Re: [Freeipa-devel] V4/Sub-CAs review

2016-05-17 Thread Nalin Dahyabhai
On Tue, May 17, 2016 at 01:28:15PM +0200, Jan Cholasta wrote: > > > 7) > > > > > > How is a certificate going to be requested from a specific sub-CA using > > > the > > > getcert command? > > > > > I added a preliminary design; add a new

Re: [Freeipa-devel] Added kpasswd_server directive in client krb5.conf

2016-01-04 Thread Nalin Dahyabhai
On Mon, Dec 21, 2015 at 12:17:08PM +0530, Abhijeet Kasurde wrote: > Hi All, > > Please review patches attached. The port number should probably be changed from 749 to 464. HTH, Nalin

Re: [Freeipa-devel] [PATCH] 0010 Add 'host' setting into default.conf configuration file

2014-09-03 Thread Nalin Dahyabhai
On Tue, Sep 02, 2014 at 10:18:12AM +0200, Jan Cholasta wrote: Dne 27.8.2014 v 16:49 David Kupka napsal(a): On 08/27/2014 11:22 AM, Jan Cholasta wrote: Dne 26.8.2014 v 15:55 Rob Crittenden napsal(a): David Kupka wrote: On 08/26/2014 03:08 PM, Jan Cholasta wrote: Hi, Dne 26.8.2014 v 13:01

Re: [Freeipa-devel] [PATCH] 0008 Use certmonger D-Bus API instead of messing with its files.

2014-09-03 Thread Nalin Dahyabhai
On Wed, Sep 03, 2014 at 02:34:44PM +0200, Martin Kosek wrote: On 09/03/2014 02:07 PM, Jan Cholasta wrote: I was about to ask the same. Another option is to ask Nalin to update certmonger in F20. CCing Nalin. What is your take on this, do you plan to release it to F20. AFAIK, it is just

Re: [Freeipa-devel] [PATCH] 0010 Add 'host' setting into default.conf configuration file

2014-09-03 Thread Nalin Dahyabhai
On Wed, Sep 03, 2014 at 04:25:00PM +0200, Martin Kosek wrote: On 09/03/2014 03:41 PM, Jan Cholasta wrote: ldap_uri is set only on servers, on clients you should use server (we should probably un-deprecate it). You could use host as a fallback, but it will only work on servers, as it points

Re: [Freeipa-devel] Reasons for not using certmonger DBus API

2014-07-31 Thread Nalin Dahyabhai
On Thu, Jul 31, 2014 at 09:19:28AM +0200, Jan Cholasta wrote: If you mean host, yes, the man page says it's the server's hostname, but I don't think that's entirely true - it is currently set during server install, but it defaults to local hostname even on clients. IMO we could set it in

Re: [Freeipa-devel] Reasons for not using certmonger DBus API

2014-07-30 Thread Nalin Dahyabhai
On Wed, Jul 30, 2014 at 04:28:50PM +0200, Jan Cholasta wrote: These two functions are used to force local hostname in certmonger. IMO the right thing to do here would be to drop these two functions and fix ipa-submit so that it reads the required configuration from /etc/ipa/default.conf. Can

Re: [Freeipa-devel] Reasons for not using certmonger DBus API

2014-07-30 Thread Nalin Dahyabhai
On Wed, Jul 30, 2014 at 03:51:08PM +0200, David Kupka wrote: In fact it is almost enough complete for us. The only operation I can't find is 'write ca_external_helper'. add_principal_to_cas and remove_principal_from_cas are modifying this entry in ca file. Certmonger provide 'get_location'

Re: [Freeipa-devel] Reasons for not using certmonger DBus API

2014-07-23 Thread Nalin Dahyabhai
On Wed, Jul 23, 2014 at 11:32:52AM +0300, Alexander Bokovoy wrote: Were there DBus Python bindings available in RHEL 5/6 at the time when the code was written? Yes, but the API itself wasn't all there, and large parts of the internals needed to be rewritten around its 0.53 release. Before

Re: [Freeipa-devel] Reasons for not using certmonger DBus API

2014-07-23 Thread Nalin Dahyabhai
On Wed, Jul 23, 2014 at 10:12:39AM +0200, Martin Kosek wrote: Certmonger API looked complete enough to pull this off: https://git.fedorahosted.org/cgit/certmonger.git/tree/doc/api.txt If I am wrong, please tell me. No, it's meant to be complete -- the getcert command only uses the APIs to

