liang fei via FreeIPA-users wrote:
> hello
> Since the keytab file is invalid, I manually generated a new IPA. keytab
> file, but now it seems that encryption-types does not match. What should I do
> with this? Thank you
>
> #ipa user-find devop
> ipa: DEBUG: importing all plugin modules in ipalib.plugins...
> ipa: DEBUG: importing plugin module ipalib.plugins.aci
> ipa: DEBUG: importing plugin module ipalib.plugins.automember
> ipa: DEBUG: importing plugin module ipalib.plugins.automount
> ipa: DEBUG: importing plugin module ipalib.plugins.baseldap
> ipa: DEBUG: importing plugin module ipalib.plugins.baseuser
> ipa: DEBUG: importing plugin module ipalib.plugins.batch
> ipa: DEBUG: importing plugin module ipalib.plugins.caacl
> ipa: DEBUG: importing plugin module ipalib.plugins.cert
> ipa: DEBUG: importing plugin module ipalib.plugins.certprofile
> ipa: DEBUG: importing plugin module ipalib.plugins.config
> ipa: DEBUG: importing plugin module ipalib.plugins.delegation
> ipa: DEBUG: importing plugin module ipalib.plugins.dns
> ipa: DEBUG: importing plugin module ipalib.plugins.domainlevel
> ipa: DEBUG: importing plugin module ipalib.plugins.group
> ipa: DEBUG: importing plugin module ipalib.plugins.hbacrule
> ipa: DEBUG: importing plugin module ipalib.plugins.hbacsvc
> ipa: DEBUG: importing plugin module ipalib.plugins.hbacsvcgroup
> ipa: DEBUG: importing plugin module ipalib.plugins.hbactest
> ipa: DEBUG: importing plugin module ipalib.plugins.host
> ipa: DEBUG: importing plugin module ipalib.plugins.hostgroup
> ipa: DEBUG: importing plugin module ipalib.plugins.idrange
> ipa: DEBUG: importing plugin module ipalib.plugins.idviews
> ipa: DEBUG: importing plugin module ipalib.plugins.internal
> ipa: DEBUG: importing plugin module ipalib.plugins.krbtpolicy
> ipa: DEBUG: importing plugin module ipalib.plugins.migration
> ipa: DEBUG: importing plugin module ipalib.plugins.misc
> ipa: DEBUG: importing plugin module ipalib.plugins.netgroup
> ipa: DEBUG: importing plugin module ipalib.plugins.otpconfig
> ipa: DEBUG: importing plugin module ipalib.plugins.otptoken
> ipa: DEBUG: importing plugin module ipalib.plugins.otptoken_yubikey
> ipa: DEBUG: importing plugin module ipalib.plugins.passwd
> ipa: DEBUG: importing plugin module ipalib.plugins.permission
> ipa: DEBUG: importing plugin module ipalib.plugins.ping
> ipa: DEBUG: importing plugin module ipalib.plugins.pkinit
> ipa: DEBUG: importing plugin module ipalib.plugins.privilege
> ipa: DEBUG: importing plugin module ipalib.plugins.pwpolicy
> ipa: DEBUG: Starting external process
> ipa: DEBUG: args=klist -V
> ipa: DEBUG: Process finished, return code=0
> ipa: DEBUG: stdout=Kerberos 5 version 1.13.2
>
> ipa: DEBUG: stderr=
> ipa: DEBUG: importing plugin module ipalib.plugins.radiusproxy
> ipa: DEBUG: importing plugin module ipalib.plugins.realmdomains
> ipa: DEBUG: importing plugin module ipalib.plugins.role
> ipa: DEBUG: importing plugin module ipalib.plugins.rpcclient
> ipa: DEBUG: importing plugin module ipalib.plugins.selfservice
> ipa: DEBUG: importing plugin module ipalib.plugins.selinuxusermap
> ipa: DEBUG: importing plugin module ipalib.plugins.server
> ipa: DEBUG: importing plugin module ipalib.plugins.service
> ipa: DEBUG: importing plugin module ipalib.plugins.servicedelegation
> ipa: DEBUG: importing plugin module ipalib.plugins.session
