Nathan Lager wrote:
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1



On 09/19/2012 03:47 PM, Rob Crittenden wrote:
Dmitri Pal wrote:

Rob, keytab and kerberos part seems to be fine, ldap works too.
Can it be one of the certs? May be some cert expired?

No, the error is coming from GSSAPI, it is unfortunately
completely useless. I think we've pretty well narrowed down the
problem to httpd/mod_auth_kerb but I don't know yet if this is a
configuration issue or a bug.

Nathan, can you show me your /etc/httpd/conf.d/ipa.conf?
Sure, as far as I know its completely stock, aside from the krb
password auth change.

Yup, configuration looks fine.

Ok, let's eliminate the ipa tool as the problem and try curl:

Create a file test.json with these contents:

{"method":"batch","params":[[
        {"method":"user_show","params":[["admin"],{"all":false}]}
        ],{}],"id":1}

then run this:

curl -H "Content-Type:application/json" -H "Accept:application/json" -H "Accept-Language:en" -H "Referer: https://caroline0.lafayette.edu/ipa/xml"; --negotiate -u : --cacert /etc/ipa/ca.crt -d @test.json -X POST https://caroline0.lafayette.edu/ipa/json

This does the equivalent of an: ipa user-show admin

rob

_______________________________________________
Freeipa-users mailing list
Freeipa-users@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-users

Reply via email to