[Freeipa-users] Recovering from data-only backup doesn't recover Kerberos keys properly

Rob Crittenden rcritten at redhat.com
Wed Feb 24 14:07:03 UTC 2016


David Kupka wrote:
> On 23/02/16 20:21, Marat Vyshegorodtsev wrote:
>> Hi!
>>
>> I've been doing backups using the tool like this:
>> ipa-backup --data --online
>>
>> I didn't want any configuration to be backed up, since it is managed
>> from a chef recipe.
>>
>> However, when I tried to recover the backup to a fresh FreeIPA
>> install, Kerberos (GSSAPI) broke — I can't authenticate myself
>> anywhere using Kerberos: CLI, HTTP, etc.
>>
>> LDAP password-based authentication works alright.
>>
>> After some googling and reading through the mailing list, I followed
>> this manual and updated all keytabs for all services — dirsrv, httpd,
>> kadmin:
>> http://www.freeipa.org/page/V3/Backup_and_Restore#Backup.2C_uninstall.2C_reinstall.2C_restore_JUST_the_LDAP_server
>>
>>
>> Then it broke in a different way: for a correct session it says that
>> my session is expired or just does nothing, for an incorrect password
>> it responds with "password incorrect" (see screenshot).
>> https://yadi.sk/i/WVe8u1_ZpNh3w
>>
>> For CLI it just says that the credentials are incorrect regardless of
>> what credentials I provide.
>>
>> I suppose that all krbPrincipalKey fields are tied to some other
>> encryption key that is not included in data-only backup.
>>
>> Could you please let me know how to regenerate krbPrincipalKey for all
>> users or how to work around this issue?
>>
>> Best regards,
>> Marat
>>
> 
> Hello Marat,
> I would say that this is expected. During freeipa-server installation
> all service and host Kerberos keys are generated randomly, stored in
> Directory Server and in a keytab accessible to the host/service.
> When you reinstall freeipa-server all keys are regenerated and no longer
> match the ones stored in your backup.
> 
> You can use ipa-getkeytab(1) with Directory Manager credentials to
> retrieve new keys, but I think it's not enough to make it work again.
> Hopefully someone who understands Kerberos better will advise.
> 

It sounds like he already re-generated those keytabs.

The Kerberos master key is stored in LDAP so you should already have it.
Seeing the KDC and/or httpd logs might be useful.

Are you just toying with this or did something go horribly wrong and
you're trying to restore a production environment?

The instructions you used were strictly a brain dump, something I goofed
around with as an interesting thought project but didn't entirely nail
down. It is quite possible I didn't document some important step in there.

rob
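Added example, not part of this thread or of the FreeIPA project's own tooling: a small POSIX shell script that does the two things the replies above point at after a data-only restore. It first checks that the Kerberos master key (the krbMKey attribute on the realm container) came back with the LDAP data, which is what Rob means by the master key being stored in LDAP, and then re-keys the host, ldap and HTTP service principals with ipa-getkeytab using Directory Manager credentials, as David suggests, and proves each keytab matches Directory Server by doing a kinit from it. The server name ipa.example.test, the realm EXAMPLE.TEST and the suffix dc=example,dc=test are assumptions; the keytab paths are the standard FreeIPA server locations. The thread's list also mentions kadmin, which this script does not cover.

```shell
#!/bin/sh
# Added example (not from the FreeIPA project or this thread): after a data-only
# restore, confirm the Kerberos master key came back with the LDAP data, then
# re-key the host/ldap/HTTP service principals so the keytabs on disk match what
# Directory Server now holds. Hostname, realm and suffix are assumptions.
set -eu

IPA_HOST="${IPA_HOST:-ipa.example.test}"         # assumed server FQDN
IPA_REALM="${IPA_REALM:-EXAMPLE.TEST}"           # assumed Kerberos realm
IPA_SUFFIX="${IPA_SUFFIX:-dc=example,dc=test}"   # assumed LDAP base suffix

# Kerberos principal name for a FreeIPA service on this host.
principal_for() {  # $1=service (host|ldap|HTTP) $2=fqdn $3=realm
    printf '%s/%s@%s\n' "$1" "$2" "$3"
}

# Keytab each FreeIPA server-side service reads (standard FreeIPA locations).
keytab_for() {     # $1=service
    case "$1" in
        host) echo /etc/krb5.keytab ;;
        ldap) echo /etc/dirsrv/ds.keytab ;;
        HTTP) echo /etc/httpd/conf/ipa.keytab ;;
        *)    echo "unknown service: $1" >&2; return 1 ;;
    esac
}

# DN of the realm container entry that carries the master key (krbMKey).
realm_dn() {       # $1=realm $2=suffix
    printf 'cn=%s,cn=kerberos,%s\n' "$1" "$2"
}

# 1. The master key lives in LDAP, so the data backup must have restored it.
#    User krbPrincipalKey values are encrypted under it; without it no user
#    can authenticate no matter how the service keytabs look.
check_master_key() {
    dn=$(realm_dn "$IPA_REALM" "$IPA_SUFFIX")
    ldapsearch -x -D 'cn=Directory Manager' -W -LLL -s base -b "$dn" krbMKey \
        | grep -q '^krbMKey' \
        || { echo "no krbMKey found on $dn" >&2; return 1; }
}

# 2. Generate a fresh key for one service principal. ipa-getkeytab writes the
#    new key both into Directory Server and into the keytab, so the two agree
#    again; the kinit from the keytab proves that before the service is used.
rekey_service() {  # $1=service
    princ=$(principal_for "$1" "$IPA_HOST" "$IPA_REALM")
    kt=$(keytab_for "$1")
    ipa-getkeytab -s "$IPA_HOST" -p "$princ" -k "$kt" \
        -D 'cn=Directory Manager' -W
    kinit -kt "$kt" "$princ" && kdestroy
}

# Only act when explicitly asked, so sourcing the file just defines helpers.
if [ "${IPA_RUN:-0}" = 1 ]; then
    check_master_key
    for svc in host ldap HTTP; do
        rekey_service "$svc"
    done
fi
```

Run it as root on the restored server with `IPA_RUN=1 sh rekey.sh` (you are prompted for the Directory Manager password once per ldapsearch/ipa-getkeytab call), then restart the stack with `ipactl restart` so httpd and the KDC pick up the new keys. If the kinit step fails right after ipa-getkeytab succeeded, the keytab and Directory Server disagree on kvno or enctypes, and the KDC log is the place to look next, as Rob suggests.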
