[Freeipa-devel] FreeIPA quit working - or, IPA & oVirt

[Derek Moore]

I'm running FreeIPA 3.2.0 Beta 1 in Fedora 19 Alpha, and I'm running oVirt
3.3.0 pre-Beta in Fedora 18.

In order to get oVirt's JGSS crap to work with FreeIPA, I had to change
nsslapd-minssf to 1 (apparently a known issue right now in OpenJDK). But
this setting seems to break ipa CLI, and when I change back to
"nsslapd-minssf: 0" it stays broken, and FreeIPA's XML-RPC service returns
a 500 error.

Apache error_log says:
[Tue May 07 17:06:04.698467 2013] [auth_kerb:error] [pid 705] [client
172.19.10.145:60593] Could not get default Kerberos ccache: No credentials
cache found (-1765328189), referer: https://ds1.hackunix.org/ipa/xml
[Tue May 07 17:06:04.703070 2013] [auth_kerb:error] [pid 705] [client
172.19.10.145:60593] gss_acquire_cred() failed: Unspecified GSS failure.
Minor code may provide more information (, Can't find client principal HTTP/
ds1.hackunix.org at HACKUNIX.ORG in cache collection), referer:
https://ds1.hackunix.org/ipa/xml
[Tue May 07 17:19:55.358418 2013] [auth_kerb:error] [pid 701] [client
172.19.10.145:60609] Could not get default Kerberos ccache: No credentials
cache found (-1765328189), referer: https://ds1.hackunix.org/ipa/xml
[Tue May 07 17:19:55.362419 2013] [auth_kerb:error] [pid 701] [client
172.19.10.145:60609] gss_acquire_cred() failed: Unspecified GSS failure.
Minor code may provide more information (, Can't find client principal HTTP/
ds1.hackunix.org at HACKUNIX.ORG in cache collection), referer:
https://ds1.hackunix.org/ipa/xml


Since I got FreeIPA up and running, I've only been messing with the
nsslapd-minssf value to get oVirt's Java code working against it.

Not sure why FreeAPI is permabroke when it is basically stock, and I'm just
flipping one minssf bit.

Thanks!

Derek
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://listman.redhat.com/archives/freeipa-devel/attachments/20130507/8cb8c246/attachment.htm>