[Freeipa-users] Server error with multiple clients joining domain simultaneously

Rob Crittenden rcritten at redhat.com
Fri Jan 29 16:04:00 UTC 2016


David Zabner wrote:
> Any guesses as to why I couldn’t revert to using the mod_auth_kerb library? It seems like this is the only place where the library is referenced one way or the other…
> 

You need to set this globally:

KrbConstrainedDelegationLock ipa

And I assume you replaced $realm with your actual realm, right?

It would also be useful to know how it doesn't work.

rob

> Thanks for all your help.
> 
>> On Jan 29, 2016, at 6:35 AM, Petr Spacek <pspacek at redhat.com> wrote:
>>
>> Interesting, we have to investigate it!
>>
>> Here is a ticket:
>> https://fedorahosted.org/freeipa/ticket/5653
>>
>> You can Cc yourself to it and watch the progress.
>>
>> Petr^2 Spacek
>>
>> On 28.1.2016 20:17, David Zabner wrote:
>>> I was guessing that it was a problem with mod_auth_gssapi and so I tried switching the auth method back to mod_auth_kerb, which did not work (although it is entirely possible that I did not switch it correctly).
>>>
>>> I did it by changing the gssapi settings in /etc/httpd/conf.d/ipa.conf to:
>>> <Location "/ipa">
>>>  AuthType Kerberos
>>>  AuthName "Kerberos Login"
>>>  KrbMethodNegotiate on
>>>  KrbMethodK5Passwd off
>>>  KrbServiceName HTTP
>>>  KrbAuthRealms $realm
>>>  Krb5KeyTab /etc/httpd/conf/ipa.keytab
>>>  KrbSaveCredentials on
>>>  KrbConstrainedDelegation on
>>>  Require valid-user
>>>  ErrorDocument 401 /ipa/errors/unauthorized.html
>>> </Location>
>>> It just seemed to cause other problems...
>>>
>>> On Jan 28, 2016, at 1:44 PM, Izzo, Anthony <aizzo01 at harris.com> wrote:
>>>
>>> I should add that some of my team members have tried serializing their instance launches, and this problem does not seem to occur under those circumstances.  (That’s not a solution, just a data point for those interested in this behavior).  Thanks.
>>>
>>>
>>> From: Izzo, Anthony (U.S. Person)
>>> Sent: Thursday, January 28, 2016 1:35 PM
>>> To: freeipa-users at redhat.com
>>> Cc: 'David Zabner' <david at cazena.com>
>>> Subject: RE: [Freeipa-users] Server error with multiple clients joining domain simultaneously
>>>
>>> Yes, that’s it!
>>>
>>> From: David Zabner [mailto:david at cazena.com]
>>> Sent: Thursday, January 28, 2016 1:31 PM
>>> To: Izzo, Anthony (U.S. Person) <aizzo01 at harris.com>
>>> Cc: freeipa-users at redhat.com
>>> Subject: Re: [Freeipa-users] Server error with multiple clients joining domain simultaneously
>>>
>>> This sounds exactly like the problem I am having. I will attach my error log. Is this what yours looks like?
>>> --
>>> Manage your subscription for the Freeipa-users mailing list:
>>> https://www.redhat.com/mailman/listinfo/freeipa-users
>>> Go to http://freeipa.org for more info on the project
>>>
>>>
>>>
>>
>>
>> -- 
>> Petr^2 Spacek
> 
> 
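Added example (not part of the original thread and not FreeIPA project code): a small Python check for the two points raised in the reply above, that KrbConstrainedDelegationLock sits outside any <...> container (reading "globally" that way is an assumption) and that KrbAuthRealms no longer holds a literal $realm. The function name, finding codes and the EXAMPLE.COM realm are constructed for illustration; the sample block is abridged from the one posted in the thread.

```python
import re

SECTION_OPEN = re.compile(r"^<\s*[A-Za-z]+\b[^>]*>$")
SECTION_CLOSE = re.compile(r"^</\s*[A-Za-z]+\s*>$")

# Abridged from the <Location> block posted in the thread.
AS_POSTED = """<Location "/ipa">
 AuthType Kerberos
 KrbMethodNegotiate on
 KrbAuthRealms $realm
 KrbSaveCredentials on
 KrbConstrainedDelegation on
 Require valid-user
</Location>
"""
# Constructed: lock at top level, placeholder realm filled with EXAMPLE.COM.
CORRECTED = ("KrbConstrainedDelegationLock ipa\n"
             + AS_POSTED.replace("$realm", "EXAMPLE.COM"))


def check_krb_conf(text):
    """Return sorted finding codes (hypothetical names) for a config fragment."""
    depth = 0
    lock_global = lock_nested = delegation_on = False
    findings = set()
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if SECTION_CLOSE.match(line):
            depth = max(depth - 1, 0)
        elif SECTION_OPEN.match(line):
            depth += 1
        else:
            parts = line.split(None, 1) + [""]
            name, value = parts[0].lower(), parts[1].strip()
            if name == "krbconstraineddelegationlock":
                lock_global |= depth == 0
                lock_nested |= depth > 0
            elif name == "krbconstraineddelegation" and value.lower() == "on":
                delegation_on = True
            elif name == "krbauthrealms" and "$" in value:
                findings.add("realm-placeholder")
    if lock_nested:
        findings.add("lock-inside-container")
    if delegation_on and not lock_global:
        findings.add("lock-not-global")
    return sorted(findings)
```

Running check_krb_conf over the contents of /etc/httpd/conf.d/ipa.conf returns an empty list when neither issue is present.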



