[Freeipa-users] Recovering from data-only backup doesn't recover Kerberos keys properly
Marat Vyshegorodtsev
marat.vyshegorodtsev at gmail.com
Tue Feb 23 19:21:41 UTC 2016
Hi!
I've been doing backups using the tool like this:
    ipa-backup --data --online
I didn't want any configuration to be backed up, since it is managed
from a chef recipe.
However, when I tried to recover the backup to a fresh FreeIPA
install, Kerberos (GSSAPI) broke — I can't authenticate myself
anywhere using Kerberos: CLI, HTTP, etc.
LDAP password-based authentication works alright.
After some googling and reading through the mailing list, I followed
this manual and updated all keytabs for all services — dirsrv, httpd,
kadmin: http://www.freeipa.org/page/V3/Backup_and_Restore#Backup.2C_uninstall.2C_reinstall.2C_restore_JUST_the_LDAP_server
Then it broke in a different way: for a correct session it says that
my session is expired or just does nothing; for an incorrect password
it responds with "password incorrect" (see screenshot).
https://yadi.sk/i/WVe8u1_ZpNh3w
For CLI it just says that the credentials are incorrect regardless of
what credentials I provide.
I suppose that all krbPrincipalKey fields are tied to some other
encryption key that is not included in the data-only backup.
Could you please let me know how to regenerate krbPrincipalKey for all
users or how to work around this issue?
Best regards,
Marat