On Thu, 19 Jul 2012, John Dennis wrote:
Rob may have already contacted you with this, but if not we would
like to get more debugging information by have the server log what is
occurring when it processes your requests.
To do this you'll need to turn on the debug flag in the IPA
configuration file /etc/ipa/default.conf, add a line that says:
debug = True
Then restart the server to pick up the new configuration. The
information will be written to /var/log/httpd/error_log.
We only need the contents of the log from when the server was
restarted with debug logging enabled. For privacy reasons I suggest
you send the contents of the log to one of the IPA team members
directly in a private email, not to the public freeipa list.
In addition we would like to see what's happening with krb5
communication under httpd processes.
In order to obtain that tracing information you need to do following:
1. Add KRB5_TRACE=/tmp/http_krb5_trace.log to /etc/sysconfig/httpd
2. Restart httpd (or httpd.service in Fedora)
3. Now you need to create the file and chown it to apache's user so that
httpd processes would be able to write to it:
find out PID of any of httpd processes, doesn't matter which one
chown apache /proc/$PID/cwd/tmp/http_krb5_trace.log
4. Now you can issue IPA commands and you'll get krb5 client tracing in
The reason why (3) talks about PID of httpd process is because in
Fedora, unlike in RHEL6.x, systemd is handling services startup and
systemd confines httpd to a private /tmp. Using /proc/$PID/cwd/tmp is
the easiest way to reach that private tmp.
5. Once finished and copied /proc/$PID/cwd/tmp/http_krb5_trace.log to an
archive location, make sure to remove the file and its reference from
/etc/sysconfig/httpd and restart the service.
/ Alexander Bokovoy
Freeipa-users mailing list