David Kupka wrote:
> On 23/02/16 20:21, Marat Vyshegorodtsev wrote:
>> Hi!
>>
>> I've been doing backups using the tool like this:
>> ipa-backup --data --online
>>
>> I didn't want any configuration to be backed up, since it is managed
>> from a chef recipe.
>>
>> However, when I tried to recover the backup to a fresh FreeIPA
>> install, Kerberos (GSSAPI) broke — I can't authenticate myself
>> anywhere using Kerberos: CLI, HTTP, etc.
>>
>> LDAP password-based authentication works alright.
>>
>> After some googling and reading through the mailing list, I followed
>> this manual and updated all keytabs for all services — dirsrv, httpd,
>> kadmin:
>> http://www.freeipa.org/page/V3/Backup_and_Restore#Backup.2C_uninstall.2C_reinstall.2C_restore_JUST_the_LDAP_server
>>
>> Then it broke in a different way: for a correct session it says that
>> my session is expired or just does nothing; for an incorrect password
>> it responds with "password incorrect" (see screenshot).
>> https://yadi.sk/i/WVe8u1_ZpNh3w
>>
>> For CLI it just says that the credentials are incorrect regardless of
>> what credentials I provide.
>>
>> I suppose that all krbPrincipalKey fields are tied to some other
>> encryption key that is not included in the data-only backup.
>>
>> Could you please let me know how to regenerate krbPrincipalKey for all
>> users or how to work around this issue?
>>
>> Best regards,
>> Marat
>>
>
> Hello Marat,
> I would say that this is expected. During freeipa-server installation
> all service and host Kerberos keys are generated randomly, stored in
> Directory Server and in a keytab accessible to the host/service.
> When you reinstall freeipa-server all keys are regenerated and no longer
> match the ones stored in your backup.
>
> You can use ipa-getkeytab(1) with Directory Manager credentials to
> retrieve new keys, but I think it's not enough to make it work again.
> Hopefully someone who understands Kerberos better will advise.
>
It sounds like he already re-generated those keytabs. The Kerberos master
key is stored in LDAP, so you should already have it.

Seeing the KDC and/or httpd logs might be useful.

Are you just toying with this, or did something go horribly wrong and
you're trying to restore a production environment?

The instructions you used were strictly a brain dump, something I goofed
around with as an interesting thought project but didn't entirely nail
down. It is quite possible I didn't document some important step in there.

rob
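The failure David describes (service keytabs on the host no longer matching the keys the restored KDC holds in LDAP) can be checked directly rather than inferred from GSSAPI errors: try to obtain a ticket from each keytab with `kinit -kt`, and only re-fetch the ones that fail. The script below is an added example written for this thread, not code from the thread or from the FreeIPA project. It assumes the standard FreeIPA keytab locations, a realm and server name taken from the environment, and a `DM_PASSWORD` variable for Directory Manager; the `kadmin` keytab path is also an assumption and may differ by version. It only covers service/host keytabs, which is the part of the problem identified in the thread; it does nothing about user principals.

```shell
#!/bin/sh
# Added example (not from the thread or the FreeIPA project): check whether the
# service keytabs on an IPA server still match the keys held by the KDC, which
# is what breaks when a data-only ipa-backup is restored onto a fresh install.
# Assumptions: REALM, IPA_HOST and the keytab paths below; override via env.
set -u

REALM="${REALM:-EXAMPLE.COM}"                                      # assumed realm
IPA_HOST="${IPA_HOST:-$(hostname -f 2>/dev/null || echo ipa.example.com)}"  # this server

# verify_keytab KEYTAB PRINCIPAL
# Returns 0 if a TGT can be obtained for PRINCIPAL from KEYTAB, 1 otherwise.
# A MEMORY: credential cache lives only inside the kinit process, so the
# caller's own tickets are never touched and nothing is left on disk.
verify_keytab() {
    kt="$1"; princ="$2"
    [ -r "$kt" ] || return 1
    ( export KRB5CCNAME="MEMORY:verify_$$"; kinit -kt "$kt" "$princ" ) >/dev/null 2>&1
}

# refetch_keytab KEYTAB PRINCIPAL
# Fetch a key for PRINCIPAL into KEYTAB using Directory Manager credentials.
# Caveat: without -r, ipa-getkeytab generates a NEW key (kvno+1) in LDAP, so
# any other copy of this principal's keytab becomes stale. Newer FreeIPA
# releases accept -r to retrieve the existing key instead; use it if available.
refetch_keytab() {
    kt="$1"; princ="$2"
    ipa-getkeytab -s "$IPA_HOST" -p "$princ" -k "$kt" \
        -D 'cn=Directory Manager' -w "${DM_PASSWORD:?set DM_PASSWORD first}"
}

# Service keytabs on an IPA server (assumed standard locations).
service_keytabs() {
    printf '%s\n' \
        "/etc/krb5.keytab host/$IPA_HOST@$REALM" \
        "/etc/dirsrv/ds.keytab ldap/$IPA_HOST@$REALM" \
        "/etc/httpd/conf/ipa.keytab HTTP/$IPA_HOST@$REALM" \
        "/var/kerberos/krb5kdc/kadm5.keytab kadmin/$IPA_HOST@$REALM"
}

# check_all: print one line per keytab; exit status is the number of mismatches
# (0 means every keytab still authenticates against the KDC).
check_all() {
    bad=0
    service_keytabs | while read -r kt princ; do
        if verify_keytab "$kt" "$princ"; then
            echo "OK       $princ ($kt)"
        else
            echo "MISMATCH $princ ($kt)"
            echo "$princ" >&3
        fi
    done 3>"${TMPDIR:-/tmp}/keytab_mismatch.$$"
    bad=$(wc -l < "${TMPDIR:-/tmp}/keytab_mismatch.$$")
    rm -f "${TMPDIR:-/tmp}/keytab_mismatch.$$"
    return "$bad"
}

# refetch_all: re-fetch only the keytabs that fail verification.
refetch_all() {
    service_keytabs | while read -r kt princ; do
        verify_keytab "$kt" "$princ" && continue
        echo "re-fetching $princ into $kt"
        refetch_keytab "$kt" "$princ"
    done
}

case "${1:-}" in
    check)   check_all ;;
    refetch) refetch_all ;;
esac
```

Run `sh keytab-check.sh check` first and look at the KDC log for the failing principals before re-fetching anything; because each `ipa-getkeytab` without `-r` rotates the key in LDAP, re-fetch only what actually fails, and on a multi-server deployment re-run the check on every replica afterwards.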