On Wed, 2023-06-07 at 14:35 +0200, Ronald Wimmer via FreeIPA-users
wrote:
> On 07.06.23 14:25, Simo Sorce via FreeIPA-users wrote:
> > On Wed, 2023-06-07 at 10:36 +0200, Ronald Wimmer via FreeIPA-users
> > wrote:
> > > On 19.09.17 12:07, Alexander Bokovoy wrote:
> > > > On Tue, 19 Sep 2017, Ronald Wimmer wrote:
> > > > > On 2017-09-19 11:53, Alexander Bokovoy wrote:
> > > > > > [...]
> > > > > > Please spend some time reading the documentation. It is vast and
> > > > > > has a lot of answers to questions people keep asking on these lists.
> > > > >
> > > > > I've already spent some time reading the documentation. Since
> > > > > "ipa-getkeytab" worked I was not aware of the fact that
> > > > > "ipa-getkeytab -r" would need:
> > > > >
> > > > > ipa service-allow-retrieve-keytab HTTP/cluster.idm.example.com --hosts={node01.idm.example.com,node02.idm.example.com}
> > > > That's why I gave you these links, as you obviously didn't read
> > > > them.
> > > >
> > > > Glad that it works now.
> > >
> > > As we ran into this problem again it should be mentioned that restarting
> > > gssproxy.service can be necessary.
> > >
> > > In our case Apache was looking for a KVNO 1 whereas the actual file did
> > > already have version number 4.
> >
> >
> > FWIW, gssapi should pick up new keys in keytabs without the need to
> > restart.
> I had to fetch a new keytab for this particular host as the host was
> accidentally deleted in IPA. (would the old keytab file on the server
> still have worked after re-adding the host in IPA?)
Not really.
However for a server, if you re-key the principal you SHOULD preserve
the old key in the keytab and just add the new key in, not replace the
keytab.
Because any client that already has obtained a ticket for the server
will not go and refresh it until it expires. So if you just replace the
keytab you will have a communication breakout with existing clients
that can last hours (unless they delete and re-init their credential
cache).
The old key can be removed after all tickets are expired, the expiration
time used for TGT is a good measure to know for how long you should
keep the old key in (could be anything from hours to days).
Simo.
--
Simo Sorce
RHEL Crypto Team
Red Hat, Inc
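As an added illustration of the rule Simo describes (not code from the thread or from FreeIPA): a small Python helper that parses a `klist -kt` listing of a service keytab and reports which older KVNOs have been superseded for longer than the maximum ticket lifetime, and so can be dropped. The listing below is constructed, and the `MM/DD/YYYY HH:MM:SS` timestamp format is an assumption (klist's timestamp column is locale-dependent; adjust `ENTRY_RE` and the `strptime` format to match your system).

```python
"""Apply the 'keep the old key until tickets expire' rule to a keytab listing.

Parses `klist -kt` output (MM/DD/YYYY HH:MM:SS timestamps assumed; the sample
below is constructed) and reports, per principal, which older KVNOs were
superseded long enough ago that no client can still hold a ticket under them.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample: KVNO 1 was superseded by KVNO 4 on 2023-06-07 14:00.
SAMPLE_KLIST = """\
Keytab name: FILE:/etc/httpd/http.keytab
KVNO Timestamp           Principal
---- ------------------- ------------------------------------------------------
   1 06/01/2023 09:00:00 HTTP/cluster.idm.example.com@IDM.EXAMPLE.COM
   1 06/01/2023 09:00:00 HTTP/cluster.idm.example.com@IDM.EXAMPLE.COM
   4 06/07/2023 14:00:00 HTTP/cluster.idm.example.com@IDM.EXAMPLE.COM
   4 06/07/2023 14:00:00 HTTP/cluster.idm.example.com@IDM.EXAMPLE.COM
"""

ENTRY_RE = re.compile(r"^\s*(\d+)\s+(\d{2}/\d{2}/\d{4} \d{2}:\d{2}:\d{2})\s+(\S+)$")

def parse_klist(text):
    """Return {principal: {kvno: time the entry was written to the keytab}}."""
    entries = defaultdict(dict)
    for line in text.splitlines():
        m = ENTRY_RE.match(line)
        if m:  # header, ruler and blank lines do not match
            kvno, stamp, princ = int(m.group(1)), m.group(2), m.group(3)
            entries[princ][kvno] = datetime.strptime(stamp, "%m/%d/%Y %H:%M:%S")
    return dict(entries)

def retirable_kvnos(entries, now, max_ticket_life):
    """Per principal, the KVNOs whose successor has been installed for at least
    max_ticket_life, so every ticket issued under the older key has expired.
    (Assumes the keytab timestamp is when that key version went live.)"""
    result = {}
    for princ, kvnos in entries.items():
        ordered = sorted(kvnos)
        result[princ] = [old for old, new in zip(ordered, ordered[1:])
                         if now - kvnos[new] >= max_ticket_life]
    return result

if __name__ == "__main__":
    keys = parse_klist(SAMPLE_KLIST)
    # Same day as the re-key: nothing to retire yet. Two days later: KVNO 1 can go.
    print(retirable_kvnos(keys, datetime(2023, 6, 7, 20), timedelta(hours=24)))
    print(retirable_kvnos(keys, datetime(2023, 6, 9, 12), timedelta(hours=24)))
```

Pass the KDC's maximum ticket lifetime (the TGT lifetime Simo mentions) as `max_ticket_life`; a longer value only makes the check more conservative.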