Steve,

What version of IPA are you running? Is SELinux in permissive mode?
What are the permissions on /var/lib/ipa-client/pki/kdc-ca-bundle.pem and
/var/kerberos/krb5kdc/kdc.crt?
Could you share your /etc/sssd/sssd.conf?

On Tue, Sep 5, 2017 at 2:42 PM, Steve Huston via FreeIPA-users <
freeipa-users@lists.fedorahosted.org> wrote:

> Running a clone of RHEL (Springdale Linux), and recently upgraded to
> 7.4 and all its ensuing surprises.  Today's is strange because it
> affects one of three servers.
>
> If a user tries to log in to the web UI on 2/3 of the servers, they get
> the same error listed in this ticket:
>
>   https://pagure.io/freeipa/issue/6739
>
> One of the three servers works fine, and getting a Kerberos ticket
> first also works (assuming the browser is configured properly, etc).
>
> I noticed an error in the messages file on one of the failing machines:
>
>   Sep  5 13:22:59 ipa ipa-httpd-kdcproxy: ipa         : WARNING Unable to connect to dirsrv: cannot connect to 'ldapi://%2Fvar%2Frun%2Fslapd-ASTRO-PRINCETON-EDU.socket':
>   Sep  5 13:22:59 ipa ipa-httpd-kdcproxy: ipa         : WARNING Disabling KDC proxy
>
> So I ran an 'ipactl restart' on that machine, and saw it successfully
> connected later:
>
>   Sep  5 13:33:36 ipa systemd: Stopping The Apache HTTP Server...
>   Sep  5 13:33:37 ipa systemd: Starting The Apache HTTP Server...
>   Sep  5 13:33:38 ipa ipa-httpd-kdcproxy: ipa         : INFO     KDC proxy enabled
>   Sep  5 13:33:38 ipa systemd: Started The Apache HTTP Server.
>
> But that did not solve the problem.  I'm happy to provide more
> information, but as this is all new to me I don't know where to begin
> to debug.  Thanks for any pointers you can send my way.
>
> --
> Steve Huston - W2SRH - Unix Sysadmin, PICSciE/CSES & Astrophysical Sci
>   Princeton University  |    ICBM Address: 40.346344   -74.652242
>     345 Lewis Library   |"On my ship, the Rocinante, wheeling through
>   Princeton, NJ   08544 | the galaxies; headed for the heart of Cygnus,
>     (267) 793-0852      | headlong into mystery."  -Rush, 'Cygnus X-1'
> _______________________________________________
> FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org
> To unsubscribe send an email to freeipa-users-le...@lists.fedorahosted.org
>