We have a keytab packit@FEDORAPROJECT.ORG which was working fine for a long time, but since last week we are suddenly getting the error message mentioned above; debug logs:

[1307539] 1619776369.002053: Preauth module encrypted_timestamp (2) (real) returned: 0/Success
[1307539] 1619776369.002054: Produced preauth for next request: PA-FX-COOKIE (133), PA-ENC-TIMESTAMP (2)
[1307539] 1619776369.002055: Sending request (304 bytes) to FEDORAPROJECT.ORG
[1307539] 1619776369.002056: Resolving hostname id.fedoraproject.org
[1307539] 1619776370.168452: TLS certificate name matched "id.fedoraproject.org"
[1307539] 1619776370.168453: Sending HTTPS request to https 209.132.190.2:443
[1307539] 1619776370.168454: Received answer (312 bytes) from https 209.132.190.2:443
[1307539] 1619776370.168455: Terminating TCP connection to https 209.132.190.2:443
[1307539] 1619776370.168456: Sending DNS URI query for _kerberos.FEDORAPROJECT.ORG.
[1307539] 1619776370.168457: URI answer: 10 1 "krb5srv:m:kkdcp:https://id.fedoraproject.org/KdcProxy/"
[1307539] 1619776370.168458: Response was from master KDC
[1307539] 1619776370.168459: Received error from KDC: -1765328360/Preauthentication failed
kinit: Preauthentication failed while getting initial credentials
I personally have no idea what this means.
Do we need a new keytab?
We have changed password for the packit user a week ago (after FAS migration) - could that be the problem?
Upstream ticket: https://github.com/packit/packit-service/issues/1077
After changing password you will need to generate a new keytab.
You should be able to do this using the ipa-getkeytab command as outlined here https://www.ibm.com/support/pages/cloud-regenerate-new-keytab-file-after-user-password-change
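A check worth having in this situation, as an added example that is not from this ticket: compare the key version number (kvno) recorded in the keytab with the kvno the KDC currently holds for the principal, since a password change bumps the KDC's kvno and leaves the old keytab holding a stale key. It assumes the MIT Kerberos output formats of `klist -k` and `kvno`, and runs on constructed sample output so it works offline.

```shell
#!/bin/sh
# Added example, not from this ticket: compare the key version numbers (kvno)
# in a keytab with the kvno the KDC currently holds. A password change bumps
# the KDC's kvno, so a keytab written before the change carries a stale key and
# "kinit -kt" fails with "Preauthentication failed" until it is regenerated.
# Assumes MIT Kerberos output formats: `klist -k FILE` prints "KVNO Principal"
# rows and `kvno PRINC` prints "PRINC: kvno = N" (kvno needs a valid ticket,
# e.g. from `kinit PRINC` with the new password).

# keytab_kvnos: from `klist -k` output, print "<principal> <kvno>" per entry.
keytab_kvnos() {
    printf '%s\n' "$1" | awk '$1 ~ /^[0-9]+$/ { print $2, $1 }' | sort -u
}

# kdc_kvno: from `kvno` output, print the KDC's current kvno (empty on error).
kdc_kvno() {
    printf '%s\n' "$1" | awk -F'kvno = ' 'NF == 2 { print $2 }'
}

# stale_entries KLIST_OUTPUT PRINCIPAL KVNO_OUTPUT: print every keytab entry
# for PRINCIPAL whose kvno differs from the KDC's. Returns 0 if the keytab
# holds a current key, 1 if not, 2 if the KDC kvno could not be parsed.
stale_entries() {
    current=$(kdc_kvno "$3")
    [ -n "$current" ] || { echo "cannot parse KDC kvno for $2" >&2; return 2; }
    keytab_kvnos "$1" | awk -v p="$2" -v cur="$current" '
        $1 == p && $2 == cur { ok = 1 }
        $1 == p && $2 != cur { print "stale:", $1, "kvno", $2, "(KDC has", cur ")" }
        END { exit (ok ? 0 : 1) }'
}

# Constructed sample output (not captured from the Fedora KDC).
KLIST_STALE='Keytab name: FILE:./fedora.keytab
KVNO Principal
---- ------------------------------------------------
   3 packit@FEDORAPROJECT.ORG
   3 packit@FEDORAPROJECT.ORG'
KLIST_FRESH='Keytab name: FILE:./fedora.keytab
KVNO Principal
---- ------------------------------------------------
   4 packit@FEDORAPROJECT.ORG'
KVNO_OUT='packit@FEDORAPROJECT.ORG: kvno = 4'

for kt in "$KLIST_STALE" "$KLIST_FRESH"; do
    if stale_entries "$kt" packit@FEDORAPROJECT.ORG "$KVNO_OUT"; then
        echo "keytab is current"
    else
        echo "keytab needs regenerating (ipa-getkeytab)"
    fi
done
```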
OK, thanks. But what's the FQDN of the IPA server to retrieve the keytab from?
$ man ipa-getkeytab

    -s ipaserver
        The IPA server to retrieve the keytab from (FQDN). If this option is not provided the server name is read from the IPA configuration file (/etc/ipa/default.conf).
I don't have any /etc/ipa/default.conf even with freeipa-client-common installed.
We tried the IPA server @abompard mentioned in another ticket, ipa01.iad2.fedoraproject.org, but it's not available on the internet.
I tried:

$ ipa-getkeytab -s id.fedoraproject.org -p packit@FEDORAPROJECT.ORG -k ./fedora.keytab --password
New Principal Password:
Verify Principal Password:
Unable to create new TLS context (OpenSSL failed to initialize or to load certificates)
Can't contact LDAP server
Failed to bind to server!
Retrying with pre-4.0 keytab retrieval method...
Unable to create new TLS context (OpenSSL failed to initialize or to load certificates)
Can't contact LDAP server
Failed to bind to server!
Failed to get keytab
Try:
https://pagure.io/fedora-infra/howtos/blob/main/f/create_keytab.md
Metadata Update from @asaleh:
- Issue priority set to: Waiting on External (was: Needs Review)
- Issue tagged with: medium-gain, medium-trouble
Jirka probably forgot to reply here. We managed to generate a keytab using the guide and authenticate with it successfully. Thank you so much, Kevin!
Metadata Update from @ttomecek:
- Issue close_status updated to: Fixed
- Issue status updated to: Closed (was: Open)