[Freeipa-users] http service keytab for cname virtual host

Simo Sorce simo at redhat.com
Thu Mar 29 19:09:01 UTC 2012


On Thu, 2012-03-29 at 20:43 +0200, Natxo Asenjo wrote:
> 
> On Thu, Mar 29, 2012 at 8:25 PM, Simo Sorce <simo at redhat.com> wrote:
>         Your configuration looks right, but I went back and looked at
>         your logs and I saw a permission denied error.
>
>         I would check that the apache user can access the keytab
>         file: /etc/httpd/conf/webserver01_http.keytab
>         If you are using RHEL/Fedora, also check the audit.log file in
>         case the file is mislabeled and SELinux is preventing access
>         to it.
> 
> Bingo! SELinux was indeed blocking it.
> 
> :-)
> 
> A few years ago I would have immediately looked at SELinux (or even
> disabled it right away during the installation), but since Fedora 12
> you guys have actually made it just work (TM), so I never thought of
> that.
> 
> This is really awesome, I am thoroughly enjoying ipa.
> 

Yes, SELinux works well. Use audit2allow to make a custom policy or apply
the right label, and don't disable SELinux please :-)

If you have problems we can help. Documenting on this list how to
properly configure SELinux with IPA-related deployments is considered on
topic and will make up useful documentation for others.

Simo.

-- 
Simo Sorce * Red Hat, Inc * New York
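
The audit.log check discussed in this thread, as an added example that is not part of the original message: a shell function that filters audit records for AVC denials hit by httpd on a named keytab and reports the denied permissions with the file's current SELinux type. The sample records and the admin_home_t label are constructed for illustration.

```shell
#!/bin/sh
# Constructed sample audit records (not from the thread). On a real host, read
# /var/log/audit/audit.log instead. The admin_home_t label is an assumed example
# of a keytab created under /root and then moved into /etc/httpd/conf.
SAMPLE_AUDIT_LOG='type=AVC msg=audit(1333047000.123:401): avc:  denied  { read } for  pid=2211 comm="httpd" name="webserver01_http.keytab" dev=dm-0 ino=393301 scontext=system_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:admin_home_t:s0 tclass=file
type=SYSCALL msg=audit(1333047000.123:401): arch=c000003e syscall=2 success=no exit=-13 comm="httpd" exe="/usr/sbin/httpd"
type=AVC msg=audit(1333047001.456:402): avc:  denied  { open } for  pid=2211 comm="httpd" name="webserver01_http.keytab" dev=dm-0 ino=393301 scontext=system_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:admin_home_t:s0 tclass=file
type=AVC msg=audit(1333047002.789:403): avc:  denied  { write } for  pid=3120 comm="sshd" name="authorized_keys" dev=dm-0 ino=401 scontext=system_u:system_r:sshd_t:s0 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file'

# keytab_denials NAME: read audit records on stdin and print one
# "permissions target_type" line per distinct AVC denial httpd hit on NAME.
keytab_denials() {
    grep -E 'avc: +denied' |
    grep -F 'comm="httpd"' |
    grep -F "name=\"$1\"" |
    sed -n 's/.*denied *{ \([^}]*\) }.*tcontext=[^:]*:[^:]*:\([^: ]*\).*/\1 \2/p' |
    sort -u
}

# Prints two lines: "open admin_home_t" and "read admin_home_t"
printf '%s\n' "$SAMPLE_AUDIT_LOG" | keytab_denials webserver01_http.keytab

# Follow-up on the host once a denial shows up:
#   ls -lZ /etc/httpd/conf/webserver01_http.keytab         # owner, mode, current label
#   restorecon -v /etc/httpd/conf/webserver01_http.keytab  # reset to the policy default label
```

A target type that does not belong to the web server policy points at a mislabeled file, which relabeling fixes without writing a custom policy module.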



