On 30/01/2025 at 13:48, Florence Blanc-Renaud wrote:
> Hi,
> the server is in a strange situation, as the keytab in the file has
> kvno 2 but the LDAP database has kvno 1.
> This could happen if the keytab was renewed at some point but there was
> then an ipa-restore or a re-initialize from other replicas, which would
> not know of this new one.
> To fix the issue I would try to retrieve the keytab with kvno 1 with
> the following command:
>
> ipa-getkeytab -r -p 'HTTP/ipa4.lix.polytechnique...@lix.polytechnique.fr' -D cn=directory\ manager -w Secret123 -k /tmp/gssproxy.keytab
This is OK:

Récupération du tableau de clés et stockage avec succès dans : /tmp/gssproxy.keytab
> The -r option is very important as it allows retrieving the existing keytab
> (without the -r option, a new keytab gets generated).
> Then check that the new keytab has kvno 1 as expected with
> klist -kte /tmp/gssproxy.keytab,
This also works:

Keytab name: FILE:/tmp/gssproxy.keytab
KVNO Timestamp           Principal
---- ------------------- ------------------------------------------------------
   1 30/01/2025 14:33:57 HTTP/ipa4.lix.polytechnique...@lix.polytechnique.fr (aes256-cts-hmac-sha1-96)
   1 30/01/2025 14:33:57 HTTP/ipa4.lix.polytechnique...@lix.polytechnique.fr (aes128-cts-hmac-sha1-96)
   1 30/01/2025 14:33:57 HTTP/ipa4.lix.polytechnique...@lix.polytechnique.fr (des3-cbc-sha1)
   1 30/01/2025 14:33:57 HTTP/ipa4.lix.polytechnique...@lix.polytechnique.fr (arcfour-hmac)
> then try kinit with this one.
But this fails:

[13189] 1738244077.982026: Resolving unique ccache of type KEYRING
[13189] 1738244077.982027: Getting initial credentials for HTTP/ipa4.lix.polytechnique...@lix.polytechnique.fr
[13189] 1738244077.982028: Looked up etypes in keytab: (empty)
[13189] 1738244077.982029: Getting initial credentials for HTTP/ipa4.lix.polytechnique...@lix.polytechnique.fr
[13189] 1738244077.982030: Looked up etypes in keytab: (empty)
kinit: Keytab contains no suitable keys for HTTP/ipa4.lix.polytechnique...@lix.polytechnique.fr while getting initial credentials
> If it succeeds, replace the file /var/lib/ipa/gssproxy/http.keytab
> with /tmp/gssproxy.keytab (make a backup first) and restart the IPA
> services with ipactl restart.
> You should also check that there is no replication issue between your
> servers.
What is the best way to do that, ipa-replica-manage list-ruv? All the
servers have the same values, and the output shows "No CS-RUVs found"
(I also compared ldapsearch results between servers).
> flo
Thank you
Regards,
Frederic
--
_______________________________________________
FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org
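Before swapping a keytab into /var/lib/ipa/gssproxy/http.keytab, it helps to confirm that the file actually carries the key version the KDC uses, which is the mismatch this thread is about (file at kvno 2, KDC still at kvno 1). The following script is an added example written for this page; it is not code from the thread or from the FreeIPA project. It assumes the standard MIT Kerberos output formats of `klist -kte` and of the `kvno` tool (a line of the form `<principal>: kvno = N`), and the host name and realm in the embedded sample outputs are placeholders constructed for the example.

```shell
#!/bin/sh
# Added example (not from the thread or FreeIPA): compare the key version
# numbers (KVNOs) stored in a keytab with the KVNO the KDC actually uses for
# a principal. Assumes the MIT `klist -kte` and `kvno` output formats; the
# sample outputs at the bottom are constructed with a placeholder host/realm.

# Distinct KVNOs that a `klist -kte` listing holds for PRINCIPAL, one per line.
# Usage: keytab_kvnos PRINCIPAL "$(klist -kte /path/to.keytab)"
keytab_kvnos() {
    printf '%s\n' "$2" | awk -v p="$1" '
        # data rows look like: "<kvno> <date> <time> <principal> (<enctype>)"
        /^ *[0-9]+ / && index($0, p " (") { print $1 }
    ' | sort -n | uniq
}

# Encryption types present in a listing for PRINCIPAL at a given KVNO.
# Usage: keytab_etypes PRINCIPAL KVNO "$(klist -kte /path/to.keytab)"
keytab_etypes() {
    printf '%s\n' "$3" | awk -v p="$1" -v k="$2" '
        /^ *[0-9]+ / && $1 == k && index($0, p " (") {
            sub(/.*\(/, ""); sub(/\).*/, ""); print   # keep only the enctype
        }
    '
}

# KVNO the KDC reports, parsed from the output of `kvno PRINCIPAL`.
# Usage: kdc_kvno PRINCIPAL "$(kvno PRINCIPAL)"
kdc_kvno() {
    printf '%s\n' "$2" | awk -v p="$1" 'index($0, p ": kvno = ") == 1 { print $NF }'
}

# Returns 0 when the keytab contains the KVNO the KDC uses, 1 when it does not
# (the thread's situation), and 2 when the kvno output carried no KVNO at all.
keytab_matches_kdc() {
    principal=$1 listing=$2 kvno_output=$3
    want=$(kdc_kvno "$principal" "$kvno_output")
    [ -n "$want" ] || { echo "no KVNO reported by the KDC for $principal" >&2; return 2; }
    have=$(keytab_kvnos "$principal" "$listing")
    for k in $have; do
        [ "$k" = "$want" ] && return 0
    done
    echo "mismatch for $principal: KDC uses kvno $want, keytab has:" $have >&2
    return 1
}

# Constructed sample outputs (placeholder host and realm) reproducing the
# thread's state: the keytab file only holds kvno 2, the KDC is on kvno 1.
PRINC='HTTP/ipa.example.test@EXAMPLE.TEST'
SAMPLE_LISTING='Keytab name: FILE:/var/lib/ipa/gssproxy/http.keytab
KVNO Timestamp           Principal
---- ------------------- ------------------------------------------------------
   2 30/01/2025 14:33:57 HTTP/ipa.example.test@EXAMPLE.TEST (aes256-cts-hmac-sha1-96)
   2 30/01/2025 14:33:57 HTTP/ipa.example.test@EXAMPLE.TEST (aes128-cts-hmac-sha1-96)'
SAMPLE_KVNO_OUTPUT='HTTP/ipa.example.test@EXAMPLE.TEST: kvno = 1'

# Live check: `sh keytab_kvno_check.sh PRINCIPAL /path/to.keytab`. `kvno`
# requests a service ticket, so a valid ticket must already be in the cache.
if [ "$#" -eq 2 ]; then
    keytab_matches_kdc "$1" "$(klist -kte "$2")" "$(kvno "$1")"
    exit $?
fi
```

Run against the live system, a non-zero exit tells you the file you are about to install would produce exactly the "Keytab contains no suitable keys" failure seen above, before any service is restarted; `keytab_etypes` additionally lists which enctypes the file offers at the matching KVNO, so a key set that is present but limited to enctypes the KDC no longer permits is visible too.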