[Freeipa-users] IPA inaccessible after adding service principal

Martin Babinsky mbabinsk at redhat.com
Mon Feb 15 16:51:02 UTC 2016


On 02/15/2016 04:41 PM, Sumit Bose wrote:
> On Mon, Feb 15, 2016 at 04:27:15PM +0100, Martin Juhl wrote:
>> Hi guys
>>
>> I've just installed a RHEL7 server with ipa-server 4.2.0...
>>
>> Everything seems to work fine, until I add a service principal:
>>
>> (Running on a client, after a kinit)
>>
>> [root at dantooine ~]# ipa-getkeytab -s naboo.outerrim.lan -p HTTP/naboo.outerrim.lan at OUTERRIM.LAN -k /etc/krb5.keytab
>> Keytab successfully retrieved and stored in: /etc/krb5.keytab
>
> ipa-getkeytab will always create a new key unless you use the --retrieve
> option.
>
> It looks like you call ipa-getkeytab on the host dantooine, so it will
> create a new key for naboo but save it on dantooine. So the keytab on
> naboo will still have the old key but the KDC will hand out service
> tickets with the new key which naboo does not know about.
>
> Please try to call ipa-getkeytab with the --retrieve option on naboo so
> that the new key is available on naboo as well.
>
> HTH
>
> bye,
> Sumit
>
>

You will also need to regenerate the Apache keytab, since by using that 
command you regenerated the Kerberos keys of the HTTP service while leaving 
the old keys in the IPA HTTP service keytab, hence the decrypt integrity 
check error when using the CLI/WebUI.

On naboo.outerrim.lan, run:

"""
ipa-getkeytab -s naboo.outerrim.lan -p HTTP/naboo.outerrim.lan at OUTERRIM.LAN -k /etc/httpd/conf/ipa.keytab
"""

and then either restart the httpd service or run:

"""
kdestroy -c /var/run/httpd/ipa/krbcache/krb5ccache
"""

That should make webui and cli work again.


>>
>>
>> After running the command, the web-interface returns:
>>
>> The password or username you entered is incorrect.
>>
>> when I try to log in, and the "ipa" command has stopped working as well (both on the server and client):
>>
>>
>> [root at dantooine ~]# ipa user-show admin
>> ipa: ERROR: Insufficient access: SASL(-1): generic failure: GSSAPI Error: Unspecified GSS failure.  Minor code may provide more information (KDC returned error string: 2ND_TKT_SERVER)
>> [root at dantooine ~]#
>> [root at dantooine ~]# kdestroy
>> [root at dantooine ~]# kinit admin
>> Password for admin at OUTERRIM.LAN:
>> [root at dantooine ~]# ipa user-show admin
>> ipa: ERROR: cannot connect to 'https://naboo.outerrim.lan/ipa/json': Unauthorized
>>
>>
>> /var/log/httpd/error_log on the server gives me:
>>
>> ValueError: non-generic 'CCacheError' needs format=None; got format="(-1765328353, 'Decrypt integrity check failed')"
>>
>>
>> What did I do wrong here???
>>
>> Regards
>>
>> Martin Juhl
>>
>> --
>> Manage your subscription for the Freeipa-users mailing list:
>> https://www.redhat.com/mailman/listinfo/freeipa-users
>> Go to http://freeipa.org for more info on the project
>


-- 
Martin^3 Babinsky
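The failure above is a key version (KVNO) mismatch: regenerating the HTTP/naboo key from dantooine moved the KDC to a new KVNO while the keytab httpd reads on naboo kept the old one, so service tickets issued with the new key cannot be decrypted. The script below, an added example that is not code from the thread or from FreeIPA, checks for that mismatch by comparing the KVNO the KDC issues (from `kvno`) against the KVNOs present in the keytab (from `klist -kt`), and carries the repair from the reply above in a function for the service host. It assumes MIT Kerberos output formats, the principal, server and paths used in the thread, and a constructed sample of command output (not captured from a real system) for the offline walk-through.

```shell
#!/bin/sh
# Added example, not from the original posts or FreeIPA. Checks whether the
# keytab httpd reads holds the key version the KDC currently issues tickets
# with, and repairs it on the service host as described in the reply above.
# Assumptions (not stated on the page): MIT Kerberos `klist -kt` and `kvno`
# output formats; principal, server and paths are those used in the thread.

PRINC="HTTP/naboo.outerrim.lan@OUTERRIM.LAN"
SERVER="naboo.outerrim.lan"
KEYTAB="/etc/httpd/conf/ipa.keytab"
CCACHE="/var/run/httpd/ipa/krbcache/krb5ccache"

# Key version numbers a keytab holds for a principal, one per line, parsed
# from `klist -kt` output on stdin. Data rows look like:
#    4 02/15/2016 16:20:01 HTTP/naboo.outerrim.lan@OUTERRIM.LAN
keytab_kvnos() {
    awk -v p="$1" '$NF == p && $1 ~ /^[0-9]+$/ { print $1 + 0 }'
}

# KVNO the KDC used for a freshly requested service ticket, parsed from
# `kvno` output on stdin, which looks like:
#    HTTP/naboo.outerrim.lan@OUTERRIM.LAN: kvno = 5
kdc_kvno() {
    awk -v p="$1" '$1 == (p ":") && $2 == "kvno" { print $NF + 0 }'
}

# Prints "ok" when one of the keytab's KVNOs is the one the KDC uses and
# "stale" otherwise. Arguments: the KDC's KVNO, then the keytab's KVNOs.
kvno_status() {
    want="$1"; shift
    for have in "$@"; do
        if [ "$have" -eq "$want" ]; then echo ok; return 0; fi
    done
    echo stale
}

# Constructed sample output (not captured from a real system) reproducing the
# thread's state: naboo's keytab has KVNO 3 and 4, the KDC already issues
# tickets with KVNO 5 after the regeneration run from dantooine.
SAMPLE_KLIST='Keytab name: FILE:/etc/httpd/conf/ipa.keytab
KVNO Timestamp           Principal
---- ------------------- ------------------------------------------------------
   3 02/10/2016 09:12:44 HTTP/naboo.outerrim.lan@OUTERRIM.LAN
   4 02/15/2016 15:20:01 HTTP/naboo.outerrim.lan@OUTERRIM.LAN'
SAMPLE_KVNO='HTTP/naboo.outerrim.lan@OUTERRIM.LAN: kvno = 5'

# Offline walk-through on the constructed sample: prints "stale".
check_sample() {
    kdc=$(printf '%s\n' "$SAMPLE_KVNO" | kdc_kvno "$PRINC")
    kt=$(printf '%s\n' "$SAMPLE_KLIST" | keytab_kvnos "$PRINC")
    # $kt is deliberately unquoted: one KVNO per word
    kvno_status "$kdc" $kt
}

# Live check on the service host (needs a ticket, e.g. after `kinit admin`):
# request a service ticket and compare its KVNO with the keytab httpd reads.
check_live() {
    kdc=$(kvno "$PRINC" | kdc_kvno "$PRINC")
    kt=$(klist -kt "$KEYTAB" | keytab_kvnos "$PRINC")
    kvno_status "$kdc" $kt
}

# Repair on the service host, as in the reply above: write a keytab that
# matches the KDC into the file httpd actually reads, then drop the service
# ticket httpd has cached (or restart httpd) so the stale key is not reused.
# Sumit's --retrieve variant fetches the existing key instead of rolling it.
repair_live() {
    ipa-getkeytab -s "$SERVER" -p "$PRINC" -k "$KEYTAB"
    kdestroy -c "$CCACHE" 2>/dev/null || systemctl restart httpd
}

case "${1:-}" in
    sample) check_sample ;;
    check)  check_live ;;
    repair) repair_live ;;
esac
```

Run `sh kvno-check.sh check` on naboo before and after the repair; "stale" before and "ok" after is the expected pair. The copy of the HTTP/naboo key that the first `ipa-getkeytab` left in dantooine's /etc/krb5.keytab is useless once the key is rolled again from naboo, and can be dropped there with `ipa-rmkeytab -p HTTP/naboo.outerrim.lan@OUTERRIM.LAN -k /etc/krb5.keytab`.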



