Realm is replaced with my realm name on the server.

> On Jan 29, 2016, at 11:04 AM, Rob Crittenden wrote:
>
> David Zabner wrote:
>> Any guesses as to why I couldn’t revert to using the mod_auth_kerb library? It seems like this is the only place where the library is referenced one way or the other…
>>
>
> You need to set this globally:
>
> KrbConstrainedDelegationLock ipa
>
> And I assume you replaced $realm with your actual realm, right?
>
> It would also be useful to know how it doesn't work.
>
> rob
>
>> Thanks for all your help.
>>
>>> On Jan 29, 2016, at 6:35 AM, Petr Spacek wrote:
>>>
>>> Interesting, we have to investigate it!
>>>
>>> Here is a ticket:
>>> https://fedorahosted.org/freeipa/ticket/5653
>>>
>>> You can Cc yourself to it and watch the progress.
>>>
>>> Petr^2 Spacek
>>>
>>> On 28.1.2016 20:17, David Zabner wrote:
>>>> I was guessing that it was a problem with mod_auth_gssapi and so I tried switching the auth method back to mod_auth_kerb which did not work. (although it is entirely possible that I did not switch it correctly)
>>>>
>>>> I did it by changing the gssapi settings in /etc/httpd/conf.d/ipa.conf to:
>>>>
>>>> AuthType Kerberos
>>>> AuthName "Kerberos Login"
>>>> KrbMethodNegotiate on
>>>> KrbMethodK5Passwd off
>>>> KrbServiceName HTTP
>>>> KrbAuthRealms $realm
>>>> Krb5KeyTab /etc/httpd/conf/ipa.keytab
>>>> KrbSaveCredentials on
>>>> KrbConstrainedDelegation on
>>>> Require valid-user
>>>> ErrorDocument 401 /ipa/errors/unauthorized.html
>>>>
>>>> It just seemed to cause other problems...
>>>>
>>>> On Jan 28, 2016, at 1:44 PM, Izzo, Anthony wrote:
>>>>
>>>> I should add that some of my team members have tried serializing their instance launches, and this problem does not seem to occur under those circumstances. (That’s not a solution, just a data point for those interested in this behavior). Thanks.
>>>>
>>>>
>>>> From: Izzo, Anthony (U.S. Person)
>>>> Sent: Thursday, January 28, 2016 1:35 PM
>>>> To: freeipa-users@redhat.com
>>>> Cc: 'David Zabner'
>>>> Subject: RE: [Freeipa-users] Server error with multiple clients joining domain simultaneously
>>>>
>>>> Yes, that’s it!
>>>>
>>>> From: David Zabner [mailto:david@cazena.com]
>>>> Sent: Thursday, January 28, 2016 1:31 PM
>>>> To: Izzo, Anthony (U.S. Person)
>>>> Cc: freeipa-users@redhat.com
>>>> Subject: Re: [Freeipa-users] Server error with multiple clients joining domain simultaneously
>>>>
>>>> This sounds exactly like the problem I am having. I will attach my error log. Is this what yours looks like?
>>>> --
>>>> Manage your subscription for the Freeipa-users mailing list:
>>>> https://www.redhat.com/mailman/listinfo/freeipa-users
>>>> Go to http://freeipa.org for more info on the project
>>>
>>> --
>>> Petr^2 Spacek