Hi!

I've been doing backups using the tool like this:

    ipa-backup --data --online

I didn't want any configuration to be backed up, since it is managed from a chef recipe. However, when I tried to recover the backup to a fresh FreeIPA install, Kerberos (GSSAPI) broke — I can't authenticate myself anywhere using Kerberos: CLI, HTTP, etc. LDAP password-based authentication works alright.

After some googling and reading through the mailing list, I followed this manual and updated all keytabs for all services — dirsrv, httpd, kadmin:
http://www.freeipa.org/page/V3/Backup_and_Restore#Backup.2C_uninstall.2C_reinstall.2C_restore_JUST_the_LDAP_server

Then it broke in a different way: for a correct session it says that my session is expired or just does nothing, for an incorrect password it responds with "password incorrect" (see screenshot).
https://yadi.sk/i/WVe8u1_ZpNh3w

For CLI it just says that the credentials are incorrect regardless of what credentials I provide.

I suppose that all krbPrincipalKey fields are tied to some other encryption key that is not included in data-only backup. Could you please let me know how to regenerate krbPrincipalKey for all users or how to work around this issue?

Best regards,
Marat
