hello Since the keytab file is invalid, I manually generated a new IPA. keytab file, but now it seems that encryption-types does not match. What should I do with this?thank you #ipa user-find devop ipa: DEBUG: importing all plugin modules in ipalib.plugins... ipa: DEBUG: importing plugin module ipalib.plugins.aci ipa: DEBUG: importing plugin module ipalib.plugins.automember ipa: DEBUG: importing plugin module ipalib.plugins.automount ipa: DEBUG: importing plugin module ipalib.plugins.baseldap ipa: DEBUG: importing plugin module ipalib.plugins.baseuser ipa: DEBUG: importing plugin module ipalib.plugins.batch ipa: DEBUG: importing plugin module ipalib.plugins.caacl ipa: DEBUG: importing plugin module ipalib.plugins.cert ipa: DEBUG: importing plugin module ipalib.plugins.certprofile ipa: DEBUG: importing plugin module ipalib.plugins.config ipa: DEBUG: importing plugin module ipalib.plugins.delegation ipa: DEBUG: importing plugin module ipalib.plugins.dns ipa: DEBUG: importing plugin module ipalib.plugins.domainlevel ipa: DEBUG: importing plugin module ipalib.plugins.group ipa: DEBUG: importing plugin module ipalib.plugins.hbacrule ipa: DEBUG: importing plugin module ipalib.plugins.hbacsvc ipa: DEBUG: importing plugin module ipalib.plugins.hbacsvcgroup ipa: DEBUG: importing plugin module ipalib.plugins.hbactest ipa: DEBUG: importing plugin module ipalib.plugins.host ipa: DEBUG: importing plugin module ipalib.plugins.hostgroup ipa: DEBUG: importing plugin module ipalib.plugins.idrange ipa: DEBUG: importing plugin module ipalib.plugins.idviews ipa: DEBUG: importing plugin module ipalib.plugins.internal ipa: DEBUG: importing plugin module ipalib.plugins.krbtpolicy ipa: DEBUG: importing plugin module ipalib.plugins.migration ipa: DEBUG: importing plugin module ipalib.plugins.misc ipa: DEBUG: importing plugin module ipalib.plugins.netgroup ipa: DEBUG: importing plugin module ipalib.plugins.otpconfig ipa: DEBUG: importing plugin module ipalib.plugins.otptoken ipa: DEBUG: importing plugin module ipalib.plugins.otptoken_yubikey ipa: DEBUG: importing plugin module ipalib.plugins.passwd ipa: DEBUG: importing plugin module ipalib.plugins.permission ipa: DEBUG: importing plugin module ipalib.plugins.ping ipa: DEBUG: importing plugin module ipalib.plugins.pkinit ipa: DEBUG: importing plugin module ipalib.plugins.privilege ipa: DEBUG: importing plugin module ipalib.plugins.pwpolicy ipa: DEBUG: Starting external process ipa: DEBUG: args=klist -V ipa: DEBUG: Process finished, return code=0 ipa: DEBUG: stdout=Kerberos 5 version 1.13.2 ipa: DEBUG: stderr= ipa: DEBUG: importing plugin module ipalib.plugins.radiusproxy ipa: DEBUG: importing plugin module ipalib.plugins.realmdomains ipa: DEBUG: importing plugin module ipalib.plugins.role ipa: DEBUG: importing plugin module ipalib.plugins.rpcclient ipa: DEBUG: importing plugin module ipalib.plugins.selfservice ipa: DEBUG: importing plugin module ipalib.plugins.selinuxusermap ipa: DEBUG: importing plugin module ipalib.plugins.server ipa: DEBUG: importing plugin module ipalib.plugins.service ipa: DEBUG: importing plugin module ipalib.plugins.servicedelegation ipa: DEBUG: importing plugin module ipalib.plugins.session ipa: DEBUG: importing plugin module ipalib.plugins.stageuser ipa: DEBUG: importing plugin module ipalib.plugins.sudocmd ipa: DEBUG: importing plugin module ipalib.plugins.sudocmdgroup ipa: DEBUG: importing plugin module ipalib.plugins.sudorule ipa: DEBUG: importing plugin module ipalib.plugins.topology ipa: DEBUG: importing plugin module ipalib.plugins.trust ipa: DEBUG: importing plugin module ipalib.plugins.user ipa: DEBUG: importing plugin module ipalib.plugins.vault ipa: DEBUG: importing plugin module ipalib.plugins.virtual ipa: DEBUG: failed to find session_cookie in persistent storage for principal &#39;admin(a)YYDEVOPS.COM&#39; ipa: INFO: trying https://xx/ipa/json ipa: DEBUG: Created connection context.rpcclient_140659301866000 ipa: DEBUG: raw: user_find(u'devop', whoami=False, all=False, raw=False, version=u'2.164', no_members=False) ipa: DEBUG: user_find(u'devop', whoami=False, all=False, raw=False, version=u'2.164', no_members=False, pkey_only=False) ipa: INFO: Forwarding 'user_find' to json server 'https://xx/ipa/json' ipa: DEBUG: NSSConnection init xx ipa: DEBUG: Connecting: 10.21.117.149:0 ipa: DEBUG: approved_usage = SSL Server intended_usage = SSL Server ipa: DEBUG: cert valid True for "CN=xx,O=YYDEVOPS.COM" ipa: DEBUG: handshake complete, peer = 10.21.117.149:443 ipa: DEBUG: Protocol: TLS1.2 ipa: DEBUG: Cipher: TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA ipa: DEBUG: Destroyed connection context.rpcclient_140659301866000 ipa: ERROR: error marshalling data for XML-RPC transport: message: need a <type 'unicode'>; got 'No valid Negotiate header in server response' (a <type 'str'>) # klist -e Ticket cache: FILE:/tmp/krb5cc_0 Default principal: admin(a)YYDEVOPS.COM Valid starting Expires Service principal 08/29/2022 20:40:14 08/30/2022 20:40:07 krbtgt/YYDEVOPS.COM(a)YYDEVOPS.COM Etype (skey, tkt): aes256-cts-hmac-sha1-96, aes256-cts-hmac-sha1-96 08/29/2022 20:40:31 08/30/2022 20:40:07 HTTP/xx(a)YYDEVOPS.COM Etype (skey, tkt): des3-cbc-sha1, des3-cbc-sha1 # klist -kte /etc/apache2/ipa.keytab Keytab name: FILE:/etc/apache2/ipa.keytab KVNO Timestamp Principal ---- ------------------- ------------------------------------------------------ 4 08/29/2022 19:30:22 HTTP/xx (arcfour-hmac) 5 08/29/2022 19:30:42 HTTP/xx (camellia128-cts-cmac) 6 08/29/2022 19:30:46 HTTP/xx (camellia256-cts-cmac) 7 08/29/2022 19:33:02 HTTP/xx (camellia128-cts-cmac) 8 08/29/2022 19:33:41 HTTP/xx (aes128-cts-hmac-sha1-96) 9 08/29/2022 19:33:47 HTTP/xx (aes256-cts-hmac-sha1-96) 10 08/29/2022 19:35:05 HTTP/xx (des3-cbc-sha1)

