Serge Krawczenko via FreeIPA-users wrote:
keytab file for user principal: ipa-getkeytab -p user@REALM -k keytab.file
in order to initiate it like kinit -kt keytab.file
and they perform ldapsearch -Y or ipa <some-command> from scripts, for example
and the questions are: how could ipa-getkeytab corrupt the entire Kerberos subsystem? What is the proper way to generate this keytab?
Getting a keytab for a user changes their password.
It's hard to know what is going on with so few details. You mentioned scripts, that this affects all users. But you only got a keytab for admin?
So I guess we need to see what you're really executing (have executed) to figure out what is going on.
So no users at all work? How? They can't kinit? They can't use the resulting ticket? Against which services?
rob
thank you
On Tue, Jun 21, 2022 at 6:51 PM Rob Crittenden <rcritten@redhat.com> wrote:
skrawczenko--- via FreeIPA-users wrote:
> Hello again.
>
> I gave up restoring certificates as discussed in https://lists.fedorahosted.org/archives/list/freeipa-users@lists.fedorahosted.org/thread/HAP3ZPJUPQQ7OM7H4PL7Y5WBC5E43J25/
> while I had to recover the service and rescue data at any cost.
>
> So my decision was probably wrong, but I didn't have options.
> I deployed RedHat instead of CentOS and then deployed fresh IPA 4.9.8.
>
> Then I migrated the directory from the old cluster, excluding Kerberos fields and some service accounts/groups.
> Rebuilt DNS etc.
>
> Initially everything was good; at least users, groups and credentials were saved.
> But further configuration resulted in some troubles. Briefly, I can't run commands as admin or anyone else.
>
> kinit admin
> Password for admin@<REALM>
> [root@idm0 ~]# klist
> Ticket cache: KCM:0
> Default principal: admin@<REALM>
>
> Valid starting       Expires              Service principal
> 06/20/22 07:42:19    06/21/22 06:42:23    krbtgt/<REALM>@<REALM>
>
> [root@idm0 ~]# ipa user-show admin
> ipa: ERROR: cannot connect to 'https://idm0...../ipa/session/json': Exceeded number of tries to forward a request.
>
> kinit <any other user>
>
> ipa user-show <any other user>
> ipa: ERROR: Insufficient access: Invalid credentials
>
>
> and /var/log/httpd/error.log has
> ipa: INFO: 401 Unauthorized: Insufficient access: Invalid credential
>
> What could be broken? This happened while I was trying to generate a keytab for kinit -kt <file> scripts...

You got a keytab for what? A user, service, other?

rob
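Rob's point above is that running ipa-getkeytab against a user principal issues that principal a new key (and a new key version number, kvno), so every older copy of its keytab, and any ticket cache obtained from one, stops matching the KDC. As an added example, not from this thread or from the FreeIPA project, the script below parses two `klist -kt` listings (constructed samples with a hypothetical principal and realm) and reports principals whose keytab entries are now behind the freshly generated keytab.

```python
import re

# Constructed sample: `klist -kt` output of a keytab copied to script hosts
# before the ipa-getkeytab run (hypothetical principal and realm).
OLD_KEYTAB_LISTING = """\
Keytab name: FILE:/etc/scripts/old.keytab
KVNO Timestamp           Principal
---- ------------------- ------------------------------------------------------
   3 06/01/2022 09:12:45 svcuser@EXAMPLE.TEST
   3 06/01/2022 09:12:45 svcuser@EXAMPLE.TEST
"""

# Constructed sample: listing of the keytab written by the later ipa-getkeytab run.
NEW_KEYTAB_LISTING = """\
Keytab name: FILE:keytab.file
KVNO Timestamp           Principal
---- ------------------- ------------------------------------------------------
   4 06/20/2022 07:40:11 svcuser@EXAMPLE.TEST
   4 06/20/2022 07:40:11 svcuser@EXAMPLE.TEST
"""

# One keytab entry: kvno, optional "date time" columns (present with -t), principal.
ENTRY_RE = re.compile(r"^\s*(\d+)\s+(?:\S+\s+\S+\s+)?(\S+@\S+)")


def parse_klist(listing):
    """Return {principal: highest kvno} found in a `klist -k`/`klist -kt` listing."""
    kvnos = {}
    for line in listing.splitlines():
        m = ENTRY_RE.match(line)
        if not m:  # header, separator and "Keytab name:" lines do not start with a number
            continue
        kvno, principal = int(m.group(1)), m.group(2)
        kvnos[principal] = max(kvno, kvnos.get(principal, 0))
    return kvnos


def stale_principals(old, new):
    """Principals whose kvno in `old` is lower than in `new`: those keytab
    copies, and any credential cache obtained from them, no longer match the KDC."""
    return sorted(p for p, k in old.items() if p in new and k < new[p])


if __name__ == "__main__":
    old, new = parse_klist(OLD_KEYTAB_LISTING), parse_klist(NEW_KEYTAB_LISTING)
    for p in stale_principals(old, new):
        print(f"{p}: keytab kvno {old[p]} is behind current kvno {new[p]}; replace every copy")
```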