpd.service
>>>>
>>>> The log says now:
>>>>
>>>> Oct 02 16:40:56 zaira2.opera krb5kdc[9065](info): AS_REQ (9 etypes {18 17 16 23 25 26 1 3 2}) 10.0.21.18: NEEDED_PREAUTH: HTTP/zaira2.opera@OPERA for krbtgt/OPERA@OPERA, Additional pre-authentication required
>>>>
>>>> On Fri, Oct 2, 2015 at 4:25 PM, Alexander Bokovoy <aboko...@redhat.com> wrote:
>>>>> On Fri, 02 Oct 2015, Fujisan wrote:
>>>>>> Well, I think I messed up when trying to configure cockpit to use kerberos.
>>>>>>
>>>>>> What should I do to fix this?
>>>>>>
>>>>>> I have this on the ipa server:
>>>>>>
>>>>>> $ klist -k
>>>>>> Keytab name: FILE:/etc/krb5.keytab
>>>>>> KVNO Principal
>>>>>> ---- --------------------------------------------------------------------------
>>>>>>    2 host/zaira2.opera@OPERA
>>>>>>    2 host/zaira2.opera@OPERA
>>>>>>    2 host/zaira2.opera@OPERA
>>>>>>    2 host/zaira2.opera@OPERA
>>>>>>    1 nfs/zaira2.opera@OPERA
>>>>>>    1 nfs/zaira2.opera@OPERA
>>>>>>    1 nfs/zaira2.opera@OPERA
>>>>>>    1 nfs/zaira2.opera@OPERA
>>>>>>    3 HTTP/zaira2.opera@OPERA
>>>>>>    3 HTTP/zaira2.opera@OPERA
>>>>>>    3 HTTP/zaira2.opera@OPERA
>>>>>>    3 HTTP/zaira2.opera@OPERA
>>>>>
>>>>> You can start by:
>>>>>
>>>>> 0. backup every file mentioned below
>>>>> 1. Move /etc/krb5.keytab somewhere
>>>>> 2. kinit as admin
>>>>> 3. ipa-getkeytab -s `hostname` -p host/`hostname` -k /etc/krb5.keytab
>>>>> 4. restart SSSD
>>>>> 5. Move /etc/httpd/conf/ipa.keytab somewhere
>>>>> 6. ipa-getkeytab -s `hostname` -p HTTP/`hostname` -k /etc/httpd/conf/ipa.keytab
>>>>> 7. Restart httpd
>>>>>
>>>>> Every time you run 'ipa-getkeytab', the Kerberos key for the service specified by you is replaced on the server side, so that keys in the keytabs become unusable.
>>>>>
>>>>> I guess cockpit instructions were for something that was not supposed to run on an IPA master. On an IPA master there are already all needed services (host/ and HTTP/) and their keytabs are in place.
>>>>>
>>>>>> On Fri, Oct 2, 2015 at 3:45 PM, Alexander Bokovoy <aboko...@redhat.com> wrote:
>>>>>>> On Fri, 02 Oct 2015, Fujisan wrote:
>>>>>>>> More info:
>>>>>>>>
>>>>>>>> I can initiate a ticket:
>>>>>>>> $ kdestroy
>>>>>>>> $ kinit admin
>>>>>>>>
>>>>>>>> but cannot view user admin:
>>>>>>>> $ ipa user-show admin
>>>>>>>> ipa: ERROR: cannot connect to 'https://zaira2.opera/ipa/json': Unauthorized
>>>>>>>>
>>>>>>>> $ ipactl status
>>>>>>>> Directory Service: RUNNING
>>>>>>>> krb5kdc Service: RUNNING
>>>>>>>> kadmin Service: RUNNING
>>>>>>>> named Service: RUNNING
>>>>>>>> ipa_memcached Service: RUNNING
>>>>>>>> httpd Service: RUNNING
>>>>>>>> pki-tomcatd Service: RUNNING
>>>>>>>> smb Service: RUNNING
>>>>>>>> winbind Service: RUNNING
>>>>>>>> ipa-otpd Service: RUNNING
>>>>>>>> ipa-dnskeysyncd Service: RUNNING
>>>>>>>> ipa: INFO: The ipactl command was successful
>>>>>>>>
>>>>>>>> /var/log/messages:
>>>>>>>> Oct 2 14:48:55 zaira2 [sssd[ldap_child[4991]]]: Failed to initialize credentials using keytab [MEMORY:/etc/krb5.keytab]: Decrypt integrity check failed. Unable to create GSSAPI-encrypted LDAP connection.
>>>>>>>
>>>>>>> What did you do?
>>>>>>>
>>>>>>> This and the log below about HTTP/zaira2.opera@OPERA show that you have different keys in LDAP and in your keytab files for the host/zaira2.opera and HTTP/zaira2.opera principals. This might happen if somebody removed the principals from LDAP (ipa service-del/ipa service-add, or ipa host-del/ipa host-add) so that they become non-synchronized with whatever you have in the keytab files.
>>>>>>>
>>>>>>>> On Fri, Oct 2, 2015 at 2:26 PM, Fujisan <fujisa...@gmail.com> wrote:
>>>>>>>>> Hello,
>>>>>>>>>
>>>>>>>>> I cannot log in to the web UI anymore.
>>>>>>>>>
>>>>>>>>> The password or username you entered is incorrect.
>>>>>>>>>
>>>>>>>>> Log says:
>>>>>>>>>
>>>>>>>>> Oct 02 14:22:57 zaira2.opera krb5kdc[3225](info): AS_REQ (9 etypes {18 17 16 23 25 26 1 3 2}) 10.0.21.18: NEEDED_PREAUTH: HTTP/zaira2.opera@OPERA for krbtgt/OPERA@OPERA, Additional pre-authentication required
>>>>>>>>> Oct 02 14:22:57 zaira2.opera krb5kdc[3225](info): closing down fd 12
>>>>>>>>> Oct 02 14:22:57 zaira2.opera krb5kdc[3225](info): preauth (encrypted_timestamp) verify failure: Decrypt integrity check failed
>>>>>>>>> Oct 02 14:22:57 zaira2.opera krb5kdc[3225](info): AS_REQ (9 etypes {18 17 16 23 25 26 1 3 2}) 10.0.21.18: PREAUTH_FAILED: HTTP/zaira2.opera@OPERA for krbtgt/OPERA@OPERA, Decrypt integrity check failed
>>>>>>>>> Oct 02 14:22:57 zaira2.opera krb5kdc[3225](info): closing down fd 12
>>>>>>>>>
>>>>>>>>> I have no idea what went wrong.
>>>>>>>>>
>>>>>>>>> What can I do?
>>>>>>>>>
>>>>>>>>> Regards,
>>>>>>>>> Fuji
>>>>>>>>>
>>>>>>>>> --
>>>>>>>>> Manage your subscription for the Freeipa-users mailing list:
>>>>>>>>> https://www.redhat.com/mailman/listinfo/freeipa-users
>>>>>>>>> Go to http://freeipa.org for more info on the project
>>>>>>>
>>>>>>> --
>>>>>>> / Alexander Bokovoy
>>>>>
>>>>> --
>>>>> / Alexander Bokovoy
>>
>> --
>> / Alexander Bokovoy
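As an added example (not code from the thread or from FreeIPA), a small POSIX shell helper for the session-cookie check Alexander describes: it parses `keyctl list @s`, picks out the key IDs of `ipa_session_cookie:` entries, and plans or runs their removal. It assumes that unlinking the key from `@s` and then running `keyctl reap` is an acceptable equivalent of the purge step in the thread; both keyring listings below are constructed samples in the format quoted above.

```shell
#!/bin/sh
# Added example: detect and clear a stale FreeIPA session cookie cached in
# the session keyring (@s). Not code from the thread or from FreeIPA.

# Constructed sample matching the 'keyctl list @s' output Alexander quoted.
SAMPLE_WITH_COOKIE='2 keys in keyring:
 496745412: --alswrv     0 65534 keyring: _uid.0
 215779962: --alswrv     0     0 user: ipa_session_cookie:admin@EXAMPLE.COM'

# Constructed sample with no cached cookie (the state Fujisan reported).
SAMPLE_WITHOUT_COOKIE='1 key in keyring:
 641467419: --alswrv     0 65534 keyring: _uid.0'

# Read a 'keyctl list' listing on stdin and print the numeric key ID of every
# 'user' key whose description starts with ipa_session_cookie:, one per line.
# Fields: "<id>: <perms> <uid> <gid> <type>: <description>".
ipa_session_cookie_ids() {
    awk '$5 == "user:" && $6 ~ /^ipa_session_cookie:/ {
             sub(/:$/, "", $1); print $1 }'
}

# Read a listing on stdin and print the commands needed to drop the cached
# cookie(s). Assumption: unlinking the key from @s and reaping is an
# acceptable equivalent of the purge step suggested in the thread.
plan_cookie_removal() {
    ids=$(ipa_session_cookie_ids)
    [ -n "$ids" ] || return 0          # nothing cached: nothing to do
    for id in $ids; do
        echo "keyctl unlink $id @s"
    done
    echo "keyctl reap"
}

# Apply the plan against the live session keyring. Set DRY_RUN=1 to only
# print what would run. Afterwards the next 'ipa' command has to request a
# fresh cookie instead of replaying the stale one.
clear_ipa_session_cookie() {
    keyctl list @s | plan_cookie_removal | while read -r cmd; do
        echo "+ $cmd"
        [ "${DRY_RUN:-0}" = 1 ] || $cmd
    done
}

# Usage: source this file, then run:  DRY_RUN=1 clear_ipa_session_cookie
```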