I've been doing backups using the tool like this:
ipa-backup --data --online
I didn't want any configuration to be backed up, since it is managed
from a chef recipe.
However, when I tried to recover the backup to a fresh FreeIPA
install, Kerberos (GSSAPI) broke — I can't authenticate myself
anywhere using Kerberos: CLI, HTTP, etc.
LDAP password-based authentication works alright.
After some googling and reading through the mailing list, I followed
this manual and updated all keytabs for all services — dirsrv, httpd,
Then it broke in a different way: for a correct session it says that
my session is expired or just does nothing, for an incorrect password
it responds with "password incorrect" (see screenshot).
For CLI it just says that the credentials are incorrect regardless of
what credentials I provide.
I suppose that all krbPrincipalKey fields are tied to some other
encryption key that is not included in data-only backup.
Could you please let me know how to regenerate krbPrincipalKey for all
users or how to work around this issue?
Manage your subscription for the Freeipa-users mailing list:
Go to http://freeipa.org for more info on the project