I uninstalled the ipa server and reinstalled it. Then restored the backup. And then the following:
$ keyctl list @s
3 keys in keyring:
437165764: --alswrv 0 65534 keyring: _uid.0
556579409: --alswrv 0 0 user: ipa_session_cookie:host/zaira2.opera@OPERA
286806445: ---lswrv 0 65534 keyring: _persistent.0
$ keyctl purge 556579409
purged 0 keys
$ keyctl reap
0 keys reaped
$ ipa user-show admin
ipa: ERROR: cannot connect to 'https://zaira2.opera/ipa/json': Unauthorized
$ keyctl list @s
3 keys in keyring:
437165764: --alswrv 0 65534 keyring: _uid.0
556579409: --alswrv 0 0 user: ipa_session_cookie:host/zaira2.opera@OPERA
286806445: ---lswrv 0 65534 keyring: _persistent.0

It doesn't seem to purge or to reap.

On Mon, Oct 5, 2015 at 9:17 AM, Fujisan <[email protected]> wrote:
> Good morning,
>
> Any suggestion what I should do?
>
> I still have
>
> $ ipa user-show admin
> ipa: ERROR: cannot connect to 'https://zaira2.opera/ipa/json': Unauthorized
>
> Regards.
>
> On Fri, Oct 2, 2015 at 5:04 PM, Fujisan <[email protected]> wrote:
>> I only have this:
>>
>> $ keyctl list @s
>> 1 key in keyring:
>> 641467419: --alswrv 0 65534 keyring: _uid.0
>> $
>>
>> On Fri, Oct 2, 2015 at 5:01 PM, Alexander Bokovoy <[email protected]> wrote:
>>> On Fri, 02 Oct 2015, Fujisan wrote:
>>>> I forgot to mention that
>>>>
>>>> $ ipa user-show admin
>>>> ipa: ERROR: cannot connect to 'https://zaira2.opera/ipa/json': Unauthorized
>>>>
>>> This is most likely because of the cached session to your server.
>>>
>>> You can check if keyctl list @s returns you something like
>>> [root@m1 ~]# keyctl list @s
>>> 2 keys in keyring:
>>> 496745412: --alswrv 0 65534 keyring: _uid.0
>>> 215779962: --alswrv 0 0 user: ipa_session_cookie:[email protected]
>>>
>>> If so, then notice the key number (215779962) for the session cookie, and do:
>>> keyctl purge 215779962
>>> keyctl reap
>>>
>>> This should make a next 'ipa ...' command run to ask for new cookie.
>>>
>>>> On Fri, Oct 2, 2015 at 4:44 PM, Fujisan <[email protected]> wrote:
>>>>> I still cannot login to the web UI.
>>>>>
>>>>> Here is what I did:
>>>>>
>>>>> 1. mv /etc/krb5.keytab /etc/krb5.keytab.save
>>>>> 2. kinit admin
>>>>>    Password for admin@OPERA:
>>>>> 3. ipa-getkeytab -s zaira2.opera -p host/zaira2.opera@OPERA -k /etc/krb5.keytab
>>>>> 4. systemctl restart sssd.service
>>>>> 5. mv /etc/httpd/conf/ipa.keytab /etc/httpd/conf/ipa.keytab.save
>>>>> 6. ipa-getkeytab -s zaira2.opera -p HTTP/zaira2.opera@OPERA -k /etc/httpd/conf/ipa.keytab
>>>>> 7. systemctl restart httpd.service
>>>>>
>>>>> The log says now:
>>>>>
>>>>> Oct 02 16:40:56 zaira2.opera krb5kdc[9065](info): AS_REQ (9 etypes {18 17 16 23 25 26 1 3 2}) 10.0.21.18: NEEDED_PREAUTH: HTTP/zaira2.opera@OPERA for krbtgt/OPERA@OPERA, Additional pre-authentication required
>>>>>
>>>>> On Fri, Oct 2, 2015 at 4:25 PM, Alexander Bokovoy <[email protected]> wrote:
>>>>>> On Fri, 02 Oct 2015, Fujisan wrote:
>>>>>>> Well, I think I messed up when trying to configure cockpit to use kerberos.
>>>>>>>
>>>>>>> What should I do to fix this?
>>>>>>>
>>>>>>> I have this on the ipa server:
>>>>>>> $ klist -k
>>>>>>> Keytab name: FILE:/etc/krb5.keytab
>>>>>>> KVNO Principal
>>>>>>> ---- --------------------------------------------------------------------------
>>>>>>>    2 host/zaira2.opera@OPERA
>>>>>>>    2 host/zaira2.opera@OPERA
>>>>>>>    2 host/zaira2.opera@OPERA
>>>>>>>    2 host/zaira2.opera@OPERA
>>>>>>>    1 nfs/zaira2.opera@OPERA
>>>>>>>    1 nfs/zaira2.opera@OPERA
>>>>>>>    1 nfs/zaira2.opera@OPERA
>>>>>>>    1 nfs/zaira2.opera@OPERA
>>>>>>>    3 HTTP/zaira2.opera@OPERA
>>>>>>>    3 HTTP/zaira2.opera@OPERA
>>>>>>>    3 HTTP/zaira2.opera@OPERA
>>>>>>>    3 HTTP/zaira2.opera@OPERA
>>>>>>>
>>>>>> You can start by:
>>>>>>
>>>>>> 0. backup every file mentioned below
>>>>>> 1. Move /etc/krb5.keytab somewhere
>>>>>> 2. kinit as admin
>>>>>> 3. ipa-getkeytab -s `hostname` -p host/`hostname` -k /etc/krb5.keytab
>>>>>> 4. restart SSSD
>>>>>> 5. Move /etc/httpd/conf/ipa.keytab somewhere
>>>>>> 6. ipa-getkeytab -s `hostname` -p HTTP/`hostname` -k /etc/httpd/conf/ipa.keytab
>>>>>> 7. Restart httpd
>>>>>>
>>>>>> Every time you run 'ipa-getkeytab', Kerberos key for the service specified by you is replaced on the server side so that keys in the keytabs become unusable.
>>>>>>
>>>>>> I guess cockpit instructions were for something that was not supposed to run on IPA master. On IPA master there are already all needed services (host/ and HTTP/) and their keytabs are in place.
>>>>>>
>>>>>>> On Fri, Oct 2, 2015 at 3:45 PM, Alexander Bokovoy <[email protected]> wrote:
>>>>>>>> On Fri, 02 Oct 2015, Fujisan wrote:
>>>>>>>>> More info:
>>>>>>>>>
>>>>>>>>> I can initiate a ticket:
>>>>>>>>> $ kdestroy
>>>>>>>>> $ kinit admin
>>>>>>>>>
>>>>>>>>> but cannot view user admin:
>>>>>>>>> $ ipa user-show admin
>>>>>>>>> ipa: ERROR: cannot connect to 'https://zaira2.opera/ipa/json': Unauthorized
>>>>>>>>>
>>>>>>>>> $ ipactl status
>>>>>>>>> Directory Service: RUNNING
>>>>>>>>> krb5kdc Service: RUNNING
>>>>>>>>> kadmin Service: RUNNING
>>>>>>>>> named Service: RUNNING
>>>>>>>>> ipa_memcached Service: RUNNING
>>>>>>>>> httpd Service: RUNNING
>>>>>>>>> pki-tomcatd Service: RUNNING
>>>>>>>>> smb Service: RUNNING
>>>>>>>>> winbind Service: RUNNING
>>>>>>>>> ipa-otpd Service: RUNNING
>>>>>>>>> ipa-dnskeysyncd Service: RUNNING
>>>>>>>>> ipa: INFO: The ipactl command was successful
>>>>>>>>>
>>>>>>>>> /var/log/messages:
>>>>>>>>> Oct 2 14:48:55 zaira2 [sssd[ldap_child[4991]]]: Failed to initialize credentials using keytab [MEMORY:/etc/krb5.keytab]: Decrypt integrity check failed. Unable to create GSSAPI-encrypted LDAP connection.
>>>>>>>>>
>>>>>>>> What did you do?
>>>>>>>>
>>>>>>>> This and the log below about HTTP/zaira2.opera@OPERA show that you have different keys in LDAP and in your keytab files for host/zaira2.opera and HTTP/zaira2.opera principals. This might happen if somebody removed the principals from LDAP (ipa service-del/ipa service-add, or ipa host-del/ipa host-add) so that they become non-synchronized with whatever you have in the keytab files.
>>>>>>>>
>>>>>>>>> On Fri, Oct 2, 2015 at 2:26 PM, Fujisan <[email protected]> wrote:
>>>>>>>>>> Hello,
>>>>>>>>>>
>>>>>>>>>> I cannot login to the web UI anymore.
>>>>>>>>>>
>>>>>>>>>> The password or username you entered is incorrect.
>>>>>>>>>>
>>>>>>>>>> Log says:
>>>>>>>>>>
>>>>>>>>>> Oct 02 14:22:57 zaira2.opera krb5kdc[3225](info): AS_REQ (9 etypes {18 17 16 23 25 26 1 3 2}) 10.0.21.18: NEEDED_PREAUTH: HTTP/zaira2.opera@OPERA for krbtgt/OPERA@OPERA, Additional pre-authentication required
>>>>>>>>>> Oct 02 14:22:57 zaira2.opera krb5kdc[3225](info): closing down fd 12
>>>>>>>>>> Oct 02 14:22:57 zaira2.opera krb5kdc[3225](info): preauth (encrypted_timestamp) verify failure: Decrypt integrity check failed
>>>>>>>>>> Oct 02 14:22:57 zaira2.opera krb5kdc[3225](info): AS_REQ (9 etypes {18 17 16 23 25 26 1 3 2}) 10.0.21.18: PREAUTH_FAILED: HTTP/zaira2.opera@OPERA for krbtgt/OPERA@OPERA, Decrypt integrity check failed
>>>>>>>>>> Oct 02 14:22:57 zaira2.opera krb5kdc[3225](info): closing down fd 12
>>>>>>>>>>
>>>>>>>>>> I have no idea what went wrong.
>>>>>>>>>>
>>>>>>>>>> What can I do?
>>>>>>>>>>
>>>>>>>>>> Regards,
>>>>>>>>>> Fuji
>>>>>>>>>>
>>>>>>>> --
>>>>>>>> / Alexander Bokovoy
>>>>>>>>
>>>>>> --
>>>>>> / Alexander Bokovoy
>>>>>>
>>> --
>>> / Alexander Bokovoy
>>>
-- Manage your subscription for the Freeipa-users mailing list: https://www.redhat.com/mailman/listinfo/freeipa-users Go to http://freeipa.org for more info on the project
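Alexander's diagnosis in the thread is that the keytab and the KDC hold different keys for host/ and HTTP/. As an added example, not code from the thread or from the FreeIPA project, here is a POSIX shell check that compares the KVNOs a keytab holds (from `klist -k`) with the KVNOs the KDC currently has (from `kvno`); the realm, hostname and sample outputs are constructed placeholders.

```shell
#!/bin/sh
# Added example, not from the thread: a keytab whose KVNO lags the KDC is the
# stale-key state behind the "Decrypt integrity check failed" errors quoted
# above (ipa-getkeytab bumps the server-side KVNO every time it runs).
# The parsers take text as arguments so they can run offline.

# Highest KVNO per principal from `klist -k` output, as lines "principal kvno".
keytab_kvnos() {
    printf '%s\n' "$1" | awk '
        /^ *[0-9]+ +[^ ]+@/ { if ($1 + 0 > max[$2]) max[$2] = $1 + 0 }
        END { for (p in max) print p, max[p] }' | sort
}

# KVNO per principal from `kvno` output ("principal: kvno = N"), same shape.
kdc_kvnos() {
    printf '%s\n' "$1" | awk -F'[: =]+' '/kvno/ { print $1, $3 }' | sort
}

# Prints "principal keytab_kvno kdc_kvno" for each principal present in both
# lists whose versions differ; prints nothing when the keytab is in sync.
kvno_mismatches() {
    { keytab_kvnos "$1" | sed 's/^/keytab /'
      kdc_kvnos "$2"    | sed 's/^/kdc /'; } | awk '
        $1 == "keytab" { kt[$2] = $3; next }
        $1 == "kdc" && ($2 in kt) && kt[$2] != $3 { print $2, kt[$2], $3 }'
}

# Live check on a host with a valid admin ticket (kinit first), for example:
#   check_keytab /etc/httpd/conf/ipa.keytab
check_keytab() {
    listing=$(klist -k "$1")
    princs=$(keytab_kvnos "$listing" | awk '{ print $1 }')
    kvno_mismatches "$listing" "$(kvno $princs 2>/dev/null)"
}

# Constructed sample output (placeholder realm, not from the thread): HTTP/ is
# at KVNO 3 in the keytab while the KDC already holds KVNO 4.
SAMPLE_KLIST='Keytab name: FILE:/etc/httpd/conf/ipa.keytab
KVNO Principal
---- --------------------------------------------------
   2 host/ipa.example.test@EXAMPLE.TEST
   2 host/ipa.example.test@EXAMPLE.TEST
   3 HTTP/ipa.example.test@EXAMPLE.TEST
   3 HTTP/ipa.example.test@EXAMPLE.TEST'
SAMPLE_KVNO='host/ipa.example.test@EXAMPLE.TEST: kvno = 2
HTTP/ipa.example.test@EXAMPLE.TEST: kvno = 4'

kvno_mismatches "$SAMPLE_KLIST" "$SAMPLE_KVNO"   # HTTP/ipa.example.test@EXAMPLE.TEST 3 4
```

A non-empty result means the keytab has to be re-fetched (ipa-getkeytab) and the service restarted, which is the procedure given in the thread.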
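The thread ends with `keyctl purge` reporting no keys removed while the ipa_session_cookie key is still listed. As an added example, not from the thread, here is a shell helper that locates every ipa_session_cookie key in the session keyring and unlinks it by key id with keyutils' `keyctl unlink`; the key ids and realm in the sample listing are constructed.

```shell
#!/bin/sh
# Added example, not from the thread: drop cached FreeIPA session cookies from
# the kernel session keyring by key id, so the next `ipa` command must obtain
# a fresh cookie with its Kerberos ticket instead of reusing one the server
# (reinstalled or re-keyed since) no longer accepts.

# Key ids of every ipa_session_cookie entry in `keyctl list @s` output.
# Takes the listing as text so it can be checked offline on constructed input.
ipa_cookie_key_ids() {
    printf '%s\n' "$1" | awk -F: '/ user: ipa_session_cookie:/ { sub(/^ */, "", $1); print $1 }'
}

# Unlink each cookie key from the session keyring; prints the ids removed.
# (Uses `keyctl unlink <key> <keyring>`, which removes a key by its id.)
drop_ipa_session_cookies() {
    for id in $(ipa_cookie_key_ids "$(keyctl list @s)"); do
        keyctl unlink "$id" @s && echo "unlinked $id"
    done
}

# Constructed sample listing (placeholder realm and ids, not from the thread).
SAMPLE_KEYRING='3 keys in keyring:
437165764: --alswrv     0 65534 keyring: _uid.0
556579409: --alswrv     0     0 user: ipa_session_cookie:host/ipa.example.test@EXAMPLE.TEST
286806445: ---lswrv     0 65534 keyring: _persistent.0'

ipa_cookie_key_ids "$SAMPLE_KEYRING"   # 556579409
```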
