[Freeipa-users] dirsrv keytab revoked

Simo Sorce simo at redhat.com
Fri May 29 13:12:22 UTC 2015


On Fri, 2015-05-29 at 10:06 +0200, Martin Kosek wrote:
> On 05/29/2015 07:48 AM, Christoph Kaminski wrote:
> > Hi
> >
> > I had defective entries in LDAP for a replica and deleted them. But now the
> > dirsrv keytab (/etc/dirsrv/ds.keytab) doesn't work anymore (revoked). The
> > replica starts but it can't connect to other replicas (but other replicas can
> > connect to it).
> >
> > I have tried:
> > kinit -k -t /etc/dirsrv/ds.keytab ldap/ipa-1.mgmt.testsystem-homemonitoring.int
> >
> > and got:
> > kinit: Clients credentials have been revoked while getting initial credentials
> >
> > Is it possible to 'regenerate' this keytab? If yes, how? A simple ipa-getkeytab
> > (on this replica) doesn't work.
> 
> Running ipa-getkeytab on this replica is tricky - if replication is down and 
> you do this, the old key is revoked and a new one is generated - which is not 
> known to the other master as replication is not working, and you get into a 
> strange situation.
> 
> You can try to log in to your active master, do ipa-getkeytab for the broken 
> replica, copy the keytab there, restart DS and then run re-initialize to reload 
> all the data from the active master. It may work.

No need to login and copy stuff, just point ipa-getkeytab at the other
master with the -s switch. Once you've done that, restart the replica,
however there are chances it will then try to get a TGT to replicate
against the local KDC and it will fail because the local KDC has the old
key. One way to help this is to temporarily change krb5.conf to
explicitly point to a "good" replica so that KDC operations will be
handled by that other replica, restart all IPA components and make sure
a round of replication happens. Then restore the krb5.conf file and
restart all.

> > Or it is better to destroy it and do a new install?
> 
> That may be even faster for getting that particular replica up and running 
> again, if you do not want to dig too much into this issue.

If the play above doesn't help, it will be simpler to reinstall the
replica indeed.

Simo.

-- 
Simo Sorce * Red Hat, Inc * New York
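The sequence Simo describes (fetch the new ldap/ key from a healthy master with `-s`, temporarily route KDC traffic to that master, restart, let replication catch up, restore krb5.conf) written out as a shell script. This is an added example, not code from the thread or from the FreeIPA project. It assumes it runs on the broken replica, that `GOOD_MASTER` is a master whose replication and KDC are healthy, that krb5.conf lists KDC hosts in IPA's `kdc = host:88` layout, and that `ipa-replica-manage re-initialize --from` is the right way to reload data. By default (`DRY_RUN=1`) it only prints the privileged commands it would run, so the keytab is never touched by accident.

```shell
#!/bin/sh
# Added example (not from the original thread). Assumes this host is the
# replica whose ldap/ key was revoked and that $1 is a healthy master.
# DRY_RUN=1 (default): print privileged commands instead of running them.
set -eu

DRY_RUN="${DRY_RUN:-1}"
KRB5_CONF="${KRB5_CONF:-/etc/krb5.conf}"
DS_KEYTAB="${DS_KEYTAB:-/etc/dirsrv/ds.keytab}"

run() {
    if [ "$DRY_RUN" = "1" ]; then
        printf '[dry-run] %s\n' "$*"
    else
        "$@"
    fi
}

# Step 1: ask the GOOD master (-s) for a fresh ldap/<replica> key, so the
# local, out-of-sync KDC never sees the request.
refresh_dirsrv_keytab() {   # refresh_dirsrv_keytab GOOD_MASTER REPLICA_FQDN
    run ipa-getkeytab -s "$1" -p "ldap/$2" -k "$DS_KEYTAB"
}

# Step 2: point every kdc/master_kdc/admin_server/kpasswd_server line of
# krb5.conf at the good master, keeping a backup for restore_krb5.
# (assumed layout: "  kdc = host:88"; the host part up to ':' is replaced)
point_krb5_at() {   # point_krb5_at GOOD_MASTER [CONF]
    conf="${2:-$KRB5_CONF}"
    cp -p "$conf" "$conf.pre-rekey"
    sed -E "s/^([[:space:]]*(kdc|master_kdc|admin_server|kpasswd_server)[[:space:]]*=[[:space:]]*)[^:[:space:]]+/\1$1/" \
        "$conf.pre-rekey" > "$conf"
}

restore_krb5() {   # restore_krb5 [CONF]
    conf="${1:-$KRB5_CONF}"
    mv "$conf.pre-rekey" "$conf"
}

# Step 3: the whole recovery. The kinit check must stop reporting
# "Clients credentials have been revoked" before the restarts are useful.
rekey_replica() {   # rekey_replica GOOD_MASTER REPLICA_FQDN
    refresh_dirsrv_keytab "$1" "$2"
    run kinit -k -t "$DS_KEYTAB" "ldap/$2"
    run kdestroy
    run point_krb5_at "$1"                # KDC ops now go to the good master
    run ipactl restart
    run ipa-replica-manage re-initialize --from "$1"
    run restore_krb5                      # back to the normal krb5.conf
    run ipactl restart
}

# Usage (dry run): sh rekey.sh run ipa-2.example.test ipa-1.example.test
if [ "${1:-}" = "run" ]; then
    rekey_replica "$2" "$3"
fi
```

Run it once in dry-run mode to review the command list, then with `DRY_RUN=0` as root. If the `kinit -k -t` step still reports the credentials as revoked after fetching the keytab from the good master, stop there; that is the point at which Simo and Martin suggest reinstalling the replica instead.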
