<div dir="ltr"><div class="gmail_default" style="font-family:arial,helvetica,sans-serif">I was going to ask about the ipa command error on the ipa server and how to fix it. But then I just tried again and it works. $ ipa user-show admin User login: admin Last name: Administrator Home directory: /home/zaira/admin Login shell: /bin/bash UID: 1000 GID: 1000 Account disabled: False Password: True Member of groups: stagiaires, opera, ipausers, trust admins, admins, oldstaff Kerberos keys available: True SSH public key fingerprint: FA:76:85:EF:2A:D1:12:B9:A8:A4:F4:AE:45:B2:63:05 admin@ipasrv (ssh-dss) </div><div class="gmail_default" style="font-family:arial,helvetica,sans-serif">Before trying again, I just ran a 'dnf update' and rebooted the server on the new kernel (4.1.8-200.fc22.x86_64). </div><div class="gmail_extra"> <div class="gmail_quote">On Mon, Oct 5, 2015 at 4:07 PM, Petr Vobornik <<a href="mailto:pvoborni@redhat.com" target="_blank">pvoborni@redhat.com</a>> wrote: <blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex">On 10/05/2015 12:55 PM, Fujisan wrote: <blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex"> It is actually on the ipa server that ipa commands are not working. On ipa clients, I do not have errors. On Mon, Oct 5, 2015 at 12:27 PM, Fujisan <<a href="mailto:fujisan43@gmail.com" target="_blank">fujisan43@gmail.com</a>> wrote: <blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex"> I just noticed I can log in to the web UI with user admin and his password. But when I try to configure firefox to use kerberos, I click on "Install Kerberos Configuration Firefox Extension" button, a message appears saying "Firefox prevented this site from asking you to install software on your computer", so I click on the "Allow" button and then another message appears "The add-on downloaded from this site could not be installed because it appears to be corrupt.". </blockquote></blockquote> Here you hit <a href="https://fedorahosted.org/freeipa/ticket/4906" rel="noreferrer" target="_blank">https://fedorahosted.org/freeipa/ticket/4906</a> Fix(will be in 4.2.2 release) for this ticket changes the procedure for new versions of Firefox to a manual configuration. Basically the steps for Firefox which are described on page <a href="http://your-ipa.example.test/ipa/config/ssbrowser.html" rel="noreferrer" target="_blank">http://your-ipa.example.test/ipa/config/ssbrowser.html</a><div class=""><div class="h5"> <blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex"><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex"> And the ipa commands are still not working. $ ipa user-show admin ipa: ERROR: cannot connect to '<a href="https://zaira2.opera/ipa/json" rel="noreferrer" target="_blank">https://zaira2.opera/ipa/json</a>': Unauthorized On Mon, Oct 5, 2015 at 12:13 PM, Fujisan <<a href="mailto:fujisan43@gmail.com" target="_blank">fujisan43@gmail.com</a>> wrote: <blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex"> I uninstalled the ipa server and reinstalled it. Then restored the backup. And then the following: $ keyctl list @s 3 keys in keyring: 437165764: --alswrv 0 65534 keyring: _uid.0 556579409: --alswrv 0 0 user: ipa_session_cookie:host/zaira2.opera@OPERA 286806445: ---lswrv 0 65534 keyring: _persistent.0 $ keyctl purge 556579409 purged 0 keys $ keyctl reap 0 keys reaped $ ipa user-show admin ipa: ERROR: cannot connect to '<a href="https://zaira2.opera/ipa/json" rel="noreferrer" target="_blank">https://zaira2.opera/ipa/json</a>': Unauthorized $ keyctl list @s 3 keys in keyring: 437165764: --alswrv 0 65534 keyring: _uid.0 556579409: --alswrv 0 0 user: ipa_session_cookie:host/zaira2.opera@OPERA 286806445: ---lswrv 0 65534 keyring: _persistent.0 It doesn't seem to purge or to reap. On Mon, Oct 5, 2015 at 9:17 AM, Fujisan <<a href="mailto:fujisan43@gmail.com" target="_blank">fujisan43@gmail.com</a>> wrote: <blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex"> Good morning, Any suggestion what I should do? I still have $ ipa