Re: [Freeipa-users] IPA inaccessible after adding service principal

2016-02-15 Thread Martin Babinsky

On 02/15/2016 04:41 PM, Sumit Bose wrote:

On Mon, Feb 15, 2016 at 04:27:15PM +0100, Martin Juhl wrote:

Hi guys

I've just installed a RHEL7 server with ipa-server 4.2.0...

Everything seems to work fine, until I add a service principal:

(Running on a client, after a kinit)

[root@dantooine ~]# ipa-getkeytab -s naboo.outerrim.lan -p HTTP/naboo.outerrim@outerrim.lan -k /etc/krb5.keytab
Keytab successfully retrieved and stored in: /etc/krb5.keytab


ipa-getkeytab will always create a new key unless you use the --retrieve
option.

It looks like you call ipa-getkeytab on the host dantooine, so it will
create a new key for naboo but save it on dantooine. So the keytab on
naboo will still have the old key but the KDC will hand out service
tickets with the new key which naboo does not know about.

Please try to call ipa-getkeytab with the --retrieve option on naboo so
that the new key is available on naboo as well.

HTH

bye,
Sumit




You will also need to regenerate the Apache keytab, since by using that 
command you regenerated the Kerberos keys of the HTTP service while leaving the old 
keys in IPA's HTTP service keytab, hence the decrypt integrity check error 
when using the CLI/WebUI.


on naboo.outerrim.lan, run:

"""
ipa-getkeytab -s naboo.outerrim.lan -p HTTP/naboo.outerrim@outerrim.lan -k /etc/httpd/conf/ipa.keytab

"""

and then either restart httpd service or run:

"""
kdestroy -c /var/run/httpd/ipa/krbcache/krb5ccache
"""

That should make webui and cli work again.





After running the command, the web-interface returns:

The password or username you entered is incorrect.

when I try to login, and the "ipa" command has stopped working as well (both on 
the server and client):


[root@dantooine ~]# ipa user-show admin
ipa: ERROR: Insufficient access: SASL(-1): generic failure: GSSAPI Error: 
Unspecified GSS failure.  Minor code may provide more information (KDC returned 
error string: 2ND_TKT_SERVER)
[root@dantooine ~]#
[root@dantooine ~]# kdestroy
[root@dantooine ~]# kinit admin
Password for ad...@outerrim.lan:
[root@dantooine ~]# ipa user-show admin
ipa: ERROR: cannot connect to 'https://naboo.outerrim.lan/ipa/json': 
Unauthorized


/var/log/httpd/error_log on the server gives me:

ValueError: non-generic 'CCacheError' needs format=None; got format="(-1765328353, 
'Decrypt integrity check failed')"


What did I do wrong here???

Regards

Martin Juhl

--
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project





--
Martin^3 Babinsky

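The failure both replies describe is a key version (KVNO) mismatch: the KDC moved the HTTP service to a new key, but the keytab the service reads still holds the old one, and the new key sits in a keytab on the wrong host. The script below is an added example written for this thread, not code from FreeIPA or from any of the posters. It parses the output of two standard MIT Kerberos tools, `klist -kt <keytab>` (run on the service host) and `kvno <principal>` (run anywhere you hold a TGT), and reports principals whose keytab KVNO lags the KDC, plus service keys that landed in another host's keytab. The host names are the ones from the thread; the realm OUTERRIM.LAN, the timestamps and the KVNO values are assumptions, and the sample outputs are constructed, not captured.

```python
"""Detect a keytab that no longer matches the key the KDC issues tickets with.

Added example for this thread (not FreeIPA's own code). Inputs are the text of
`klist -kt` and `kvno` as MIT Kerberos prints them; everything below is parsed
from constructed samples so it runs offline.
"""
import re
from typing import Dict, List, Tuple

# Constructed `klist -kt /etc/krb5.keytab` output on dantooine after running
# ipa-getkeytab there for naboo's HTTP principal: the new key (KVNO 2) is here.
KLIST_DANTOOINE = """\
Keytab name: FILE:/etc/krb5.keytab
KVNO Timestamp           Principal
---- ------------------- ------------------------------------------------------
   1 02/15/2016 14:02:11 host/dantooine.outerrim.lan@OUTERRIM.LAN
   1 02/15/2016 14:02:11 host/dantooine.outerrim.lan@OUTERRIM.LAN
   2 02/15/2016 16:20:05 HTTP/naboo.outerrim.lan@OUTERRIM.LAN
   2 02/15/2016 16:20:05 HTTP/naboo.outerrim.lan@OUTERRIM.LAN
"""

# Constructed `klist -kt /etc/httpd/conf/ipa.keytab` output on naboo: old key only.
KLIST_NABOO_HTTPD = """\
Keytab name: FILE:/etc/httpd/conf/ipa.keytab
KVNO Timestamp           Principal
---- ------------------- ------------------------------------------------------
   1 02/15/2016 13:55:40 HTTP/naboo.outerrim.lan@OUTERRIM.LAN
   1 02/15/2016 13:55:40 HTTP/naboo.outerrim.lan@OUTERRIM.LAN
"""

# Constructed `kvno HTTP/naboo.outerrim.lan` output after `kinit admin`: the KDC
# already encrypts service tickets with key version 2.
KVNO_OUTPUT = "HTTP/naboo.outerrim.lan@OUTERRIM.LAN: kvno = 2\n"

# klist -kt rows look like "<kvno> <date> <time> <principal>" (without -e there
# is no enctype column). Header and separator lines do not start with a digit.
_KLIST_ROW = re.compile(r"^\s*(\d+)\s+\S+\s+\S+\s+(\S+)\s*$")
# kvno rows look like "<principal>: kvno = <n>".
_KVNO_ROW = re.compile(r"^(\S+): kvno = (\d+)\s*$")


def keytab_kvnos(klist_output: str) -> Dict[str, int]:
    """Highest KVNO stored for each principal in a keytab (klist -kt text)."""
    kvnos: Dict[str, int] = {}
    for line in klist_output.splitlines():
        m = _KLIST_ROW.match(line)
        if m:
            princ, kvno = m.group(2), int(m.group(1))
            kvnos[princ] = max(kvno, kvnos.get(princ, 0))
    return kvnos


def kdc_kvnos(kvno_output: str) -> Dict[str, int]:
    """KVNO the KDC currently uses for each principal (kvno command text)."""
    result: Dict[str, int] = {}
    for line in kvno_output.splitlines():
        m = _KVNO_ROW.match(line)
        if m:
            result[m.group(1)] = int(m.group(2))
    return result


def stale_principals(service_klist: str, kvno_output: str) -> List[Tuple[str, int, int]]:
    """(principal, keytab_kvno, kdc_kvno) for principals whose keytab is behind the KDC.

    A service in this state cannot decrypt the tickets clients present to it, which
    is the 'Decrypt integrity check failed' seen in httpd's error_log in the thread.
    The fix is `ipa-getkeytab --retrieve` on the service host, or a fresh key written
    to the keytab on that host, followed by a restart or cache flush of the service.
    """
    have = keytab_kvnos(service_klist)
    return [(p, have.get(p, 0), v)
            for p, v in kdc_kvnos(kvno_output).items() if have.get(p, 0) < v]


def foreign_service_keys(hostname: str, klist_output: str) -> List[str]:
    """Service principals in a host keytab whose instance names a different host.

    Running ipa-getkeytab on dantooine for HTTP/naboo leaves exactly this trace: a
    key that is useless on dantooine and that invalidated the copy naboo still has.
    """
    found = []
    for princ in keytab_kvnos(klist_output):
        if "/" not in princ:
            continue  # user principal, not a service
        instance = princ.split("/", 1)[1].split("@", 1)[0]
        if instance != hostname:
            found.append(princ)
    return sorted(found)


if __name__ == "__main__":
    for princ, have, want in stale_principals(KLIST_NABOO_HTTPD, KVNO_OUTPUT):
        print(f"STALE     {princ}: keytab kvno {have}, KDC kvno {want}")
    for princ in foreign_service_keys("dantooine.outerrim.lan", KLIST_DANTOOINE):
        print(f"MISPLACED {princ} found in dantooine's keytab")
```

On a live system, feed `stale_principals` the output of `klist -kt /etc/httpd/conf/ipa.keytab` taken on the IPA server and of `kvno HTTP/<server-fqdn>` taken after a `kinit`; a non-empty result before you touch anything tells you which keytab to refresh, and an empty result afterwards confirms the refresh took. Note that `klist -kt` reads the keytab as a plain file, so read it as root and avoid copying keytabs around to compare them: every copy is another place the service's long-term key lives.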


Re: [Freeipa-users] IPA inaccessible after adding service principal

2016-02-15 Thread Sumit Bose
On Mon, Feb 15, 2016 at 04:27:15PM +0100, Martin Juhl wrote:
> Hi guys
> 
> I've just installed a RHEL7 server with ipa-server 4.2.0...
> 
> Everything seems to work fine, until I add a service principal:
> 
> (Running on a client, after a kinit)
> 
> [root@dantooine ~]# ipa-getkeytab -s naboo.outerrim.lan -p HTTP/naboo.outerrim@outerrim.lan -k /etc/krb5.keytab
> Keytab successfully retrieved and stored in: /etc/krb5.keytab

ipa-getkeytab will always create a new key unless you use the --retrieve
option.

It looks like you call ipa-getkeytab on the host dantooine, so it will
create a new key for naboo but save it on dantooine. So the keytab on
naboo will still have the old key but the KDC will hand out service
tickets with the new key which naboo does not know about.

Please try to call ipa-getkeytab with the --retrieve option on naboo so
that the new key is available on naboo as well.

HTH

bye,
Sumit


> 
> 
> After running the command, the web-interface returns:
> 
> The password or username you entered is incorrect.
> 
> when I try to login, and the "ipa" command has stopped working as well (both 
> on the server and client):
> 
> 
> [root@dantooine ~]# ipa user-show admin
> ipa: ERROR: Insufficient access: SASL(-1): generic failure: GSSAPI Error: 
> Unspecified GSS failure.  Minor code may provide more information (KDC 
> returned error string: 2ND_TKT_SERVER)
> [root@dantooine ~]# 
> [root@dantooine ~]# kdestroy
> [root@dantooine ~]# kinit admin
> Password for ad...@outerrim.lan: 
> [root@dantooine ~]# ipa user-show admin
> ipa: ERROR: cannot connect to 'https://naboo.outerrim.lan/ipa/json': 
> Unauthorized
> 
> 
> /var/log/httpd/error_log on the server gives me:
> 
> ValueError: non-generic 'CCacheError' needs format=None; got 
> format="(-1765328353, 'Decrypt integrity check failed')"
> 
> 
> What did I do wrong here???
> 
> Regards
> 
> Martin Juhl
> 
