On 12/04/2017 03:57 PM, skrawczenko--- via FreeIPA-users wrote:
Hello all, I suppose the issue is quite typical, but I am still unable to find any 
solution.

All I need is to run some ipa CLI commands from scripts with a preliminary kinit.
I manage to authenticate as

kinit -F -k -t <keytab> <principal>

That allows me to use LDAP, for example; I can do ldapsearch -Y GSSAPI etc.
However, when trying to run CLI commands, I'm getting the following:

sh-4.2# ipa user-find aaa
ipa: ERROR: cannot connect to 'any of the configured servers': 
https://<idm0>/ipa/json, https://<idm1>/ipa/json

This is caused by the wsgi module, as it says in the httpd error log:

[Mon Dec 04 06:45:45.027199 2017] [:error] [pid 1745] ipa: ERROR: 500 Internal 
Server Error: KerberosWSGIExecutioner.__call__: KRB5CCNAME not defined in HTTP 
request environment
[Mon Dec 04 06:45:45.027769 2017] [:error] [pid 1745] [remote ...:60] mod_wsgi 
(pid=1745): Exception occurred processing WSGI script '/usr/share/ipa/wsgi.py'.

At the same time, when I do kinit <same principal> with manual password input, 
everything works as intended.
IPA has been upgraded to latest 4.5.0, wsgi module after yum update is

Name        : mod_wsgi
Arch        : x86_64
Version     : 3.4
Release     : 12.el7_0
Size        : 197 k

I never configured anything manually, so barely broke anything.
Please, any ideas?
_______________________________________________
FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org
To unsubscribe send an email to freeipa-users-le...@lists.fedorahosted.org

Hi,

I believe that the difference is linked to the -F option: you are asking for a non-forwardable ticket when using the keytab. Can you retry without -F and see if it fixes your issue?

Flo
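
A pre-flight check for the property the reply above asks about, as an added example that is not part of the original thread: it reads `klist -f` output and only calls `ipa` when the TGT carries the forwardable flag. The function names, the realm, the principal and the sample `klist -f` output are constructed, and the parser assumes the MIT Kerberos `klist -f` layout with a `Flags:` line under each ticket.

```shell
#!/bin/sh
# Added example: refuse to call the ipa CLI unless the keytab-obtained TGT
# carries the forwardable flag (F), the property the reply above asks about.

# Constructed samples of MIT "klist -f" output (realm and principal invented).
SAMPLE_NONFWD='Ticket cache: FILE:/tmp/krb5cc_0
Default principal: svc-script@EXAMPLE.TEST

Valid starting       Expires              Service principal
12/04/2017 06:40:00  12/05/2017 06:40:00  krbtgt/EXAMPLE.TEST@EXAMPLE.TEST
        renew until 12/11/2017 06:40:00, Flags: RIA'

SAMPLE_FWD='Ticket cache: FILE:/tmp/krb5cc_0
Default principal: svc-script@EXAMPLE.TEST

Valid starting       Expires              Service principal
12/04/2017 06:40:00  12/05/2017 06:40:00  krbtgt/EXAMPLE.TEST@EXAMPLE.TEST
        Flags: FIA'

# Read "klist -f" output on stdin and print the flag letters of the TGT.
tgt_flags() {
    awk '
        /krbtgt\//         { in_tgt = 1; next }
        in_tgt && /Flags:/ { sub(/.*Flags: */, ""); print; exit }
        in_tgt && /^[0-9]/ { in_tgt = 0 }  # next ticket started, no flags seen
    '
}

# Succeed only if the TGT on stdin is forwardable. The match is case-sensitive:
# "F" is forwardable, "f" means the ticket was itself forwarded.
is_forwardable() {
    case "$(tgt_flags)" in
        *F*) return 0 ;;
        *)   return 1 ;;
    esac
}

# Hypothetical wrapper: ipa_with_keytab <keytab> <principal> <ipa args...>
ipa_with_keytab() {
    keytab=$1; principal=$2; shift 2
    kinit -k -t "$keytab" "$principal" || return 1   # note: no -F
    if ! klist -f | is_forwardable; then
        echo "TGT for $principal is not forwardable; not calling ipa" >&2
        return 2
    fi
    ipa "$@"
}
```

Without `-F`, whether the ticket comes back forwardable depends on the client's krb5.conf and the KDC policy, which is why the wrapper checks the flags instead of assuming them.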