[Freeipa-users] Recovering from data-only backup doesn't recover Kerberos keys properly

David Kupka dkupka at redhat.com
Wed Feb 24 12:29:49 UTC 2016


On 23/02/16 20:21, Marat Vyshegorodtsev wrote:
> Hi!
>
> I've been doing backups using the tool like this:
> ipa-backup --data --online
>
> I didn't want any configuration to be backed up, since it is managed
> from a chef recipe.
>
> However, when I tried to recover the backup to a fresh FreeIPA
> install, Kerberos (GSSAPI) broke — I can't authenticate myself
> anywhere using Kerberos: CLI, HTTP, etc.
>
> LDAP password-based authentication works alright.
>
> After some googling and reading through the mailing list, I followed
> this manual and updated all keytabs for all services — dirsrv, httpd,
> kadmin: http://www.freeipa.org/page/V3/Backup_and_Restore#Backup.2C_uninstall.2C_reinstall.2C_restore_JUST_the_LDAP_server
>
> Then it broke in a different way: for a correct session it says that
> my session is expired or just does nothing, for an incorrect password
> it responds with "password incorrect" (see screenshot).
> https://yadi.sk/i/WVe8u1_ZpNh3w
>
> For CLI it just says that the credentials are incorrect regardless of
> what credentials I provide.
>
> I suppose that all krbPrincipalKey fields are tied to some other
> encryption key that is not included in data-only backup.
>
> Could you please let me know how to regenerate krbPrincipalKey for all
> users or how to work around this issue?
>
> Best regards,
> Marat
>

Hello Marat,
I would say that this is expected. During freeipa-server installation 
all service and host Kerberos keys are generated randomly, stored in 
Directory Server and in a keytab accessible to the host/service.
When you reinstall freeipa-server all keys are regenerated and no longer 
match the ones stored in your backup.

You can use ipa-getkeytab(1) with Directory Manager credentials to 
retrieve new keys, but I think it's not enough to make it work again.
Hopefully, someone who understands Kerberos better will advise.

-- 
David Kupka
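The divergence David describes (keys in Directory Server versus keys in the on-disk keytabs) can be made visible by comparing key version numbers. The script below is an added example, not code from this thread or from FreeIPA: it parses `klist -kt` output for the keytab side and takes the directory side as a constructed "principal kvno" list that stands in for whatever you obtain with Directory Manager credentials; `demo` runs it on a constructed sample.

```shell
#!/bin/sh
# Added example: flag keytabs whose key version numbers (kvno) no longer
# match the directory after a restore. Sample data below is constructed.

# keytab_kvnos: read `klist -k` or `klist -kt` output on stdin and print
# "principal kvno", keeping the highest version seen per principal.
# Header lines are skipped because their first field is not numeric.
keytab_kvnos() {
  awk '$1 ~ /^[0-9]+$/ { p = $NF; k = $1 + 0; if (k > max[p]) max[p] = k }
       END { for (p in max) print p, max[p] }' | LC_ALL=C sort
}

# kvno_mismatches KEYTAB_LIST EXPECTED_LIST: print one line per principal
# whose keytab kvno differs from the expected (directory-side) kvno, or that
# is absent from the keytab entirely. Prints nothing when everything matches.
# FILENAME == ARGV[1] is used instead of NR == FNR so an empty keytab list
# does not make every expected entry look like a keytab entry.
kvno_mismatches() {
  awk 'FILENAME == ARGV[1] { kt[$1] = $2; next }
       !($1 in kt)  { print $1, "missing-from-keytab"; next }
       kt[$1] != $2 { print $1, "keytab-kvno=" kt[$1], "expected-kvno=" $2 }' \
      "$1" "$2"
}

# demo: constructed case where the restored directory holds kvno 5 for the
# LDAP principal while the host keytab still carries the pre-reinstall key
# (kvno 2), and the HTTP principal is not in this keytab at all.
demo() {
  d=$(mktemp -d)
  printf '%s\n' \
    'Keytab name: FILE:/etc/dirsrv/ds.keytab' \
    'KVNO Timestamp           Principal' \
    '---- ------------------- ----------' \
    '   1 02/20/2016 09:00:00 ldap/ipa.example.test@EXAMPLE.TEST' \
    '   2 02/24/2016 12:00:00 ldap/ipa.example.test@EXAMPLE.TEST' \
    | keytab_kvnos > "$d/keytab.txt"
  printf '%s\n' \
    'ldap/ipa.example.test@EXAMPLE.TEST 5' \
    'HTTP/ipa.example.test@EXAMPLE.TEST 3' > "$d/expected.txt"
  kvno_mismatches "$d/keytab.txt" "$d/expected.txt"
  rm -rf "$d"
}
```

A non-empty result means the service cannot authenticate with that keytab until it is re-issued (for example with ipa-getkeytab, as David mentions).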