<html>
  <head>
    <meta content="text/html; charset=ISO-8859-1"
      http-equiv="Content-Type">
  </head>
  <body bgcolor="#FFFFFF" text="#000000">
    <div class="moz-cite-prefix">On 12/19/2014 08:54 AM, Serafini, Adam
      wrote:<br>
    </div>
    <blockquote
cite="mid:2116090DBC1208469C5CA7CD3509B8EA15E43CB4@AMCMEXDB01.chellomedia.com"
      type="cite">
      <meta http-equiv="Content-Type" content="text/html;
        charset=ISO-8859-1">
      Hi,<br>
      <br>
      I am trying to write some software that communicates with the
      FreeIPA server from a remote client.<br>
      <br>
      Using Adam Young's helpful blog (<br>
      <a moz-do-not-send="true" class="moz-txt-link-freetext"
href="http://adam.younglogic.com/2010/07/talking-to-freeipa-json-web-api-via-curl/">http://adam.younglogic.com/2010/07/talking-to-freeipa-json-web-api-via-curl/</a>),
      I am successfully able to run this curl on the FreeIPA server
      itself:<br>
      <br>
      curl -v -H referer:<a moz-do-not-send="true"
        class="moz-txt-link-freetext" href="https://myserver.net/ipa">https://myserver.net/ipa</a>
      -H "Content-Type:application/json" -H "Accept:application/json"
      --negotiate -u : --cacert /etc/ipa/ca.crt -d
      '{"method":"user_find","params":[[""],{}],"id":0}' -X POST <a
        moz-do-not-send="true" class="moz-txt-link-freetext"
        href="https://myserver.net/ipa/json">https://myserver.net/ipa/json</a><br>
      <br>
      But when I try and run an similar curl from my client workstation
      (with pre-requisite Kerberos setup):<br>
      <br>
      curl -v -H referer:<a moz-do-not-send="true"
        class="moz-txt-link-freetext"
        href="https://myworkstation.net/ipa">https://myworkstation.net/ipa</a>
      -H "Content-Type:application/json" -H "Accept:application/json"
      --negotiate -u : --cacert /tmp/ca.crt -d
      '{"method":"user_find","params":[[""],{}],"id":0}' -X POST <a
        moz-do-not-send="true" class="moz-txt-link-freetext"
        href="https://myserver.net/ipa/json">https://myserver.net/ipa/json</a><br>
      <br>
      The following error is generated in the Apache logs:<br>
      <br>
      KerberosWSGIExecutioner.__call__: KRB5CCNAME not defined in HTTP
      request environment<br>
      <br>
      Would anyone have any pointers to fix, or a place to start
      investigating? I am assuming there is configuration problem but I
      have no idea where to begin. I believe I've done all the Kerberos
      setup correctly, but it's hard to tell.<br>
    </blockquote>
    <br>
    It seems that curl can't find kerberos ticket cache.<br>
    KRB5CCNAME is an environment variable that points to the location of
    the ticket cache.<br>
    Try defining it for curl and see what happens. I suppose knit works
    fine from the client you try it on.<br>
    <br>
    <blockquote
cite="mid:2116090DBC1208469C5CA7CD3509B8EA15E43CB4@AMCMEXDB01.chellomedia.com"
      type="cite">
      <br>
      Kind regards,<br>
      Adam<br>
      <br>
      <br>
      <br>
      <br>
      This message (including any attachments) may contain information
      that is privileged or confidential. If you are not the intended
      recipient, please notify the sender and delete this email
      immediately from your systems and destroy all copies of it. You
      may not, directly or indirectly, use, disclose, distribute, print
      or copy this email or any part of it if you are not the intended
      recipient
      <br>
      <fieldset class="mimeAttachmentHeader"></fieldset>
      <br>
    </blockquote>
    <br>
    <br>
    <pre class="moz-signature" cols="72">-- 
Thank you,
Dmitri Pal

Sr. Engineering Manager IdM portfolio
Red Hat, Inc.</pre>
  </body>
</html>