[Freeipa-devel] FreeIPA quit working - or, IPA & oVirt
Rob Crittenden
rcritten at redhat.com
Wed May 8 19:15:50 UTC 2013
Derek Moore wrote:
> Setting /etc/hostname manually and several restarts and reboots later, I
> finally got the install to work (mostly) properly again last night.
>
> But I still cannot get the XML-RPC server to function properly, the end
> of the install script fails on /usr/sbin/ipa-client-install:
>
> ipalib.errors.NetworkError: cannot connect to
> 'https://ds1.hackunix.org/ipa/xml': Internal Server Error
>
> I can't get past the "No credentials cache found" error in Apache. The
> credentials cache it's looking for is httpd's keytab?
>
We're fighting some issues with changes in support libraries.

If you have openldap-2.4.35-3, the default value of SASL_NOCANON changed
to on (at our request ironically) which breaks ldapi requests, which we
also use. For 3.1.x and 3.2pre1 or beta1 I believe the only solution is
to downgrade openldap. We are working with upstream and have provided a
patch to the Fedora maintainer to mitigate this but it is yet unresolved.

If you have krb5 1.11.2-4 then you need to add KRB5CCNAME=/tmp/krb5cc_48
to the end of /etc/sysconfig/httpd. The ccache format was changed to DIR
and mod_auth_kerb doesn't support this yet. This fix should work with
any version of IPA.

rob
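
The KRB5CCNAME change described in the message above, applied idempotently. This is an added example, not code from the original message or from the FreeIPA project. The function name ensure_krb5ccname is hypothetical, and it assumes the file holds plain KEY=value lines where a later assignment overrides an earlier one.

```shell
#!/bin/sh
# Added example: make sure the httpd environment file carries exactly one
# active KRB5CCNAME assignment, with the value quoted in the message.
WANT='KRB5CCNAME=/tmp/krb5cc_48'
# Active (uncommented) assignment, with or without a leading "export".
ASSIGN_RE='^[[:space:]]*(export[[:space:]]+)?KRB5CCNAME='

# ensure_krb5ccname FILE
# Prints "unchanged", "appended" or "replaced"; returns non-zero on error.
ensure_krb5ccname() {
    file=$1
    if [ ! -f "$file" ]; then
        echo "no such file: $file" >&2
        return 1
    fi

    # All active assignments currently in the file (empty if none).
    active=$(grep -E "$ASSIGN_RE" "$file" || true)

    # Exactly one active line and it already has the wanted value.
    if [ "$active" = "$WANT" ]; then
        echo unchanged
        return 0
    fi

    if [ -z "$active" ]; then result=appended; else result=replaced; fi

    # Drop any conflicting active assignments (commented lines are kept),
    # then put the wanted line at the end of the file.
    tmp=$(mktemp) || return 1
    { grep -Ev "$ASSIGN_RE" "$file" || true; echo "$WANT"; } > "$tmp"

    # Write back in place so the file keeps its ownership and mode.
    cat "$tmp" > "$file"
    rm -f "$tmp"
    echo "$result"
}

# Usage (as root): ensure_krb5ccname /etc/sysconfig/httpd
# then restart httpd so it picks up the new environment.
```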