On 30/01/2025 at 13:48, Florence Blanc-Renaud wrote:
Hi,

the server is in a strange situation as it has in the file a keytab with kvno 2 but in the LDAP database kvno 1. This could happen if the keytab was renewed someday but there was an ipa-restore or re-initialize from other replicas which would not know of this new one.

To fix the issue I would try to retrieve the keytab with kvno 1 with the following command: ipa-getkeytab -r -p ' HTTP/ipa4.lix.polytechnique...@lix.polytechnique.fr' -D cn=directory\ manager -w Secret123 -k /tmp/gssproxy.keytab

this is ok

Récupération du tableau de clés et stockage avec succès dans : /tmp/gssproxy.keytab


The -r option is very important as it allows you to retrieve the existing keytab (without the -r option, a new keytab gets generated). Then check that the new keytab has kvno 1 as expected with klist -kte /tmp/gssproxy.keytab,

this also works

Keytab name: FILE:/tmp/gssproxy.keytab
KVNO Timestamp           Principal
---- ------------------- ------------------------------------------------------
   1 30/01/2025 14:33:57 HTTP/ipa4.lix.polytechnique...@lix.polytechnique.fr (aes256-cts-hmac-sha1-96)
   1 30/01/2025 14:33:57 HTTP/ipa4.lix.polytechnique...@lix.polytechnique.fr (aes128-cts-hmac-sha1-96)
   1 30/01/2025 14:33:57 HTTP/ipa4.lix.polytechnique...@lix.polytechnique.fr (des3-cbc-sha1)
   1 30/01/2025 14:33:57 HTTP/ipa4.lix.polytechnique...@lix.polytechnique.fr (arcfour-hmac)


try kinit with this one.

but this fails

[13189] 1738244077.982026: Resolving unique ccache of type KEYRING
[13189] 1738244077.982027: Getting initial credentials for HTTP/ipa4.lix.polytechnique...@lix.polytechnique.fr
[13189] 1738244077.982028: Looked up etypes in keytab: (empty)
[13189] 1738244077.982029: Getting initial credentials for HTTP/ipa4.lix.polytechnique...@lix.polytechnique.fr
[13189] 1738244077.982030: Looked up etypes in keytab: (empty)
kinit: Keytab contains no suitable keys for HTTP/ipa4.lix.polytechnique...@lix.polytechnique.fr while getting initial credentials


If it succeeds, replace the file /var/lib/ipa/gssproxy/http.keytab with /tmp/gssproxy.keytab (make a backup first) and restart ipa services with ipactl restart.

You should also check that there is no replication issue between your servers.

What is the best way to do it, ipa-replica-manage list-ruv? All the servers have the same values and there are "No CS-RUVs found" (I also compared ldapsearch results between servers).


flo


Thank you

Regards,

Frederic

-- 
_______________________________________________
FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org
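As an added example (not from the thread or from FreeIPA itself), a small Python check for the situation Florence describes: it parses constructed `klist -kte` and `kvno` output and reports every principal whose keytab file does not hold the kvno the KDC (and so the LDAP entry) currently serves. The principal `HTTP/ipa4.example.test@EXAMPLE.TEST` and the sample lines are placeholders; the `kvno` output is assumed to come from a run with any valid TGT.

```python
"""Keytab kvno check: does the keytab file hold a key with the kvno the KDC serves?
Added example, not from the thread; principal and realm below are placeholders."""
import re
from collections import defaultdict
# Constructed sample of `klist -kte <keytab>` output: the file holds only kvno 2.
KLIST_OUTPUT = """\
Keytab name: FILE:/var/lib/ipa/gssproxy/http.keytab
KVNO Timestamp           Principal
---- ------------------- ------------------------------------------------------
   2 30/01/2025 14:33:57 HTTP/ipa4.example.test@EXAMPLE.TEST (aes256-cts-hmac-sha1-96)
   2 30/01/2025 14:33:57 HTTP/ipa4.example.test@EXAMPLE.TEST (aes128-cts-hmac-sha1-96)
   2 30/01/2025 14:33:57 HTTP/ipa4.example.test@EXAMPLE.TEST (arcfour-hmac)
"""
# Constructed sample of `kvno HTTP/ipa4.example.test` output (needs any valid TGT):
# the KDC, and therefore the LDAP entry, is still at kvno 1.
KVNO_OUTPUT = "HTTP/ipa4.example.test@EXAMPLE.TEST: kvno = 1\n"
# klist -kte row: kvno, date, time, principal, (enctype); assumes a two-token timestamp.
KLIST_ROW = re.compile(r"^\s*(\d+)\s+\S+\s+\S+\s+(\S+)\s+\(([^)]+)\)\s*$")
KVNO_ROW = re.compile(r"^(\S+): kvno = (\d+)\s*$")

def parse_klist(text):
    """Return {principal: {kvno: [enctype, ...]}} from klist -kte output."""
    entries = defaultdict(lambda: defaultdict(list))
    for line in text.splitlines():
        m = KLIST_ROW.match(line)
        if m:
            entries[m.group(2)][int(m.group(1))].append(m.group(3))
    return entries

def parse_kvno(text):
    """Return {principal: kvno} from kvno(1) output."""
    return {m.group(1): int(m.group(2))
            for m in map(KVNO_ROW.match, text.splitlines()) if m}

def check_keytab(klist_text, kvno_text):
    """Return (principal, kdc_kvno, kvnos_in_file) for each principal whose KDC kvno
    is absent from the keytab file; an empty list means file and KDC agree."""
    keytab = parse_klist(klist_text)
    findings = []
    for princ, kdc_kvno in parse_kvno(kvno_text).items():
        in_file = sorted(keytab.get(princ, {}))
        if kdc_kvno not in in_file:
            findings.append((princ, kdc_kvno, in_file))
    return findings

if __name__ == "__main__":
    for princ, kdc_kvno, in_file in check_keytab(KLIST_OUTPUT, KVNO_OUTPUT):
        print(f"{princ}: KDC serves kvno {kdc_kvno} but keytab holds {in_file}; "
              "fetch the existing key with ipa-getkeytab -r rather than regenerating")
```

On a real server, feed it the output of `klist -kte /var/lib/ipa/gssproxy/http.keytab` and `kvno HTTP/<fqdn>`; a non-empty result is the file-versus-LDAP mismatch the thread is about, and the fix is to retrieve (not regenerate) the key as Florence suggests.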