Nathan Lager wrote:
Sorry for falling off like that.
I opened a RedHat ticket on the issue, and have been running in
circles with them. I forgot to check on the list for responses.
I'm still having problems. Someone suggested I try:
kinit -kt /etc/httpd/conf/ipa.keytab HTTP/ipaserver.lafayette.edu
Which I just did, and it worked, or, at least it initialized my session.
I'm still unable to execute ipa commands. In fact, I'm unable to
execute almost any ipa commands.
The web interface works, but only after RedHat had me enable kerberos
password auth in the httpd config. So I can now auth to the web gui
interactively, instead of requiring a kinit from my workstation.
The only real client I have here is RHEV. And auth there still works
except on accounts which have expired. Those accounts can't even
change their passwords.
RedHat had me disable the password expiration via the web gui, however
that hasn't helped accounts that are already expired.
RedHat is currently blaming time skew, which I think is ridiculous.
I'm testing my ipa commands right on the ipa master. How could there
possibly be time skew? I did find that the time on my replica was
off, but my replica isn't working anyway, which is a whole other issue.
I think it needs to be flattened and re-joined.
I think we need to start with the basics, so here is a slew of
questions, things to try:
You said you enabled password auth? Did you do this by setting
KrbMethodK5Passwd to on?
You say that some commands work, which ones?
It seems that kinit works? kinit admin
Can you set LogLevel debug in /etc/httpd/conf.d/nss.conf and restart the
httpd service, then:
$ kinit admin
$ ipa user-show admin
Provide the logs covering the restart of Apache until the error from
/var/log/httpd/error_log, /var/log/krb5kdc.log and
/var/log/dirsrv/slapd-YOURINSTANCE/access. This last log buffers for 30
seconds so it may be a while before it gets updated.
What are the versions of:
This is RHEL 6.3?
The problem seems isolated to mod_auth_kerb and/or s4u2proxy since it
works with password authentication in the UI.
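The debugging steps requested in the reply above (turn on `LogLevel debug` in nss.conf, restart httpd, reproduce with `kinit admin` / `ipa user-show admin`, then collect only the log lines written since the restart) can be scripted so the bundle handed to support is consistent. This is an added example, not code from the thread or from FreeIPA. It assumes it runs as root on the IPA master; the config and log paths are the ones named in the reply, `YOURINSTANCE` is the reply's own placeholder for the directory server instance name, and `service httpd restart` is assumed to be the right restart command for this RHEL 6 host.

```shell
#!/bin/sh
# Added example (not from the thread). Assumptions: runs as root on the IPA
# master; paths are those named in the reply; INSTANCE is the slapd instance
# name (YOURINSTANCE is the reply's placeholder, override via the environment).
NSS_CONF="${NSS_CONF:-/etc/httpd/conf.d/nss.conf}"
INSTANCE="${INSTANCE:-YOURINSTANCE}"
ERROR_LOG="${ERROR_LOG:-/var/log/httpd/error_log}"
KDC_LOG="${KDC_LOG:-/var/log/krb5kdc.log}"
ACCESS_LOG="${ACCESS_LOG:-/var/log/dirsrv/slapd-$INSTANCE/access}"

# Set "LogLevel <level>" in an nss.conf-style file: replace an existing
# LogLevel directive, or append one if the file has none. Leaves exactly one
# LogLevel line and returns 0 only if it reads back as expected.
set_nss_loglevel() {
    conf="$1"
    level="${2:-debug}"
    tmp="$conf.tmp.$$"
    if grep -q '^[[:space:]]*LogLevel[[:space:]]' "$conf"; then
        sed "s/^[[:space:]]*LogLevel[[:space:]].*/LogLevel $level/" "$conf" > "$tmp" \
            && mv "$tmp" "$conf"
    else
        printf 'LogLevel %s\n' "$level" >> "$conf"
    fi
    grep -q "^LogLevel $level\$" "$conf"
}

# Record how many lines a log has right now, so that only lines written after
# the restart are collected later. A missing log counts as zero lines.
log_mark() {
    if [ -f "$1" ]; then wc -l < "$1" | tr -d ' '; else echo 0; fi
}

# Print the lines of a log written after a mark taken with log_mark.
log_since() {
    file="$1"
    mark="$2"
    [ -f "$file" ] || return 0
    tail -n +"$((mark + 1))" "$file"
}

# Run the full procedure from the reply and leave the results in one directory.
collect_debug_bundle() {
    out="${1:-/tmp/ipa-debug.$$}"
    mkdir -p "$out" || return 1
    set_nss_loglevel "$NSS_CONF" debug || return 1

    m_err=$(log_mark "$ERROR_LOG")
    m_kdc=$(log_mark "$KDC_LOG")
    m_acc=$(log_mark "$ACCESS_LOG")

    service httpd restart > "$out/httpd-restart.txt" 2>&1

    # Reproduce the failure exactly as the reply asks.
    kinit admin > "$out/kinit.txt" 2>&1
    ipa user-show admin > "$out/ipa-user-show.txt" 2>&1
    echo "ipa user-show exit status: $?" >> "$out/ipa-user-show.txt"

    # The reply notes the directory server access log is buffered for about
    # 30 seconds, so wait before reading it back.
    sleep 35
    log_since "$ERROR_LOG" "$m_err" > "$out/httpd-error_log"
    log_since "$KDC_LOG" "$m_kdc" > "$out/krb5kdc.log"
    log_since "$ACCESS_LOG" "$m_acc" > "$out/dirsrv-access"
    echo "$out"
}

# Only run the procedure when explicitly asked, so the functions can be
# sourced and exercised without touching a live server.
if [ "${1:-}" = "run" ]; then
    collect_debug_bundle "${2:-}"
fi
```

Invoke as `sh ipa-debug.sh run /tmp/ipa-debug` on the master and attach the resulting directory to the ticket; the three log files contain only what was written between the restart and the failing `ipa user-show`, which is the window the reply asks for.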
Freeipa-users mailing list