[Freeipa-devel] FreeIPA quit working - or, IPA & oVirt

Derek Moore derek.p.moore at gmail.com
Wed May 8 22:39:25 UTC 2013

F your I: The kpasswd issue was only temporary... A while later it was
working just fine. Setting passwords in the webUI wasn't enough for oVirt,
I needed to set passwords with kpasswd. By the time I figured that out,
kpasswd was working with no changes (kdestroy/kinit were done when it
wasn't working).

Thanks again for the help, both of you!

On Wed, May 8, 2013 at 4:24 PM, Derek Moore <derek.p.moore at gmail.com> wrote:

> Hey, that did it! You're the man!
> I didn't have to downgrade openldap, just changed /etc/openldap/ldap.conf
> to "SASL_NOCANON off". This allowed the install script to complete, and the
> install script overwrote ldap.conf anyway, removing SASL_NOCANON altogether,
> so things still work.
> I rolled my own krb5/ldap/nss integration back in the early 2000s, so I
> feel you on all the upstream lib dependencies. (I used phpLDAPadmin to
> administer my Directory, and I integrated sendmailMTA objects, which are very
> nice [after fixing one or two braindead things about their schema {an
> inetOrgPerson could not be a sendmailMTA receiver, I wanted merged objects,
> no separate objects}].)
> After following your advice, I can no longer use kpasswd to set user
> passwords, but I can reset passwords in the web frontend, so that's fine
> for now.
> FreeIPA seems very nice so far, I hope to be able to make meaningful
> contributions as I become more familiar with this complex integration
> product.
> Thanks!
> Derek
> On Wed, May 8, 2013 at 2:15 PM, Rob Crittenden <rcritten at redhat.com> wrote:
>> Derek Moore wrote:
>>> Setting /etc/hostname manually and several restarts and reboots later, I
>>> finally got the install to work (mostly) properly again last night.
>>> But I still cannot get the XML-RPC server to function properly, the end
>>> of the install script fails on /usr/sbin/ipa-client-install:
>>>    ipalib.errors.NetworkError: cannot connect to
>>> 'https://ds1.hackunix.org/ipa/xml':
>>> Internal Server Error
>>> I can't get past the "No credentials cache found" error in Apache. The
>>> credentials cache it's looking for is httpd's keytab?
>> We're fighting some issues with changes in support libraries.
>> If you have openldap-2.4.35-3, the default value of SASL_NOCANON changed
>> to on (at our request ironically) which breaks ldapi requests, which we
>> also use. For 3.1.x and 3.2pre1 or beta1 I believe the only solution is to
>> downgrade openldap. We are working with upstream and have provided a patch
>> to the Fedora maintainer to mitigate this but it is yet unresolved.
>> If you have krb5 1.11.2-4 then you need to add KRB5CCNAME=/tmp/krb5cc_48
>> to the end of /etc/sysconfig/httpd. The ccache format was changed to DIR
>> and mod_auth_kerb doesn't support this yet. This fix should work with any
>> version of IPA.
>> rob
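A quick way to tell whether a host still carries the two workarounds Rob describes (so they can be backed out once fixed openldap and krb5 packages land), as an added example that is not from this thread or from the FreeIPA project: a POSIX shell script that inspects /etc/openldap/ldap.conf for "SASL_NOCANON off" and /etc/sysconfig/httpd for a KRB5CCNAME that points at a plain file ccache such as /tmp/krb5cc_48. The paths are the ones named in the thread; the function names and the "file ccache versus DIR: ccache" distinction used as the marker are my assumptions.

```shell
#!/bin/sh
# Added example (not from the thread): report whether the SASL_NOCANON and
# KRB5CCNAME workarounds are present. Paths default to the files named in the
# thread but are parameters so the checks can run against copied-out configs.

# Returns 0 when SASL_NOCANON is explicitly "off" in ldap.conf, 1 when it is
# "on" or absent (the openldap-2.4.35-3 default that breaks ldapi requests).
ldap_nocanon_is_off() {
    conf="${1:-/etc/openldap/ldap.conf}"
    [ -r "$conf" ] || return 1
    # Last uncommented SASL_NOCANON line wins; the value is case-insensitive.
    val=$(grep -i '^[[:space:]]*SASL_NOCANON[[:space:]]' "$conf" \
          | awk '{print tolower($2)}' | tail -n 1)
    [ "$val" = "off" ]
}

# Returns 0 when sysconfig/httpd sets KRB5CCNAME to a plain file ccache such
# as /tmp/krb5cc_48 (the mod_auth_kerb workaround), 1 otherwise.
httpd_ccache_workaround_present() {
    conf="${1:-/etc/sysconfig/httpd}"
    [ -r "$conf" ] || return 1
    ccname=$(grep -E '^[[:space:]]*(export[[:space:]]+)?KRB5CCNAME=' "$conf" \
             | tail -n 1 | sed 's/^[^=]*=//; s/^"\(.*\)"$/\1/')
    [ -n "$ccname" ] || return 1
    # A DIR: ccache is exactly what mod_auth_kerb could not read.
    case "$ccname" in
        DIR:*) return 1 ;;
        *)     return 0 ;;
    esac
}

# Prints one line per workaround; the exit status is the number still missing.
check_ipa_workarounds() {
    missing=0
    if ldap_nocanon_is_off "$1"; then
        echo "ldap.conf: SASL_NOCANON off (ldapi workaround in place)"
    else
        echo "ldap.conf: SASL_NOCANON on or unset, ldapi requests may fail"
        missing=$((missing + 1))
    fi
    if httpd_ccache_workaround_present "$2"; then
        echo "sysconfig/httpd: KRB5CCNAME points at a file ccache (workaround in place)"
    else
        echo "sysconfig/httpd: no usable KRB5CCNAME, expect 'No credentials cache found'"
        missing=$((missing + 1))
    fi
    return "$missing"
}
```

Source the file and call `check_ipa_workarounds` with no arguments to inspect the live files, or pass two paths to inspect copies.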