user-show admin ipa: ERROR: cannot connect to '<a href="https://zaira2.opera/ipa/json" rel="noreferrer" target="_blank">https://zaira2.opera/ipa/json</a>': Unauthorized Regards. On Fri, Oct 2, 2015 at 5:04 PM, Fujisan <<a href="mailto:fujisan43@gmail.com" target="_blank">fujisan43@gmail.com</a>> wrote: <blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex"> I only have this: $ keyctl list @s 1 key in keyring: 641467419: --alswrv 0 65534 keyring: _uid.0 $ On Fri, Oct 2, 2015 at 5:01 PM, Alexander Bokovoy <<a href="mailto:abokovoy@redhat.com" target="_blank">abokovoy@redhat.com</a>> wrote: <blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex"> On Fri, 02 Oct 2015, Fujisan wrote: <blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex"> I forgot to mention that $ ipa user-show admin ipa: ERROR: cannot connect to '<a href="https://zaira2.opera/ipa/json" rel="noreferrer" target="_blank">https://zaira2.opera/ipa/json</a>': Unauthorized </blockquote> This is most likely because of the cached session to your server. You can check if keyctl list @s returns you something like [root@m1 ~]# keyctl list @s 2 keys in keyring: 496745412: --alswrv 0 65534 keyring: _uid.0 215779962: --alswrv 0 0 user: <a href="mailto:ipa_session_cookie%3Aadmin@EXAMPLE.COM" target="_blank">ipa_session_cookie:admin@EXAMPLE.COM</a> If so, then notice the key number (215779962) for the session cookie, and do: keyctl purge 215779962 keyctl reap This should make a next 'ipa ...' command run to ask for new cookie. <blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex"> On Fri, Oct 2, 2015 at 4:44 PM, Fujisan <<a href="mailto:fujisan43@gmail.com" target="_blank">fujisan43@gmail.com</a>> wrote: I still cannot login to the web UI. <blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex"> Here is what I did: 1. mv /etc/krb5.keytab /etc/krb5.keytab.save 2. kinit admin Password for admin@OPERA: 3. ipa-getkeytab -s zaira2.opera -p host/zaira2.opera@OPERA -k /etc/krb5.keytab 4. systemctl restart sssd.service 5. mv /etc/httpd/conf/ipa.keytab /etc/httpd/conf/ipa.keytab.save 6. ipa-getkeytab -s zaira2.opera -p HTTP/zaira2.opera@OPERA -k /etc/httpd/conf/ipa.keytab 7. systemctl restart httpd.service The log says now: Oct 02 16:40:56 zaira2.opera krb5kdc[9065](info): AS_REQ (9 etypes {18 17 16 23 25 26 1 3 2}) <a href="http://10.0.21.18" rel="noreferrer" target="_blank">10.0.21.18</a>: NEEDED_PREAUTH: HTTP/zaira2.opera@OPERA for krbtgt/OPERA@OPERA, Additional pre-authentication required On Fri, Oct 2, 2015 at 4:25 PM, Alexander Bokovoy < <a href="mailto:abokovoy@redhat.com" target="_blank">abokovoy@redhat.com</a>> wrote: On Fri, 02 Oct 2015, Fujisan wrote: <blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex"> Well, I think I messed up when trying to configure cockpit to use <blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex"> kerberos. What should I do to fix this? I have this on the ipa server: $ klist -k Keytab name: FILE:/etc/krb5.keytab KVNO Principal ---- -------------------------------------------------------------------------- 2 host/zaira2.opera@OPERA 2 host/zaira2.opera@OPERA 2 host/zaira2.opera@OPERA 2 host/zaira2.opera@OPERA 1 nfs/zaira2.opera@OPERA 1 nfs/zaira2.opera@OPERA 1 nfs/zaira2.opera@OPERA 1 nfs/zaira2.opera@OPERA 3 HTTP/zaira2.opera@OPERA 3 HTTP/zaira2.opera@OPERA 3 HTTP/zaira2.opera@OPERA 3 HTTP/zaira2.opera@OPERA You can start by: </blockquote> 0. backup every file mentioned below 1. Move /etc/krb5.keytab somewhere 2. kinit as admin 3. ipa-getkeytab -s `hostname` -p host/`hostname` -k /etc/krb5.keytab 4. restart SSSD 5. Move /etc/httpd/conf/ipa.keytab somewhere 6. ipa-getkeytab -s `hostname` -p HTTP/`hostname` -k /etc/httpd/conf/ipa.keytab 7. Restart httpd Every time you run 'ipa-getkeytab', Kerberos key for the service specified by you is replaced on the server side so that keys in the keytabs become unusable. I guess cockpit instructions were for something that was not supposed to run on IPA master. On IPA master there are already all needed