On 8 November 2013 13:46, Dmitri Pal <d...@redhat.com> wrote:
> On 11/08/2013 08:17 AM, Jonathan Underwood wrote:
>> Sooo.... I think that means the problem lies with apache and NSS, right?
>
>
> Or in the negotiated authentication.
> Is there anything in the kerberos logs on the server side?

Nothing error wise.

> Can you do an ldap connection using GSSAPI from the client?

Yep. (Note the client machine in all my tests has actually been the
same machine as the server).

> May be KDC is not accessible because FW does allow access to the KDC port?
>

Nope, tisn't that, have stopped the iptables service, and also done a
setenforce 0.

> Just some ideas what to check...
>

OK, I am getting closer to diagnosing the problem. On the server
machine I had also configured apache to serve up another name based
vhost. Removing that vhost config and restarting httpd caused the ipa
ping command to work successfully. So, this seems to be a problem with
httpd/mod_nss and hosting IPA and other vhosts. Note the other vhost
wasn't using nss or ssl. I'll dig some more.

_______________________________________________
Freeipa-users mailing list
Freeipa-users@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-users

Reply via email to