Hi there,

I have been running an IPA install (4.5.0) on a CentOS 7 server for quite a while and had some problems with it. Eventually everything got worse and now it is not really usable anymore.

It started with someone accidentally shutting down the server. From that point on, one of the services did not run anymore. Not 100% sure, but I think it was pki-tomcat. I "fixed" it temporarily by using the '--ignore-service-failures' flag with ipactl. Everything seemed fine until about one or two weeks ago. Some clients could sometimes not get Kerberos tickets. I couldn't quite figure out why.

I used 'ipa-backup --data' in hopes of restoring it on a fresh OS with everything working again. Had to upgrade to IPA 4.6.6. It worked with 'ipa-restore --data --backend=userRoot'. 'kinit' works, but I can't use any 'ipa ...' commands. Here is an example:

```
[root@ipa01 ~]# ipa -v user-find --all
ipa: INFO: trying https://ipa01.example.com/ipa/json
ipa: INFO: [try 1]: Forwarding 'schema' to json server 'https://ipa01.example.com/ipa/json'
ipa: ERROR: No valid Negotiate header in server response
```

/var/log/httpd/error_log:
```
[Thu Jul 16 10:40:27.007724 2020] [auth_gssapi:error] [pid 2210] [client xx.xx.xx.1:40920] GSS ERROR gss_acquire_cred[_from]() failed to get server creds: [Unspecified GSS failure.  Minor code may provide more information ( SPNEGO cannot find mechanisms to negotiate)], referer: https://ipa01.example.com/ipa/xml
```

/var/log/messages:
```
[...]
Jul 16 10:40:26 ipa01 gssproxy: [CID 14][2020/07/16 08:40:26]: gp_rpc_execute: executing 6 (GSSX_ACQUIRE_CRED) for service "ipa-httpd", euid: 48,socket: (null)
Jul 16 10:40:26 ipa01 gssproxy: GSSX_ARG_ACQUIRE_CRED( call_ctx: { "" [  ] } input_cred_handle: <Null> add_cred: 0 desired_name: <Null> time_req: 4294967295 desired_mechs: { { 1 2 840 113554 1 2 2 } } cred_usage: BOTH initiator_time_req: 0 acceptor_time_req: 0 )
Jul 16 10:40:26 ipa01 gssproxy: gssproxy[2408]: (OID: { 1 2 840 113554 1 2 2 }) Unspecified GSS failure.  Minor code may provide more information, Preauthentication failed
Jul 16 10:40:26 ipa01 gssproxy: GSSX_RES_ACQUIRE_CRED( status: { 851968 { 1 2 840 113554 1 2 2 } 2529638936 "Unspecified GSS failure.  Minor code may provide more information" "Preauthentication failed" [  ] } output_cred_handle: <Null> )
Jul 16 10:40:26 ipa01 gssproxy: [CID 14][2020/07/16 08:40:26]: gp_rpc_execute: executing 6 (GSSX_ACQUIRE_CRED) for service "ipa-httpd", euid: 48,socket: (null)
Jul 16 10:40:26 ipa01 gssproxy: GSSX_ARG_ACQUIRE_CRED( call_ctx: { "" [  ] } input_cred_handle: <Null> add_cred: 0 desired_name: <Null> time_req: 4294967295 desired_mechs: { { 1 2 840 113554 1 2 2 } } cred_usage: BOTH initiator_time_req: 0 acceptor_time_req: 0 )
Jul 16 10:40:27 ipa01 gssproxy: gssproxy[2408]: (OID: { 1 2 840 113554 1 2 2 }) Unspecified GSS failure.  Minor code may provide more information, Preauthentication failed
Jul 16 10:40:27 ipa01 gssproxy: GSSX_RES_ACQUIRE_CRED( status: { 851968 { 1 2 840 113554 1 2 2 } 2529638936 "Unspecified GSS failure.  Minor code may provide more information" "Preauthentication failed" [  ] } output_cred_handle: <Null> )
Jul 16 10:40:34 ipa01 [sssd[ldap_child[15047]]]: Failed to initialize credentials using keytab [MEMORY:/etc/krb5.keytab]: Preauthentication failed. Unable to create GSSAPI-encrypted LDAP connection.
[...]
```

Does anyone know how to fix this or debug it further? I still have a snapshot of the old IPA machine if that helps. I am also thinking about just backing up the user database (usernames and passwords; everything else is nice but not required) and using a fresh install with just the user data. I don't know how much different this would be from what I have done now, to be honest. Re-installing the clients is not much work for me, because it is well automated and there are few clients anyway.

I hope this was not too long and convoluted. I'll be glad about any help.

Best regards
Lorenz
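The /var/log/messages excerpt in the post is regular enough to parse once split back into lines. As an added example (not from the post or the FreeIPA project), the Python below pairs each gssproxy GSSX_ACQUIRE_CRED call with its result, decodes the GSS major status (851968 is routine error 13, GSS_S_FAILURE) and the krb5 minor code (2529638936 is KRB5KDC_ERR_PREAUTH_FAILED logged as an unsigned 32-bit value), and picks up the sssd keytab failure; the sample lines are constructed from the post.

```python
import re
from typing import Dict, List, Optional

# Constructed sample: three lines modelled on the /var/log/messages excerpt in the post.
SAMPLE_LOG = """\
Jul 16 10:40:26 ipa01 gssproxy: [CID 14][2020/07/16 08:40:26]: gp_rpc_execute: executing 6 (GSSX_ACQUIRE_CRED) for service "ipa-httpd", euid: 48,socket: (null)
Jul 16 10:40:26 ipa01 gssproxy: GSSX_RES_ACQUIRE_CRED( status: { 851968 { 1 2 840 113554 1 2 2 } 2529638936 "Unspecified GSS failure.  Minor code may provide more information" "Preauthentication failed" [  ] } output_cred_handle: <Null> )
Jul 16 10:40:34 ipa01 [sssd[ldap_child[15047]]]: Failed to initialize credentials using keytab [MEMORY:/etc/krb5.keytab]: Preauthentication failed. Unable to create GSSAPI-encrypted LDAP connection.
"""

CALL_RE = re.compile(r'gp_rpc_execute: executing \d+ \((GSSX_\w+)\) for service "([^"]+)", euid: (\d+)')
RES_RE = re.compile(r'(GSSX_RES_\w+)\( status: \{ (\d+) \{ ([\d ]+?) \} (\d+) "[^"]*" "([^"]*)"')
SSSD_RE = re.compile(r'sssd\[ldap_child\[\d+\]\]\]: Failed to initialize credentials using keytab \[([^\]]+)\]: ([^.]+)\.')

# GSS major status packs the routine error into bits 16..23 (RFC 2744); 13 is GSS_S_FAILURE.
GSS_ROUTINE_ERRORS = {13: "GSS_S_FAILURE"}
# krb5 minor codes are negative com_err values; gssproxy logs them as unsigned 32-bit integers.
KRB5_MINOR = {(-1765328360) & 0xFFFFFFFF: "KRB5KDC_ERR_PREAUTH_FAILED"}
MECH_OIDS = {"1 2 840 113554 1 2 2": "krb5"}


def decode_major(major: int) -> str:
    routine = (major >> 16) & 0xFF
    return GSS_ROUTINE_ERRORS.get(routine, f"routine_error_{routine}")


def parse_gssproxy_failures(text: str) -> List[Dict[str, str]]:
    """Pair each gssproxy call with its result; collect failed calls and sssd keytab errors."""
    failures: List[Dict[str, str]] = []
    pending: Optional[Dict[str, str]] = None
    for line in text.splitlines():
        m = CALL_RE.search(line)
        if m:  # remember which service asked for credentials
            pending = {"source": "gssproxy", "op": m.group(1), "service": m.group(2), "euid": m.group(3)}
            continue
        m = RES_RE.search(line)
        if m and pending:
            major, minor = int(m.group(2)), int(m.group(4))
            if major != 0:  # GSS_S_COMPLETE is 0; anything else means the call failed
                pending.update(major=decode_major(major), mech=MECH_OIDS.get(m.group(3), m.group(3)),
                               minor=KRB5_MINOR.get(minor, str(minor)), detail=m.group(5))
                failures.append(pending)
            pending = None
            continue
        m = SSSD_RE.search(line)
        if m:
            failures.append({"source": "sssd", "keytab": m.group(1), "detail": m.group(2)})
    return failures


if __name__ == "__main__":
    for failure in parse_gssproxy_failures(SAMPLE_LOG):
        print(failure)
```

Run against the real file, every keytab-backed service reporting KRB5KDC_ERR_PREAUTH_FAILED is one whose keytab keys no longer match what the KDC holds, which is the first thing to compare between the restored host and the old snapshot.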
_______________________________________________
FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org
To unsubscribe send an email to freeipa-users-le...@lists.fedorahosted.org
Fedora Code of Conduct: 
https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: 
https://lists.fedorahosted.org/archives/list/freeipa-users@lists.fedorahosted.org