On 8 November 2013 13:46, Dmitri Pal <d...@redhat.com> wrote: > On 11/08/2013 08:17 AM, Jonathan Underwood wrote: >> Sooo.... I think that means the problem lies with apache and NSS, right? > > > Or in the negotiated authentication. > Is there anything in the kerberos logs on the server side?
Nothing error wise. > Can you do an ldap connection using GSSAPI from the client? Yep. (Note the client machine in all my tests has actually been the same machine as the server). > May be KDC is not accessible because FW does allow access to the KDC port? > Nope, tisn't that, have stopped the iptables service, and also done a setenforce 0. > Just some ideas what to check... > OK, I am getting closer to diagnosing the problem. On the server machine I had also configured apache to serve up another name based vhost. Removing that vhost config and restarting httpd caused the ipa ping command to work successfully. So, this seems to be a problem with httpd/mod_nss and hosting IPA and other vhosts. Note the other vhost wasn't using nss or ssl. I'll dig some more. _______________________________________________ Freeipa-users mailing list Freeipaemail@example.com https://www.redhat.com/mailman/listinfo/freeipa-users