Steps to reproduce:
[root@vm-058-129 ~]# ipa ping ipa: ERROR: No valid Negotiate header in server response
httpd error log:
[Thu Mar 09 18:43:50.024163 2017] [auth_gssapi:error] [pid 77550] [client 2620:52:0:224e:21a:4aff:fe23:1211:42306] gss_acquire_cred[_from]() failed to get server creds: [Unspecified GSS failure. Minor code may provide more information ( SPNEGO cannot find mechanisms to negotiate)], referer: https://vm-058-129.abc.idm.lab.eng.brq.redhat.com/ipa/xml
Metadata Update from @mbasti: - Issue tagged with: regression
Metadata Update from @mbasti: - Issue priority set to: 1 - Issue set to the milestone: FreeIPA 4.5
Probably caused as neither KDC_CERT nor KDC_KEY are backed up.
Metadata Update from @stlaz: - Issue assigned to stlaz
I see the same error on clean server install occasionally.
Metadata Update from @stlaz: - Assignee reset
This is due to gssproxy failing to renew expired credential. I opened originally a bug at mod_auth_gssapi but it is really in gssproxy. See https://github.com/modauthgssapi/mod_auth_gssapi/issues/133
I'm going to file a bug against gssproxy.
master:
Metadata Update from @mbasti: - Issue set to the milestone: FreeIPA 4.5.1 (was: FreeIPA 4.5)
ipa-4-5:
even with all those patches user cannot connect to webUI after ipa-restore
Metadata Update from @pvoborni: - Custom field rhbz adjusted to https://bugzilla.redhat.com/show_bug.cgi?id=1436338
Issue linked to bug 1436338
dc13703 Backup CA cert from kerberos folder ipa-4-5:
9fdc27b Backup CA cert from kerberos folder
Metadata Update from @tkrizek: - Issue close_status updated to: fixed - Issue status updated to: Closed (was: Open)
Login to comment on this ticket.