Re: [Freeipa-devel] [PATCHES] 295-299 Allow changing chaining of the IPA CA certificate

2014-06-30 Thread Nalin Dahyabhai
On Fri, Jun 27, 2014 at 06:19:25PM -0400, Rob Crittenden wrote: How it is monitoring with a ca-error I don't know. If there's a previously-issued certificate present, the state machine goes back to monitoring rather than the dead-end rejected state, so that it'll try again later when certificate

Re: [Freeipa-devel] CA certificate renewal, shared store trust settings

2014-05-30 Thread Nalin Dahyabhai
On Fri, May 30, 2014 at 09:09:46AM +0200, Jan Cholasta wrote: On 29.5.2014 19:44, Nalin Dahyabhai wrote: I'm working on adding to certmonger the ability to read the IPA root certificate from the server and store it locally, and I'm looking at the V4 shared certificate store feature [1

[Freeipa-devel] CA certificate renewal, shared store trust settings

2014-05-29 Thread Nalin Dahyabhai
I'm working on adding to certmonger the ability to read the IPA root certificate from the server and store it locally, and I'm looking at the V4 shared certificate store feature [1] with an eye toward also pulling down and processing those certificates. Before I head down that path, I've got a

[Freeipa-devel] [PATCH] BuildRequires: rhino in .spec file

2014-03-14 Thread Nalin Dahyabhai
org.mozilla.javascript.tools.shell.Main Error: Could not find or load main class org.mozilla.javascript.tools.shell.Main Those classes are provided by the 'rhino' package in Raw Hide, so I suggest adding it as a build-time requirement. Nalin From b8b146c09c9c77105f4f48743cd6d59ca6903f16 Mon Sep 17 00:00:00 2001 From: Nalin

[Freeipa-devel] Handling of multiple krbPrincipalNames and of krbCanonicalNames

2013-10-07 Thread Nalin Dahyabhai
d4330cd204757bdbbcb50164d03fedf864d6b736 Mon Sep 17 00:00:00 2001 From: Nalin Dahyabhai na...@dahyabhai.net Date: Mon, 7 Oct 2013 15:24:29 -0400 Subject: [PATCH 1/4] Accept any alias, not just the last value If the entry's krbPrincipalName attribute is multi-valued, accept any of the values, not just the last one

Re: [Freeipa-devel] [PATCH 111] ipa-client-install: Publish CA certificate to systemwide store

2013-09-24 Thread Nalin Dahyabhai
On Tue, Sep 24, 2013 at 01:30:10PM +0200, Jan Cholasta wrote: We discussed this with Tomáš off-line and it turns out that ipa-client-install fails if the CA cert is not added to /etc/pki/nssdb. However, according to p11-kit docs it should work:

Re: [Freeipa-devel] Multiple CA certificates in LDAP, questions

2013-09-09 Thread Nalin Dahyabhai
On Mon, Sep 09, 2013 at 10:05:59AM -0400, John Dennis wrote: On 09/09/2013 10:02 AM, Nalin Dahyabhai wrote: I'd expect it to depend heavily on whether or not you're chaining up to an external CA. Personally, I'd very much want to keep a different set of trust anchors for PKINIT

Re: [Freeipa-devel] Multiple CA certificates in LDAP, questions

2013-09-09 Thread Nalin Dahyabhai
On Mon, Sep 09, 2013 at 10:32:08AM -0400, John Dennis wrote: Good point. Isn't there an X509 extension (possibly part of PKIX?) which restricts membership in the chain path to a criteria. In other words you can require your sub-CA to be present in the chain. Sorry, but my memory is a bit fuzzy

Re: [Freeipa-devel] Multiple CA certificates in LDAP, questions

2013-09-09 Thread Nalin Dahyabhai
On Mon, Sep 09, 2013 at 01:07:09PM -0700, Henry B. Hotz wrote: On Sep 9, 2013, at 9:02 AM, Nalin Dahyabhai na...@redhat.com wrote: On Mon, Sep 09, 2013 at 10:32:08AM -0400, John Dennis wrote: Good point. Isn't there an X509 extension (possibly part of PKIX?) which restricts membership

