David Kupka wrote:
> On 23/02/16 20:21, Marat Vyshegorodtsev wrote:
>> Hi!
>> I've been doing backups using the tool like this:
>> ipa-backup --data --online
>> I didn't want any configuration to be backed up, since it is managed
>> from a chef recipe.
>> However, when I tried to recover the backup to a fresh FreeIPA
>> install, Kerberos (GSSAPI) broke — I can't authenticate myself
>> anywhere using Kerberos: CLI, HTTP, etc.
>> LDAP password-based authentication works alright.
>> After some googling and reading through the mailing list, I followed
>> this manual and updated all keytabs for all services — dirsrv, httpd,
>> kadmin:
>> http://www.freeipa.org/page/V3/Backup_and_Restore#Backup.2C_uninstall.2C_reinstall.2C_restore_JUST_the_LDAP_server
>> Then it broke  in a different way: for a correct session it says that
>> my session is expired or just does nothing, for an incorrect password
>> it responds with "password incorrect" (see screenshot).
>> https://yadi.sk/i/WVe8u1_ZpNh3w
>> For CLI it just says that the credentials are incorrect regardless of
>> what credentials I provide.
>> I suppose that all krbPrincipalKey fields are tied to some other
>> encryption key that is not included in data-only backup.
>> Could you please let me know how to regenerate krbPrincipalKey for all
>> users or how to work around this issue?
>> Best regards,
>> Marat
> Hello Marat,
> I would say that this is expected. During freeipa-server installation
> all service and host kerberos keys are generated randomly, stored in
> Directory Server and in keytab accessible to the host/service.
> When you reinstall freeipa-server all keys are regenerated and no longer
> matches the ones stored in your backup.
> You can use ipa-getkeytab(1) with Directory Manager credentials to
> retrieve new keys but think it's not enough to make it work again.
> Hopefully, someone, who understand kerberos better will advice.

It sounds like he already re-generated those keytabs.

The Kerberos master key is stored in LDAP so you should already have it.
Seeing the KDC and/or httpd logs might be useful.

Are you just toying with this or did something go horribly wrong and
you're trying to restore a production environment?

The instructions you used were strictly a brain dump, something I goofed
around with as an interesting thought project but didn't entirely nail
down. It is quite possible I didn't document some important step in there.


Manage your subscription for the Freeipa-users mailing list:
Go to http://freeipa.org for more info on the project

Reply via email to