In the end, I didn't succeed in achieving what I was attempting to do. While I was able to access the WebUI through the proxy/load balancer without any issues, I faced difficulties in enrolling hosts to IPA, which seems to be related to getting a TGS for the correct service.
Various guides from a list and across the internet suggest that two services are required (HTTP/load balancer and LDAP/load balancer). However, even after creating the LDAP/load balancer service and adding its keys to the ds.keytab, it had no noticeable effect on the WebUI access. Only the HTTP service seemed to be sufficient. It may be related to server-side scripts being tied to the replica hostname. Additionally, it appears that the "ignore_acceptor_hostname = true" setting in krb5.conf didn't have any effect, and I can't see any changes resulting from it either. If someone knowledgeable about the enrollment process and Kerberos exchange could assist me, I would greatly appreciate it. I guess this thread is somehow related to my problem https://lists.fedorahosted.org/archives/list/[email protected]/thread/VN3RXS36GFK4JMZCCSHPJ3DKLSBEXDE4/#ZXW4RMCRZUDGUS6PYU4P7URQZYQ5WG3D but seeing the code in https://github.com/abbra/freeipa/pull/9/files I don't see how it may be of any help.

gssproxy log:

> [9849] 1690704029.042067: Storing HTTP/[email protected] -> krb5_ccache_conf_data/refresh_time@X-CACHECONF: in MEMORY:cred_allowed_0x7fc455b61380
> [9849] 1690704029.042068: Storing host/[email protected] -> krb5_ccache_conf_data/proxy_impersonator@X-CACHECONF: in MEMORY:cred_allowed_0x7fc455b61380
> [9849] 1690704029.042069: Storing host/[email protected] -> HTTP/[email protected] in MEMORY:cred_allowed_0x7fc455b61380
> [9849] 1690704029.042070: Destroying ccache MEMORY:cred_allowed_0x7fc455b61380
> [9849] 1690704029.042073: Getting credentials host/[email protected] -> ldap/infra-ipa-master-01.edu-ipa.novalocal@ using ccache MEMORY:u0CYkwJ
> [9849] 1690704029.042074: Retrieving host/[email protected] -> krb5_ccache_conf_data/start_realm@X-CACHECONF: from MEMORY:u0CYkwJ with result: -1765328243/Matching credential not found
> [9849] 1690704029.042075: Retrieving host/[email protected] -> ldap/infra-ipa-master-01.edu-ipa.novalocal@ from MEMORY:u0CYkwJ with result: -1765328243/Matching credential not found
> [9849] 1690704029.042076: Retrying host/[email protected] -> ldap/[email protected] with result: -1765328243/Matching credential not found
> [9849] 1690704029.042077: Retrieving host/[email protected] -> HTTP/[email protected] from MEMORY:u0CYkwJ with result: -1765328243/Matching credential not found
> [9849] 1690704029.042081: Destroying ccache MEMORY:u0CYkwJ

_______________________________________________
FreeIPA-users mailing list -- [email protected]
To unsubscribe send an email to [email protected]
Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: https://lists.fedorahosted.org/archives/list/[email protected]
Do not reply to spam, report it: https://pagure.io/fedora-infrastructure/new_issue
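The question the post raises is which service principal the client actually asks the KDC for during enrollment (the replica name or the load-balancer name). The following is an added example, not code from the post or from FreeIPA: it parses KRB5_TRACE-style credential-lookup lines like the ones gssproxy printed above and flags requested service principals whose host part is not a name you expect. Sample lines and the EXAMPLE.TEST principals are constructed placeholders; the `expected_hosts` set is an assumption you fill in with your own load-balancer name.

```python
import re

# Constructed sample modelled on the gssproxy/KRB5_TRACE lines in the post above;
# principals use the placeholder realm EXAMPLE.TEST, not real values.
SAMPLE_TRACE = """\
[9849] 1690704029.042073: Getting credentials host/cl.example.test@EXAMPLE.TEST -> ldap/replica-01.example.test@ using ccache MEMORY:u0CYkwJ
[9849] 1690704029.042075: Retrieving host/cl.example.test@EXAMPLE.TEST -> ldap/replica-01.example.test@ from MEMORY:u0CYkwJ with result: -1765328243/Matching credential not found
[9849] 1690704029.042076: Retrying host/cl.example.test@EXAMPLE.TEST -> ldap/replica-01.example.test@EXAMPLE.TEST with result: -1765328243/Matching credential not found
[9849] 1690704029.042077: Retrieving host/cl.example.test@EXAMPLE.TEST -> HTTP/ipa.example.test@EXAMPLE.TEST from MEMORY:u0CYkwJ with result: -1765328243/Matching credential not found
[9849] 1690704029.042081: Destroying ccache MEMORY:u0CYkwJ
"""

# One credential-lookup record: "[pid] ts: <event> <client> -> <server> ... [with result: code/msg]"
LINE_RE = re.compile(
    r"^\[(?P<pid>\d+)\] (?P<ts>\d+\.\d+): "
    r"(?P<event>Getting credentials|Retrieving|Retrying) "
    r"(?P<client>\S+) -> (?P<server>\S+)"
    r"(?:.*? with result: (?P<code>-?\d+)/(?P<msg>.*))?.*$"
)

def parse_trace(text):
    """Return one dict per credential-lookup line; Storing/Destroying lines are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.lstrip("> "))  # tolerate e-mail quote prefixes
        if not m:
            continue
        d = m.groupdict()
        d["code"] = int(d["code"]) if d["code"] is not None else None
        events.append(d)
    return events

def requested_services(events):
    """Map each requested service principal to the list of lookup result codes
    (None when the line reports no result), ignoring krb5's internal X-CACHECONF entries."""
    out = {}
    for e in events:
        if e["server"].endswith("@X-CACHECONF:"):
            continue
        out.setdefault(e["server"], []).append(e["code"])
    return out

def unexpected_hosts(events, expected_hosts):
    """Service principals whose host part is not one of the names clients are meant
    to use (e.g. the load balancer); these are the TGS requests worth investigating."""
    bad = set()
    for server in requested_services(events):
        _svc, _, rest = server.partition("/")
        host = rest.split("@", 1)[0]
        if host not in expected_hosts:
            bad.add(server)
    return sorted(bad)
```

Run against a real trace, the output tells you whether the client is requesting ldap/&lt;replica&gt; rather than ldap/&lt;load balancer&gt;, which is the distinction the post is trying to pin down.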