Re: [Freeipa-devel] [PATCH] slapi-nis support for trusted domains

2013-08-05 Thread Nalin Dahyabhai
On Mon, Aug 05, 2013 at 03:45:06PM +0300, Alexander Bokovoy wrote: OK, fair enough. I did use of libsss_nss_idmap optional. For tests I think we need to involve nsswrapper here to make sure of a predictable testing. I've added: --with-nsswitch use nsswitch API to look up users

Re: [Freeipa-devel] [PATCH] slapi-nis support for trusted domains

2013-08-04 Thread Nalin Dahyabhai
Crikey, that was fast. On Fri, Aug 02, 2013 at 04:44:33PM +0300, Alexander Bokovoy wrote: On Thu, 01 Aug 2013, Nalin Dahyabhai wrote: HEAD~10: * Add internal whitespace when computing the value to pass to slapi_ch_malloc(). * Break the declaration and initialization of str into two lines

Re: [Freeipa-devel] [PATCH] slapi-nis support for trusted domains

2013-08-01 Thread Nalin Dahyabhai
On Wed, Jul 31, 2013 at 03:53:21PM +0300, Alexander Bokovoy wrote: Authentication is handled for both IPA and trusted domain users. The former case requires some specific handling of the SLAPI_BIND_TARGET_SDN to rewrite it to the original entry's DN. As result successful bind looks like this

Re: [Freeipa-devel] [PATCH] slapi-nis support for trusted domains

2013-07-23 Thread Nalin Dahyabhai
Apologies for the delay. On Mon, Jul 15, 2013 at 08:30:03PM +0300, Alexander Bokovoy wrote: Here is the logic: 0. Configuration is performed by setting schema-compat-lookup-sssd: user|group schema-compat-sssd-min-id: value in corresponding schema-compat plugin tree (cn=users and

Re: [Freeipa-devel] [PATCH] slapi-nis support for trusted domains

2013-07-23 Thread Nalin Dahyabhai
On Tue, Jul 23, 2013 at 10:15:47AM +0300, Alexander Bokovoy wrote: On Tue, 23 Jul 2013, Nalin Dahyabhai wrote: Apologies for the delay. Thanks for the review! One short comment -- PAM code is from PAM pass-through plugin from 389-ds. That's the reason why its code doesn't follow slapi-nis

Re: [Freeipa-devel] [PATCH] 1079 address CA subsystem renewal issues

2013-01-14 Thread Nalin Dahyabhai
On Fri, Jan 11, 2013 at 06:49:08PM -0500, Rob Crittenden wrote: Revised patch that takes advantage of new version of certmonger. certmonger-0.65 adds locking from the time renewal begins to the end of the post_save_command. A note: the lock isn't obtained until after we've obtained a

Re: [Freeipa-devel] [PATCH] 1072 enable transaction support

2012-11-20 Thread Nalin Dahyabhai
On Tue, Nov 20, 2012 at 02:08:04PM +0100, Martin Kosek wrote: 4) nsslapd-pluginbetxn is not set for schema compatibility plugin after upgrade: # Schema Compatibility, plugins, config dn: cn=Schema Compatibility,cn=plugins,cn=config nsslapd-pluginId: schema-compat-plugin cn: Schema

Re: [Freeipa-devel] [PATCH] 1072 enable transaction support

2012-11-16 Thread Nalin Dahyabhai
On Thu, Nov 15, 2012 at 11:53:44PM -0500, Rob Crittenden wrote: In order for this to work you'll need to apply the last two patches (both 0001) to slapi-nis and spin it up yourself, otherwise you'll have serious deadlock issues. I know this is extra work but this patch is potentially

Re: [Freeipa-devel] slow response

2012-10-05 Thread Nalin Dahyabhai
On Fri, Oct 05, 2012 at 12:02:52PM -0700, Stephen Ingram wrote: As I'm thinking this might also solve my IPA large memory usage issue, I've been following this bug and see there is now a patch for it. I also see it is in QA along with several other IPA-related (and non-IPA-related) Kerberos

