Hello,

Sorry I explained myself badly, I was thinking of the "final" step after
- ipa-getkeytab -r -p 'HTTP/ipa4.lix.polytechnique...@lix.polytechnique.fr' -D cn=directory\ manager -w Secret123 -k /tmp/gssproxy.keytab
- klist -kte /tmp/gssproxy.keytab
- KRB5_TRACE=/dev/stderr  kinit -kt /var/lib/ipa/gssproxy/http.keytab $PRINCIPAL (which was failing before because of the typo)

In one previous answer, you said
If it succeeds, replace the file /var/lib/ipa/gssproxy/http.keytab with /tmp/gssproxy.keytab (make a backup first) and restart ipa services with ipactl restart.

You should also check that there is no replication issue between your servers.

That's why I asked noob questions about backup and replicas.

Thank you for your help

Regards,

Frederic

Frédéric AYRAULT
Administrateur Systèmes et Réseaux
Laboratoire d'Informatique de l'Ecole polytechnique <http://www.lix.polytechnique.fr>
f...@lix.polytechnique.fr

On 05/03/2025 at 09:26, Florence Blanc-Renaud wrote:
Hi,

On Fri, Feb 28, 2025 at 2:40 PM Frederic Ayrault <f...@lix.polytechnique.fr> wrote:

    Hello,

    Sorry for the late answer, it looks like it is working (I put the log
    hereafter).

    One of my replicas is down because of electrical problems, so I
    prefer to wait before replacing /var/lib/ipa/gssproxy/http.keytab.

    To avoid any replication issue, is there any precaution to take
    with the replicas: stop IPA using ipactl, power off the servers, or
    something else?

The ipa-getkeytab -r operation does not write anything in LDAP, it just retrieves an existing value. It means you don't need to worry about the other replicas.
flo


    I will do a copy of the VM after using ipa-backup, and just to be
    sure, is this the only command I need to use?

    Thank you

    Regards,

    Frederic

    [9489] 1740749040.198732: Getting initial credentials for HTTP/ipa4.lix.polytechnique...@lix.polytechnique.fr
    [9489] 1740749040.198733: Looked up etypes in keytab: aes256-cts, aes128-cts, des3-cbc-sha1, rc4-hmac, aes256-cts, aes128-cts, des3-cbc-sha1, rc4-hmac
    [9489] 1740749040.198735: Sending unauthenticated request
    [9489] 1740749040.198736: Sending request (215 bytes) to LIX.POLYTECHNIQUE.FR
    [9489] 1740749040.198737: Initiating TCP connection to stream 193.55.176.152:88
    [9489] 1740749040.198738: Sending TCP request to stream 193.55.176.152:88
    [9489] 1740749040.198739: Received answer (352 bytes) from stream 193.55.176.152:88
    [9489] 1740749040.198740: Terminating TCP connection to stream 193.55.176.152:88
    [9489] 1740749040.198741: Response was from master KDC
    [9489] 1740749040.198742: Received error from KDC: -1765328359/Additional pre-authentication required
    [9489] 1740749040.198745: Preauthenticating using KDC method data
    [9489] 1740749040.198746: Processing preauth types: PA-PK-AS-REQ (16), PA-PK-AS-REP_OLD (15), PA-PK-AS-REQ_OLD (14), PA-FX-FAST (136), PA-ETYPE-INFO2 (19), PA-PKINIT-KX (147), PA-ENC-TIMESTAMP (2), PA-FX-COOKIE (133)
    [9489] 1740749040.198747: Selected etype info: etype aes256-cts, salt "B(H"|0MI*@=l?gT\", params ""
    [9489] 1740749040.198748: Received cookie: MIT
    [9489] 1740749040.198749: PKINIT client has no configured identity; giving up
    [9489] 1740749040.198750: Preauth module pkinit (147) (info) returned: 0/Success
    [9489] 1740749040.198751: PKINIT client has no configured identity; giving up
    [9489] 1740749040.198752: Preauth module pkinit (16) (real) returned: 22/Argument invalide
    [9489] 1740749040.198753: PKINIT client has no configured identity; giving up
    [9489] 1740749040.198754: Preauth module pkinit (14) (real) returned: 22/Argument invalide
    [9489] 1740749040.198755: Retrieving HTTP/ipa4.lix.polytechnique...@lix.polytechnique.fr from FILE:/tmp/gssproxy.keytab (vno 0, enctype aes256-cts) with result: 0/Success
    [9489] 1740749040.198756: AS key obtained for encrypted timestamp: aes256-cts/E899
    [9489] 1740749040.198758: Encrypted timestamp (for 1740749040.204474): plain 301AA011180F32303235303232383133323430305AA1050203031EBA, encrypted AA600EB73834E7A15065157CD2A52F22879365F57DC6465EC1D35B0B696C398FAAB109EA583E0E56FE1E68ADA7AE7BE66F1C62EAF70E21C0
    [9489] 1740749040.198759: Preauth module encrypted_timestamp (2) (real) returned: 0/Success
    [9489] 1740749040.198760: Produced preauth for next request: PA-FX-COOKIE (133), PA-ENC-TIMESTAMP (2)
    [9489] 1740749040.198761: Sending request (310 bytes) to LIX.POLYTECHNIQUE.FR
    [9489] 1740749040.198762: Initiating TCP connection to stream 193.55.176.152:88
    [9489] 1740749040.198763: Sending TCP request to stream 193.55.176.152:88
    [9489] 1740749040.198764: Received answer (815 bytes) from stream 193.55.176.152:88
    [9489] 1740749040.198765: Terminating TCP connection to stream 193.55.176.152:88
    [9489] 1740749040.198766: Response was from master KDC
    [9489] 1740749040.198767: Processing preauth types: PA-ETYPE-INFO2 (19)
    [9489] 1740749040.198768: Selected etype info: etype aes256-cts, salt "B(H"|0MI*@=l?gT\", params ""
    [9489] 1740749040.198769: Produced preauth for next request: (empty)
    [9489] 1740749040.198770: AS key determined by preauth: aes256-cts/E899
    [9489] 1740749040.198771: Decrypted AS reply; session key is: aes256-cts/6082
    [9489] 1740749040.198772: FAST negotiation: available
    [9489] 1740749040.198773: Initializing KEYRING:persistent:0:0 with default princ HTTP/ipa4.lix.polytechnique...@lix.polytechnique.fr
    [9489] 1740749040.198774: Storing HTTP/ipa4.lix.polytechnique...@lix.polytechnique.fr -> krbtgt/lix.polytechnique...@lix.polytechnique.fr in KEYRING:persistent:0:0
    [9489] 1740749040.198775: Storing config in KEYRING:persistent:0:0 for krbtgt/lix.polytechnique...@lix.polytechnique.fr: fast_avail: yes
    [9489] 1740749040.198776: Storing HTTP/ipa4.lix.polytechnique...@lix.polytechnique.fr -> krb5_ccache_conf_data/fast_avail/krbtgt\/LIX.POLYTECHNIQUE.FR\@LIX.POLYTECHNIQUE.FR@X-CACHECONF: in KEYRING:persistent:0:0
    [9489] 1740749040.198777: Storing config in KEYRING:persistent:0:0 for krbtgt/lix.polytechnique...@lix.polytechnique.fr: pa_type: 2
    [9489] 1740749040.198778: Storing HTTP/ipa4.lix.polytechnique...@lix.polytechnique.fr -> krb5_ccache_conf_data/pa_type/krbtgt\/LIX.POLYTECHNIQUE.FR\@LIX.POLYTECHNIQUE.FR@X-CACHECONF: in KEYRING:persistent:0:0




    On 26/02/2025 at 15:30, Florence Blanc-Renaud via FreeIPA-users
    wrote:
    Hi Frederic,

    I see that there was an unwanted space in one of the commands I
    provided, sorry about that:
    ipa-getkeytab -r -p ' HTTP/ipa4.lix.polytechnique...@lix.polytechnique.fr' -D cn=directory\ manager -w Secret123 -k /tmp/gssproxy.keytab

    (just between the opening ' and HTTP). Please retry without this
    space:
    ipa-getkeytab -r -p 'HTTP/ipa4.lix.polytechnique...@lix.polytechnique.fr' -D cn=directory\ manager -w Secret123 -k /tmp/gssproxy.keytab

    flo

    On Mon, Feb 24, 2025 at 10:19 AM Frederic Ayrault
    <f...@lix.polytechnique.fr> wrote:

        Hello,

        On 30/01/2025 at 21:11, Frederic Ayrault via FreeIPA-users
        wrote:
        > Good evening,
        >
        >
        > On 30/01/2025 at 20:58, Rob Crittenden wrote:
        >> Frederic Ayrault via FreeIPA-users wrote:
        >>> On 30/01/2025 at 13:48, Florence Blanc-Renaud wrote:
        >>>
        >>>> try kinit with this one.
        >> Can you show us the exact command you used?
        >
        > I tried this one:
        >
        > KRB5_TRACE=/dev/stderr  kinit -kt /tmp/gssproxy.keytab HTTP/ipa4.lix.polytechnique...@lix.polytechnique.fr

        Is this the correct command?

        If not, what should I try?

        And if it is the right one, do you have an idea what the
        problem is?

        >
        >> rob
        >
        > Thank you
        >
        > Regards,
        >
        > Frederic
        >
        >>
        >>> but this fails
        >>>
        >>> [13189] 1738244077.982026: Resolving unique ccache of type KEYRING
        >>> [13189] 1738244077.982027: Getting initial credentials for HTTP/ipa4.lix.polytechnique...@lix.polytechnique.fr
        >>> [13189] 1738244077.982028: Looked up etypes in keytab: (empty)
        >>> [13189] 1738244077.982029: Getting initial credentials for HTTP/ipa4.lix.polytechnique...@lix.polytechnique.fr
        >>> [13189] 1738244077.982030: Looked up etypes in keytab: (empty)
        >>> kinit: Keytab contains no suitable keys for HTTP/ipa4.lix.polytechnique...@lix.polytechnique.fr while getting initial credentials
        >>>
        >

        Thank you for your help

        Regards,

        Frederic





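The two KRB5_TRACE captures in this thread differ in a way a script can check: the failing one reports "Looked up etypes in keytab: (empty)", the working one reaches "Decrypted AS reply". This added shell example (not code from the thread or from FreeIPA) triages such a trace and only then carries out the step from the reply: back up /var/lib/ipa/gssproxy/http.keytab, replace it, and run "ipactl restart". It assumes ipactl is on the PATH; the sample trace lines and the principal HTTP/ipa4.example.test@EXAMPLE.TEST are constructed.

```shell
#!/bin/sh
# Added example, not from the thread: triage the KRB5_TRACE output of
# "kinit -kt <keytab> <principal>", then install a keytab that passed the
# check the way the reply describes (backup, replace, "ipactl restart").
# Sample trace lines below are constructed to mirror the thread's traces.

# One-word verdict for a trace file: success, keytab-no-keys, kdc-error
# (a KDC error other than the routine "pre-authentication required"), unknown.
classify_krb5_trace() {
    if grep -q 'Decrypted AS reply' "$1"; then echo success
    elif grep -q 'Looked up etypes in keytab: (empty)' "$1"; then echo keytab-no-keys
    elif grep 'Received error from KDC' "$1" \
            | grep -v 'Additional pre-authentication required' | grep -q .; then echo kdc-error
    else echo unknown
    fi
}

# Enctypes kinit found in the keytab, one per line, deduplicated.
keytab_etypes_from_trace() {
    sed -n 's/.*Looked up etypes in keytab: //p' "$1" \
        | tr ',' '\n' | sed -e 's/^ *//' -e '/^$/d' -e '/(empty)/d' | sort -u
}

# Install a keytab whose kinit trace says "success": keep a timestamped
# backup, overwrite the live file in place (owner and mode stay as gssproxy
# expects), then restart IPA. Returns non-zero before touching anything else.
install_http_keytab() {
    new=$1 trace=$2 live=/var/lib/ipa/gssproxy/http.keytab
    [ "$(classify_krb5_trace "$trace")" = success ] || return 1
    cp -p "$live" "$live.bak.$(date +%Y%m%d%H%M%S)" || return 1
    cat "$new" > "$live" || return 1
    ipactl restart
}

# Constructed samples (principal and realm are placeholders).
bad_trace=$(mktemp); cat > "$bad_trace" <<'EOF'
[13189] 1738244077.982028: Looked up etypes in keytab: (empty)
kinit: Keytab contains no suitable keys for HTTP/ipa4.example.test@EXAMPLE.TEST while getting initial credentials
EOF
good_trace=$(mktemp); cat > "$good_trace" <<'EOF'
[9489] 1740749040.198733: Looked up etypes in keytab: aes256-cts, aes128-cts, des3-cbc-sha1, rc4-hmac, aes256-cts, aes128-cts
[9489] 1740749040.198742: Received error from KDC: -1765328359/Additional pre-authentication required
[9489] 1740749040.198771: Decrypted AS reply; session key is: aes256-cts/6082
EOF

echo "first trace:  $(classify_krb5_trace "$bad_trace")"    # keytab-no-keys
echo "second trace: $(classify_krb5_trace "$good_trace")"   # success
echo "keytab enctypes: $(keytab_etypes_from_trace "$good_trace" | tr '\n' ' ')"
```

Run install_http_keytab only on the IPA server itself, passing the verified /tmp/gssproxy.keytab and the file the KRB5_TRACE output was saved to.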
-- 
_______________________________________________
FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org
To unsubscribe send an email to freeipa-users-le...@lists.fedorahosted.org
Fedora Code of Conduct: 
https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: 
https://lists.fedorahosted.org/archives/list/freeipa-users@lists.fedorahosted.org
Do not reply to spam, report it: 
https://pagure.io/fedora-infrastructure/new_issue