> ipa: DEBUG: importing plugin module ipalib.plugins.stageuser
> ipa: DEBUG: importing plugin module ipalib.plugins.sudocmd
> ipa: DEBUG: importing plugin module ipalib.plugins.sudocmdgroup
> ipa: DEBUG: importing plugin module ipalib.plugins.sudorule
> ipa: DEBUG: importing plugin module ipalib.plugins.topology
> ipa: DEBUG: importing plugin module ipalib.plugins.trust
> ipa: DEBUG: importing plugin module ipalib.plugins.user
> ipa: DEBUG: importing plugin module ipalib.plugins.vault
> ipa: DEBUG: importing plugin module ipalib.plugins.virtual
> ipa: DEBUG: failed to find session_cookie in persistent storage for principal
> '[email protected]'
> ipa: INFO: trying https://xx/ipa/json
> ipa: DEBUG: Created connection context.rpcclient_140659301866000
> ipa: DEBUG: raw: user_find(u'devop', whoami=False, all=False, raw=False,
> version=u'2.164', no_members=False)
> ipa: DEBUG: user_find(u'devop', whoami=False, all=False, raw=False,
> version=u'2.164', no_members=False, pkey_only=False)
> ipa: INFO: Forwarding 'user_find' to json server 'https://xx/ipa/json'
> ipa: DEBUG: NSSConnection init xx
> ipa: DEBUG: Connecting: 10.21.117.149:0
> ipa: DEBUG: approved_usage = SSL Server intended_usage = SSL Server
> ipa: DEBUG: cert valid True for "CN=xx,O=YYDEVOPS.COM"
> ipa: DEBUG: handshake complete, peer = 10.21.117.149:443
> ipa: DEBUG: Protocol: TLS1.2
> ipa: DEBUG: Cipher: TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA
> ipa: DEBUG: Destroyed connection context.rpcclient_140659301866000
> ipa: ERROR: error marshalling data for XML-RPC transport: message: need a
> <type 'unicode'>; got 'No valid Negotiate header in server response' (a <type
> 'str'>)
>
> # klist -e
> Ticket cache: FILE:/tmp/krb5cc_0
> Default principal: [email protected]
>
> Valid starting       Expires              Service principal
> 08/29/2022 20:40:14  08/30/2022 20:40:07  krbtgt/[email protected]
>         Etype (skey, tkt): aes256-cts-hmac-sha1-96, aes256-cts-hmac-sha1-96
> 08/29/2022 20:40:31  08/30/2022 20:40:07  HTTP/[email protected]
>         Etype (skey, tkt): des3-cbc-sha1, des3-cbc-sha1
>
> # klist -kte /etc/apache2/ipa.keytab
> Keytab name: FILE:/etc/apache2/ipa.keytab
> KVNO Timestamp           Principal
> ---- ------------------- ------------------------------------------------------
>    4 08/29/2022 19:30:22 HTTP/xx (arcfour-hmac)
>    5 08/29/2022 19:30:42 HTTP/xx (camellia128-cts-cmac)
>    6 08/29/2022 19:30:46 HTTP/xx (camellia256-cts-cmac)
>    7 08/29/2022 19:33:02 HTTP/xx (camellia128-cts-cmac)
>    8 08/29/2022 19:33:41 HTTP/xx (aes128-cts-hmac-sha1-96)
>    9 08/29/2022 19:33:47 HTTP/xx (aes256-cts-hmac-sha1-96)
>   10 08/29/2022 19:35:05 HTTP/xx (des3-cbc-sha1)

Need a lot more information.

What version of IPA on client and server, and what distribution?

What is the context? Is this a new problem? Did it ever work?

It appears you're running this on a server, please confirm.

We need the apache error log (snippet) and relation lines from the KDC log.

Per your subsequent message, this probably has nothing to do with certificates but the output is illuminating.

a-error: Error setting up ccache for "host" service on client using default keytab: No such file or directory.

You are apparently missing /etc/krb5.keytab

Goes back to the history question. What has been going on with this installation?

rob