Re: [Freeipa-devel] [PATCH] Patch to allow IPA to work with dogtag 10 on f18

2012-09-10 Thread Nalin Dahyabhai
On Mon, Sep 10, 2012 at 04:58:40PM -0400, Rob Crittenden wrote: certificate renewal failed. I spent far too long trying to figure out why tomcat wasn't listening on port 9180 but failed. I think 9180 is actually the old server, right? So another missing dependency on a fixed certmonger? The

Re: [Freeipa-devel] [PATCH] Patch to allow IPA to work with dogtag 10 on f18

2012-09-05 Thread Nalin Dahyabhai
On Wed, Aug 29, 2012 at 08:48:32AM -0400, Ade Lee wrote: Incidentally, I ran this in permissive selinux mode. The following rules are required to be added: #= certmonger_t == corenet_tcp_connect_http_cache_port(certmonger_t)

Re: [Freeipa-devel] [PATCH] Patch to allow IPA to work with dogtag 10 on f18

2012-09-05 Thread Nalin Dahyabhai
On Wed, Sep 05, 2012 at 05:08:12PM -0400, Ade Lee wrote: On Wed, 2012-09-05 at 16:43 -0400, Nalin Dahyabhai wrote: On Wed, Aug 29, 2012 at 08:48:32AM -0400, Ade Lee wrote: Incidentally, I ran this in permissive selinux mode. The following rules are required to be added

Re: [Freeipa-devel] [PATCH] 1033 renew CA subsystem certificates

2012-07-16 Thread Nalin Dahyabhai
On Mon, Jul 16, 2012 at 09:23:24AM -0400, Rob Crittenden wrote: Use the new certmonger capability to be able to renew the dogtag subsystem certificates (audit, OCSP, etc). Are the copies of the certificates in the pki-ca CS.cfg file being updated elsewhere? Or is it not turning out to be a

Re: [Freeipa-devel] [PATCH] compat ieee802Device entries for ipaHost entries

2012-04-24 Thread Nalin Dahyabhai
need it. Thanks! Nalin From 837575de789228428618e1338256321769720abb Mon Sep 17 00:00:00 2001 From: Nalin Dahyabhai na...@dahyabhai.net Date: Mon, 16 Apr 2012 15:31:12 -0400 Subject: [PATCH 2/3] - create a cn=computers compat area populated with ieee802Device entries corresponding to computers

Re: [Freeipa-devel] [PATCH] add ethers.byname and ethers.byaddr NIS maps

2012-04-24 Thread Nalin Dahyabhai
the configuration just makes sure that the list of keys starts out at the same length as the list of values, and then uses the regex to strip out the parts we don't want. Revised patch attached. Cheers, Nalin From 33aea09a1c1b48d6dcc3deef884fd33c938a1d6f Mon Sep 17 00:00:00 2001 From: Nalin Dahyabhai na

Re: [Freeipa-devel] [PATCH] compat ieee802Device entries for ipaHost entries

2012-04-23 Thread Nalin Dahyabhai
On Mon, Apr 23, 2012 at 05:03:28PM +0200, Jan Cholasta wrote: On 16.4.2012 22:39, Nalin Dahyabhai wrote: This bit of configuration creates a cn=computers area under cn=compat which we populate with ieee802Device entries corresponding to any ipaHost entries which have both fqdn and macAddress

Re: [Freeipa-devel] [PATCH] index fqdn and macAddress attributes

2012-04-23 Thread Nalin Dahyabhai
On Mon, Apr 23, 2012 at 04:40:11PM +0200, Jan Cholasta wrote: On 16.4.2012 22:32, Nalin Dahyabhai wrote: When we implement ticket #2259, indexing fqdn and macAddress should help the Schema Compatibility and NIS Server plugins locate relevant computer entries more easily. Please add

Re: [Freeipa-devel] [PATCH] add ethers.byname and ethers.byaddr NIS maps

2012-04-23 Thread Nalin Dahyabhai
On Mon, Apr 23, 2012 at 05:40:27PM +0200, Jan Cholasta wrote: On 23.4.2012 17:21, Jan Cholasta wrote: On 16.4.2012 22:51, Nalin Dahyabhai wrote: The ethers.byname and ethers.byaddr NIS maps pair host names and hardware network addresses. This should close ticket #2259. Please add

