On Thu, 19 Jul 2012, John Dennis wrote:
Rob may have already contacted you with this, but if not we would like to get more debugging information by have the server log what is occurring when it processes your requests.

To do this you'll need to turn on the debug flag in the IPA configuration file /etc/ipa/default.conf, add a line that says:

debug = True

Then restart the server to pick up the new configuration. The information will be written to /var/log/httpd/error_log.

We only need the contents of the log from when the server was restarted with debug logging enabled. For privacy reasons I suggest you send the contents of the log to one of the IPA team members directly in a private email, not to the public freeipa list.
In addition we would like to see what's happening with krb5
communication under httpd processes.

In order to obtain that tracing information you need to do following:

1. Add KRB5_TRACE=/tmp/http_krb5_trace.log to /etc/sysconfig/httpd

2. Restart httpd (or httpd.service in Fedora)

3. Now you need to create the file and chown it to apache's user so that
   httpd processes would be able to write to it:

     find out PID of any of httpd processes, doesn't matter which one
     touch /proc/$PID/cwd/tmp/http_krb5_trace.log
     chown apache /proc/$PID/cwd/tmp/http_krb5_trace.log

4. Now you can issue IPA commands and you'll get krb5 client tracing in

The reason why (3) talks about PID of httpd process is because in
Fedora, unlike in RHEL6.x, systemd is handling services startup and
systemd confines httpd to a private /tmp. Using /proc/$PID/cwd/tmp is
the easiest way to reach that private tmp.

5. Once finished and copied /proc/$PID/cwd/tmp/http_krb5_trace.log to an
archive location, make sure to remove the file and its reference from
/etc/sysconfig/httpd and restart the service.

/ Alexander Bokovoy

Freeipa-users mailing list

Reply via email to