On Wed, 2023-06-07 at 10:36 +0200, Ronald Wimmer via FreeIPA-users wrote:
> On 19.09.17 12:07, Alexander Bokovoy wrote:
> > On Tue, 19 Sep 2017, Ronald Wimmer wrote:
> > > On 2017-09-19 11:53, Alexander Bokovoy wrote:
> > > > [...]
> > > > Please spend some time reading the documentation. It is vast and has a
> > > > lot of answers to questions people keep asking on these lists.
> > >
> > > I've already spent some time reading the documentation. Since
> > > "ipa-getkeytab" worked I was not aware of the fact that "ipa-getkeytab
> > > -r" would need:
> > >
> > > ipa service-allow-retrieve-keytab HTTP/cluster.idm.example.com --hosts={node01.idm.example.com,node02.idm.example.com}
> > That's why I gave you these links as you obviously didn't read
> > them.
> >
> > Glad that it works now.
>
> As we ran into this problem again it should be mentioned that restarting
> gssproxy.service can be necessary.
> In our case Apache was looking for a KVNO 1 whereas the actual file did
> already have version number 4.

FWIW, gssapi should pick up new keys in keytabs without the need to
restart.
Simo.
--
Simo Sorce
RHEL Crypto Team
Red Hat, Inc
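
The KVNO mismatch described in this thread (Apache asking for KVNO 1 while the keytab already held version 4) can be checked by listing the key versions a keytab file actually contains. The following is an added example, not part of the original messages: a minimal Python reader for the MIT keytab file format 0x0502, where the realm `IDM.EXAMPLE.COM`, the KVNO values and the all-zero keys in the sample are constructed.

```python
import struct

def _counted(buf, off):
    """Read a 16-bit length-prefixed byte string; return (value, next offset)."""
    (n,) = struct.unpack_from(">H", buf, off)
    return buf[off + 2:off + 2 + n], off + 2 + n

def keytab_entries(data):
    """Return [(principal, kvno, enctype)] from an MIT keytab (file format 0x0502)."""
    if data[:2] != b"\x05\x02":
        raise ValueError("not a format 0x0502 keytab")
    out, pos = [], 2
    while pos + 4 <= len(data):
        (size,) = struct.unpack_from(">i", data, pos)
        pos += 4
        if size <= 0:                  # negative size marks a deleted slot
            pos += -size
            continue
        rec, pos = data[pos:pos + size], pos + size
        (ncomp,) = struct.unpack_from(">H", rec, 0)
        parts, off = [], 2
        for _ in range(ncomp + 1):     # realm first, then the name components
            part, off = _counted(rec, off)
            parts.append(part.decode())
        off += 8                       # skip name type and timestamp
        kvno, etype = struct.unpack_from(">BH", rec, off)
        _key, off = _counted(rec, off + 3)
        if len(rec) - off >= 4:        # optional 32-bit KVNO wins when non-zero
            kvno = struct.unpack_from(">I", rec, off)[0] or kvno
        out.append(("/".join(parts[1:]) + "@" + parts[0], kvno, etype))
    return out

def kvnos_for(data, principal):
    """Sorted key version numbers stored for one principal."""
    return sorted({k for p, k, _ in keytab_entries(data) if p == principal})

def sample_entry(principal, kvno, etype=18):
    """Build one constructed keytab entry with an all-zero 32-byte key."""
    name, realm = principal.rsplit("@", 1)
    body = struct.pack(">H", name.count("/") + 1)
    for s in [realm, *name.split("/")]:
        body += struct.pack(">H", len(s)) + s.encode()
    body += struct.pack(">IIBHH32xI", 1, 0, kvno & 0xFF, etype, 32, kvno)
    return struct.pack(">i", len(body)) + body

# Constructed sample: realm, KVNOs and keys are made up for this example.
SPN = "HTTP/cluster.idm.example.com@IDM.EXAMPLE.COM"
SAMPLE = b"\x05\x02" + sample_entry(SPN, 3) + sample_entry(SPN, 4)
print(kvnos_for(SAMPLE, SPN))
```

Feeding `keytab_entries` the bytes of the service keytab from each cluster node shows whether the version the service is asking for is present in the file at all.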