[Freeipa-devel] [PATCH] index fqdn and macAddress attributes

2012-04-16 Thread Nalin Dahyabhai
When we implement ticket #2259, indexing fqdn and macAddress should help the Schema Compatibility and NIS Server plugins locate relevant computer entries more easily. Nalin From 44491a90ae258e3932a7a19d61313d28f8936978 Mon Sep 17 00:00:00 2001 From: Nalin Dahyabhai na...@dahyabhai.net Date: Mon

[Freeipa-devel] [PATCH] compat ieee802Device entries for ipaHost entries

2012-04-16 Thread Nalin Dahyabhai
This bit of configuration creates a cn=computers area under cn=compat which we populate with ieee802Device entries corresponding to any ipaHost entries which have both fqdn and macAddress values. Nalin From 7cffe5a5d62e54e1dc7c621df131f621e49c14f5 Mon Sep 17 00:00:00 2001 From: Nalin Dahyabhai na

[Freeipa-devel] [PATCH] add ethers.byname and ethers.byaddr NIS maps

2012-04-16 Thread Nalin Dahyabhai
The ethers.byname and ethers.byaddr NIS maps pair host names and hardware network addresses. This should close ticket #2259. Nalin From a69406b83496c053dbe68ab7e019c86242c06565 Mon Sep 17 00:00:00 2001 From: Nalin Dahyabhai na...@dahyabhai.net Date: Mon, 16 Apr 2012 15:33:42 -0400 Subject

Re: [Freeipa-devel] [PATCH] 998 certmonger restarts services on renewal

2012-04-02 Thread Nalin Dahyabhai
On Mon, Apr 02, 2012 at 03:47:20PM +0200, Martin Kosek wrote: On Tue, 2012-03-27 at 17:40 -0400, Rob Crittenden wrote: Certmonger will currently automatically renew server certificates but doesn't restart the services so you can still end up with expired certificates if your services never

Re: [Freeipa-devel] IPAv2 on SL6.2 using NIS fails with Failed password error

2012-03-12 Thread Nalin Dahyabhai
On Fri, Mar 09, 2012 at 04:06:33PM -0500, Dmitri Pal wrote: As far as I understand underlying DS can also be configured to create weak hashes needed for NIS but it is not recommended. But this is something that gurus should confirm. The NIS server will serve up password hashes which

Re: [Freeipa-devel] [PATCH] 913 Fix pylint failures on F-16

2011-12-08 Thread Nalin Dahyabhai
On Thu, Dec 08, 2011 at 04:14:38PM -0500, Rob Crittenden wrote: A few things need to be updated to make the ipa-2-1 branch build in F-16 with pylint. I've updated the example to use the object's default_attribute list instead of using output_params(), this is preferred anyway I also

Re: [Freeipa-devel] [PATCH] #2038 modify salt creation

2011-11-04 Thread Nalin Dahyabhai
On Thu, Nov 03, 2011 at 06:26:15PM -0400, Simo Sorce wrote: As stated in the bug in order to attain better interoperability with Windows clients we need to change the way we generate the random salt. Nack. The data in a krb5_data is of type 'char', and if it's signed, the math used here

Re: [Freeipa-devel] [PATCH] #2038 modify salt creation

2011-11-04 Thread Nalin Dahyabhai
On Fri, Nov 04, 2011 at 04:45:02PM -0400, Simo Sorce wrote: After a quick review with nalin offline I decided for a different approach that properly covers the range of values we want and is more similar to the initial code. New patches attached. Looks good to me. Please bump up

Re: [Freeipa-devel] change to interface used to provide certificates

2011-10-17 Thread Nalin Dahyabhai
On Fri, Oct 14, 2011 at 11:23:27PM -0400, John Dennis wrote: Importing and exporting certs via the web UI and command line are not common operations. The only significant impact changing to requiring PEM input would be on our automated tests which would have to make sure they supplied PEM

[Freeipa-devel] [PATCH] tweaks to ipa-replica-prepare.1

2011-10-04 Thread Nalin Dahyabhai
I started reading this page, and the description for --pkinit_pin looked wrong. While in there, I figured it might be useful to note that the PKCS#12 files also contain the private keys. Nalin From 8fe270e43d7790dbd4210be9ff212ce410e3da69 Mon Sep 17 00:00:00 2001 From: Nalin Dahyabhai na

[Freeipa-devel] [PATCH] Select a server with a CA on it when submitting signing requests.