> liang fei via FreeIPA-users wrote: > > Need a lot more information. > > What version of IPA on client and server, and what distribution? > > What is the context? Is this a new problem? Did it ever work? It appears > you're running this on a server, please confirm. > > We need the apache error log (snippet) and relation lines from the KDC log. > > Per your subsequent message, this probably has nothing to do with > certificates but the output is illuminating. > > a-error: Error setting up ccache for "host" service on client using > default keytab: No such file or directory. > > You are apparently missing /etc/krb5.keytab > > Goes back to the history question. What has been going on with this > installation? > > rob freeipa4.3 All operations are performed on the CA machine,

Yes, for some reason, /etc/krb5.keytab does not exist and /etc/apache2.ipa.keytab kinit was unsuccessful, so I did the following.

ipa-getkeytab -p host/host.xx.com -k /etc/krb5.keytab ipa-getkeytab -p HTTP/host.xx.com -e aes256-cts -k /tmp/spnego.service.keytab ipa-getkeytab -p HTTP/host.xx.com -e aes128-cts -k /tmp/spnego.service.keytab ipa-getkeytab -p HTTP/host.xx.com -e des3-hmac-sha1 -k /tmp/spnego.service.keytab ipa-getkeytab -p HTTP/host.xx.com -e arcfour-hmac -k /tmp/spnego.service.keytab ipa-getkeytab -p HTTP/host.xx.com -e camellia128-cts -k /tmp/spnego.service.keytab ipa-getkeytab -p HTTP/host.xx.com -e camellia256-cts -k /tmp/spnego.service.keytab cp /tmp/spnego.service.keytab /etc/security/ketabs cp /tmp/spnego.service.keytab /etc/apache2/ipa.keytab This exception should be an error related to the /etc/apache2/ipa.keytab file, because I have a native /etc/krb5.keytab file on another test machine.Only perform the ipa - getkeytab - p - e aes256 HTTP/host.xx.com - CTS - k/TMP/spnego. Service. Keytabr operation, so this exception, ipa user-find admin ... ipa: ERROR: error marshalling data for XML-RPC transport: message: need a <type 'unicode'>; got 'No valid Negotiate header in server response' (a <type 'str'>) tailf /var/logs/apach2/error [Tue Aug 30 11:32:32.237368 2022] [auth_gssapi:error] [pid 57977:tid 140374488082176] [client 10.12.65.188:64398] gss_accept_sec_context() failed: [No credentials were supplied, or the credentials were unavailable or inaccessible (Unknown error)], referer: https://ipa-test-xx.com/ipa/xml