#6748 CLI doesn't work after ipa-restore
Closed: fixed 2 years ago Opened 2 years ago by mbasti.

Steps to reproduce:

  • ipa-backup
  • ipa-server-install --uninstall
  • ipa-restore
  • kinit admin
  • ipa ping
[root@vm-058-129 ~]# ipa ping
ipa: ERROR: No valid Negotiate header in server response

httpd error log:

[Thu Mar 09 18:43:50.024163 2017] [auth_gssapi:error] [pid 77550] [client 2620:52:0:224e:21a:4aff:fe23:1211:42306] gss_acquire_cred[_from]() failed to get server creds: [Unspecified GSS failure.  Minor code may provide more information ( SPNEGO cannot find mechanisms to negotiate)], referer: https://vm-058-129.abc.idm.lab.eng.brq.redhat.com/ipa/xml

Metadata Update from @mbasti:
- Issue tagged with: regression

2 years ago

Metadata Update from @mbasti:
- Issue priority set to: 1
- Issue set to the milestone: FreeIPA 4.5

2 years ago

Probably caused as neither KDC_CERT nor KDC_KEY are backed up.

Metadata Update from @stlaz:
- Issue assigned to stlaz

2 years ago

I see the same error on clean server install occasionally.

Metadata Update from @stlaz:
- Assignee reset

2 years ago

This is due to gssproxy failing to renew expired credential. I opened originally a bug at mod_auth_gssapi but it is really in gssproxy. See https://github.com/modauthgssapi/mod_auth_gssapi/issues/133

I'm going to file a bug against gssproxy.

Metadata Update from @stlaz:
- Issue assigned to stlaz

2 years ago

master:

  • ee6d031 Backup KDC certificate pair

Metadata Update from @mbasti:
- Issue set to the milestone: FreeIPA 4.5.1 (was: FreeIPA 4.5)

2 years ago

master:

  • 2612c09 Backup ipa-specific httpd unit-file

ipa-4-5:

  • 59342a7 Backup ipa-specific httpd unit-file

even with all those patches user cannot connect to webUI after ipa-restore

Metadata Update from @pvoborni:
- Custom field rhbz adjusted to https://bugzilla.redhat.com/show_bug.cgi?id=1436338

2 years ago

Metadata Update from @pvoborni:
- Custom field rhbz adjusted to https://bugzilla.redhat.com/show_bug.cgi?id=1436338

2 years ago

master:

  • dc13703 Backup CA cert from kerberos folder
    ipa-4-5:

  • 9fdc27b Backup CA cert from kerberos folder

Metadata Update from @tkrizek:
- Issue close_status updated to: fixed
- Issue status updated to: Closed (was: Open)

2 years ago

Login to comment on this ticket.

Metadata