On 05/03/2025 at 14:57, Florence Blanc-Renaud wrote:
Hi,
On Wed, Mar 5, 2025 at 11:55 AM Frederic Ayrault <f...@lix.polytechnique.fr> wrote:
Hello,
Sorry, I explained myself badly; I was thinking of the "final" step after
- ipa-getkeytab -r -p 'HTTP/ipa4.lix.polytechnique...@lix.polytechnique.fr' -D cn=directory\ manager -w Secret123 -k /tmp/gssproxy.keytab
- klist -kte /tmp/gssproxy.keytab
- KRB5_TRACE=/dev/stderr kinit -kt /var/lib/ipa/gssproxy/http.keytab $PRINCIPAL (which was failing before because of the typo)
In one previous answer, you said
If it succeeds, replace the file
/var/lib/ipa/gssproxy/http.keytab with /tmp/gssproxy.keytab (make
a backup first) and restart ipa services with ipactl restart.
I meant "make a backup of the file /var/lib/ipa/gssproxy/http.keytab"
= copy it somewhere in case you need to recover it.
"ipactl restart" will make your server temporarily unavailable but
replication resumes automatically when it comes back.
Hope this clarifies,
Sorry for my misunderstanding. I have just replaced the file and restarted ipa;
login and ipa ping work now :-)
Thank you very much
flo
You should also check that there is no replication issue between
your servers.
That's why I asked noob questions about backup and replicas.
Thank you for your help
Regards,
Frederic
Frédéric AYRAULT
Systems and Network Administrator
Laboratoire d'Informatique de l'Ecole polytechnique
<http://www.lix.polytechnique.fr>
f...@lix.polytechnique.fr
On 05/03/2025 at 09:26, Florence Blanc-Renaud wrote:
Hi,
On Fri, Feb 28, 2025 at 2:40 PM Frederic Ayrault <f...@lix.polytechnique.fr> wrote:
Hello,
Sorry for the late answer; it looks like it is working (I put the log hereafter).
One of my replicas is down because of electrical problems, so I prefer to wait before replacing /var/lib/ipa/gssproxy/http.keytab.
To avoid any replication issue, is there any precaution to take with the replicas:
stop ipa using ipactl, power off the servers or something else?
The ipa-getkeytab -r operation does not write anything in LDAP,
it just retrieves an existing value. It means you don't need to
worry about the other replicas.
flo
I will make a copy of the VM after using ipa-backup, and just to be sure, is this the only command I need to use?
Thank you
Regards,
Frederic
[9489] 1740749040.198732: Getting initial credentials for HTTP/ipa4.lix.polytechnique...@lix.polytechnique.fr
[9489] 1740749040.198733: Looked up etypes in keytab: aes256-cts, aes128-cts, des3-cbc-sha1, rc4-hmac, aes256-cts, aes128-cts, des3-cbc-sha1, rc4-hmac
[9489] 1740749040.198735: Sending unauthenticated request
[9489] 1740749040.198736: Sending request (215 bytes) to LIX.POLYTECHNIQUE.FR
[9489] 1740749040.198737: Initiating TCP connection to stream 193.55.176.152:88
[9489] 1740749040.198738: Sending TCP request to stream 193.55.176.152:88
[9489] 1740749040.198739: Received answer (352 bytes) from stream 193.55.176.152:88
[9489] 1740749040.198740: Terminating TCP connection to stream 193.55.176.152:88
[9489] 1740749040.198741: Response was from master KDC
[9489] 1740749040.198742: Received error from KDC: -1765328359/Additional pre-authentication required
[9489] 1740749040.198745: Preauthenticating using KDC method data
[9489] 1740749040.198746: Processing preauth types: PA-PK-AS-REQ (16), PA-PK-AS-REP_OLD (15), PA-PK-AS-REQ_OLD (14), PA-FX-FAST (136), PA-ETYPE-INFO2 (19), PA-PKINIT-KX (147), PA-ENC-TIMESTAMP (2), PA-FX-COOKIE (133)
[9489] 1740749040.198747: Selected etype info: etype aes256-cts, salt "B(H"|0MI*@=l?gT\", params ""
[9489] 1740749040.198748: Received cookie: MIT
[9489] 1740749040.198749: PKINIT client has no configured identity; giving up
[9489] 1740749040.198750: Preauth module pkinit (147) (info) returned: 0/Success
[9489] 1740749040.198751: PKINIT client has no configured identity; giving up
[9489] 1740749040.198752: Preauth module pkinit (16) (real) returned: 22/Argument invalide
[9489] 1740749040.198753: PKINIT client has no configured identity; giving up
[9489] 1740749040.198754: Preauth module pkinit (14) (real) returned: 22/Argument invalide
[9489] 1740749040.198755: Retrieving HTTP/ipa4.lix.polytechnique...@lix.polytechnique.fr from FILE:/tmp/gssproxy.keytab (vno 0, enctype aes256-cts) with result: 0/Success
[9489] 1740749040.198756: AS key obtained for encrypted timestamp: aes256-cts/E899
[9489] 1740749040.198758: Encrypted timestamp (for 1740749040.204474): plain 301AA011180F32303235303232383133323430305AA1050203031EBA, encrypted AA600EB73834E7A15065157CD2A52F22879365F57DC6465EC1D35B0B696C398FAAB109EA583E0E56FE1E68ADA7AE7BE66F1C62EAF70E21C0
[9489] 1740749040.198759: Preauth module encrypted_timestamp (2) (real) returned: 0/Success
[9489] 1740749040.198760: Produced preauth for next request: PA-FX-COOKIE (133), PA-ENC-TIMESTAMP (2)
[9489] 1740749040.198761: Sending request (310 bytes) to LIX.POLYTECHNIQUE.FR
[9489] 1740749040.198762: Initiating TCP connection to stream 193.55.176.152:88
[9489] 1740749040.198763: Sending TCP request to stream 193.55.176.152:88
[9489] 1740749040.198764: Received answer (815 bytes) from stream 193.55.176.152:88
[9489] 1740749040.198765: Terminating TCP connection to stream 193.55.176.152:88
[9489] 1740749040.198766: Response was from master KDC
[9489] 1740749040.198767: Processing preauth types: PA-ETYPE-INFO2 (19)
[9489] 1740749040.198768: Selected etype info: etype aes256-cts, salt "B(H"|0MI*@=l?gT\", params ""
[9489] 1740749040.198769: Produced preauth for next request: (empty)
[9489] 1740749040.198770: AS key determined by preauth: aes256-cts/E899
[9489] 1740749040.198771: Decrypted AS reply; session key is: aes256-cts/6082
[9489] 1740749040.198772: FAST negotiation: available
[9489] 1740749040.198773: Initializing KEYRING:persistent:0:0 with default princ HTTP/ipa4.lix.polytechnique...@lix.polytechnique.fr
[9489] 1740749040.198774: Storing HTTP/ipa4.lix.polytechnique...@lix.polytechnique.fr -> krbtgt/lix.polytechnique...@lix.polytechnique.fr in KEYRING:persistent:0:0
[9489] 1740749040.198775: Storing config in KEYRING:persistent:0:0 for krbtgt/lix.polytechnique...@lix.polytechnique.fr: fast_avail: yes
[9489] 1740749040.198776: Storing HTTP/ipa4.lix.polytechnique...@lix.polytechnique.fr -> krb5_ccache_conf_data/fast_avail/krbtgt\/LIX.POLYTECHNIQUE.FR\@LIX.POLYTECHNIQUE.FR@X-CACHECONF: in KEYRING:persistent:0:0
[9489] 1740749040.198777: Storing config in KEYRING:persistent:0:0 for krbtgt/lix.polytechnique...@lix.polytechnique.fr: pa_type: 2
[9489] 1740749040.198778: Storing HTTP/ipa4.lix.polytechnique...@lix.polytechnique.fr -> krb5_ccache_conf_data/pa_type/krbtgt\/LIX.POLYTECHNIQUE.FR\@LIX.POLYTECHNIQUE.FR@X-CACHECONF: in KEYRING:persistent:0:0
On 26/02/2025 at 15:30, Florence Blanc-Renaud via FreeIPA-users wrote:
Hi Frederic,
I see that there was an unwanted space in one of the commands I provided, sorry about that:
ipa-getkeytab -r -p ' HTTP/ipa4.lix.polytechnique...@lix.polytechnique.fr' -D cn=directory\ manager -w Secret123 -k /tmp/gssproxy.keytab
(just between the opening ' and HTTP). Please retry without this space:
ipa-getkeytab -r -p 'HTTP/ipa4.lix.polytechnique...@lix.polytechnique.fr' -D cn=directory\ manager -w Secret123 -k /tmp/gssproxy.keytab
flo
On Mon, Feb 24, 2025 at 10:19 AM Frederic Ayrault <f...@lix.polytechnique.fr> wrote:
Hello,
On 30/01/2025 at 21:11, Frederic Ayrault via FreeIPA-users wrote:
> Good evening,
>
>
> On 30/01/2025 at 20:58, Rob Crittenden wrote:
>> Frederic Ayrault via FreeIPA-users wrote:
>>> On 30/01/2025 at 13:48, Florence Blanc-Renaud wrote:
>>>
>>>> try kinit with this one.
>> Can you show us the exact command you used?
>
> I tried this one:
>
> KRB5_TRACE=/dev/stderr kinit -kt /tmp/gssproxy.keytab HTTP/ipa4.lix.polytechnique...@lix.polytechnique.fr
Is this the correct command?
If not, what should I try?
And if it is the right one, do you have an idea what the problem is?
>
>> rob
>
> Thank you
>
> Regards,
>
> Frederic
>
>>
>>> but this fails
>>>
>>> [13189] 1738244077.982026: Resolving unique ccache of type KEYRING
>>> [13189] 1738244077.982027: Getting initial credentials for HTTP/ipa4.lix.polytechnique...@lix.polytechnique.fr
>>> [13189] 1738244077.982028: Looked up etypes in keytab: (empty)
>>> [13189] 1738244077.982029: Getting initial credentials for HTTP/ipa4.lix.polytechnique...@lix.polytechnique.fr
>>> [13189] 1738244077.982030: Looked up etypes in keytab: (empty)
>>> kinit: Keytab contains no suitable keys for HTTP/ipa4.lix.polytechnique...@lix.polytechnique.fr while getting initial credentials
>>>
>
Thank you for your help
Regards,
Frederic
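The retrieve, verify, back up, replace and restart sequence the thread settles on, written up as an added example that is not part of the thread or of FreeIPA itself. The paths are the thread's; the helper names, the AES-256 check, the throwaway credential cache and the constructed klist output are my assumptions, and the principal is a placeholder because the archive masks the real one.

```shell
#!/bin/sh
# Added example, not from the thread: verify a keytab fetched with
# "ipa-getkeytab -r" before swapping it into the gssproxy keytab.
# Paths are the thread's; helper names and the sample output are mine.
set -eu

# keytab_has_etype KLIST_TEXT PRINCIPAL ETYPE_PREFIX
# Succeeds when the text of "klist -kte" lists PRINCIPAL with a key whose
# enctype (printed in parentheses by klist) starts with ETYPE_PREFIX.
keytab_has_etype() {
    printf '%s\n' "$1" | awk -v p="$2" -v e="$3" '
        index($0, p) && ($0 ~ ("\\(" e)) { found = 1 }
        END { exit !found }'
}

# backup_path KEYTAB STAMP: name of the copy taken before the swap.
backup_path() { printf '%s.%s.bak\n' "$1" "$2"; }

# swap_keytab NEW OLD PRINCIPAL: require an AES-256 key, prove NEW works
# with kinit into a throwaway cache, back OLD up, overwrite it in place
# (owner, mode and SELinux label stay), then restart IPA as in the thread.
swap_keytab() {
    new=$1; old=$2; princ=$3
    keytab_has_etype "$(klist -kte "$new")" "$princ" aes256 ||
        { echo "no aes256 key for $princ in $new" >&2; return 1; }
    KRB5CCNAME="FILE:$(mktemp /tmp/kt-check.XXXXXX)"; export KRB5CCNAME
    KRB5_TRACE=/dev/stderr kinit -kt "$new" "$princ"
    kdestroy
    cp -p "$old" "$(backup_path "$old" "$(date +%Y%m%d%H%M%S)")"
    cat "$new" > "$old"
    ipactl restart
}

# Constructed "klist -kte" output (not real keys) to exercise the check
# offline; a real run passes the command output instead.
SAMPLE_KLIST='Keytab name: FILE:/tmp/gssproxy.keytab
KVNO Timestamp           Principal
---- ------------------- ------------------------------------------------------
   2 02/26/2025 15:30:00 HTTP/ipa4.example.test@EXAMPLE.TEST (aes256-cts-hmac-sha1-96)
   2 02/26/2025 15:30:00 HTTP/ipa4.example.test@EXAMPLE.TEST (aes128-cts-hmac-sha1-96)'

# Usage: sh check-keytab.sh --swap 'HTTP/<server-fqdn>@<REALM>'  (placeholder
# principal; the thread's real one is masked in the archive).
if [ "${1:-}" = "--swap" ] && [ $# -eq 2 ]; then
    swap_keytab /tmp/gssproxy.keytab /var/lib/ipa/gssproxy/http.keytab "$2"
fi
```

Because ipa-getkeytab -r only reads the existing key, the swap changes nothing on the other replicas; the kinit step is what confirms the new file before the old one is overwritten.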
--
_______________________________________________
FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org