[Freeipa-users] Unable to connect to IPA server: File Not Found

Rob Crittenden rcritten at redhat.com
Mon Mar 8 15:46:59 UTC 2010


Dmitri Pal wrote:
> Don,
> 
> Sorry, I accidentally deleted your post.
> I am resending it.
> 
> ===============================
> 
> 
> Greetings all:
> Turned out to be webservice getting reconfigured out from under me.  We
> didn't know that the management interface website was necessary for the
> command-line management tools.
> This raises a couple more questions:
> 1) Is the free-ipa website needed only for management (i.e.: changes) to
> the IPA (e.g.: user additions, password changes, service deletions,
> etc.), or is it required for the fundamental workings of authentication
> -- we think this unlikely as this should be handled by kerberos/ldap,
> etc., and we were able to auth while the website was down.

Apache provides a vehicle for getting to the TurboGears UI (via 
mod_proxy) and for the XML-RPC API used by the command-line. It isn't 
used for authentication/authorization.

> 2) What is the simplest way to configure the free-ipa website for
> command-line only usage -- is there a stand-alone daemon we can run for
> the free-ipa command-line utilities to work so we need not worry about
> free-ipa in our apache configs?

It only runs from within Apache right now and there are no plans to do 
otherwise. We have all of the IPA configuration centralized in two 
files: ipa.conf and ipa-rewrite.conf, if that helps.

> 3) It is worthy of mention that we do have redundant configuration
> between two servers, and will need them to be able to propagate changes
> across -- is the free-ipa website in any way related to this, or is this
> entirely handled by internal kerberos/ldap faculties?

Data (users, groups, etc.) replication is handled by 389-ds.

Per-service configuration is generally done on a per-box basis. We don't 
have integration with a configuration management system like puppet to 
keep configuration files in sync, if that is what you are asking.

rob

> 
> Regards,
> -Don
> {void}
> 
>> Greetings all: 
>> I'm thinking I just have to bounce something (or maybe it's been long
>> enough that I'm running the command wrong, but I don't think so). 
>> Note that I show the error when not authenticated, and that I can
>> authenticate without error: 
>> [root at sandbox1 ~]# ipa-finduser admin
>> Could not initialize GSSAPI: Unspecified GSS failure.  Minor code may
>> provide more information/Ticket expired
>> [root at sandbox1 ~]# kinit admin -k -t krb5.keytab
>> [root at sandbox1 ~]# ipa-finduser admin
>> Unable to connect to IPA server: File Not Found 
>>
>> I assume that the "File Not Found" is simply a poor error message. 
>> Any insight into what I need to do to fix this? 
>> I tried bouncing [ns-]ldap/dirsrv just in case that was the source of
>> our problem. 
>> NOTE:  We also use coda, and it has no difficulty authenticating to
>> [IPA] kerberos (though we are having an odd UID issue with non-admin
>> users which prompted the attempt to run some ipa-finduser queries). 
>>
>> Your assistance in this matter is greatly appreciated. 
>>
>> Regards,
>> -Don
>> {void} 
> 
> 



