On 11/08/2013 03:00 PM, Jonathan Underwood wrote:
> On 8 November 2013 13:46, Dmitri Pal <[email protected]> wrote:
>> On 11/08/2013 08:17 AM, Jonathan Underwood wrote:
>>> Sooo.... I think that means the problem lies with apache and NSS, right?
>>
>> Or in the negotiated authentication.
>> Is there anything in the kerberos logs on the server side?
>
> Nothing error-wise.
>
>> Can you do an ldap connection using GSSAPI from the client?
>
> Yep. (Note the client machine in all my tests has actually been the
> same machine as the server).
>
>> Maybe KDC is not accessible because FW does allow access to the KDC port?
>
> Nope, tisn't that, have stopped the iptables service, and also done a
> setenforce 0.
>
>> Just some ideas what to check...
>
> OK, I am getting closer to diagnosing the problem. On the server
> machine I had also configured apache to serve up another name-based
> vhost. Removing that vhost config and restarting httpd caused the ipa
> ping command to work successfully. So, this seems to be a problem with
> httpd/mod_nss and hosting IPA and other vhosts. Note the other vhost
> wasn't using nss or ssl. I'll dig some more.
Thanks Jonathan. If you get some results, you are very welcome to report back so that we can eventually file a bug, if it is really something that can be improved/fixed on the FreeIPA side.

Martin

_______________________________________________
Freeipa-users mailing list
[email protected]
https://www.redhat.com/mailman/listinfo/freeipa-users
