It is actually on the ipa server that ipa commands are not working. On ipa clients, I do not have errors.
On Mon, Oct 5, 2015 at 12:27 PM, Fujisan <[email protected]> wrote:

> I just noticed I can log in to the web UI with user admin and his password.
>
> But when I try to configure Firefox to use Kerberos, I click on the "Install
> Kerberos Configuration Firefox Extension" button, a message appears saying
> "Firefox prevented this site from asking you to install software on your
> computer", so I click on the "Allow" button and then another message appears:
> "The add-on downloaded from this site could not be installed because it
> appears to be corrupt."
>
> And the ipa commands are still not working.
> $ ipa user-show admin
> ipa: ERROR: cannot connect to 'https://zaira2.opera/ipa/json': Unauthorized
>
>
> On Mon, Oct 5, 2015 at 12:13 PM, Fujisan <[email protected]> wrote:
>
>> I uninstalled the ipa server and reinstalled it. Then restored the backup.
>> And then the following:
>>
>> $ keyctl list @s
>> 3 keys in keyring:
>> 437165764: --alswrv 0 65534 keyring: _uid.0
>> 556579409: --alswrv 0 0 user: ipa_session_cookie:host/zaira2.opera@OPERA
>> 286806445: ---lswrv 0 65534 keyring: _persistent.0
>> $ keyctl purge 556579409
>> purged 0 keys
>> $ keyctl reap
>> 0 keys reaped
>> $ ipa user-show admin
>> ipa: ERROR: cannot connect to 'https://zaira2.opera/ipa/json': Unauthorized
>> $ keyctl list @s
>> 3 keys in keyring:
>> 437165764: --alswrv 0 65534 keyring: _uid.0
>> 556579409: --alswrv 0 0 user: ipa_session_cookie:host/zaira2.opera@OPERA
>> 286806445: ---lswrv 0 65534 keyring: _persistent.0
>>
>> It doesn't seem to purge or to reap.
>>
>>
>> On Mon, Oct 5, 2015 at 9:17 AM, Fujisan <[email protected]> wrote:
>>
>>> Good morning,
>>>
>>> Any suggestion what I should do?
>>>
>>> I still have
>>>
>>> $ ipa user-show admin
>>> ipa: ERROR: cannot connect to 'https://zaira2.opera/ipa/json': Unauthorized
>>>
>>> Regards.
>>>
>>>
>>> On Fri, Oct 2, 2015 at 5:04 PM, Fujisan <[email protected]> wrote:
>>>
>>>> I only have this:
>>>>
>>>> $ keyctl list @s
>>>> 1 key in keyring:
>>>> 641467419: --alswrv 0 65534 keyring: _uid.0
>>>> $
>>>>
>>>>
>>>> On Fri, Oct 2, 2015 at 5:01 PM, Alexander Bokovoy <[email protected]> wrote:
>>>>
>>>>> On Fri, 02 Oct 2015, Fujisan wrote:
>>>>>
>>>>>> I forgot to mention that
>>>>>>
>>>>>> $ ipa user-show admin
>>>>>> ipa: ERROR: cannot connect to 'https://zaira2.opera/ipa/json': Unauthorized
>>>>>>
>>>>> This is most likely because of the cached session to your server.
>>>>>
>>>>> You can check if keyctl list @s returns you something like
>>>>>
>>>>> [root@m1 ~]# keyctl list @s
>>>>> 2 keys in keyring:
>>>>> 496745412: --alswrv 0 65534 keyring: _uid.0
>>>>> 215779962: --alswrv 0 0 user: ipa_session_cookie:[email protected]
>>>>>
>>>>> If so, then notice the key number (215779962) for the session cookie,
>>>>> and do:
>>>>> keyctl purge 215779962
>>>>> keyctl reap
>>>>>
>>>>> This should make the next 'ipa ...' command run ask for a new cookie.
>>>>>
>>>>>> On Fri, Oct 2, 2015 at 4:44 PM, Fujisan <[email protected]> wrote:
>>>>>>
>>>>>>> I still cannot log in to the web UI.
>>>>>>>
>>>>>>> Here is what I did:
>>>>>>>
>>>>>>> 1. mv /etc/krb5.keytab /etc/krb5.keytab.save
>>>>>>> 2. kinit admin
>>>>>>>    Password for admin@OPERA:
>>>>>>> 3. ipa-getkeytab -s zaira2.opera -p host/zaira2.opera@OPERA -k /etc/krb5.keytab
>>>>>>> 4. systemctl restart sssd.service
>>>>>>> 5. mv /etc/httpd/conf/ipa.keytab /etc/httpd/conf/ipa.keytab.save
>>>>>>> 6. ipa-getkeytab -s zaira2.opera -p HTTP/zaira2.opera@OPERA -k /etc/httpd/conf/ipa.keytab
>>>>>>> 7. systemctl restart httpd.service
>>>>>>>
>>>>>>> The log says now:
>>>>>>>
>>>>>>> Oct 02 16:40:56 zaira2.opera krb5kdc[9065](info): AS_REQ (9 etypes {18 17 16 23 25 26 1 3 2}) 10.0.21.18: NEEDED_PREAUTH: HTTP/zaira2.opera@OPERA for krbtgt/OPERA@OPERA, Additional pre-authentication required
>>>>>>>
>>>>>>>
>>>>>>> On Fri, Oct 2, 2015 at 4:25 PM, Alexander Bokovoy <[email protected]> wrote:
>>>>>>>
>>>>>>>> On Fri, 02 Oct 2015, Fujisan wrote:
>>>>>>>>
>>>>>>>>> Well, I think I messed up when trying to configure cockpit to use Kerberos.
>>>>>>>>>
>>>>>>>>> What should I do to fix this?
>>>>>>>>>
>>>>>>>>> I have this on the ipa server:
>>>>>>>>> $ klist -k
>>>>>>>>> Keytab name: FILE:/etc/krb5.keytab
>>>>>>>>> KVNO Principal
>>>>>>>>> ---- --------------------------------------------------------------------------
>>>>>>>>>    2 host/zaira2.opera@OPERA
>>>>>>>>>    2 host/zaira2.opera@OPERA
>>>>>>>>>    2 host/zaira2.opera@OPERA
>>>>>>>>>    2 host/zaira2.opera@OPERA
>>>>>>>>>    1 nfs/zaira2.opera@OPERA
>>>>>>>>>    1 nfs/zaira2.opera@OPERA
>>>>>>>>>    1 nfs/zaira2.opera@OPERA
>>>>>>>>>    1 nfs/zaira2.opera@OPERA
>>>>>>>>>    3 HTTP/zaira2.opera@OPERA
>>>>>>>>>    3 HTTP/zaira2.opera@OPERA
>>>>>>>>>    3 HTTP/zaira2.opera@OPERA
>>>>>>>>>    3 HTTP/zaira2.opera@OPERA
>>>>>>>>>
>>>>>>>> You can start by:
>>>>>>>>
>>>>>>>> 0. backup every file mentioned below
>>>>>>>> 1. Move /etc/krb5.keytab somewhere
>>>>>>>> 2. kinit as admin
>>>>>>>> 3. ipa-getkeytab -s `hostname` -p host/`hostname` -k /etc/krb5.keytab
>>>>>>>> 4. restart SSSD
>>>>>>>> 5. Move /etc/httpd/conf/ipa.keytab somewhere
>>>>>>>> 6. ipa-getkeytab -s `hostname` -p HTTP/`hostname` -k /etc/httpd/conf/ipa.keytab
>>>>>>>> 7. Restart httpd
>>>>>>>>
>>>>>>>> Every time you run 'ipa-getkeytab', the Kerberos key for the service
>>>>>>>> you specify is replaced on the server side, so that the keys in the
>>>>>>>> keytabs become unusable.
>>>>>>>>
>>>>>>>> I guess the cockpit instructions were for something that was not
>>>>>>>> supposed to run on an IPA master. On an IPA master all the needed
>>>>>>>> services (host/ and HTTP/) are already there and their keytabs are in
>>>>>>>> place.
>>>>>>>>
>>>>>>>>> On Fri, Oct 2, 2015 at 3:45 PM, Alexander Bokovoy <[email protected]> wrote:
>>>>>>>>>
>>>>>>>>>> On Fri, 02 Oct 2015, Fujisan wrote:
>>>>>>>>>>
>>>>>>>>>>> More info:
>>>>>>>>>>>
>>>>>>>>>>> I can initiate a ticket:
>>>>>>>>>>> $ kdestroy
>>>>>>>>>>> $ kinit admin
>>>>>>>>>>>
>>>>>>>>>>> but cannot view user admin:
>>>>>>>>>>> $ ipa user-show admin
>>>>>>>>>>> ipa: ERROR: cannot connect to 'https://zaira2.opera/ipa/json': Unauthorized
>>>>>>>>>>>
>>>>>>>>>>> $ ipactl status
>>>>>>>>>>> Directory Service: RUNNING
>>>>>>>>>>> krb5kdc Service: RUNNING
>>>>>>>>>>> kadmin Service: RUNNING
>>>>>>>>>>> named Service: RUNNING
>>>>>>>>>>> ipa_memcached Service: RUNNING
>>>>>>>>>>> httpd Service: RUNNING
>>>>>>>>>>> pki-tomcatd Service: RUNNING
>>>>>>>>>>> smb Service: RUNNING
>>>>>>>>>>> winbind Service: RUNNING
>>>>>>>>>>> ipa-otpd Service: RUNNING
>>>>>>>>>>> ipa-dnskeysyncd Service: RUNNING
>>>>>>>>>>> ipa: INFO: The ipactl command was successful
>>>>>>>>>>>
>>>>>>>>>>> /var/log/messages:
>>>>>>>>>>> Oct 2 14:48:55 zaira2 [sssd[ldap_child[4991]]]: Failed to initialize credentials using keytab [MEMORY:/etc/krb5.keytab]: Decrypt integrity check failed. Unable to create GSSAPI-encrypted LDAP connection.
>>>>>>>>>>>
>>>>>>>>>> What did you do?
>>>>>>>>>>
>>>>>>>>>> This and the log below about HTTP/zaira2.opera@OPERA show that you have
>>>>>>>>>> different keys in LDAP and in your keytab files for the host/zaira2.opera
>>>>>>>>>> and HTTP/zaira2.opera principals. This might happen if somebody removed
>>>>>>>>>> the principals from LDAP (ipa service-del/ipa service-add, or ipa
>>>>>>>>>> host-del/ipa host-add) so that they become non-synchronized with
>>>>>>>>>> whatever you have in the keytab files.
>>>>>>>>>>
>>>>>>>>>>> On Fri, Oct 2, 2015 at 2:26 PM, Fujisan <[email protected]> wrote:
>>>>>>>>>>>
>>>>>>>>>>>> Hello,
>>>>>>>>>>>>
>>>>>>>>>>>> I cannot log in to the web UI anymore.
>>>>>>>>>>>>
>>>>>>>>>>>> The password or username you entered is incorrect.
>>>>>>>>>>>>
>>>>>>>>>>>> Log says:
>>>>>>>>>>>>
>>>>>>>>>>>> Oct 02 14:22:57 zaira2.opera krb5kdc[3225](info): AS_REQ (9 etypes {18 17 16 23 25 26 1 3 2}) 10.0.21.18: NEEDED_PREAUTH: HTTP/zaira2.opera@OPERA for krbtgt/OPERA@OPERA, Additional pre-authentication required
>>>>>>>>>>>> Oct 02 14:22:57 zaira2.opera krb5kdc[3225](info): closing down fd 12
>>>>>>>>>>>> Oct 02 14:22:57 zaira2.opera krb5kdc[3225](info): preauth (encrypted_timestamp) verify failure: Decrypt integrity check failed
>>>>>>>>>>>> Oct 02 14:22:57 zaira2.opera krb5kdc[3225](info): AS_REQ (9 etypes {18 17 16 23 25 26 1 3 2}) 10.0.21.18: PREAUTH_FAILED: HTTP/zaira2.opera@OPERA for krbtgt/OPERA@OPERA, Decrypt integrity check failed
>>>>>>>>>>>> Oct 02 14:22:57 zaira2.opera krb5kdc[3225](info): closing down fd 12
>>>>>>>>>>>>
>>>>>>>>>>>> I have no idea what went wrong.
>>>>>>>>>>>>
>>>>>>>>>>>> What can I do?
>>>>>>>>>>>>
>>>>>>>>>>>> Regards,
>>>>>>>>>>>> Fuji
>>>>>>>>>>>>
>>>>>>>>>> --
>>>>>>>>>> / Alexander Bokovoy
>>>>>>>>>
>>>>>>>> --
>>>>>>>> / Alexander Bokovoy
>>>>>>>
>>>>>>
>>>>> --
>>>>> / Alexander Bokovoy
>>>>
>>>
>>
>
--
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project
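Two things in this thread are worth having as a script rather than as ad-hoc commands: Alexander's suggestion (Oct 2, 5:01 PM) to drop the cached IPA session cookie from the kernel session keyring, and his diagnosis (3:45 PM and 4:25 PM) that ipa-getkeytab replaces the principal's key on the server, so any keytab that still holds the old key fails with "Decrypt integrity check failed". The script below is an added example, not code from the thread or from FreeIPA. The keyctl and klist listings inside it are copied from the messages above as constructed sample input, the function names are the editor's own, and the live check assumes MIT Kerberos's kinit, klist and kvno plus keyutils' keyctl on an IPA server of this era, where the client keeps its session cookie in a "user" key named ipa_session_cookie:<principal>.

```shell
#!/bin/sh
# Added example (not from the thread or FreeIPA). Assumes MIT Kerberos client
# tools (kinit, klist, kvno), keyutils (keyctl), and an IPA client that stores
# its session cookie in the kernel session keyring as shown in the thread.

# Constructed sample of `keyctl list @s`, copied from the thread.
KEYCTL_SAMPLE='3 keys in keyring:
 437165764: --alswrv     0 65534  keyring: _uid.0
 556579409: --alswrv     0     0   user: ipa_session_cookie:host/zaira2.opera@OPERA
 286806445: ---lswrv     0 65534  keyring: _persistent.0'

# Constructed sample of `klist -k`, copied from the thread (one row per
# enctype, so every principal is listed several times).
KLIST_SAMPLE='Keytab name: FILE:/etc/krb5.keytab
KVNO Principal
---- --------------------------------------------------------------------------
   2 host/zaira2.opera@OPERA
   2 host/zaira2.opera@OPERA
   1 nfs/zaira2.opera@OPERA
   1 nfs/zaira2.opera@OPERA
   3 HTTP/zaira2.opera@OPERA
   3 HTTP/zaira2.opera@OPERA'

# Read `keyctl list @s` on stdin; print the ids of "user" keys whose
# description marks them as IPA session cookies.
ipa_cookie_key_ids() {
    awk '$5 == "user:" && $6 ~ /^ipa_session_cookie:/ { sub(/:$/, "", $1); print $1 }'
}

# Emit the commands that really drop those cookies. `keyctl purge` takes a key
# type (and optionally a description), not a key id, so purging by id matches
# nothing and `keyctl reap` then has nothing to collect; unlinking the id from
# the session keyring is what makes the next `ipa` call authenticate again.
ipa_cookie_unlink_cmds() {
    ipa_cookie_key_ids | while read -r id; do
        printf 'keyctl unlink %s @s\n' "$id"
    done
}

# Read `klist -k` on stdin; print each "KVNO principal" pair once, in order.
keytab_entries() {
    awk '$1 ~ /^[0-9]+$/ && !seen[$1 " " $2]++ { print $1, $2 }'
}

# Live check (run as root on the IPA server; skipped when kinit is absent):
# for every principal in a keytab, authenticate with the keytab's key and ask
# the KDC for that principal's current kvno. "Decrypt integrity check failed"
# from kinit means the keytab holds a different key than the KDC for the same
# principal, which is the state the KDC log and the sssd error in the thread
# describe after a service was re-keyed with ipa-getkeytab.
keytab_check() {
    keytab=${1:-/etc/krb5.keytab}
    if ! command -v kinit >/dev/null 2>&1; then
        echo "kinit not available; skipping live check of $keytab"
        return 0
    fi
    cc=$(mktemp) || return 1
    klist -k "$keytab" | keytab_entries | while read -r kvno princ; do
        if err=$(KRB5CCNAME="FILE:$cc" kinit -k -t "$keytab" "$princ" 2>&1); then
            # kvno prints "<principal>: kvno = N"; N is the KDC's current key version.
            kdc_kvno=$(KRB5CCNAME="FILE:$cc" kvno "$princ" 2>/dev/null |
                       sed -n 's/.*kvno = \([0-9][0-9]*\).*/\1/p')
            if [ "$kdc_kvno" = "$kvno" ]; then
                echo "OK      $princ (kvno $kvno)"
            else
                echo "STALE   $princ: keytab kvno $kvno, KDC kvno ${kdc_kvno:-?}"
            fi
        else
            echo "BROKEN  $princ: $err"
        fi
    done
    rm -f "$cc"
}

# Stand-alone run: show what the two parsers make of the samples; the live
# keytab check only runs when asked for explicitly.
printf '%s\n' "$KEYCTL_SAMPLE" | ipa_cookie_unlink_cmds
printf '%s\n' "$KLIST_SAMPLE" | keytab_entries
if [ "${1:-}" = "--live" ]; then
    keytab_check "${2:-/etc/krb5.keytab}"
fi
```

On the server, `sh check.sh --live /etc/krb5.keytab` and `sh check.sh --live /etc/httpd/conf/ipa.keytab` test the two keytabs the thread re-created; a BROKEN line for host/ or HTTP/ is the keytab-versus-KDC mismatch Alexander describes, and a STALE line means the keytab's key still works but a newer key version exists on the KDC. Note that keyctl purge expects a key type and optional description rather than a key id, which is why the purge in the thread reported 0 keys and the reap had nothing to collect; `keyctl unlink <id> @s` removes the cookie.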
