[Freeipa-devel] FreeIPA quit working - or, IPA & oVirt

Rob Crittenden rcritten at redhat.com
Wed May 8 19:15:50 UTC 2013

Derek Moore wrote:
> Setting /etc/hostname manually and several restarts and reboots later, I
> finally got the install to work (mostly) properly again last night.
> But I still cannot get the XML-RPC server to function properly, the end
> of the install script fails on /usr/sbin/ipa-client-install:
>    ipalib.errors.NetworkError: cannot connect to
> 'https://ds1.hackunix.org/ipa/xml': Internal Server Error
> I can't get passed the "No credentials cache found" error in Apache. The
> credentials cache it's looking for is httpd's keytab?

We're fighting some issues with changes in support libraries.

If you have openldap-2.4.35-3, the default value of SASL_NOCANON changed 
to on (at our request ironically) which breaks ldapi requests, which we 
also use. For 3.1.x and 3.2pre1 or beta1 I believe the only solution is 
to downgrade openldap. We are working with upstream and have provided a 
patch to the Fedora maintainer to mitigate this but it is yet unresolved.

If you have krb5 1.11.2-4 then you need to add KRB5CCNAME=/tmp/krb5cc_48 
to the end of /etc/sysconfig/httpd. The ccache format was changed to DIR 
and mod_auth_kerb doesn't support this yet. This fix should work with 
any version of IPA.


More information about the Freeipa-devel mailing list