Ronald Wimmer via FreeIPA-users wrote:
On 07.06.23 14:25, Simo Sorce via FreeIPA-users wrote:
> On Wed, 2023-06-07 at 10:36 +0200, Ronald Wimmer via FreeIPA-users
> wrote:
>> On 19.09.17 12:07, Alexander Bokovoy wrote:
>>> On ti, 19 syys 2017, Ronald Wimmer wrote:
>>>> On 2017-09-19 11:53, Alexander Bokovoy wrote:
>>>>> [...]
>>>>> Please spend some time reading the documentation. It is vast and
>>>>> has a
>>>>> lot of answers to questions people keep asking on these lists.
>>>>
>>>> I've already spent some time reading the documentation. Since
>>>> "ipa-getkeytab" worked I was not aware of the fact that
>>>> "ipa-getkeytab -r" would need:
>>>>
>>>> ipa service-allow-retrieve-keytab HTTP/cluster.idm.example.com
>>>> --hosts={node01.idm.example.com,node02.idm.example.com}
>>> That's why I gave you these links, as you obviously didn't read
>>> them.
>>>
>>> Glad that it works now.
>>
>> As we ran into this problem again, it should be mentioned that restarting
>> gssproxy.service can be necessary.
>>
>> In our case Apache was looking for a KVNO 1 whereas the actual file did
>> already have version number 4.
>
>
> FWIW, gssapi should pick up new keys in keytabs without the need to
> restart.
I had to fetch a new keytab for this particular host as the host was
accidentally deleted in IPA. (would the old keytab file on the server
still have worked after re-adding the host in IPA?)
The old keytab would not work. A keytab contains a secret. That is used
to authenticate. If the value doesn't exist on the server, auth fails.
rob
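The KVNO mismatch described in the thread (the service trying a key version the keytab no longer holds, after the keytab was refetched with `ipa-getkeytab -r`) is quick to confirm from the shell: `klist -kt` shows which key versions a keytab file contains, and `kvno` shows which key version the KDC currently issues tickets with for the principal. The script below is an added example, not code from the thread or from FreeIPA; it parses constructed sample output of those two commands so the comparison can be exercised offline, and the keytab path, realm name IDM.EXAMPLE.COM and the `ipa-getkeytab` / `systemctl` commands in the comments are assumptions for illustration.

```shell
#!/bin/sh
# Added example (not from the thread): compare the KVNO stored in a keytab file with
# the KVNO the KDC currently issues for the same principal, to catch the "service
# wants KVNO 1, keytab has KVNO 4" situation described on the list.
#
# Live sources for the two inputs (not executed here):
#   klist -kt /etc/httpd/conf/ipa.keytab      # entries: KVNO, timestamp, principal
#   kvno HTTP/cluster.idm.example.com         # KDC-side: "<principal>: kvno = N"

PRINC="HTTP/cluster.idm.example.com@IDM.EXAMPLE.COM"   # realm name is assumed
KEYTAB="/etc/httpd/conf/ipa.keytab"                    # assumed path

# Constructed sample of `klist -kt "$KEYTAB"` output (MIT Kerberos format).
SAMPLE_KLIST='Keytab name: FILE:/etc/httpd/conf/ipa.keytab
KVNO Timestamp           Principal
---- ------------------- ------------------------------------------------------
   4 06/07/2023 10:12:01 HTTP/cluster.idm.example.com@IDM.EXAMPLE.COM
   4 06/07/2023 10:12:01 HTTP/cluster.idm.example.com@IDM.EXAMPLE.COM
   1 09/19/2017 11:50:22 host/node01.idm.example.com@IDM.EXAMPLE.COM'

# Constructed sample of `kvno "$PRINC"` output.
SAMPLE_KVNO='HTTP/cluster.idm.example.com@IDM.EXAMPLE.COM: kvno = 4'

# Highest KVNO the keytab holds for principal $1; reads `klist -kt` text on stdin.
# Data rows start with a number and end with the principal (the timestamp is two
# fields, so the principal is the last field, not $3).
keytab_kvno() {
    awk -v p="$1" '$NF == p && $1 ~ /^[0-9]+$/ { if ($1+0 > max) max = $1+0 }
                   END { print max+0 }'
}

# KVNO the KDC reports; reads `kvno` output on stdin.
kdc_kvno() {
    sed -n 's/.*kvno = \([0-9][0-9]*\).*/\1/p'
}

# check_kvno PRINCIPAL KLIST_TEXT KVNO_TEXT
# Returns 0 when the keytab's newest key for the principal matches the KDC's
# current KVNO, 1 otherwise (including when either side yields nothing).
check_kvno() {
    kt=$(printf '%s\n' "$2" | keytab_kvno "$1")
    kdc=$(printf '%s\n' "$3" | kdc_kvno)
    if [ -n "$kt" ] && [ -n "$kdc" ] && [ "$kt" -eq "$kdc" ]; then
        echo "OK: keytab kvno $kt matches KDC kvno $kdc for $1"
        return 0
    fi
    echo "MISMATCH: keytab kvno '$kt', KDC kvno '$kdc' for $1" >&2
    return 1
}

# On a mismatch, the remedy discussed in the thread (not executed here): the host
# must first be allowed to retrieve the keytab
#   ipa service-allow-retrieve-keytab "$PRINC" --hosts=node01.idm.example.com
# then refetch it and restart gssproxy so the proxy stops using the stale keys:
#   ipa-getkeytab -r -p "$PRINC" -k "$KEYTAB"
#   systemctl restart gssproxy.service

check_kvno "$PRINC" "$SAMPLE_KLIST" "$SAMPLE_KVNO"
```

Run it against real output by replacing the two sample strings with `$(klist -kt "$KEYTAB")` and `$(kvno "$PRINC")` (the latter needs a valid credential cache). Note the thread's point that a keytab is a secret shared with the KDC: if the host or service entry was deleted and recreated in IPA, the KDC no longer has the old key, so the old keytab cannot match any KVNO the KDC issues and must be refetched, not just re-read.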