Hi,

On Wed, Mar 5, 2025 at 11:55 AM Frederic Ayrault <f...@lix.polytechnique.fr> wrote:
> Hello,
>
> Sorry I explained myself badly, I was thinking of the "final" step after
> - ipa-getkeytab -r -p 'HTTP/ipa4.lix.polytechnique...@lix.polytechnique.fr'
> -D cn=directory\ manager -w Secret123 -k /tmp/gssproxy.keytab
> - klist -kte /tmp/gssproxy.keytab
> - KRB5_TRACE=/dev/stderr kinit -kt /var/lib/ipa/gssproxy/http.keytab
> $PRINCIPAL (which was failing before because of the typo)
>
> In one previous answer, you said
>
> If it succeeds, replace the file /var/lib/ipa/gssproxy/http.keytab with
> /tmp/gssproxy.keytab (make a backup first) and restart ipa services with
> ipactl restart.
>

I meant "make a backup of the file /var/lib/ipa/gssproxy/http.keytab" = copy it somewhere in case you need to recover it.
"ipactl restart" will make your server temporarily unavailable but replication resumes automatically when it comes back.

Hope this clarifies,
flo

> You should also check that there is no replication issue between your
> servers.
>
>
> That's why I asked noob questions about backup and replicas.
>
> Thank you for your help
>
> Regards,
>
> Frederic
>
> Frédéric AYRAULT
> Systems and Network Administrator
> Laboratoire d'Informatique de l'Ecole polytechnique
> <http://www.lix.polytechnique.fr>
> f...@lix.polytechnique.fr
>
> On 05/03/2025 at 09:26, Florence Blanc-Renaud wrote:
>
> Hi,
>
> On Fri, Feb 28, 2025 at 2:40 PM Frederic Ayrault <
> f...@lix.polytechnique.fr> wrote:
>
>> Hello,
>>
>> Sorry for the late answer, it looks like it is working (I put the log
>> hereafter)
>>
>> One of my replicas is down because of electrical problems so I prefer to
>> wait before replacing /var/lib/ipa/gssproxy/http.keytab
>>
>> To avoid any replication issue, is there any precaution to take with the
>> replicas,
>> stop ipa using ipactl, poweroff the servers or something else?
>>
> The ipa-getkeytab -r operation does not write anything in LDAP, it just
> retrieves an existing value. It means you don't need to worry about the
> other replicas.
> flo
>
>>
>> I will do a copy of the VM after using ipa-backup, and just to be sure,
>> is this the only command I need to use?
>>
>> Thank you
>>
>> Regards,
>>
>> Frederic
>>
>> [9489] 1740749040.198732: Getting initial credentials for HTTP/ipa4.lix.polytechnique...@lix.polytechnique.fr
>> [9489] 1740749040.198733: Looked up etypes in keytab: aes256-cts, aes128-cts, des3-cbc-sha1, rc4-hmac, aes256-cts, aes128-cts, des3-cbc-sha1, rc4-hmac
>> [9489] 1740749040.198735: Sending unauthenticated request
>> [9489] 1740749040.198736: Sending request (215 bytes) to LIX.POLYTECHNIQUE.FR
>> [9489] 1740749040.198737: Initiating TCP connection to stream 193.55.176.152:88
>> [9489] 1740749040.198738: Sending TCP request to stream 193.55.176.152:88
>> [9489] 1740749040.198739: Received answer (352 bytes) from stream 193.55.176.152:88
>> [9489] 1740749040.198740: Terminating TCP connection to stream 193.55.176.152:88
>> [9489] 1740749040.198741: Response was from master KDC
>> [9489] 1740749040.198742: Received error from KDC: -1765328359/Additional pre-authentication required
>> [9489] 1740749040.198745: Preauthenticating using KDC method data
>> [9489] 1740749040.198746: Processing preauth types: PA-PK-AS-REQ (16), PA-PK-AS-REP_OLD (15), PA-PK-AS-REQ_OLD (14), PA-FX-FAST (136), PA-ETYPE-INFO2 (19), PA-PKINIT-KX (147), PA-ENC-TIMESTAMP (2), PA-FX-COOKIE (133)
>> [9489] 1740749040.198747: Selected etype info: etype aes256-cts, salt "B(H"|0MI*@=l?gT\", params ""
>> [9489] 1740749040.198748: Received cookie: MIT
>> [9489] 1740749040.198749: PKINIT client has no configured identity; giving up
>> [9489] 1740749040.198750: Preauth module pkinit (147) (info) returned: 0/Success
>> [9489] 1740749040.198751: PKINIT client has no configured identity; giving up
>> [9489] 1740749040.198752: Preauth module pkinit (16) (real) returned: 22/Argument invalide
>> [9489] 1740749040.198753: PKINIT client has no configured identity; giving up
>> [9489] 1740749040.198754: Preauth module pkinit (14) (real) returned: 22/Argument invalide
>> [9489] 1740749040.198755: Retrieving HTTP/ipa4.lix.polytechnique...@lix.polytechnique.fr from FILE:/tmp/gssproxy.keytab (vno 0, enctype aes256-cts) with result: 0/Success
>> [9489] 1740749040.198756: AS key obtained for encrypted timestamp: aes256-cts/E899
>> [9489] 1740749040.198758: Encrypted timestamp (for 1740749040.204474): plain 301AA011180F32303235303232383133323430305AA1050203031EBA, encrypted AA600EB73834E7A15065157CD2A52F22879365F57DC6465EC1D35B0B696C398FAAB109EA583E0E56FE1E68ADA7AE7BE66F1C62EAF70E21C0
>> [9489] 1740749040.198759: Preauth module encrypted_timestamp (2) (real) returned: 0/Success
>> [9489] 1740749040.198760: Produced preauth for next request: PA-FX-COOKIE (133), PA-ENC-TIMESTAMP (2)
>> [9489] 1740749040.198761: Sending request (310 bytes) to LIX.POLYTECHNIQUE.FR
>> [9489] 1740749040.198762: Initiating TCP connection to stream 193.55.176.152:88
>> [9489] 1740749040.198763: Sending TCP request to stream 193.55.176.152:88
>> [9489] 1740749040.198764: Received answer (815 bytes) from stream 193.55.176.152:88
>> [9489] 1740749040.198765: Terminating TCP connection to stream 193.55.176.152:88
>> [9489] 1740749040.198766: Response was from master KDC
>> [9489] 1740749040.198767: Processing preauth types: PA-ETYPE-INFO2 (19)
>> [9489] 1740749040.198768: Selected etype info: etype aes256-cts, salt "B(H"|0MI*@=l?gT\", params ""
>> [9489] 1740749040.198769: Produced preauth for next request: (empty)
>> [9489] 1740749040.198770: AS key determined by preauth: aes256-cts/E899
>> [9489] 1740749040.198771: Decrypted AS reply; session key is: aes256-cts/6082
>> [9489] 1740749040.198772: FAST negotiation: available
>> [9489] 1740749040.198773: Initializing KEYRING:persistent:0:0 with default princ HTTP/ipa4.lix.polytechnique...@lix.polytechnique.fr
>> [9489] 1740749040.198774: Storing HTTP/ipa4.lix.polytechnique...@lix.polytechnique.fr -> krbtgt/lix.polytechnique...@lix.polytechnique.fr in KEYRING:persistent:0:0
>> [9489] 1740749040.198775: Storing config in KEYRING:persistent:0:0 for krbtgt/lix.polytechnique...@lix.polytechnique.fr: fast_avail: yes
>> [9489] 1740749040.198776: Storing HTTP/ipa4.lix.polytechnique...@lix.polytechnique.fr -> krb5_ccache_conf_data/fast_avail/krbtgt\/LIX.POLYTECHNIQUE.FR\@LIX.POLYTECHNIQUE.FR@X-CACHECONF: in KEYRING:persistent:0:0
>> [9489] 1740749040.198777: Storing config in KEYRING:persistent:0:0 for krbtgt/lix.polytechnique...@lix.polytechnique.fr: pa_type: 2
>> [9489] 1740749040.198778: Storing HTTP/ipa4.lix.polytechnique...@lix.polytechnique.fr -> krb5_ccache_conf_data/pa_type/krbtgt\/LIX.POLYTECHNIQUE.FR\@LIX.POLYTECHNIQUE.FR@X-CACHECONF: in KEYRING:persistent:0:0
>>
>>
>> Frédéric AYRAULT
>> Systems and Network Administrator
>> Laboratoire d'Informatique de l'Ecole polytechnique
>> <http://www.lix.polytechnique.fr>
>> f...@lix.polytechnique.fr
>>
>> On 26/02/2025 at 15:30, Florence Blanc-Renaud via FreeIPA-users wrote:
>>
>> Hi Frederic,
>>
>> I see that there was an unwanted space in one of the commands I provided,
>> sorry about that:
>> ipa-getkeytab -r -p ' HTTP/ipa4.lix.polytechnique...@lix.polytechnique.fr'
>> -D cn=directory\ manager -w Secret123 -k /tmp/gssproxy.keytab
>>
>> (just between the opening ' and HTTP).
>> Please retry without this space:
>> ipa-getkeytab -r -p 'HTTP/ipa4.lix.polytechnique...@lix.polytechnique.fr'
>> -D cn=directory\ manager -w Secret123 -k /tmp/gssproxy.keytab
>>
>> flo
>>
>> On Mon, Feb 24, 2025 at 10:19 AM Frederic Ayrault <
>> f...@lix.polytechnique.fr> wrote:
>>
>>> Hello,
>>>
>>> On 30/01/2025 at 21:11, Frederic Ayrault via FreeIPA-users wrote:
>>> > Good evening,
>>> >
>>> >
>>> > On 30/01/2025 at 20:58, Rob Crittenden wrote:
>>> >> Frederic Ayrault via FreeIPA-users wrote:
>>> >>> On 30/01/2025 at 13:48, Florence Blanc-Renaud wrote:
>>> >>>
>>> >>>> try kinit with this one.
>>> >> Can you show us the exact command you used?
>>> >
>>> > I tried this one:
>>> >
>>> > KRB5_TRACE=/dev/stderr kinit -kt /tmp/gssproxy.keytab
>>> > HTTP/ipa4.lix.polytechnique...@lix.polytechnique.fr
>>>
>>> is this the correct command?
>>>
>>> if not, what should I try?
>>>
>>> and if it is the good one, do you have an idea what the problem is?
>>>
>>> >
>>> >> rob
>>> >
>>> > Thank you
>>> >
>>> > Regards,
>>> >
>>> > Frederic
>>> >
>>> >>
>>> >>> but this fails
>>> >>>
>>> >>> [13189] 1738244077.982026: Resolving unique ccache of type KEYRING
>>> >>> [13189] 1738244077.982027: Getting initial credentials for HTTP/ipa4.lix.polytechnique...@lix.polytechnique.fr
>>> >>> [13189] 1738244077.982028: Looked up etypes in keytab: (empty)
>>> >>> [13189] 1738244077.982029: Getting initial credentials for HTTP/ipa4.lix.polytechnique...@lix.polytechnique.fr
>>> >>> [13189] 1738244077.982030: Looked up etypes in keytab: (empty)
>>> >>> kinit: Keytab contains no suitable keys for HTTP/ipa4.lix.polytechnique...@lix.polytechnique.fr while getting initial credentials
>>> >>>
>>> >
>>>
>>> Thank you for your help
>>>
>>> Regards,
>>>
>>> Frederic
>>>
>>>
>>
>>
>
--
_______________________________________________
FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org
To unsubscribe send an email to freeipa-users-le...@lists.fedorahosted.org
Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: https://lists.fedorahosted.org/archives/list/freeipa-users@lists.fedorahosted.org
Do not reply to spam, report it: https://pagure.io/fedora-infrastructure/new_issue
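The "final" step discussed in the thread (back up the live keytab, verify the retrieved one with klist and kinit, replace it, run ipactl restart) as an added shell example; this is not code from the thread or from FreeIPA. It assumes the candidate keytab already sits at /tmp/gssproxy.keytab as in the thread; the PRINCIPAL default and the script name swap-http-keytab.sh are placeholders to adjust.

```sh
#!/bin/sh
# Added example, not from the thread or from FreeIPA: a checked swap of the
# gssproxy HTTP keytab. Assumes the candidate was already retrieved with
# "ipa-getkeytab -r ... -k /tmp/gssproxy.keytab" (read-only in LDAP, so the
# replicas are unaffected). PRINCIPAL below is a placeholder.
set -eu

PRINCIPAL="${PRINCIPAL:-HTTP/ipa.example.test@EXAMPLE.TEST}"
CANDIDATE="${CANDIDATE:-/tmp/gssproxy.keytab}"
LIVE="${LIVE:-/var/lib/ipa/gssproxy/http.keytab}"

# Copy a keytab aside with a timestamp suffix and print the backup path.
backup_keytab() {
    src="$1"
    dst="${src}.bak.$(date +%Y%m%d%H%M%S)"
    cp -p "$src" "$dst"
    chmod 0600 "$dst"
    printf '%s\n' "$dst"
}

# A candidate keytab is acceptable only if it holds a key for the principal
# and a kinit against the KDC succeeds with it. A throwaway credential
# cache keeps the real KEYRING cache untouched.
verify_keytab() {
    kt="$1"; princ="$2"
    klist -kte "$kt" | grep -Fq "$princ" || return 1
    ccache=$(mktemp)
    KRB5CCNAME="FILE:$ccache" kinit -kt "$kt" "$princ" || { rm -f "$ccache"; return 1; }
    kdestroy -c "FILE:$ccache" 2>/dev/null || rm -f "$ccache"
}

# Verify first, back up, overwrite in place (so owner and mode of the live
# file are kept), then restart the IPA services.
install_keytab() {
    verify_keytab "$CANDIDATE" "$PRINCIPAL"
    backup=$(backup_keytab "$LIVE")
    echo "backup written to $backup"
    cat "$CANDIDATE" > "$LIVE"
    ipactl restart
}

# Run the swap only when executed directly under this (placeholder) name;
# sourcing the file just defines the functions.
case "$0" in
    */swap-http-keytab.sh) install_keytab ;;
esac
```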