I only have this:

$ keyctl list @s
1 key in keyring:
641467419: --alswrv 0 65534 keyring: _uid.0
$

On Fri, Oct 2, 2015 at 5:01 PM, Alexander Bokovoy <[email protected]> wrote:
> On Fri, 02 Oct 2015, Fujisan wrote:
>> I forgot to mention that
>>
>> $ ipa user-show admin
>> ipa: ERROR: cannot connect to 'https://zaira2.opera/ipa/json': Unauthorized
>>
> This is most likely because of the cached session to your server.
>
> You can check if keyctl list @s returns you something like
>
> [root@m1 ~]# keyctl list @s
> 2 keys in keyring:
> 496745412: --alswrv 0 65534 keyring: _uid.0
> 215779962: --alswrv 0 0 user: ipa_session_cookie:[email protected]
>
> If so, then notice the key number (215779962) for the session cookie,
> and do:
>
> keyctl purge 215779962
> keyctl reap
>
> This should make the next 'ipa ...' command ask for a new cookie.
>
>> On Fri, Oct 2, 2015 at 4:44 PM, Fujisan <[email protected]> wrote:
>>> I still cannot login to the web UI.
>>>
>>> Here is what I did:
>>>
>>> 1. mv /etc/krb5.keytab /etc/krb5.keytab.save
>>> 2. kinit admin
>>>    Password for admin@OPERA:
>>> 3. ipa-getkeytab -s zaira2.opera -p host/zaira2.opera@OPERA -k /etc/krb5.keytab
>>> 4. systemctl restart sssd.service
>>> 5. mv /etc/httpd/conf/ipa.keytab /etc/httpd/conf/ipa.keytab.save
>>> 6. ipa-getkeytab -s zaira2.opera -p HTTP/zaira2.opera@OPERA -k /etc/httpd/conf/ipa.keytab
>>> 7. systemctl restart httpd.service
>>>
>>> The log says now:
>>>
>>> Oct 02 16:40:56 zaira2.opera krb5kdc[9065](info): AS_REQ (9 etypes {18 17 16 23 25 26 1 3 2}) 10.0.21.18: NEEDED_PREAUTH: HTTP/zaira2.opera@OPERA for krbtgt/OPERA@OPERA, Additional pre-authentication required
>>>
>>> On Fri, Oct 2, 2015 at 4:25 PM, Alexander Bokovoy <[email protected]> wrote:
>>>> On Fri, 02 Oct 2015, Fujisan wrote:
>>>>> Well, I think I messed up when trying to configure cockpit to use
>>>>> kerberos.
>>>>>
>>>>> What should I do to fix this?
>>>>>
>>>>> I have this on the ipa server:
>>>>> $ klist -k
>>>>> Keytab name: FILE:/etc/krb5.keytab
>>>>> KVNO Principal
>>>>> ---- --------------------------------------------------------------------------
>>>>>    2 host/zaira2.opera@OPERA
>>>>>    2 host/zaira2.opera@OPERA
>>>>>    2 host/zaira2.opera@OPERA
>>>>>    2 host/zaira2.opera@OPERA
>>>>>    1 nfs/zaira2.opera@OPERA
>>>>>    1 nfs/zaira2.opera@OPERA
>>>>>    1 nfs/zaira2.opera@OPERA
>>>>>    1 nfs/zaira2.opera@OPERA
>>>>>    3 HTTP/zaira2.opera@OPERA
>>>>>    3 HTTP/zaira2.opera@OPERA
>>>>>    3 HTTP/zaira2.opera@OPERA
>>>>>    3 HTTP/zaira2.opera@OPERA
>>>>>
>>>> You can start by:
>>>>
>>>> 0. backup every file mentioned below
>>>> 1. Move /etc/krb5.keytab somewhere
>>>> 2. kinit as admin
>>>> 3. ipa-getkeytab -s `hostname` -p host/`hostname` -k /etc/krb5.keytab
>>>> 4. restart SSSD
>>>> 5. Move /etc/httpd/conf/ipa.keytab somewhere
>>>> 6. ipa-getkeytab -s `hostname` -p HTTP/`hostname` -k /etc/httpd/conf/ipa.keytab
>>>> 7. Restart httpd
>>>>
>>>> Every time you run 'ipa-getkeytab', the Kerberos key for the service
>>>> you specify is replaced on the server side, so the keys in the
>>>> keytabs become unusable.
>>>>
>>>> I guess the cockpit instructions were for something that was not supposed
>>>> to run on an IPA master. On an IPA master all needed services
>>>> (host/ and HTTP/) already exist and their keytabs are in place.
>>>>
>>>>> On Fri, Oct 2, 2015 at 3:45 PM, Alexander Bokovoy <[email protected]> wrote:
>>>>>> On Fri, 02 Oct 2015, Fujisan wrote:
>>>>>>> More info:
>>>>>>>
>>>>>>> I can initiate a ticket:
>>>>>>> $ kdestroy
>>>>>>> $ kinit admin
>>>>>>>
>>>>>>> but cannot view user admin:
>>>>>>> $ ipa user-show admin
>>>>>>> ipa: ERROR: cannot connect to 'https://zaira2.opera/ipa/json': Unauthorized
>>>>>>>
>>>>>>> $ ipactl status
>>>>>>> Directory Service: RUNNING
>>>>>>> krb5kdc Service: RUNNING
>>>>>>> kadmin Service: RUNNING
>>>>>>> named Service: RUNNING
>>>>>>> ipa_memcached Service: RUNNING
>>>>>>> httpd Service: RUNNING
>>>>>>> pki-tomcatd Service: RUNNING
>>>>>>> smb Service: RUNNING
>>>>>>> winbind Service: RUNNING
>>>>>>> ipa-otpd Service: RUNNING
>>>>>>> ipa-dnskeysyncd Service: RUNNING
>>>>>>> ipa: INFO: The ipactl command was successful
>>>>>>>
>>>>>>> /var/log/messages:
>>>>>>> Oct 2 14:48:55 zaira2 [sssd[ldap_child[4991]]]: Failed to initialize credentials using keytab [MEMORY:/etc/krb5.keytab]: Decrypt integrity check failed. Unable to create GSSAPI-encrypted LDAP connection.
>>>>>>>
>>>>>> What did you do?
>>>>>>
>>>>>> This and the log below about HTTP/zaira2.opera@OPERA show that you have
>>>>>> different keys in LDAP and in your keytab files for the host/zaira2.opera
>>>>>> and HTTP/zaira2.opera principals. This might happen if somebody removed
>>>>>> the principals from LDAP (ipa service-del/ipa service-add, or ipa
>>>>>> host-del/ipa host-add) so that they became non-synchronized with
>>>>>> whatever you have in the keytab files.
>>>>>>
>>>>>>> On Fri, Oct 2, 2015 at 2:26 PM, Fujisan <[email protected]> wrote:
>>>>>>>> Hello,
>>>>>>>>
>>>>>>>> I cannot login to the web UI anymore.
>>>>>>>>
>>>>>>>> The password or username you entered is incorrect.
>>>>>>>>
>>>>>>>> Log says:
>>>>>>>>
>>>>>>>> Oct 02 14:22:57 zaira2.opera krb5kdc[3225](info): AS_REQ (9 etypes {18 17 16 23 25 26 1 3 2}) 10.0.21.18: NEEDED_PREAUTH: HTTP/zaira2.opera@OPERA for krbtgt/OPERA@OPERA, Additional pre-authentication required
>>>>>>>> Oct 02 14:22:57 zaira2.opera krb5kdc[3225](info): closing down fd 12
>>>>>>>> Oct 02 14:22:57 zaira2.opera krb5kdc[3225](info): preauth (encrypted_timestamp) verify failure: Decrypt integrity check failed
>>>>>>>> Oct 02 14:22:57 zaira2.opera krb5kdc[3225](info): AS_REQ (9 etypes {18 17 16 23 25 26 1 3 2}) 10.0.21.18: PREAUTH_FAILED: HTTP/zaira2.opera@OPERA for krbtgt/OPERA@OPERA, Decrypt integrity check failed
>>>>>>>> Oct 02 14:22:57 zaira2.opera krb5kdc[3225](info): closing down fd 12
>>>>>>>>
>>>>>>>> I have no idea what went wrong.
>>>>>>>>
>>>>>>>> What can I do?
>>>>>>>>
>>>>>>>> Regards,
>>>>>>>> Fuji
>>>>>>
>>>>>> --
>>>>>> / Alexander Bokovoy
>>>>
>>>> --
>>>> / Alexander Bokovoy
>
> --
> / Alexander Bokovoy
-- Manage your subscription for the Freeipa-users mailing list: https://www.redhat.com/mailman/listinfo/freeipa-users Go to http://freeipa.org for more info on the project
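The thread above describes two separate failure modes that both surface as an unusable IPA master: a cached IPA session cookie in the kernel session keyring, which makes every `ipa` command hit the server with a session it no longer accepts ("Unauthorized"), and a keytab whose key version (KVNO) is behind what the KDC now holds after `ipa-getkeytab` replaced the key ("Decrypt integrity check failed"). The script below is an added example, not code from the thread or from FreeIPA: it parses `keyctl list @s`, `klist -k` and `kvno` output to detect both conditions. Without arguments it runs offline against constructed sample output (host ipa.example.test, realm EXAMPLE.TEST and the key IDs are made up); with `--live` it runs the real commands, which assumes keyutils and krb5-workstation are installed and a valid admin TGT exists. It removes a stale cookie by key ID with `keyctl unlink` rather than `keyctl purge`, which takes a key type and description.

```shell
#!/bin/sh
# Added example, not from the thread above: automate the two checks
# discussed there. No arguments = offline run over constructed sample
# output; "--live" = run keyctl/klist/kvno for real (needs keyutils,
# krb5-workstation and a valid admin TGT from "kinit admin").
# Host ipa.example.test, realm EXAMPLE.TEST and all key IDs are made up.

# 1. Key IDs of every IPA session cookie in `keyctl list @s` output (stdin).
#    Line layout: "<id>: <perms> <uid> <gid> <type>: <description>"
session_cookie_key_ids() {
    awk '$1 ~ /^[0-9]+:$/ && $5 == "user:" && $6 ~ /^ipa_session_cookie:/ {
             sub(/:$/, "", $1); print $1 }'
}

# 2a. Highest KVNO held for a principal in `klist -k` output (stdin);
#     prints nothing if the principal is not in the keytab at all.
keytab_kvno() {
    awk -v p="$1" '$1 ~ /^[0-9]+$/ && $2 == p { found = 1; if ($1 + 0 > max) max = $1 + 0 }
                   END { if (found) print max }'
}

# 2b. KVNO the KDC currently issues for the principal, parsed from `kvno`
#     output such as "HTTP/ipa.example.test@EXAMPLE.TEST: kvno = 4" (stdin).
kdc_kvno() {
    awk -F'kvno = ' 'NF == 2 { print $2 + 0 }'
}

# Exit 0 when keytab and KDC agree, 1 when the keytab is stale or empty.
kvno_status() {  # $1 = keytab kvno, $2 = kdc kvno
    if [ -n "$1" ] && [ "$1" = "$2" ]; then
        echo "kvno $1 matches the KDC"
        return 0
    fi
    echo "MISMATCH: keytab kvno '${1:-none}' vs KDC kvno '${2:-unknown}'"
    return 1
}

# Constructed sample output, used when --live is not given.
sample_keyring() {
cat <<'EOF'
2 keys in keyring:
496745412: --alswrv 0 65534 keyring: _uid.0
215779962: --alswrv 0 0 user: ipa_session_cookie:admin@EXAMPLE.TEST
EOF
}
sample_keytab() {
cat <<'EOF'
Keytab name: FILE:/etc/httpd/conf/ipa.keytab
KVNO Principal
---- --------------------------------------------------------------------------
   3 HTTP/ipa.example.test@EXAMPLE.TEST
   3 HTTP/ipa.example.test@EXAMPLE.TEST
EOF
}
sample_kvno() {
    echo "HTTP/ipa.example.test@EXAMPLE.TEST: kvno = 4"
}

main() {  # usage: main [--live] [principal] [keytab]
    live=0
    if [ "${1:-}" = "--live" ]; then live=1; shift; fi
    princ="${1:-HTTP/ipa.example.test@EXAMPLE.TEST}"
    keytab="${2:-/etc/httpd/conf/ipa.keytab}"
    if [ "$live" -eq 1 ]; then
        keyring_out=$(keyctl list @s)
        keytab_out=$(klist -k "$keytab")
        kdc_out=$(kvno "$princ" 2>&1)
    else
        keyring_out=$(sample_keyring)
        keytab_out=$(sample_keytab)
        kdc_out=$(sample_kvno)
    fi

    # Check 1: a cached session cookie makes 'ipa' reuse a session the
    # server no longer accepts; drop it so the next call re-authenticates
    # with the Kerberos ticket instead.
    for id in $(printf '%s\n' "$keyring_out" | session_cookie_key_ids); do
        echo "stale IPA session cookie in @s: key $id"
        if [ "$live" -eq 1 ]; then
            keyctl unlink "$id" @s
        fi
    done

    # Check 2: after ipa-getkeytab (or service-del/service-add) the KDC holds
    # a newer key than the keytab; the KDC then logs "Decrypt integrity
    # check failed" for that principal.
    kt=$(printf '%s\n' "$keytab_out" | keytab_kvno "$princ")
    kd=$(printf '%s\n' "$kdc_out" | kdc_kvno)
    kvno_status "$kt" "$kd" ||
        echo "re-fetch $keytab with ipa-getkeytab -p $princ and restart httpd"
}

main "$@"
```

In the offline run the sample keytab holds KVNO 3 while the KDC answers with KVNO 4, so the script reports a mismatch and points at `ipa-getkeytab`; on a healthy master both numbers agree and `keyctl list @s` shows no `ipa_session_cookie` entry until the first `ipa` command after `kinit` creates one.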
