Hi!

I've been doing backups using the tool like this:
ipa-backup --data --online

I didn't want any configuration to be backed up, since it is managed
from a chef recipe.

However, when I tried to recover the backup to a fresh FreeIPA
install, Kerberos (GSSAPI) broke — I can't authenticate myself
anywhere using Kerberos: CLI, HTTP, etc.

LDAP password-based authentication works alright.

After some googling and reading through the mailing list, I followed
this manual and updated all keytabs for all services — dirsrv, httpd,
kadmin: 
http://www.freeipa.org/page/V3/Backup_and_Restore#Backup.2C_uninstall.2C_reinstall.2C_restore_JUST_the_LDAP_server

Then it broke  in a different way: for a correct session it says that
my session is expired or just does nothing, for an incorrect password
it responds with "password incorrect" (see screenshot).
https://yadi.sk/i/WVe8u1_ZpNh3w

For CLI it just says that the credentials are incorrect regardless of
what credentials I provide.

I suppose that all krbPrincipalKey fields are tied to some other
encryption key that is not included in data-only backup.

Could you please let me know how to regenerate krbPrincipalKey for all
users or how to work around this issue?

Best regards,
Marat

-- 
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project

Reply via email to