I was going to ask about the ipa command error on the ipa server and how to fix it. But then I just tried again and it works.
$ ipa user-show admin
  User login: admin
  Last name: Administrator
  Home directory: /home/zaira/admin
  Login shell: /bin/bash
  UID: 1000
  GID: 1000
  Account disabled: False
  Password: True
  Member of groups: stagiaires, opera, ipausers, trust admins, admins, oldstaff
  Kerberos keys available: True
  SSH public key fingerprint: FA:76:85:EF:2A:D1:12:B9:A8:A4:F4:AE:45:B2:63:05 admin@ipasrv (ssh-dss)

Before trying again, I just ran a 'dnf update' and rebooted the server on the new kernel (4.1.8-200.fc22.x86_64).

On Mon, Oct 5, 2015 at 4:07 PM, Petr Vobornik <pvobo...@redhat.com> wrote:

> On 10/05/2015 12:55 PM, Fujisan wrote:
>
>> It is actually on the ipa server that ipa commands are not working. On ipa
>> clients, I do not have errors.
>>
>> On Mon, Oct 5, 2015 at 12:27 PM, Fujisan <fujisa...@gmail.com> wrote:
>>
>>> I just noticed I can log in to the web UI with user admin and his
>>> password.
>>>
>>> But when I try to configure firefox to use kerberos, I click on "Install
>>> Kerberos Configuration Firefox Extension" button, a message appears saying
>>> "Firefox prevented this site from asking you to install software on your
>>> computer", so I click on the "Allow" button and then another message
>>> appears "The add-on downloaded from this site could not be installed
>>> because it appears to be corrupt.".
>>>
>
> Here you hit https://fedorahosted.org/freeipa/ticket/4906
>
> Fix (will be in 4.2.2 release) for this ticket changes the procedure for
> new versions of Firefox to a manual configuration. Basically the steps for
> Firefox which are described on page
> http://your-ipa.example.test/ipa/config/ssbrowser.html
>
>>> And the ipa commands are still not working.
>>> $ ipa user-show admin
>>> ipa: ERROR: cannot connect to 'https://zaira2.opera/ipa/json': Unauthorized
>>>
>>> On Mon, Oct 5, 2015 at 12:13 PM, Fujisan <fujisa...@gmail.com> wrote:
>>>
>>>> I uninstalled the ipa server and reinstalled it. Then restored the backup.
>>>> And then the following:
>>>>
>>>> $ keyctl list @s
>>>> 3 keys in keyring:
>>>> 437165764: --alswrv     0 65534  keyring: _uid.0
>>>> 556579409: --alswrv     0     0  user: ipa_session_cookie:host/zaira2.opera@OPERA
>>>> 286806445: ---lswrv     0 65534  keyring: _persistent.0
>>>> $ keyctl purge 556579409
>>>> purged 0 keys
>>>> $ keyctl reap
>>>> 0 keys reaped
>>>> $ ipa user-show admin
>>>> ipa: ERROR: cannot connect to 'https://zaira2.opera/ipa/json': Unauthorized
>>>> $ keyctl list @s
>>>> 3 keys in keyring:
>>>> 437165764: --alswrv     0 65534  keyring: _uid.0
>>>> 556579409: --alswrv     0     0  user: ipa_session_cookie:host/zaira2.opera@OPERA
>>>> 286806445: ---lswrv     0 65534  keyring: _persistent.0
>>>>
>>>> It doesn't seem to purge or to reap.
>>>>
>>>> On Mon, Oct 5, 2015 at 9:17 AM, Fujisan <fujisa...@gmail.com> wrote:
>>>>
>>>>> Good morning,
>>>>>
>>>>> Any suggestion what I should do?
>>>>>
>>>>> I still have
>>>>>
>>>>> $ ipa user-show admin
>>>>> ipa: ERROR: cannot connect to 'https://zaira2.opera/ipa/json': Unauthorized
>>>>>
>>>>> Regards.
>>>>>
>>>>> On Fri, Oct 2, 2015 at 5:04 PM, Fujisan <fujisa...@gmail.com> wrote:
>>>>>
>>>>>> I only have this:
>>>>>>
>>>>>> $ keyctl list @s
>>>>>> 1 key in keyring:
>>>>>> 641467419: --alswrv     0 65534  keyring: _uid.0
>>>>>> $
>>>>>>
>>>>>> On Fri, Oct 2, 2015 at 5:01 PM, Alexander Bokovoy <aboko...@redhat.com> wrote:
>>>>>>
>>>>>>> On Fri, 02 Oct 2015, Fujisan wrote:
>>>>>>>
>>>>>>>> I forgot to mention that
>>>>>>>>
>>>>>>>> $ ipa user-show admin
>>>>>>>> ipa: ERROR: cannot connect to 'https://zaira2.opera/ipa/json': Unauthorized
>>>>>>>>
>>>>>>> This is most likely because of the cached session to your server.
>>>>>>>
>>>>>>> You can check if keyctl list @s
>>>>>>> returns you something like
>>>>>>> [root@m1 ~]# keyctl list @s
>>>>>>> 2 keys in keyring:
>>>>>>> 496745412: --alswrv     0 65534  keyring: _uid.0
>>>>>>> 215779962: --alswrv     0     0  user: ipa_session_cookie:ad...@example.com
>>>>>>>
>>>>>>> If so, then notice the key number (215779962) for the session cookie,
>>>>>>> and do:
>>>>>>> keyctl purge 215779962
>>>>>>> keyctl reap
>>>>>>>
>>>>>>> This should make a next 'ipa ...' command run to ask for new cookie.
>>>>>>>
>>>>>>>> On Fri, Oct 2, 2015 at 4:44 PM, Fujisan <fujisa...@gmail.com> wrote:
>>>>>>>>
>>>>>>>>> I still cannot login to the web UI.
>>>>>>>>>
>>>>>>>>> Here is what I did:
>>>>>>>>>
>>>>>>>>> 1. mv /etc/krb5.keytab /etc/krb5.keytab.save
>>>>>>>>> 2. kinit admin
>>>>>>>>>    Password for admin@OPERA:
>>>>>>>>> 3. ipa-getkeytab -s zaira2.opera -p host/zaira2.opera@OPERA -k /etc/krb5.keytab
>>>>>>>>> 4. systemctl restart sssd.service
>>>>>>>>> 5. mv /etc/httpd/conf/ipa.keytab /etc/httpd/conf/ipa.keytab.save
>>>>>>>>> 6. ipa-getkeytab -s zaira2.opera -p HTTP/zaira2.opera@OPERA -k /etc/httpd/conf/ipa.keytab
>>>>>>>>> 7. systemctl restart httpd.service
>>>>>>>>>
>>>>>>>>> The log says now:
>>>>>>>>>
>>>>>>>>> Oct 02 16:40:56 zaira2.opera krb5kdc[9065](info): AS_REQ (9 etypes {18 17 16 23 25 26 1 3 2}) 10.0.21.18: NEEDED_PREAUTH: HTTP/zaira2.opera@OPERA for krbtgt/OPERA@OPERA, Additional pre-authentication required
>>>>>>>>>
>>>>>>>>> On Fri, Oct 2, 2015 at 4:25 PM, Alexander Bokovoy <aboko...@redhat.com> wrote:
>>>>>>>>>
>>>>>>>>>> On Fri, 02 Oct 2015, Fujisan wrote:
>>>>>>>>>>
>>>>>>>>>>> Well, I think I messed up when trying to configure cockpit to use
>>>>>>>>>>> kerberos.
>>>>>>>>>>>
>>>>>>>>>>> What should I do to fix this?
>>>>>>>>>>>
>>>>>>>>>>> I have this on the ipa server:
>>>>>>>>>>> $ klist -k
>>>>>>>>>>> Keytab name: FILE:/etc/krb5.keytab
>>>>>>>>>>> KVNO Principal
>>>>>>>>>>> ---- --------------------------------------------------------------------------
>>>>>>>>>>>    2 host/zaira2.opera@OPERA
>>>>>>>>>>>    2 host/zaira2.opera@OPERA
>>>>>>>>>>>    2 host/zaira2.opera@OPERA
>>>>>>>>>>>    2 host/zaira2.opera@OPERA
>>>>>>>>>>>    1 nfs/zaira2.opera@OPERA
>>>>>>>>>>>    1 nfs/zaira2.opera@OPERA
>>>>>>>>>>>    1 nfs/zaira2.opera@OPERA
>>>>>>>>>>>    1 nfs/zaira2.opera@OPERA
>>>>>>>>>>>    3 HTTP/zaira2.opera@OPERA
>>>>>>>>>>>    3 HTTP/zaira2.opera@OPERA
>>>>>>>>>>>    3 HTTP/zaira2.opera@OPERA
>>>>>>>>>>>    3 HTTP/zaira2.opera@OPERA
>>>>>>>>>>>
>>>>>>>>>> You can start by:
>>>>>>>>>>
>>>>>>>>>> 0. backup every file mentioned below
>>>>>>>>>> 1. Move /etc/krb5.keytab somewhere
>>>>>>>>>> 2. kinit as admin
>>>>>>>>>> 3. ipa-getkeytab -s `hostname` -p host/`hostname` -k /etc/krb5.keytab
>>>>>>>>>> 4. restart SSSD
>>>>>>>>>> 5. Move /etc/httpd/conf/ipa.keytab somewhere
>>>>>>>>>> 6. ipa-getkeytab -s `hostname` -p HTTP/`hostname` -k /etc/httpd/conf/ipa.keytab
>>>>>>>>>> 7. Restart httpd
>>>>>>>>>>
>>>>>>>>>> Every time you run 'ipa-getkeytab', Kerberos key for the service
>>>>>>>>>> specified by you is replaced on the server side so that keys in the
>>>>>>>>>> keytabs become unusable.
>>>>>>>>>>
>>>>>>>>>> I guess cockpit instructions were for something that was not
>>>>>>>>>> supposed to run on IPA master. On IPA master there are already all
>>>>>>>>>> needed services (host/ and HTTP/) and their keytabs are in place.
>>>>>>>>>>
>>>>>>>>>>> On Fri, Oct 2, 2015 at 3:45 PM, Alexander Bokovoy <aboko...@redhat.com> wrote:
>>>>>>>>>>>
>>>>>>>>>>>> On Fri, 02 Oct 2015, Fujisan wrote:
>>>>>>>>>>>>
>>>>>>>>>>>>> More info:
>>>>>>>>>>>>>
>>>>>>>>>>>>> I can initiate a ticket:
>>>>>>>>>>>>> $ kdestroy
>>>>>>>>>>>>> $ kinit admin
>>>>>>>>>>>>>
>>>>>>>>>>>>> but cannot view user admin:
>>>>>>>>>>>>> $ ipa user-show admin
>>>>>>>>>>>>> ipa: ERROR: cannot connect to 'https://zaira2.opera/ipa/json': Unauthorized
>>>>>>>>>>>>>
>>>>>>>>>>>>> $ ipactl status
>>>>>>>>>>>>> Directory Service: RUNNING
>>>>>>>>>>>>> krb5kdc Service: RUNNING
>>>>>>>>>>>>> kadmin Service: RUNNING
>>>>>>>>>>>>> named Service: RUNNING
>>>>>>>>>>>>> ipa_memcached Service: RUNNING
>>>>>>>>>>>>> httpd Service: RUNNING
>>>>>>>>>>>>> pki-tomcatd Service: RUNNING
>>>>>>>>>>>>> smb Service: RUNNING
>>>>>>>>>>>>> winbind Service: RUNNING
>>>>>>>>>>>>> ipa-otpd Service: RUNNING
>>>>>>>>>>>>> ipa-dnskeysyncd Service: RUNNING
>>>>>>>>>>>>> ipa: INFO: The ipactl command was successful
>>>>>>>>>>>>>
>>>>>>>>>>>>> /var/log/messages:
>>>>>>>>>>>>> Oct 2 14:48:55 zaira2 [sssd[ldap_child[4991]]]: Failed to initialize credentials using keytab [MEMORY:/etc/krb5.keytab]: Decrypt integrity check failed. Unable to create GSSAPI-encrypted LDAP connection.
>>>>>>>>>>>>>
>>>>>>>>>>>> What did you do?
>>>>>>>>>>>>
>>>>>>>>>>>> This and the log below about HTTP/zaira2.opera@OPERA show that
>>>>>>>>>>>> you have different keys in LDAP and in your keytab files for
>>>>>>>>>>>> host/zaira2.opera and HTTP/zaira2.opera principals. This might
>>>>>>>>>>>> happen if somebody removed the principals from LDAP (ipa
>>>>>>>>>>>> service-del/ipa service-add, or ipa host-del/ipa host-add) so
>>>>>>>>>>>> that they become non-synchronized with whatever you have in the
>>>>>>>>>>>> keytab files.
>>>>>>>>>>>>
>>>>>>>>>>>>> On Fri, Oct 2, 2015 at 2:26 PM, Fujisan <fujisa...@gmail.com> wrote:
>>>>>>>>>>>>>
>>>>>>>>>>>>>> Hello,
>>>>>>>>>>>>>>
>>>>>>>>>>>>>> I cannot login to the web UI anymore.
>>>>>>>>>>>>>>
>>>>>>>>>>>>>> The password or username you entered is incorrect.
>>>>>>>>>>>>>>
>>>>>>>>>>>>>> Log says:
>>>>>>>>>>>>>>
>>>>>>>>>>>>>> Oct 02 14:22:57 zaira2.opera krb5kdc[3225](info): AS_REQ (9 etypes {18 17 16 23 25 26 1 3 2}) 10.0.21.18: NEEDED_PREAUTH: HTTP/zaira2.opera@OPERA for krbtgt/OPERA@OPERA, Additional pre-authentication required
>>>>>>>>>>>>>> Oct 02 14:22:57 zaira2.opera krb5kdc[3225](info): closing down fd 12
>>>>>>>>>>>>>> Oct 02 14:22:57 zaira2.opera krb5kdc[3225](info): preauth (encrypted_timestamp) verify failure: Decrypt integrity check failed
>>>>>>>>>>>>>> Oct 02 14:22:57 zaira2.opera krb5kdc[3225](info): AS_REQ (9 etypes {18 17 16 23 25 26 1 3 2}) 10.0.21.18: PREAUTH_FAILED: HTTP/zaira2.opera@OPERA for krbtgt/OPERA@OPERA, Decrypt integrity check failed
>>>>>>>>>>>>>> Oct 02 14:22:57 zaira2.opera krb5kdc[3225](info): closing down fd 12
>>>>>>>>>>>>>>
>>>>>>>>>>>>>> I have no idea what went wrong.
>>>>>>>>>>>>>>
>>>>>>>>>>>>>> What can I do?
>>>>>>>>>>>>>>
>>>>>>>>>>>>>> Regards,
>>>>>>>>>>>>>> Fuji
>>>>>>>>>>>>>>
>>>>>>>
>>>>>>> --
>>>>>>> / Alexander Bokovoy
>>>>>>>
>
> --
> Petr Vobornik
--
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project
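Two checks that follow from the thread above, as an added example rather than anything posted by its participants: locating the cached `ipa_session_cookie` keys in the session keyring that Alexander suggests removing, and summarising the KVNOs a keytab holds per principal so that, after the `ipa-getkeytab` steps, you can confirm only one KVNO remains. The script unlinks a cookie by its numeric key id with `keyctl unlink` (since `keyctl purge` selects keys by type and description); the `keyctl list @s` and `klist -k` samples it parses are constructed, shaped like the output quoted in the thread.

```shell
#!/bin/sh
# Added example, not from the thread. Two checks for the situation above:
#  1. list cached FreeIPA session cookies in the session keyring (the keys
#     Alexander suggests removing so the next `ipa` call asks for a new one);
#  2. summarise which KVNO each principal in a keytab carries, to confirm
#     after re-keying with ipa-getkeytab that only the new KVNO remains.
# Both parse the text the tools print; constructed samples shaped like the
# output quoted in the thread are embedded so the parsers run offline.

SAMPLE_KEYRING='3 keys in keyring:
437165764: --alswrv     0 65534  keyring: _uid.0
556579409: --alswrv     0     0  user: ipa_session_cookie:host/zaira2.opera@OPERA
286806445: ---lswrv     0 65534  keyring: _persistent.0'

# Constructed: the extra KVNO 4 entry models a keytab that was appended to.
SAMPLE_KEYTAB='Keytab name: FILE:/etc/krb5.keytab
KVNO Principal
---- ----------------------------------------------------
   2 host/zaira2.opera@OPERA
   2 host/zaira2.opera@OPERA
   3 HTTP/zaira2.opera@OPERA
   4 HTTP/zaira2.opera@OPERA'

# Key IDs of "user:" keys whose description starts with ipa_session_cookie,
# one per line; reads `keyctl list @s` output from stdin.
session_cookie_ids() {
    awk '$1 ~ /^[0-9]+:$/ && $5 == "user:" && $6 ~ /^ipa_session_cookie:/ {
            sub(/:$/, "", $1); print $1 }'
}

# Unlink every cached IPA session cookie from the session keyring (@s).
# keyctl purge selects keys by type and description, so the numeric id is
# handed to keyctl unlink instead.
drop_ipa_session_cookies() {
    for id in $(keyctl list @s | session_cookie_ids); do
        keyctl unlink "$id" @s
    done
}

# "principal kvno[,kvno...]" per principal from `klist -k` output on stdin.
# More than one KVNO for a principal means old entries were left behind,
# which moving the keytab aside before ipa-getkeytab (steps 1 and 5) avoids.
keytab_kvnos() {
    awk '$1 ~ /^[0-9]+$/ && $2 ~ /@/ {
            if (!seen[$2, $1]++) k[$2] = (k[$2] == "" ? $1 : k[$2] "," $1) }
         END { for (p in k) print p, k[p] }' | LC_ALL=C sort
}

printf '%s\n' "$SAMPLE_KEYRING" | session_cookie_ids
printf '%s\n' "$SAMPLE_KEYTAB" | keytab_kvnos
```

On a live host, `keyctl list @s | session_cookie_ids` and `klist -k | keytab_kvnos` run the same parsers against real output; `drop_ipa_session_cookies` is only called explicitly.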