<html>
<head>
<meta content="text/html; charset=ISO-8859-1"
http-equiv="Content-Type">
</head>
<body bgcolor="#FFFFFF" text="#000000">
On 05/07/2013 07:08 PM, Derek Moore wrote:
<blockquote
cite="mid:CAMsgyKaRNt=wJ6JhstqGjMY9nJJdEU58WWcpsB53QWmjm7b=qw@mail.gmail.com"
type="cite">
<div dir="ltr">
<div>I'm running FreeIPA 3.2.0 Beta 1 in Fedora 19 Alpha, and
I'm running oVirt 3.3.0 pre-Beta in Fedora 18.<br>
<br>
In order to get oVirt's JGSS crap to work with FreeIPA, I had
to change nsslapd-minssf to 1 (apparently a known issue right
now in OpenJDK). But this setting seems to break ipa CLI, and
when I change back to "nsslapd-minssf: 0" it stays broken, and
FreeIPA's XML-RPC service returns a 500 error.<br>
<br>
</div>
<div>Apache error_log says:<br>
[Tue May 07 17:06:04.698467 2013] [auth_kerb:error] [pid 705]
[client 172.19.10.145:60593]
Could not get default Kerberos ccache: No credentials cache
found (-1765328189), referer: https://ds1.hackunix.org/ipa/xml<br>
[Tue May 07 17:06:04.703070 2013] [auth_kerb:error] [pid 705]
[client 172.19.10.145:60593]
gss_acquire_cred() failed: Unspecified GSS failure. Minor
code may provide more information (, Can't find client
principal HTTP/ds1.hackunix.org@HACKUNIX.ORG
in cache collection), referer: https://ds1.hackunix.org/ipa/xml<br>
[Tue May 07 17:19:55.358418 2013] [auth_kerb:error] [pid 701]
[client 172.19.10.145:60609]
Could not get default Kerberos ccache: No credentials cache
found (-1765328189), referer: https://ds1.hackunix.org/ipa/xml<br>
[Tue May 07 17:19:55.362419 2013] [auth_kerb:error] [pid 701]
[client 172.19.10.145:60609]
gss_acquire_cred() failed: Unspecified GSS failure. Minor
code may provide more information (, Can't find client
principal HTTP/ds1.hackunix.org@HACKUNIX.ORG
in cache collection), referer: https://ds1.hackunix.org/ipa/xml<br>
</div>
<div><br>
<br>
</div>
<div>Since I got FreeIPA up and running, I've only been messing
with the nsslapd-minssf value to get oVirt's Java code working
against it.<br>
<br>
</div>
<div>Not sure why FreeIPA is permabroke when it is basically
stock, and I'm just flipping one minssf bit.<br>
</div>
</div>
</blockquote>
<br>
Did you restart all IPA services including KDC after you changed the
minssf?<br>
<br>
<blockquote
cite="mid:CAMsgyKaRNt=wJ6JhstqGjMY9nJJdEU58WWcpsB53QWmjm7b=qw@mail.gmail.com"
type="cite">
<div dir="ltr">
<div>
<br>
Thanks!<br>
<br>
Derek<br>
</div>
</div>
<br>
</blockquote>
<br>
<br>
<pre class="moz-signature" cols="72">--
Thank you,
Dmitri Pal
Sr. Engineering Manager for IdM portfolio
Red Hat Inc.
</pre>
</body>
</html>