2011-06-14 Thread Nalin Dahyabhai
, behave as before, and let the error we previously would have gotten for trying to submit a signing request to a non-CA happen. Nalin From 373fd1a878f39361a33c58e7ccf6057159d203be Mon Sep 17 00:00:00 2001 From: Nalin Dahyabhai na...@dahyabhai.net Date: Wed, 8 Jun 2011 11:09:28 -0400 Subject

Re: [Freeipa-devel] Determine KDC for a website

2011-03-18 Thread Nalin Dahyabhai
On Thu, Mar 17, 2011 at 08:03:14PM -0400, Adam Young wrote: I'm trying to figure out what should happen in the following case; A user goes to a website that they've never visited before. The site is using Kerberos, and thus the browser gets back a Negotiate response. At this point, the

[Freeipa-devel] [PATCH] drop the group.upg NIS map

2011-02-08 Thread Nalin Dahyabhai
The group.upg NIS map was an experiment in providing UPG groups dynamically, and is not one of the maps that I'd ever expect a NIS client to know to search. We should probably just drop it. --- install/share/nis.uldif | 12 1 files changed, 0 insertions(+), 12 deletions(-) diff

Re: [Freeipa-devel] Dropping support for Fedora 13

2011-01-14 Thread Nalin Dahyabhai
On Fri, Jan 14, 2011 at 08:00:40AM -0500, Stephen Gallagher wrote: Please leave the SSSD building for F13 for a while yet. We do have users playing with it there. Ok. Just ipa itself, then. Nalin

Re: [Freeipa-devel] Dropping support for Fedora 13

2011-01-12 Thread Nalin Dahyabhai
On Wed, Jan 12, 2011 at 05:49:42PM -0500, Rob Crittenden wrote: With the patch titled '674 drop build dep on mozlap' freeipa v2 will no longer build on Fedora 13. So just to be clear, we should stop trying to build git snapshot builds on f13? If so, is this for everything, just the freeipa

Re: [Freeipa-devel] [PATCH] sudo and netgroup schema compat updates

2010-12-09 Thread Nalin Dahyabhai
On Thu, Dec 09, 2010 at 02:59:55PM -0500, Dmitri Pal wrote: 1) Adjust the compat plugin as described above Attached for testing. Patch 0001 we've seen before; 0002's new. Nalin From 1afcb4d6163f5b8137cb1f2e832714e046345ca7 Mon Sep 17 00:00:00 2001 From: Nalin Dahyabhai na...@redhat.com Date

Re: [Freeipa-devel] [PATCH] sudo and netgroup schema compat updates

2010-12-08 Thread Nalin Dahyabhai
On Wed, Dec 08, 2010 at 11:12:34PM +, JR Aquino wrote: I guess the piece that is still missing then is: Instead of: sudoHost: hostname.com It should be: sudoHost: +production - which is the group assigned to the ipasudorule. The memberHost

[Freeipa-devel] [PATCH] sudo and netgroup schema compat updates

2010-11-30 Thread Nalin Dahyabhai
entries is of no concern to me. Cheers, Nalin From 9baefea23f5b944d244eed4bef3f85df3203ae45 Mon Sep 17 00:00:00 2001 From: Nalin Dahyabhai na...@redhat.com Date: Tue, 30 Nov 2010 18:25:33 -0500 Subject: [PATCH] sudo and netgroup schema compat updates - fix quoting in the netgroup compat configuration

[Freeipa-devel] [PATCH] build tweaks

2010-11-24 Thread Nalin Dahyabhai
workarounds for when we were running it in 'gnu' mode. Nalin From 5bb5c58a0ac713069fbd44cb8b7906485648de13 Mon Sep 17 00:00:00 2001 From: Nalin Dahyabhai na...@redhat.com Date: Wed, 24 Nov 2010 17:39:46 -0500 Subject: [PATCH] build tweaks - use automake's foreign mode, avoid creating empty files

Re: [Freeipa-devel] Where we are with SUDO?

