<html> <head> <meta content="text/html; charset=ISO-8859-1" http-equiv="Content-Type"> </head> <body bgcolor="#FFFFFF" text="#000000"> On 05/07/2013 07:08 PM, Derek Moore wrote: <blockquote cite="mid:CAMsgyKaRNt=wJ6JhstqGjMY9nJJdEU58WWcpsB53QWmjm7b=qw@mail.gmail.com" type="cite"> <div dir="ltr"> <div>I'm running FreeIPA 3.2.0 Beta 1 in Fedora 19 Alpha, and I'm running oVirt 3.3.0 pre-Beta in Fedora 18.<br> <br> In order to get oVirt's JGSS crap to work with FreeIPA, I had to change nsslapd-minssf to 1 (apparently a known issue right now in OpenJDK). But this setting seems to break ipa CLI, and when I change back to "nsslapd-minssf: 0" it stays broken, and FreeIPA's XML-RPC service returns a 500 error.<br> <br> </div> <div>Apache error_log says:<br> [Tue May 07 17:06:04.698467 2013] [auth_kerb:error] [pid 705] [client <a moz-do-not-send="true" href="http://172.19.10.145:60593">172.19.10.145:60593</a>] Could not get default Kerberos ccache: No credentials cache found (-1765328189), referer: <a moz-do-not-send="true" href="https://ds1.hackunix.org/ipa/xml">https://ds1.hackunix.org/ipa/xml</a><br> [Tue May 07 17:06:04.703070 2013] [auth_kerb:error] [pid 705] [client <a moz-do-not-send="true" href="http://172.19.10.145:60593">172.19.10.145:60593</a>] gss_acquire_cred() failed: Unspecified GSS failure. Minor code may provide more information (, Can't find client principal HTTP/<a moz-do-not-send="true" href="mailto:ds1.hackunix.org@HACKUNIX.ORG">ds1.hackunix.org@HACKUNIX.ORG</a> in cache collection), referer: <a moz-do-not-send="true" href="https://ds1.hackunix.org/ipa/xml">https://ds1.hackunix.org/ipa/xml</a><br> [Tue May 07 17:19:55.358418 2013] [auth_kerb:error] [pid 701] [client <a moz-do-not-send="true" href="http://172.19.10.145:60609">172.19.10.145:60609</a>] Could not get default Kerberos ccache: No credentials cache found (-1765328189), referer: <a moz-do-not-send="true" href="https://ds1.hackunix.org/ipa/xml">https://ds1.hackunix.org/ipa/xml</a><br> [Tue May 07 17:19:55.362419 2013] [auth_kerb:error] [pid 701] [client <a moz-do-not-send="true" href="http://172.19.10.145:60609">172.19.10.145:60609</a>] gss_acquire_cred() failed: Unspecified GSS failure. Minor code may provide more information (, Can't find client principal HTTP/<a moz-do-not-send="true" href="mailto:ds1.hackunix.org@HACKUNIX.ORG">ds1.hackunix.org@HACKUNIX.ORG</a> in cache collection), referer: <a moz-do-not-send="true" href="https://ds1.hackunix.org/ipa/xml">https://ds1.hackunix.org/ipa/xml</a><br> </div> <div><br> <br> </div> <div>Since I got FreeIPA up and running, I've only been messing with the nsslapd-minssf value to get oVirt's Java code working against it.<br> <br> </div> <div>Not sure why FreeAPI is permabroke when it is basically stock, and I'm just flipping one minssf bit.<br> </div> </div> </blockquote> <br> Did you restart all IPA services including KDC after you changed the minssf?<br> <br> <blockquote cite="mid:CAMsgyKaRNt=wJ6JhstqGjMY9nJJdEU58WWcpsB53QWmjm7b=qw@mail.gmail.com" type="cite"> <div dir="ltr"> <div> <br> Thanks!<br> <br> Derek<br> </div> </div> <br> <fieldset class="mimeAttachmentHeader"></fieldset> <br> <pre wrap="">_______________________________________________ Freeipa-devel mailing list <a class="moz-txt-link-abbreviated" href="mailto:Freeipa-devel@redhat.com">Freeipa-devel@redhat.com</a> <a class="moz-txt-link-freetext" href="https://www.redhat.com/mailman/listinfo/freeipa-devel">https://www.redhat.com/mailman/listinfo/freeipa-devel</a></pre> </blockquote> <br> <br> <pre class="moz-signature" cols="72">-- Thank you, Dmitri Pal Sr. Engineering Manager for IdM portfolio Red Hat Inc. ------------------------------- Looking to carve out IT costs? <a class="moz-txt-link-abbreviated" href="http://www.redhat.com/carveoutcosts/">www.redhat.com/carveoutcosts/</a> </pre> </body> </html>