On 23/02/16 20:21, Marat Vyshegorodtsev wrote:

I've been doing backups using the tool like this:
ipa-backup --data --online

I didn't want any configuration to be backed up, since it is managed
from a chef recipe.

However, when I tried to recover the backup to a fresh FreeIPA
install, Kerberos (GSSAPI) broke — I can't authenticate myself
anywhere using Kerberos: CLI, HTTP, etc.

LDAP password-based authentication works alright.

After some googling and reading through the mailing list, I followed
this manual and updated all keytabs for all services — dirsrv, httpd,

Then it broke  in a different way: for a correct session it says that
my session is expired or just does nothing, for an incorrect password
it responds with "password incorrect" (see screenshot).

For CLI it just says that the credentials are incorrect regardless of
what credentials I provide.

I suppose that all krbPrincipalKey fields are tied to some other
encryption key that is not included in data-only backup.

Could you please let me know how to regenerate krbPrincipalKey for all
users or how to work around this issue?

Best regards,

Hello Marat,
I would say that this is expected. During freeipa-server installation all service and host kerberos keys are generated randomly, stored in Directory Server and in keytab accessible to the host/service. When you reinstall freeipa-server all keys are regenerated and no longer matches the ones stored in your backup.

You can use ipa-getkeytab(1) with Directory Manager credentials to retrieve new keys but think it's not enough to make it work again.
Hopefully, someone, who understand kerberos better will advice.

David Kupka

Manage your subscription for the Freeipa-users mailing list:
Go to http://freeipa.org for more info on the project

Reply via email to