services (host/ and HTTP/) and their keytabs are in place. On Fri, Oct 2, 2015 at 3:45 PM, Alexander Bokovoy < <blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex"> <a href="mailto:abokovoy@redhat.com" target="_blank">abokovoy@redhat.com</a>> wrote: On Fri, 02 Oct 2015, Fujisan wrote: <blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex"> More info: <blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex"> I can initiate a ticket: $ kdestroy $ kinit admin but cannot view user admin: $ ipa user-show admin ipa: ERROR: cannot connect to '<a href="https://zaira2.opera/ipa/json" rel="noreferrer" target="_blank">https://zaira2.opera/ipa/json</a>': Unauthorized $ ipactl status Directory Service: RUNNING krb5kdc Service: RUNNING kadmin Service: RUNNING named Service: RUNNING ipa_memcached Service: RUNNING httpd Service: RUNNING pki-tomcatd Service: RUNNING smb Service: RUNNING winbind Service: RUNNING ipa-otpd Service: RUNNING ipa-dnskeysyncd Service: RUNNING ipa: INFO: The ipactl command was successful /var/log/messages: Oct 2 14:48:55 zaira2 [sssd[ldap_child[4991]]]: Failed to initialize credentials using keytab [MEMORY:/etc/krb5.keytab]: Decrypt integrity check failed. Unable to create GSSAPI-encrypted LDAP connection. What did you do? </blockquote> This and the log below about HTTP/zaira2.opera@OPERA show that you have different keys in LDAP and in your keytab files for host/zaira2.opera and HTTP/zaira2.opera principals. This might happen if somebody removed the principals from LDAP (ipa service-del/ipa service-add, or ipa host-del/ipa host-add) so that they become non-synchronized with whatever you have in the keytab files. On Fri, Oct 2, 2015 at 2:26 PM, Fujisan <<a href="mailto:fujisan43@gmail.com" target="_blank">fujisan43@gmail.com</a>> wrote: <blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex"> Hello, <blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex"> I cannot login to the web UI anymore. The password or username you entered is incorrect. Log says: Oct 02 14:22:57 zaira2.opera krb5kdc[3225](info): AS_REQ (9 etypes {18 17 16 23 25 26 1 3 2}) <a href="http://10.0.21.18" rel="noreferrer" target="_blank">10.0.21.18</a>: NEEDED_PREAUTH: HTTP/zaira2.opera@OPERA for krbtgt/OPERA@OPERA, Additional pre-authentication required Oct 02 14:22:57 zaira2.opera krb5kdc[3225](info): closing down fd 12 Oct 02 14:22:57 zaira2.opera krb5kdc[3225](info): preauth (encrypted_timestamp) verify failure: Decrypt integrity check failed Oct 02 14:22:57 zaira2.opera krb5kdc[3225](info): AS_REQ (9 etypes {18 17 16 23 25 26 1 3 2}) <a href="http://10.0.21.18" rel="noreferrer" target="_blank">10.0.21.18</a>: PREAUTH_FAILED: HTTP/zaira2.opera@OPERA for krbtgt/OPERA@OPERA, Decrypt integrity check failed Oct 02 14:22:57 zaira2.opera krb5kdc[3225](info): closing down fd 12 I have no idea what went wrong. What can I do? Regards, Fuji -- </blockquote> </blockquote> Manage your subscription for the Freeipa-users mailing list: <blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex"> <a href="https://www.redhat.com/mailman/listinfo/freeipa-users" rel="noreferrer" target="_blank">https://www.redhat.com/mailman/listinfo/freeipa-users</a> Go to <a href="http://freeipa.org" rel="noreferrer" target="_blank">http://freeipa.org</a> for more info on the project </blockquote> -- / Alexander Bokovoy -- </blockquote></blockquote> / Alexander Bokovoy </blockquote> </blockquote></blockquote> -- <blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex"> Manage your subscription for the Freeipa-users mailing list: <a href="https://www.redhat.com/mailman/listinfo/freeipa-users" rel="noreferrer" target="_blank">https://www.redhat.com/mailman/listinfo/freeipa-users</a> Go to <a href="http://freeipa.org" rel="noreferrer" target="_blank">http://freeipa.org</a> for more info on the project </blockquote> -- / Alexander Bokovoy </blockquote></blockquote></blockquote></blockquote></blockquote></blockquote> </div></div> -- Petr Vobornik </blockquote></div> </div></div>