Well, I think I messed up when trying to configure cockpit to use kerberos.
What should I do to fix this?

I have this on the ipa server:

$ klist -k
Keytab name: FILE:/etc/krb5.keytab
KVNO Principal
---- --------------------------------------------------------------------------
   2 host/zaira2.opera@OPERA
   2 host/zaira2.opera@OPERA
   2 host/zaira2.opera@OPERA
   2 host/zaira2.opera@OPERA
   1 nfs/zaira2.opera@OPERA
   1 nfs/zaira2.opera@OPERA
   1 nfs/zaira2.opera@OPERA
   1 nfs/zaira2.opera@OPERA
   3 HTTP/zaira2.opera@OPERA
   3 HTTP/zaira2.opera@OPERA
   3 HTTP/zaira2.opera@OPERA
   3 HTTP/zaira2.opera@OPERA

On Fri, Oct 2, 2015 at 3:45 PM, Alexander Bokovoy <[email protected]> wrote:
> On Fri, 02 Oct 2015, Fujisan wrote:
>
>> More info:
>>
>> I can initiate a ticket:
>> $ kdestroy
>> $ kinit admin
>>
>> but cannot view user admin:
>> $ ipa user-show admin
>> ipa: ERROR: cannot connect to 'https://zaira2.opera/ipa/json': Unauthorized
>>
>> $ ipactl status
>> Directory Service: RUNNING
>> krb5kdc Service: RUNNING
>> kadmin Service: RUNNING
>> named Service: RUNNING
>> ipa_memcached Service: RUNNING
>> httpd Service: RUNNING
>> pki-tomcatd Service: RUNNING
>> smb Service: RUNNING
>> winbind Service: RUNNING
>> ipa-otpd Service: RUNNING
>> ipa-dnskeysyncd Service: RUNNING
>> ipa: INFO: The ipactl command was successful
>>
>> /var/log/messages:
>> Oct 2 14:48:55 zaira2 [sssd[ldap_child[4991]]]: Failed to initialize credentials using keytab [MEMORY:/etc/krb5.keytab]: Decrypt integrity check failed. Unable to create GSSAPI-encrypted LDAP connection.
>>
> What did you do?
>
> This and the log below about HTTP/zaira2.opera@OPERA show that you have
> different keys in LDAP and in your keytab files for host/zaira2.opera
> and HTTP/zaira2.opera principals. This might happen if somebody removed
> the principals from LDAP (ipa service-del/ipa service-add, or ipa
> host-del/ipa host-add) so that they become non-synchronized with
> whatever you have in the keytab files.
>
>
> On Fri, Oct 2, 2015 at 2:26 PM, Fujisan <[email protected]> wrote:
>>
>>> Hello,
>>>
>>> I cannot login to the web UI anymore.
>>>
>>> The password or username you entered is incorrect.
>>>
>>> Log says:
>>>
>>> Oct 02 14:22:57 zaira2.opera krb5kdc[3225](info): AS_REQ (9 etypes {18 17 16 23 25 26 1 3 2}) 10.0.21.18: NEEDED_PREAUTH: HTTP/zaira2.opera@OPERA for krbtgt/OPERA@OPERA, Additional pre-authentication required
>>> Oct 02 14:22:57 zaira2.opera krb5kdc[3225](info): closing down fd 12
>>> Oct 02 14:22:57 zaira2.opera krb5kdc[3225](info): preauth (encrypted_timestamp) verify failure: Decrypt integrity check failed
>>> Oct 02 14:22:57 zaira2.opera krb5kdc[3225](info): AS_REQ (9 etypes {18 17 16 23 25 26 1 3 2}) 10.0.21.18: PREAUTH_FAILED: HTTP/zaira2.opera@OPERA for krbtgt/OPERA@OPERA, Decrypt integrity check failed
>>> Oct 02 14:22:57 zaira2.opera krb5kdc[3225](info): closing down fd 12
>>>
>>>
>>> I have no idea what went wrong.
>>>
>>> What can I do?
>>>
>>> Regards,
>>> Fuji
>>>
>>>
>>>
>> --
>> Manage your subscription for the Freeipa-users mailing list:
>> https://www.redhat.com/mailman/listinfo/freeipa-users
>> Go to http://freeipa.org for more info on the project
>>
>
>
> --
> / Alexander Bokovoy
-- Manage your subscription for the Freeipa-users mailing list: https://www.redhat.com/mailman/listinfo/freeipa-users Go to http://freeipa.org for more info on the project
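The diagnosis in the thread (keys in LDAP no longer match the keys in the keytab after a delete/re-add) can be checked mechanically: list the key version numbers (KVNOs) in the keytab with `klist -k` and ask the KDC for its current KVNO of each principal with `kvno`. The following script is an added example written for this thread, not code from the thread or from the FreeIPA project. The `klist -k` sample is the listing posted above; the `kvno` sample is constructed, since the thread never shows the KDC-side numbers, and the `kvno` output format (`principal: kvno = N`) is that of the MIT Kerberos client.

```python
"""
Compare the key version numbers (KVNOs) recorded in a keytab with the
KVNOs the KDC currently holds for the same principals. A principal whose
keytab lacks the KDC's current KVNO has almost certainly been re-keyed in
LDAP (e.g. by ipa service-del/service-add) without the keytab being
refreshed, which is exactly the state that produces "Decrypt integrity
check failed" in the KDC and SSSD logs.
"""
import re
import subprocess
from collections import defaultdict

# Constructed sample: the `klist -k` listing from the thread, abbreviated
# (klist prints one line per encryption type, hence the repeated rows).
SAMPLE_KLIST = """\
Keytab name: FILE:/etc/krb5.keytab
KVNO Principal
---- --------------------------------------------------------------------------
   2 host/zaira2.opera@OPERA
   2 host/zaira2.opera@OPERA
   1 nfs/zaira2.opera@OPERA
   1 nfs/zaira2.opera@OPERA
   3 HTTP/zaira2.opera@OPERA
   3 HTTP/zaira2.opera@OPERA
"""

# Constructed sample of `kvno` output. The KDC-side numbers are hypothetical:
# the thread does not show them, these values merely illustrate a mismatch.
SAMPLE_KVNO = """\
host/zaira2.opera@OPERA: kvno = 4
nfs/zaira2.opera@OPERA: kvno = 1
HTTP/zaira2.opera@OPERA: kvno = 5
"""

KLIST_LINE = re.compile(r"^\s*(\d+)\s+(\S+@\S+)\s*$")
KVNO_LINE = re.compile(r"^\s*(\S+@\S+):\s+kvno\s*=\s*(\d+)\s*$")


def parse_klist(text):
    """Return {principal: set of KVNOs present in the keytab}."""
    found = defaultdict(set)
    for line in text.splitlines():
        m = KLIST_LINE.match(line)
        if m:
            found[m.group(2)].add(int(m.group(1)))
    return dict(found)


def parse_kvno(text):
    """Return {principal: KVNO the KDC reported}."""
    found = {}
    for line in text.splitlines():
        m = KVNO_LINE.match(line)
        if m:
            found[m.group(1)] = int(m.group(2))
    return found


def compare_kvnos(klist_text, kvno_text):
    """
    Return {principal: (sorted keytab KVNOs, KDC KVNO)} for every principal
    whose keytab does not contain the KVNO the KDC currently uses.
    A KDC KVNO of None means `kvno` gave no answer for that principal
    (principal missing from the KDC, or the lookup failed).
    """
    keytab = parse_klist(klist_text)
    kdc = parse_kvno(kvno_text)
    stale = {}
    for principal, versions in keytab.items():
        current = kdc.get(principal)
        if current not in versions:
            stale[principal] = (sorted(versions), current)
    return stale


def run_live(keytab="/etc/krb5.keytab"):
    """Run the same comparison against the local keytab and the real KDC.
    Needs a valid TGT (kinit first) so that `kvno` can request tickets."""
    klist_out = subprocess.run(["klist", "-k", keytab], capture_output=True,
                               text=True, check=True).stdout
    principals = sorted(parse_klist(klist_out))
    # Do not use check=True: kvno exits non-zero if any single lookup fails,
    # but still prints the lines for the principals it could resolve.
    kvno_out = subprocess.run(["kvno", *principals], capture_output=True,
                              text=True).stdout
    return compare_kvnos(klist_out, kvno_out)


if __name__ == "__main__":
    for principal, (have, want) in compare_kvnos(SAMPLE_KLIST, SAMPLE_KVNO).items():
        print(f"{principal}: keytab has kvno {have}, KDC reports kvno {want}")
```

On the sample data the script flags host/ and HTTP/ but not nfs/, matching the two principals Alexander names. A matching KVNO is only a necessary condition, not proof that the keys agree; the conclusive test for a single principal is `kinit -k -t /etc/krb5.keytab host/zaira2.opera@OPERA`, which fails with the same "Decrypt integrity check failed" when the keytab key is stale. Once the stale principals are identified, the usual way back to a synchronized state is to re-fetch their keytabs with `ipa-getkeytab`, which generates fresh keys on both sides.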
