Ronald Wimmer via FreeIPA-users wrote:
On 07.06.23 14:25, Simo Sorce via FreeIPA-users wrote:
On Wed, 2023-06-07 at 10:36 +0200, Ronald Wimmer via FreeIPA-users wrote:
On 19.09.17 12:07, Alexander Bokovoy wrote:
On Tue, 19 Sep 2017, Ronald Wimmer wrote:
On 2017-09-19 11:53, Alexander Bokovoy wrote:
[...] Please spend some time reading the documentation. It is vast and has a lot of answers to questions people keep asking on these lists.
I've already spent some time reading the documentation. Since "ipa-getkeytab" worked I was not aware of the fact that "ipa-getkeytab -r" would need:
ipa service-allow-retrieve-keytab HTTP/cluster.idm.example.com --hosts={node01.idm.example.com,node02.idm.example.com}
That's why I gave you these links, as you obviously didn't read them.
Glad that it works now.
As we ran into this problem again, it should be mentioned that restarting gssproxy.service can be necessary.
In our case Apache was looking for KVNO 1, whereas the actual file already had version number 4.
FWIW, gssapi should pick up new keys in keytabs without the need to restart.
I had to fetch a new keytab for this particular host as the host was accidentally deleted in IPA. (Would the old keytab file on the server still have worked after re-adding the host in IPA?)
The old keytab would not work. A keytab contains a secret. That is used to authenticate. If the value doesn't exist on the server, auth fails.
rob
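The KVNO mismatch discussed in this thread can be checked from the command line: `klist -kte <keytab>` lists every key version held in the keytab file, and `kvno <principal>` asks the KDC which version it currently expects. The script below, an added example that is not part of the thread or of FreeIPA, parses both outputs as MIT krb5 prints them and reports, per principal, whether the keytab on disk is current. The realm IDM.EXAMPLE.COM, the host/ principal and the sample output are constructed; the timestamp format of `klist -kt` depends on the locale, so the parser only requires two whitespace-separated timestamp tokens.

```python
"""Compare a keytab's key versions (klist -kte) with the KDC's current KVNO (kvno).

Added example for the FreeIPA-users thread above; not code from the thread,
FreeIPA or MIT krb5. The realm IDM.EXAMPLE.COM and both sample outputs below
are constructed to match the text formats the two MIT krb5 tools print.
"""
import re
from collections import defaultdict

# Constructed sample in the format of `klist -kte /etc/httpd/conf/ipa.keytab`.
# HTTP/cluster has the current key (4) next to the old one (1); the host/
# principal only has an old key, to show the "stale" case.
KLIST_OUTPUT = """\
Keytab name: FILE:/etc/httpd/conf/ipa.keytab
KVNO Timestamp           Principal
---- ------------------- ------------------------------------------------------
   1 09/19/2017 12:10:03 HTTP/cluster.idm.example.com@IDM.EXAMPLE.COM (aes256-cts-hmac-sha1-96)
   4 06/07/2023 10:02:41 HTTP/cluster.idm.example.com@IDM.EXAMPLE.COM (aes256-cts-hmac-sha1-96)
   4 06/07/2023 10:02:41 HTTP/cluster.idm.example.com@IDM.EXAMPLE.COM (aes128-cts-hmac-sha1-96)
   2 09/19/2017 12:10:03 host/node01.idm.example.com@IDM.EXAMPLE.COM (aes256-cts-hmac-sha1-96)
"""

# Constructed sample in the format of
# `kvno HTTP/cluster.idm.example.com host/node01.idm.example.com`.
KVNO_OUTPUT = """\
HTTP/cluster.idm.example.com@IDM.EXAMPLE.COM: kvno = 4
host/node01.idm.example.com@IDM.EXAMPLE.COM: kvno = 3
"""

# klist -kt[e] entry: KVNO, date, time, principal, optional "(enctype)".
ENTRY_RE = re.compile(r"^\s*(\d+)\s+(\S+)\s+(\S+)\s+(\S+)(?:\s+\((\S+)\))?\s*$")
# kvno output: "<principal>: kvno = <n>".
KVNO_RE = re.compile(r"^(\S+): kvno = (\d+)\s*$")


def parse_klist(text):
    """Return {principal: sorted list of distinct KVNOs} from `klist -kte` output."""
    versions = defaultdict(set)
    for line in text.splitlines():
        m = ENTRY_RE.match(line)
        if m:  # header, separator and "Keytab name:" lines do not match
            versions[m.group(4)].add(int(m.group(1)))
    return {principal: sorted(v) for principal, v in versions.items()}


def parse_kvno(text):
    """Return {principal: current KVNO} from `kvno` output, one principal per line."""
    current = {}
    for line in text.splitlines():
        m = KVNO_RE.match(line)
        if m:
            current[m.group(1)] = int(m.group(2))
    return current


def check_keytab(klist_text, kvno_text):
    """Classify each keytab principal against the KDC's current key version.

    Returns {principal: (status, keytab_kvnos, kdc_kvno)}:
      ok        the KDC's version is present in the keytab file
      stale     the file only holds older versions (re-fetch with ipa-getkeytab -r)
      mismatch  the file holds versions the KDC does not report, e.g. the
                principal was deleted and re-created so its key history is gone
      unknown   the kvno output had no line for this principal
    A matching KVNO only shows the version numbers agree; a re-created
    principal gets fresh random key material, so `kinit -kt` is the final test.
    """
    keytab = parse_klist(klist_text)
    kdc = parse_kvno(kvno_text)
    report = {}
    for principal, kvnos in keytab.items():
        current = kdc.get(principal)
        if current is None:
            status = "unknown"
        elif current in kvnos:
            status = "ok"
        elif max(kvnos) < current:
            status = "stale"
        else:
            status = "mismatch"
        report[principal] = (status, kvnos, current)
    return report


if __name__ == "__main__":
    for principal, (status, kvnos, current) in check_keytab(KLIST_OUTPUT, KVNO_OUTPUT).items():
        print(f"{status:8s} {principal}  keytab={kvnos}  kdc={current}")
```

In production the two inputs come from `subprocess.run(["klist", "-kte", path], ...)` and `subprocess.run(["kvno", *principals], ...)`; `kvno` needs a valid ticket in the credential cache. If the file reports `ok` but the service still authenticates with the old KVNO, as in the Apache case above, the running process (here gssproxy) is holding a stale copy and restarting it is what resolves the mismatch, not another `ipa-getkeytab`.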