Hey folks!

I'm trying to run IPA and another WSGI piece of code (FASJSON) on the same VM, and I think I'm having trouble with the gssproxy config. I have set fasjson to a separate gssproxy socket (gssproxy conf & app env var), I have enabled logging in gssproxy, and it rejects authentication with:

Stored ccache failed to decrypt; treating as empty.

I don't think I've configured things much differently than how IPA is configured. FASJSON works fine with gssproxy when it's on its own VM, by the way.

There is a ccache file created by mod_auth_gssapi in /run/fasjson/ccaches, and klist says it's encrypted by gssproxy. In gssproxy config, fasjson has its own keytab set as cred_store, has allow_constrained_delegation set to true, and its own socket, but besides that it looks similar to the ipa-httpd service.

I didn't set any ccache: entry as a cred_store because IPA doesn't have it, and there is no substitution I can use to point to the file that mod_auth_gssapi has created, because it's named after the principal (/run/fasjson/ccaches/[email protected]) and gssproxy only has substitutes for username and user id. Also, when I tried to hardcode it, SELinux prevented access, so I thought that's not how it's supposed to work.

(As you may be able to tell, I've been at this for quite a while now ;-) )

Any idea what I'm doing wrong? I can provide config files and logs as needed.

Thanks!
Aurélien

_______________________________________________
FreeIPA-users mailing list -- [email protected]
To unsubscribe send an email to [email protected]
Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: https://lists.fedorahosted.org/archives/list/[email protected]
Do not reply to spam, report it: https://pagure.io/fedora-infrastructure/new_issue
