On 10/05/2015 12:55 PM, Fujisan wrote:
It is actually on the ipa server that ipa commands are not working. On ipa
clients, I do not have errors.
On Mon, Oct 5, 2015 at 12:27 PM, Fujisan <[email protected]> wrote:
I just noticed I can log in to the web UI with user admin and his password.
But when I try to configure firefox to use kerberos, I click on "Install
Kerberos Configuration Firefox Extension" button, a message appears saying
"Firefox prevented this site from asking you to install software on your
computer", so I click on the "Allow" button and then another message
appears "The add-on downloaded from this site could not be installed
because it appears to be corrupt.".
Here you hit https://fedorahosted.org/freeipa/ticket/4906
The fix (will be in the 4.2.2 release) for this ticket changes the procedure for
new versions of Firefox to a manual configuration. Basically the steps
for Firefox are those described on the page
http://your-ipa.example.test/ipa/config/ssbrowser.html
And the ipa commands are still not working.
$ ipa user-show admin
ipa: ERROR: cannot connect to 'https://zaira2.opera/ipa/json':
Unauthorized
On Mon, Oct 5, 2015 at 12:13 PM, Fujisan <[email protected]> wrote:
I uninstalled the ipa server and reinstalled it. Then restored the backup.
And then the following:
$ keyctl list @s
3 keys in keyring:
437165764: --alswrv 0 65534 keyring: _uid.0
556579409: --alswrv 0 0 user: ipa_session_cookie:host/zaira2.opera@OPERA
286806445: ---lswrv 0 65534 keyring: _persistent.0
$ keyctl purge 556579409
purged 0 keys
$ keyctl reap
0 keys reaped
$ ipa user-show admin
ipa: ERROR: cannot connect to 'https://zaira2.opera/ipa/json':
Unauthorized
$ keyctl list @s
3 keys in keyring:
437165764: --alswrv 0 65534 keyring: _uid.0
556579409: --alswrv 0 0 user: ipa_session_cookie:host/zaira2.opera@OPERA
286806445: ---lswrv 0 65534 keyring: _persistent.0
It doesn't seem to purge or to reap.
On Mon, Oct 5, 2015 at 9:17 AM, Fujisan <[email protected]> wrote:
Good morning,
Any suggestion what I should do?
I still have
$ ipa user-show admin
ipa: ERROR: cannot connect to 'https://zaira2.opera/ipa/json':
Unauthorized
Regards.
On Fri, Oct 2, 2015 at 5:04 PM, Fujisan <[email protected]> wrote:
I only have this:
$ keyctl list @s
1 key in keyring:
641467419: --alswrv 0 65534 keyring: _uid.0
$
On Fri, Oct 2, 2015 at 5:01 PM, Alexander Bokovoy <[email protected]> wrote:
On Fri, 02 Oct 2015, Fujisan wrote:
I forgot to mention that
$ ipa user-show admin
ipa: ERROR: cannot connect to 'https://zaira2.opera/ipa/json':
Unauthorized
This is most likely because of the cached session to your server.
You can check if keyctl list @s
returns you something like
[root@m1 ~]# keyctl list @s
2 keys in keyring:
496745412: --alswrv 0 65534 keyring: _uid.0
215779962: --alswrv 0 0 user: ipa_session_cookie:[email protected]
If so, then notice the key number (215779962) for the session cookie,
and do:
keyctl purge 215779962
keyctl reap
This should make the next 'ipa ...' command run ask for a new cookie.
On Fri, Oct 2, 2015 at 4:44 PM, Fujisan <[email protected]> wrote:
I still cannot log in to the web UI.
Here is what I did:
1. mv /etc/krb5.keytab /etc/krb5.keytab.save
2. kinit admin
Password for admin@OPERA:
3. ipa-getkeytab -s zaira2.opera -p host/zaira2.opera@OPERA -k /etc/krb5.keytab
4. systemctl restart sssd.service
5. mv /etc/httpd/conf/ipa.keytab /etc/httpd/conf/ipa.keytab.save
6. ipa-getkeytab -s zaira2.opera -p HTTP/zaira2.opera@OPERA -k /etc/httpd/conf/ipa.keytab
7. systemctl restart httpd.service
The log says now:
Oct 02 16:40:56 zaira2.opera krb5kdc[9065](info): AS_REQ (9 etypes {18 17 16 23 25 26 1 3 2}) 10.0.21.18: NEEDED_PREAUTH: HTTP/zaira2.opera@OPERA for krbtgt/OPERA@OPERA, Additional pre-authentication required
On Fri, Oct 2, 2015 at 4:25 PM, Alexander Bokovoy <[email protected]> wrote:
On Fri, 02 Oct 2015, Fujisan wrote:
Well, I think I messed up when trying to configure cockpit to use
kerberos.
What should I do to fix this?
I have this on the ipa server:
$ klist -k
Keytab name: FILE:/etc/krb5.keytab
KVNO Principal
---- --------------------------------------------------------------------------
2 host/zaira2.opera@OPERA
2 host/zaira2.opera@OPERA
2 host/zaira2.opera@OPERA
2 host/zaira2.opera@OPERA
1 nfs/zaira2.opera@OPERA
1 nfs/zaira2.opera@OPERA
1 nfs/zaira2.opera@OPERA
1 nfs/zaira2.opera@OPERA
3 HTTP/zaira2.opera@OPERA
3 HTTP/zaira2.opera@OPERA
3 HTTP/zaira2.opera@OPERA
3 HTTP/zaira2.opera@OPERA
You can start by:
0. backup every file mentioned below
1. Move /etc/krb5.keytab somewhere
2. kinit as admin
3. ipa-getkeytab -s `hostname` -p host/`hostname` -k /etc/krb5.keytab
4. restart SSSD
5. Move /etc/httpd/conf/ipa.keytab somewhere
6. ipa-getkeytab -s `hostname` -p HTTP/`hostname` -k /etc/httpd/conf/ipa.keytab
7. Restart httpd
Every time you run 'ipa-getkeytab', the Kerberos key for the service
you specify is replaced on the server side, so that the keys in the
existing keytabs become unusable.
I guess the cockpit instructions were for something that was not
supposed to run on an IPA master. On an IPA master all needed services
(host/ and HTTP/) already exist and their keytabs are in place.
On Fri, Oct 2, 2015 at 3:45 PM, Alexander Bokovoy <[email protected]> wrote:
On Fri, 02 Oct 2015, Fujisan wrote:
More info:
I can initiate a ticket:
$ kdestroy
$ kinit admin
but cannot view user admin:
$ ipa user-show admin
ipa: ERROR: cannot connect to 'https://zaira2.opera/ipa/json':
Unauthorized
$ ipactl status
Directory Service: RUNNING
krb5kdc Service: RUNNING
kadmin Service: RUNNING
named Service: RUNNING
ipa_memcached Service: RUNNING
httpd Service: RUNNING
pki-tomcatd Service: RUNNING
smb Service: RUNNING
winbind Service: RUNNING
ipa-otpd Service: RUNNING
ipa-dnskeysyncd Service: RUNNING
ipa: INFO: The ipactl command was successful
/var/log/messages:
Oct 2 14:48:55 zaira2 [sssd[ldap_child[4991]]]: Failed to initialize credentials using keytab [MEMORY:/etc/krb5.keytab]: Decrypt integrity check failed. Unable to create GSSAPI-encrypted LDAP connection.
What did you do?
This and the log below about HTTP/zaira2.opera@OPERA show that you have
different keys in LDAP and in your keytab files for the host/zaira2.opera
and HTTP/zaira2.opera principals. This might happen if somebody removed
the principals from LDAP (ipa service-del/ipa service-add, or ipa
host-del/ipa host-add) so that they become non-synchronized with
whatever you have in the keytab files.
On Fri, Oct 2, 2015 at 2:26 PM, Fujisan <[email protected]> wrote:
Hello,
I cannot log in to the web UI anymore:
"The password or username you entered is incorrect."
Log says:
Oct 02 14:22:57 zaira2.opera krb5kdc[3225](info): AS_REQ (9 etypes {18 17 16 23 25 26 1 3 2}) 10.0.21.18: NEEDED_PREAUTH: HTTP/zaira2.opera@OPERA for krbtgt/OPERA@OPERA, Additional pre-authentication required
Oct 02 14:22:57 zaira2.opera krb5kdc[3225](info): closing down fd 12
Oct 02 14:22:57 zaira2.opera krb5kdc[3225](info): preauth (encrypted_timestamp) verify failure: Decrypt integrity check failed
Oct 02 14:22:57 zaira2.opera krb5kdc[3225](info): AS_REQ (9 etypes {18 17 16 23 25 26 1 3 2}) 10.0.21.18: PREAUTH_FAILED: HTTP/zaira2.opera@OPERA for krbtgt/OPERA@OPERA, Decrypt integrity check failed
Oct 02 14:22:57 zaira2.opera krb5kdc[3225](info): closing down fd 12
I have no idea what went wrong.
What can I do?
Regards,
Fuji
--
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project
--
/ Alexander Bokovoy
--
Petr Vobornik
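As an added example (not code from the thread, nor from FreeIPA or MIT Kerberos), a small Python helper that applies the two diagnostics given in the thread: it flags service principals whose AS_REQ pre-authentication fails in the krb5kdc log with "Decrypt integrity check failed", which for a keytab-based principal such as HTTP/ or host/ points at a keytab/KDC key mismatch rather than a mistyped password, and it extracts the key ids of cached ipa_session_cookie entries from `keyctl list @s` output. The log and keyctl samples are constructed from the lines quoted above; the ISSUE line for admin@OPERA is made up.

```python
import re

# Constructed krb5kdc log sample, modelled on the lines quoted in the thread
# (joined onto single lines); the ISSUE line for admin@OPERA is made up.
KDC_LOG = """\
Oct 02 14:22:57 zaira2.opera krb5kdc[3225](info): AS_REQ (9 etypes {18 17 16 23 25 26 1 3 2}) 10.0.21.18: NEEDED_PREAUTH: HTTP/zaira2.opera@OPERA for krbtgt/OPERA@OPERA, Additional pre-authentication required
Oct 02 14:22:57 zaira2.opera krb5kdc[3225](info): preauth (encrypted_timestamp) verify failure: Decrypt integrity check failed
Oct 02 14:22:57 zaira2.opera krb5kdc[3225](info): AS_REQ (9 etypes {18 17 16 23 25 26 1 3 2}) 10.0.21.18: PREAUTH_FAILED: HTTP/zaira2.opera@OPERA for krbtgt/OPERA@OPERA, Decrypt integrity check failed
Oct 02 14:23:10 zaira2.opera krb5kdc[3225](info): AS_REQ (9 etypes {18 17 16 23 25 26 1 3 2}) 10.0.21.18: ISSUE: authtime 1443795790, etypes {rep=18 tkt=18 ses=18}, admin@OPERA for krbtgt/OPERA@OPERA
"""
# One AS_REQ that failed pre-authentication: who, from where, and why.
PREAUTH_FAILED = re.compile(
    r"krb5kdc\[\d+\]\(info\): AS_REQ .*?\) (?P<ip>\S+): PREAUTH_FAILED: "
    r"(?P<principal>\S+) for (?P<service>\S+), (?P<reason>.+)$")

def preauth_failures(log_text):
    """Return {client principal: [(source ip, reason), ...]} for PREAUTH_FAILED lines."""
    found = {}
    for line in log_text.splitlines():
        m = PREAUTH_FAILED.search(line)
        if m:
            found.setdefault(m["principal"], []).append((m["ip"], m["reason"]))
    return found

def likely_keytab_mismatches(log_text):
    """Service principals (name part contains '/') failing with 'Decrypt integrity
    check failed'. A service authenticates from a keytab, not a typed password, so
    this pattern means the keytab key no longer matches the KDC's key for it."""
    return sorted(p for p, fails in preauth_failures(log_text).items()
                  if "/" in p.split("@")[0]
                  and any("Decrypt integrity check failed" in r for _, r in fails))

# Constructed 'keyctl list @s' output in the shape shown in the thread.
KEYCTL_LIST = """\
3 keys in keyring:
437165764: --alswrv     0 65534  keyring: _uid.0
556579409: --alswrv     0     0  user: ipa_session_cookie:host/zaira2.opera@OPERA
286806445: ---lswrv     0 65534  keyring: _persistent.0
"""
KEY_LINE = re.compile(
    r"^\s*(?P<id>\d+):\s+\S+\s+\d+\s+\d+\s+user:\s*ipa_session_cookie:(?P<principal>\S+)")

def ipa_session_cookie_keys(keyctl_output):
    """Map each cached ipa_session_cookie key to its key id, so the stale cookie
    behind the 'Unauthorized' answers from every 'ipa' command can be removed."""
    return {m["principal"]: int(m["id"])
            for m in map(KEY_LINE.match, keyctl_output.splitlines()) if m}
```

Note that `keyctl purge` takes a key type (and optionally a description) rather than a key id, which is consistent with the "purged 0 keys" output seen in the thread; `keyctl unlink <id> @s` removes a specific key by id from the session keyring.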