On Wed, 2023-06-07 at 14:35 +0200, Ronald Wimmer via FreeIPA-users wrote:
On 07.06.23 14:25, Simo Sorce via FreeIPA-users wrote:
On Wed, 2023-06-07 at 10:36 +0200, Ronald Wimmer via FreeIPA-users wrote:
On 19.09.17 12:07, Alexander Bokovoy wrote:
On ti, 19 syys 2017, Ronald Wimmer wrote:
On 2017-09-19 11:53, Alexander Bokovoy wrote:
[...] Please spend some time reading the documentation. It is vast and has a lot of answers to questions people keep asking on these lists.
I've already spent some time reading the documentation. Since "ipa-getkeytab" worked I was not aware of the fact that "ipa-getkeytab -r" would need:
ipa service-allow-retrieve-keytab HTTP/cluster.idm.example.com --hosts={node01.idm.example.com,node02.idm.example.com}
That's why I gave you these links, as you obviously didn't read them.
Glad that it works now.
As we ran into this problem again it should be mentioned that restarting gssproxy.service can be necessary.
In our case Apache was looking for a KVNO 1 whereas the actual file did already have version number 4.
FWIW, gssapi should pick up new keys in keytabs without the need to restart.
I had to fetch a new keytab for this particular host as the host was accidentally deleted in IPA. (would the old keytab file on the server still have worked after re-adding the host in IPA?)
Not really. However, for a server, if you re-key the principal you SHOULD preserve the old key in the keytab and just add the new key in, not replace the keytab.
Because any client that already has obtained a ticket for the server will not go and refresh it until it expires. So if you just replace the keytab you will have a communication breakout with existing clients that can last hours (unless they delete and re-init their credential cache).
The old key can be removed after all tickets have expired; the expiration time used for TGTs is a good measure to know for how long you should keep the old key in (could be anything from hours to days).
Simo.
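Added example (not from this thread, nor FreeIPA or MIT krb5 code): Simo's procedure is to keep both the old and the new key in the service keytab and drop the old one only after every ticket issued under it has expired. The script below parses a version-2 keytab (the on-disk format MIT krb5 and Heimdal write), lists the key versions present per principal, reports whether a rollover left both versions in place, and computes when the old version becomes removable for a given ticket lifetime. The sample keytab is constructed in the code with dummy key bytes and reuses the principal names from the thread; the rule that the newest entry's timestamp approximates when the KDC began issuing tickets under it is an assumption, as is the one-ticket-lifetime grace period.

```python
import struct
from collections import defaultdict

KEYTAB_MAGIC = b"\x05\x02"  # keytab file format version 2, big-endian fields


def _octets(raw):
    """Encode a keytab counted_octet_string: uint16 length, then the bytes."""
    return struct.pack(">H", len(raw)) + raw


def build_keytab(entries):
    """Serialize (principal, kvno, enctype, timestamp, key) tuples as a v2 keytab.
    Used here only to construct sample input; the key bytes are dummies."""
    out = bytearray(KEYTAB_MAGIC)
    for principal, kvno, enctype, timestamp, key in entries:
        name, realm = principal.rsplit("@", 1)
        comps = name.split("/")
        body = struct.pack(">H", len(comps)) + _octets(realm.encode())
        for comp in comps:
            body += _octets(comp.encode())
        # name_type NT-PRINCIPAL (1), entry timestamp, 8-bit kvno
        body += struct.pack(">IIB", 1, timestamp, kvno & 0xFF)
        body += struct.pack(">HH", enctype, len(key)) + key
        body += struct.pack(">I", kvno)  # trailing 32-bit kvno extension
        out += struct.pack(">i", len(body)) + body
    return bytes(out)


def parse_keytab(data):
    """Return {principal, kvno, enctype, timestamp} dicts for each live entry."""
    if data[:2] != KEYTAB_MAGIC:
        raise ValueError("not a version-2 keytab")
    pos, entries = 2, []
    while pos + 4 <= len(data):
        (size,) = struct.unpack_from(">i", data, pos)
        pos += 4
        if size == 0:
            break            # zero-length record: nothing further to read
        if size < 0:
            pos += -size     # negative size marks a deleted slot; skip it
            continue
        end = pos + size

        def counted(p):
            (n,) = struct.unpack_from(">H", data, p)
            return data[p + 2:p + 2 + n].decode(), p + 2 + n

        (ncomp,) = struct.unpack_from(">H", data, pos)
        realm, pos = counted(pos + 2)
        comps = []
        for _ in range(ncomp):
            comp, pos = counted(pos)
            comps.append(comp)
        _name_type, timestamp, vno8 = struct.unpack_from(">IIB", data, pos)
        pos += 9
        enctype, klen = struct.unpack_from(">HH", data, pos)
        pos += 4 + klen  # skip over the key material itself
        kvno = vno8
        if end - pos >= 4:
            (vno32,) = struct.unpack_from(">I", data, pos)
            if vno32:  # a non-zero 32-bit kvno overrides the 8-bit field
                kvno = vno32
        entries.append({"principal": "/".join(comps) + "@" + realm, "kvno": kvno,
                        "enctype": enctype, "timestamp": timestamp})
        pos = end
    return entries


def kvnos_by_principal(entries):
    """Map each principal to the sorted key versions present in the keytab."""
    found = defaultdict(set)
    for e in entries:
        found[e["principal"]].add(e["kvno"])
    return {p: sorted(v) for p, v in found.items()}


def rollover_status(entries, principal, old_kvno, new_kvno):
    """Check that a re-keyed service still carries both the old and the new key."""
    present = {e["kvno"] for e in entries if e["principal"] == principal}
    return {"has_old": old_kvno in present, "has_new": new_kvno in present,
            "serves_existing_tickets": old_kvno in present and new_kvno in present}


def removable_kvnos(entries, principal, now, ticket_lifetime):
    """Key versions below the newest kvno, once the newest key has been present for
    a full ticket lifetime (assumption: its entry timestamp marks when it went live)."""
    mine = [e for e in entries if e["principal"] == principal]
    if not mine:
        return []
    newest = max(mine, key=lambda e: e["kvno"])
    if now - newest["timestamp"] < ticket_lifetime:
        return []
    return sorted({e["kvno"] for e in mine if e["kvno"] < newest["kvno"]})


# Constructed sample: the HTTP service re-keyed from kvno 1 to kvno 4, plus a host key.
AES256_CTS_HMAC_SHA1_96 = 18
T0 = 1_600_000_000
SVC = "HTTP/cluster.idm.example.com@IDM.EXAMPLE.COM"
SAMPLE_KEYTAB = build_keytab([
    (SVC, 1, AES256_CTS_HMAC_SHA1_96, T0, b"\x01" * 32),
    (SVC, 4, AES256_CTS_HMAC_SHA1_96, T0 + 100_000, b"\x04" * 32),
    ("host/node01.idm.example.com@IDM.EXAMPLE.COM", 2, AES256_CTS_HMAC_SHA1_96, T0, b"\x02" * 32),
])

if __name__ == "__main__":
    parsed = parse_keytab(SAMPLE_KEYTAB)
    print(kvnos_by_principal(parsed))
    print(rollover_status(parsed, SVC, old_kvno=1, new_kvno=4))
    print(removable_kvnos(parsed, SVC, now=T0 + 100_000 + 2 * 86400, ticket_lifetime=86400))
```

Run against a real file by passing its bytes to `parse_keytab`. The mismatch described earlier in the thread, a service still presenting tickets for kvno 1 while the keytab holds only kvno 4, shows up as `has_old: False` in `rollover_status`; a keytab that followed the add-don't-replace advice lists both versions, and `removable_kvnos` stays empty until the configured ticket lifetime has elapsed since the new key was written.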