[Freeipa-users] IPA inaccessible after adding service principal

Sumit Bose sbose at redhat.com
Mon Feb 15 15:41:46 UTC 2016


On Mon, Feb 15, 2016 at 04:27:15PM +0100, Martin Juhl wrote:
> Hi guys
> 
> I've just installed a RHEL7 server with ipa-server 4.2.0...
> 
> Everything seems to work fine, until I add a service principal:
> 
> (Running on a client, after a kinit)
> 
> [root at dantooine ~]# ipa-getkeytab -s naboo.outerrim.lan -p HTTP/naboo.outerrim.lan at OUTERRIM.LAN -k /etc/krb5.keytab
> Keytab successfully retrieved and stored in: /etc/krb5.keytab

ipa-getkeytab will always create a new key unless you use the --retrieve
option.

It looks like you call ipa-getkeytab on the host dantooine, so it will
create a new key for naboo but save it on dantooine. So the keytab on
naboo will still have the old key but the KDC will hand out service
tickets with the new key which naboo does not know about.

Please try to call ipa-getkeytab with the --retrieve option on naboo so
that the new key is available on naboo as well.

HTH

bye,
Sumit


> 
> 
> After running the command, the web-interface returns:
> 
> The password or username you entered is incorrect.
> 
> when I try to login, and the "ipa" command has stopped working as well (both on the server and client):
> 
> 
> [root at dantooine ~]# ipa user-show admin
> ipa: ERROR: Insufficient access: SASL(-1): generic failure: GSSAPI Error: Unspecified GSS failure.  Minor code may provide more information (KDC returned error string: 2ND_TKT_SERVER)
> [root at dantooine ~]# 
> [root at dantooine ~]# kdestroy
> [root at dantooine ~]# kinit admin
> Password for admin at OUTERRIM.LAN: 
> [root at dantooine ~]# ipa user-show admin
> ipa: ERROR: cannot connect to 'https://naboo.outerrim.lan/ipa/json': Unauthorized
> 
> 
> /var/log/httpd/error_log on the server gives me:
> 
> ValueError: non-generic 'CCacheError' needs format=None; got format="(-1765328353, 'Decrypt integrity check failed')"
> 
> 
> What did I do wrong here???
> 
> Regards
> 
> Martin Juhl
> 
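The failure described above is a key-version (KVNO) mismatch: the KDC issues tickets with the new key while the keytab on naboo still holds the old one. The check below is an added example, not code from the thread or from FreeIPA; it parses constructed sample output of `klist -k` and `kvno` (the hostnames and principal are taken from the thread, the KVNO values are assumed) and reports whether the keytab is stale and needs to be refreshed with `ipa-getkeytab --retrieve`.

```shell
#!/bin/sh
# Added example: detect a keytab whose KVNO no longer matches what the KDC uses.

# Constructed sample of `klist -k /etc/krb5.keytab` as run on naboo (assumed values).
SAMPLE_KLIST='Keytab name: FILE:/etc/krb5.keytab
KVNO Principal
---- --------------------------------------------------------------------------
   1 host/naboo.outerrim.lan@OUTERRIM.LAN
   1 HTTP/naboo.outerrim.lan@OUTERRIM.LAN'

# Constructed sample of `kvno HTTP/naboo.outerrim.lan@OUTERRIM.LAN` run on a client
# after the key was regenerated from dantooine (assumed value).
SAMPLE_KVNO='HTTP/naboo.outerrim.lan@OUTERRIM.LAN: kvno = 2'

# keytab_kvno <klist -k output> <principal>: highest KVNO stored for the principal.
keytab_kvno() {
    printf '%s\n' "$1" | awk -v p="$2" \
        '$2 == p { if ($1 + 0 > max) max = $1 + 0 } END { print max + 0 }'
}

# kdc_kvno <kvno output> <principal>: KVNO the KDC encrypted the service ticket with.
kdc_kvno() {
    printf '%s\n' "$1" | awk -v p="$2" '$1 == (p ":") { print $4 + 0 }'
}

# check_kvno <klist output> <kvno output> <principal>
# Returns 0 when the keytab matches the KDC, 1 when the keytab is stale.
check_kvno() {
    kt=$(keytab_kvno "$1" "$3")
    kdc=$(kdc_kvno "$2" "$3")
    if [ "$kt" -eq "$kdc" ]; then
        echo "OK: $3 keytab kvno $kt matches KDC"
        return 0
    fi
    echo "STALE: $3 keytab kvno $kt, KDC kvno $kdc (run ipa-getkeytab --retrieve on the host)"
    return 1
}

# Stand-alone run against the constructed samples; with a live host use
# check_kvno "$(klist -k)" "$(kvno "$p")" "$p" after a kinit.
check_kvno "$SAMPLE_KLIST" "$SAMPLE_KVNO" HTTP/naboo.outerrim.lan@OUTERRIM.LAN
```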