On 09/19/2012 03:47 PM, Rob Crittenden wrote:
> Dmitri Pal wrote:
>>
>> Rob, keytab and kerberos part seems to be fine, ldap works too.
>> Can it be one of the certs? Maybe some cert expired?
>
> No, the error is coming from GSSAPI, it is unfortunately
> completely useless. I think we've pretty well narrowed down the
> problem to httpd/mod_auth_kerb but I don't know yet if this is a
> configuration issue or a bug.
>
> Nathan, can you show me your /etc/httpd/conf.d/ipa.conf?

Sure, as far as I know it's completely stock, aside from the krb password auth change.

#
# VERSION 4 - DO NOT REMOVE THIS LINE
#
#
LoadModule auth_kerb_module modules/mod_auth_kerb.so

ProxyRequests Off

#We use xhtml, a file format that the browser validates
DirectoryIndex index.html

# ipa-rewrite.conf is loaded separately

# This is required so the auto-configuration works with Firefox 2+
AddType application/java-archive jar

# FIXME: WSGISocketPrefix is a server-scope directive. The mod_wsgi package
# should really be fixed by adding this to its /etc/httpd/conf.d/wsgi.conf:
WSGISocketPrefix /var/run/httpd/wsgi

# Configure mod_wsgi handler for /ipa
WSGIDaemonProcess ipa processes=2 threads=1 maximum-requests=500
WSGIProcessGroup ipa
WSGIApplicationGroup ipa
WSGIImportScript /usr/share/ipa/wsgi.py process-group=ipa application-group=ipa
WSGIScriptAlias /ipa /usr/share/ipa/wsgi.py
WSGIScriptReloading Off

# Turn off mod_wsgi handler for errors, config, crl:
<Location "/ipa/errors">
  SetHandler None
</Location>
<Location "/ipa/config">
  SetHandler None
</Location>
<Location "/ipa/crl">
  SetHandler None
</Location>

KrbConstrainedDelegationLock ipa

# Protect /ipa and everything below it in webspace with Apache Kerberos auth
<Location "/ipa">
  AuthType Kerberos
  AuthName "Kerberos Login"
  KrbMethodNegotiate on
  KrbMethodK5Passwd on
  KrbServiceName HTTP
  KrbAuthRealms SYSTEMS.LAFAYETTE.EDU
  Krb5KeyTab /etc/httpd/conf/ipa.keytab
  KrbSaveCredentials on
  KrbConstrainedDelegation on
  Require valid-user
  ErrorDocument 401 /ipa/errors/unauthorized.html
</Location>

# Turn off Apache authentication for sessions
<Location "/ipa/session/json">
  Satisfy Any
  Order Deny,Allow
  Allow from all
</Location>

<Location "/ipa/session/login_password">
  Satisfy Any
  Order Deny,Allow
  Allow from all
</Location>

# This is where we redirect on failed auth
Alias /ipa/errors "/usr/share/ipa/html"

# For the MIT Windows config files
Alias /ipa/config "/usr/share/ipa/html"

# Do no authentication on the directory that contains error messages
<Directory "/usr/share/ipa/html">
  SetHandler None
  AllowOverride None
  Satisfy Any
  Allow from all
</Directory>

# For CRL publishing
Alias /ipa/crl "/var/lib/pki-ca/publish"
<Directory "/var/lib/pki-ca/publish">
  SetHandler None
  AllowOverride None
  Options Indexes FollowSymLinks
  Satisfy Any
  Allow from all
</Directory>

# webUI is now completely static, and served out of that directory
Alias /ipa/ui "/usr/share/ipa/ui"
<Directory "/usr/share/ipa/ui">
  SetHandler None
  AllowOverride None
  Satisfy Any
  Allow from all
</Directory>

# Protect our CGIs
<Directory /var/www/cgi-bin>
  AuthType Kerberos
  AuthName "Kerberos Login"
  KrbMethodNegotiate on
  KrbMethodK5Passwd off
  KrbServiceName HTTP
  KrbAuthRealms SYSTEMS.LAFAYETTE.EDU
  Krb5KeyTab /etc/httpd/conf/ipa.keytab
  KrbSaveCredentials on
  Require valid-user
  ErrorDocument 401 /ipa/errors/unauthorized.html
</Directory>

# migration related pages
Alias /ipa/migration "/usr/share/ipa/migration"
<Directory "/usr/share/ipa/migration">
  AllowOverride None
  Satisfy Any
  Allow from all
  Options ExecCGI
  AddHandler wsgi-script .py
</Directory>

> rob
>
> _______________________________________________
> Freeipa-users mailing list
> Freeipa-users@redhat.com
> https://www.redhat.com/mailman/listinfo/freeipa-users

--
-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
Nathan Lager, RHCSA, RHCE (#110-011-426)
System Administrator
11 Pardee Hall
Lafayette College, Easton, PA 18042
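Added example, not code from the mail or from FreeIPA: a small Python audit that parses the <Location>/<Directory> blocks of an ipa.conf like the one above and reports, for each block, whether it requires Kerberos, also accepts a password fallback (KrbMethodK5Passwd on, the one change Nathan mentions), or is opened up with Satisfy Any / Allow from all. The sample config is constructed and condensed, and the parser only handles the flat, one-directive-per-line layout that ipa.conf uses.

```python
import re
# Constructed sample, condensed from the ipa.conf in the mail (same block kinds).
SAMPLE_CONF = """
<Location "/ipa/errors">
  SetHandler None
</Location>
<Location "/ipa">
  AuthType Kerberos
  KrbMethodK5Passwd on
</Location>
<Location "/ipa/session/login_password">
  Satisfy Any
  Allow from all
</Location>
<Directory /var/www/cgi-bin>
  AuthType Kerberos
  KrbMethodK5Passwd off
</Directory>
"""
SECTION_OPEN = re.compile(r'^<(Location|Directory)\s+"?([^">]+?)"?\s*>$')
SECTION_CLOSE = re.compile(r"^</(?:Location|Directory)>$")

def parse_sections(text):
    """Yield (kind, path, directives) per block; directive names are lower-cased."""
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if m := SECTION_OPEN.match(line):
            current = (m.group(1), m.group(2), {})
        elif SECTION_CLOSE.match(line) and current is not None:
            yield current
            current = None
        elif current is not None:
            key, _, value = line.partition(" ")
            current[2][key.lower()] = value.strip()

def classify(d):
    """Return kerberos / kerberos+password / open / inherited for one block's directives."""
    if d.get("authtype", "").lower() == "kerberos":
        # KrbMethodK5Passwd on additionally accepts a plain password via HTTP Basic auth
        pw = d.get("krbmethodk5passwd", "off").lower() == "on"
        return "kerberos+password" if pw else "kerberos"
    if d.get("satisfy", "").lower() == "any" and d.get("allow", "").lower() == "from all":
        return "open"  # Satisfy Any + Allow from all bypasses auth from an enclosing block
    return "inherited"  # nothing set here: the enclosing <Location>/<Directory> decides

def audit(text):
    return {f"{kind}:{path}": classify(d) for kind, path, d in parse_sections(text)}
```

Run audit() over the real /etc/httpd/conf.d/ipa.conf to see which URL spaces are reachable without a ticket and which still accept passwords after the KrbMethodK5Passwd change.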