[Freeipa-devel] FreeIPA quit working - or, IPA & oVirt

Dmitri Pal dpal at redhat.com
Wed May 8 00:33:41 UTC 2013


On 05/07/2013 07:08 PM, Derek Moore wrote:
> I'm running FreeIPA 3.2.0 Beta 1 in Fedora 19 Alpha, and I'm running
> oVirt 3.3.0 pre-Beta in Fedora 18.
>
> In order to get oVirt's JGSS crap to work with FreeIPA, I had to
> change nsslapd-minssf to 1 (apparently a known issue right now in
> OpenJDK). But this setting seems to break ipa CLI, and when I change
> back to "nsslapd-minssf: 0" it stays broken, and FreeIPA's XML-RPC
> service returns a 500 error.
>
> Apache error_log says:
> [Tue May 07 17:06:04.698467 2013] [auth_kerb:error] [pid 705] [client 172.19.10.145:60593] Could not get default Kerberos ccache: No credentials cache found (-1765328189), referer: https://ds1.hackunix.org/ipa/xml
> [Tue May 07 17:06:04.703070 2013] [auth_kerb:error] [pid 705] [client 172.19.10.145:60593] gss_acquire_cred() failed: Unspecified GSS failure.  Minor code may provide more information (, Can't find client principal HTTP/ds1.hackunix.org@HACKUNIX.ORG in cache collection), referer: https://ds1.hackunix.org/ipa/xml
> [Tue May 07 17:19:55.358418 2013] [auth_kerb:error] [pid 701] [client 172.19.10.145:60609] Could not get default Kerberos ccache: No credentials cache found (-1765328189), referer: https://ds1.hackunix.org/ipa/xml
> [Tue May 07 17:19:55.362419 2013] [auth_kerb:error] [pid 701] [client 172.19.10.145:60609] gss_acquire_cred() failed: Unspecified GSS failure.  Minor code may provide more information (, Can't find client principal HTTP/ds1.hackunix.org@HACKUNIX.ORG in cache collection), referer: https://ds1.hackunix.org/ipa/xml
>
>
> Since I got FreeIPA up and running, I've only been messing with the
> nsslapd-minssf value to get oVirt's Java code working against it.
>
> Not sure why FreeIPA is permabroke when it is basically stock, and I'm
> just flipping one minssf bit.

Did you restart all IPA services including KDC after you changed the minssf?

>
> Thanks!
>
> Derek


-- 
Thank you,
Dmitri Pal

Sr. Engineering Manager for IdM portfolio
Red Hat Inc.