2010-11-23 Thread Nalin Dahyabhai
is available! Attached. You'll need the current snapshot of slapi-nis in order to get functionality that the new configuration patch depends on. Cheers, Nalin From 96e6467b20c69051147ed1dc9d7023169cce7c7e Mon Sep 17 00:00:00 2001 From: Nalin Dahyabhai na...@redhat.com Date: Tue, 23 Nov 2010 15:38:40

[Freeipa-devel] [PATCH] nis and schema-compat: heed userCategory and hostCategory in netgroups

2010-11-03 Thread Nalin Dahyabhai
7a76e7b25026ebd1596040892bc95e1deda777eb Author: Nalin Dahyabhai na...@redhat.com Date: Wed Nov 3 18:57:33 2010 -0400 - add support for hostCategory and userCategory diff --git a/install/share/nis.uldif b/install/share/nis.uldif index d6a3644..f23b49e 100644 --- a/install/share/nis.uldif +++ b/install

Re: [Freeipa-devel] [PATCH] #333 plugin to change kerberos principal name when user is renamed

2010-10-25 Thread Nalin Dahyabhai
On Mon, Oct 25, 2010 at 10:53:19AM -0400, Rob Crittenden wrote: Simo Sorce wrote: Can you do a modrdn modification on a compat plugin entry ? Well, right, I don't know :-) And if not, what error would be raised and do/should we catch it? You should get an insufficient-access (0.17 and

Re: [Freeipa-devel] [PATCH] #333 plugin to change kerberos principal name when user is renamed

2010-10-25 Thread Nalin Dahyabhai
On Mon, Oct 25, 2010 at 11:45:45AM -0400, Simo Sorce wrote: On Mon, 25 Oct 2010 11:42:09 -0400 Nalin Dahyabhai na...@redhat.com wrote: On Mon, Oct 25, 2010 at 10:53:19AM -0400, Rob Crittenden wrote: Simo Sorce wrote: Can you do a modrdn modification on a compat plugin entry

[Freeipa-devel] [PATCH] fix typo in install/updates/30-automount.update

2010-02-22 Thread Nalin Dahyabhai
This'll keep cn=default,cn=automount,$SUFFIX from getting a second cn value that it doesn't need. Nalin From 5a1992896dcf33f382b475ef9e09e9b2ff2c48c3 Mon Sep 17 00:00:00 2001 From: Nalin Dahyabhai na...@redhat.com Date: Mon, 22 Feb 2010 16:23:39 -0500 Subject: [PATCH 1/1] - fix a typo

[Freeipa-devel] [PATCH] add krbCanonicalName to the schema

2010-02-04 Thread Nalin Dahyabhai
We'll need to incorporate this from krb5 1.7 as a prerequisite for maybe issuing server referrals at some point. Nalin From d0faa0e87ea1f4c211d29f78dc95e7953eaabee6 Mon Sep 17 00:00:00 2001 From: Nalin Dahyabhai nalin.dahyab...@pobox.com Date: Thu, 4 Feb 2010 10:46:43 -0500 Subject: [PATCH 1/1

[Freeipa-devel] [PATCH] more basic stuff for krbCanonicalName

2010-02-04 Thread Nalin Dahyabhai
Just like the krbPrincipalName attribute, we want to let the KDC read the krbCanonicalName, if it's set, and we want it to be unique as well. Nalin From ff32dfe1f68a3ec20d247adbe042307eeb919e6b Mon Sep 17 00:00:00 2001 From: Nalin Dahyabhai nalin.dahyab...@pobox.com Date: Thu, 4 Feb 2010 11:02:49

[Freeipa-devel] Certificate enrollment, principal names

2009-11-03 Thread Nalin Dahyabhai
I think I'm getting closer to having certmonger (the provider of the ipa-getcert command) be useful enough to throw certificate enrollment requests at the IPA server, and I've got a couple of questions about how the server decides what it will issue and what it puts in the certificates that it

Re: [Freeipa-devel] Fedora12: Looping detected inside krb5_get_in_tkt

2009-10-22 Thread Nalin Dahyabhai
On Mon, Oct 12, 2009 at 10:17:21PM -0600, Jason Gerard DeRose wrote: To help ensure that my new UI patch won't break our daily builds, I've tried building it under Fedora 12 as it has python-assets and python-wehjit. It builds fine, but when I kinit, I get this error: [r...@fedora12 ~]#