Serge Krawczenko via FreeIPA-users wrote:
keytab file for user principal
ipa-getkeytab -p user@REALM -k keytab.file
in order to initiate it like
kinit -kt keytab.file
and they perform ldapsearch -Y or ipa <some-command> from scripts for example
and the questions are:
how could ipa-getkeytab corrupt the entire kerberos subsystem?
what is the proper way to generate this keytab
Getting a keytab for a user changes their password.
It's hard to know what is going on with so few details. You mentioned
scripts, that this affects all users. But you only got a keytab for admin?
So I guess we need to see what you're really executing (have executed)
to figure out what is going on.
So no users at all work? How? They can't kinit? They can't use the
resulting ticket? Against which services?
rob
thank you
On Tue, Jun 21, 2022 at 6:51 PM Rob Crittenden <rcritten(a)redhat.com> wrote:
skrawczenko--- via FreeIPA-users wrote:
> Hello again.
>
> I gave up restoring certificates as discussed in https://lists.fedorahosted.org/archives/list/freeipa-users@lists.fedoraho...
> While I had to recover the service and rescue data at any cost
>
> So my decision was probably wrong but I didn't have options
> I deployed RedHat instead of CentOS and then deployed fresh IPA 4.9.8
>
> Then I migrated the directory from the old cluster excluding kerberos fields and some service accounts/groups
> Rebuilt DNS etc
>
> Initially everything was good, at least users, groups and credentials were saved.
> But further configuration resulted in some troubles. Briefly, I can't run commands as admin or anyone else
>
> kinit admin
> Password for admin@<REALM>
> [root@idm0 ~]# klist
> Ticket cache: KCM:0
> Default principal: admin@<REALM>
>
> Valid starting Expires Service principal
> 06/20/22 07:42:19 06/21/22 06:42:23 krbtgt/<REALM>@<REALM>
>
> [root@idm0 ~]# ipa user-show admin
> ipa: ERROR: cannot connect to 'https://idm0...../ipa/session/json': Exceeded number of tries to forward a request.
>
> kinit <any other user>
>
> ipa user-show <any other user>
> ipa: ERROR: Insufficient access: Invalid credentials
>
>
> and /var/log/httpd/error.log has
> ipa: INFO: 401 Unauthorized: Insufficient access: Invalid credential
>
> What could be broken? This happened while I was trying to generate a keytab for kinit -kt <file> scripts...
You got a keytab for what? A user, service, other?
rob
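Rob's point that fetching a keytab for a user changes their password is also why a keytab stops working the moment its key version number (kvno) no longer matches what the KDC holds. As an added example, not from this thread or from FreeIPA's own code, the Python below parses the MIT keytab file format and flags entries whose kvno differs from the value you feed in (for instance what the `kvno` command reports); the sample keytab, principal names and key bytes are constructed placeholders.

```python
import struct

def build_entry(principal, kvno, enctype, key, timestamp=0):
    """Serialize one keytab entry; used here only to construct sample data."""
    name, realm = principal.rsplit("@", 1)
    comps = name.split("/")
    counted = lambda b: struct.pack(">H", len(b)) + b   # uint16 length + bytes
    body = struct.pack(">H", len(comps)) + counted(realm.encode())
    body += b"".join(counted(c.encode()) for c in comps)
    body += struct.pack(">IIB", 1, timestamp, kvno & 0xFF)  # name type, time, 8-bit vno
    body += struct.pack(">HH", enctype, len(key)) + key
    body += struct.pack(">I", kvno)  # 32-bit kvno extension, needed once kvno > 255
    return struct.pack(">i", len(body)) + body

def _counted(data, pos):
    (n,) = struct.unpack_from(">H", data, pos)
    return data[pos + 2:pos + 2 + n].decode(), pos + 2 + n

def parse_keytab(data):
    """Return [{'principal','kvno','enctype'}, ...]; key bytes are skipped, not returned."""
    if data[:2] != b"\x05\x02":
        raise ValueError("not a version 2 keytab")
    entries, pos = [], 2
    while pos + 4 <= len(data):
        (size,) = struct.unpack_from(">i", data, pos)
        pos += 4
        if size <= 0:                 # negative length marks a deleted slot
            pos += -size
            continue
        end = pos + size
        (ncomp,) = struct.unpack_from(">H", data, pos)
        realm, pos = _counted(data, pos + 2)
        comps = []
        for _ in range(ncomp):
            comp, pos = _counted(data, pos)
            comps.append(comp)
        _name_type, _ts, vno8 = struct.unpack_from(">IIB", data, pos)
        enctype, klen = struct.unpack_from(">HH", data, pos + 9)
        pos += 13 + klen              # skip over the key material itself
        kvno = vno8
        if end - pos >= 4:            # trailing 32-bit kvno wins when non-zero
            kvno = struct.unpack_from(">I", data, pos)[0] or vno8
        pos = end
        entries.append({"principal": "/".join(comps) + "@" + realm, "kvno": kvno, "enctype": enctype})
    return entries

def stale_entries(entries, kdc_kvno):
    """Principals whose keytab kvno differs from the kvno the KDC currently reports."""
    return [e["principal"] for e in entries
            if e["principal"] in kdc_kvno and kdc_kvno[e["principal"]] != e["kvno"]]

# Constructed sample: a user-style principal at kvno 300 and a host principal at kvno 2.
SAMPLE_KEYTAB = (b"\x05\x02" + build_entry("svc-user@EXAMPLE.TEST", 300, 18, b"\x00" * 32)
                 + build_entry("host/idm0.example.test@EXAMPLE.TEST", 2, 17, b"\x11" * 16))
```

A keytab regenerated with fresh keys will show a higher kvno than the one a script is still carrying, which is the mismatch `stale_entries` surfaces.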