On 11/08/2013 03:00 PM, Jonathan Underwood wrote:
> On 8 November 2013 13:46, Dmitri Pal <d...@redhat.com> wrote:
>> On 11/08/2013 08:17 AM, Jonathan Underwood wrote:
>>> Sooo.... I think that means the problem lies with apache and NSS, right?
>>
>>
>> Or in the negotiated authentication.
>> Is there anything in the kerberos logs on the server side?
> 
> Nothing error wise.
> 
>> Can you do an ldap connection using GSSAPI from the client?
> 
> Yep. (Note the client machine in all my tests has actually been the
> same machine as the server).
> 
>> May be KDC is not accessible because FW does allow access to the KDC port?
>>
> 
> Nope, tisn't that, have stopped the iptables service, and also done a
> setenforce 0.
> 
>> Just some ideas what to check...
>>
> 
> OK, I am getting closer to diagnosing the problem. On the server
> machine I had also configured apache to serve up another name based
> vhost. Removing that vhost config and restarting httpd caused the ipa
> ping command to work successfully. So, this seems to be a problem with
> httpd/mod_nss and hosting IPA and other vhosts. Note the other vhost
> wasn't using nss or ssl. I'll dig some more.

Thanks Jonathan. If you get some results, you are very welcome to report back
so that we can eventually file a bug, if it is really something that can be
improved/fixed in FreeIPA side.

Martin

_______________________________________________
Freeipa-users mailing list
Freeipa-users@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-users

Reply via email to