liang fei via FreeIPA-users wrote:
Need a lot more information.
What version of IPA on client and server, and what distribution?
What is the context? Is this a new problem? Did it ever work? It appears
you're running this on a server, please confirm.
We need the Apache error log (snippet) and the related lines from the KDC log.
Per your subsequent message, this probably has nothing to do with
certificates but the output is illuminating.
a-error: Error setting up ccache for "host" service on client using
default keytab: No such file or directory.
You are apparently missing /etc/krb5.keytab
Goes back to the history question. What has been going on with this
installation?
rob
FreeIPA 4.3. All operations are performed on the CA machine.
Yes, for some reason /etc/krb5.keytab does not exist, and kinit with /etc/apache2/ipa.keytab
was unsuccessful, so I did the following:
ipa-getkeytab -p host/host.xx.com -k /etc/krb5.keytab
ipa-getkeytab -p HTTP/host.xx.com -e aes256-cts -k /tmp/spnego.service.keytab
ipa-getkeytab -p HTTP/host.xx.com -e aes128-cts -k /tmp/spnego.service.keytab
ipa-getkeytab -p HTTP/host.xx.com -e des3-hmac-sha1 -k /tmp/spnego.service.keytab
ipa-getkeytab -p HTTP/host.xx.com -e arcfour-hmac -k /tmp/spnego.service.keytab
ipa-getkeytab -p HTTP/host.xx.com -e camellia128-cts -k /tmp/spnego.service.keytab
ipa-getkeytab -p HTTP/host.xx.com -e camellia256-cts -k /tmp/spnego.service.keytab
cp /tmp/spnego.service.keytab /etc/security/ketabs
cp /tmp/spnego.service.keytab /etc/apache2/ipa.keytab
This exception should be an error related to the /etc/apache2/ipa.keytab file, because I
have a native /etc/krb5.keytab file on another test machine. There I only performed the
ipa-getkeytab -p HTTP/host.xx.com -e aes256-cts -k /tmp/spnego.service.keytab
operation, and this exception still occurs:
ipa user-find admin
...
ipa: ERROR: error marshalling data for XML-RPC transport: message: need a <type
'unicode'>; got 'No valid Negotiate header in server response' (a
<type 'str'>)
tailf /var/logs/apach2/error
[Tue Aug 30 11:32:32.237368 2022] [auth_gssapi:error] [pid 57977:tid 140374488082176]
[client 10.12.65.188:64398] gss_accept_sec_context() failed: [No credentials were
supplied, or the credentials were unavailable or inaccessible (Unknown error)], referer:
https://ipa-test-xx.com/ipa/xml
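A keytab sanity check for the failure mode in this thread (a service keytab that is missing, unreadable, or lacks the expected principal, which surfaces in Apache as "No credentials were supplied"), as an added example that is not from the thread or from FreeIPA itself. It verifies the keytab file exists with sane permissions and parses `klist -kte` output for the required principal; the sample klist output, the paths and the principal names are constructed assumptions.

```python
import os
import re
import stat
import subprocess

# Constructed sample of `klist -kte` output (illustration only, not captured from the thread).
SAMPLE_KLIST = """Keytab name: FILE:/etc/apache2/ipa.keytab
KVNO Timestamp           Principal
---- ------------------- ------------------------------------------------------
   2 08/30/2022 11:00:00 HTTP/host.xx.com@XX.COM (aes256-cts-hmac-sha1-96)
   2 08/30/2022 11:00:00 HTTP/host.xx.com@XX.COM (aes128-cts-hmac-sha1-96)
"""

# KVNO, date, time, principal, (enctype)
ENTRY_RE = re.compile(r"^\s*(\d+)\s+\S+\s+\S+\s+(\S+)\s+\((\S+)\)\s*$")


def parse_klist(output):
    """Map each principal listed by `klist -kte` to the set of enctypes stored for it."""
    principals = {}
    for line in output.splitlines():
        m = ENTRY_RE.match(line)
        if m:
            principals.setdefault(m.group(2), set()).add(m.group(3))
    return principals


def check_keytab_file(path):
    """Problems with the keytab file itself; an empty list means the file looks usable."""
    if not os.path.isfile(path):
        return ["missing: %s" % path]  # the 'No such file or directory' case in the thread
    problems = []
    st = os.stat(path)
    if st.st_size == 0:
        problems.append("empty: %s" % path)
    if st.st_mode & (stat.S_IROTH | stat.S_IWOTH):
        problems.append("world-accessible: %s" % path)  # long-term keys must stay private
    if not os.access(path, os.R_OK):
        problems.append("not readable by current user: %s" % path)
    return problems


def check_principal(klist_output, principal):
    """Problems with the principal's keys as listed by klist; empty list means present."""
    if not parse_klist(klist_output).get(principal):
        return ["no key for %s in keytab" % principal]
    return []


def diagnose(path, principal):
    """Run both checks on a real host; klist is only invoked when the file exists."""
    problems = check_keytab_file(path)
    if not os.path.isfile(path):
        return problems
    out = subprocess.run(["klist", "-kte", path], capture_output=True, text=True).stdout
    return problems + check_principal(out, principal)
```

Run `diagnose("/etc/apache2/ipa.keytab", "HTTP/host.xx.com@XX.COM")` as the user Apache runs as, since a keytab readable only by root produces the same gss_accept_sec_context() error as a missing one.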