David Zabner wrote:
> Any guesses as to why I couldn’t revert to using the mod_auth_kerb library?
> It seems like this is the only place where the library is referenced one way
> or the other…
>

You need to set this globally:

KrbConstrainedDelegationLock ipa

And I assume you replaced $realm with your actual realm, right?

It would also be useful to know how it doesn't work.

rob

> Thanks for all your help.
>
>> On Jan 29, 2016, at 6:35 AM, Petr Spacek <[email protected]> wrote:
>>
>> Interesting, we have to investigate it!
>>
>> Here is a ticket:
>> https://fedorahosted.org/freeipa/ticket/5653
>>
>> You can Cc yourself to it and watch the progress.
>>
>> Petr^2 Spacek
>>
>> On 28.1.2016 20:17, David Zabner wrote:
>>> I was guessing that it was a problem with mod_auth_gssapi and so I tried
>>> switching the auth method back to mod_auth_kerb which did not work.
>>> (although it is entirely possible that I did not switch it correctly)
>>>
>>> I did it by changing the gssapi settings in /etc/httpd/conf.d/ipa.conf to:
>>> <Location "/ipa">
>>>   AuthType Kerberos
>>>   AuthName "Kerberos Login"
>>>   KrbMethodNegotiate on
>>>   KrbMethodK5Passwd off
>>>   KrbServiceName HTTP
>>>   KrbAuthRealms $realm
>>>   Krb5KeyTab /etc/httpd/conf/ipa.keytab
>>>   KrbSaveCredentials on
>>>   KrbConstrainedDelegation on
>>>   Require valid-user
>>>   ErrorDocument 401 /ipa/errors/unauthorized.html
>>> </Location>
>>> It just seemed to cause other problems...
>>>
>>> On Jan 28, 2016, at 1:44 PM, Izzo, Anthony
>>> <[email protected]<mailto:[email protected]>> wrote:
>>>
>>> I should add that some of my team members have tried serializing their
>>> instance launches, and this problem does not seem to occur under those
>>> circumstances. (That’s not a solution, just a data point for those
>>> interested in this behavior). Thanks.
>>>
>>>
>>> From: Izzo, Anthony (U.S. Person)
>>> Sent: Thursday, January 28, 2016 1:35 PM
>>> To: [email protected]<mailto:[email protected]>
>>> Cc: 'David Zabner' <[email protected]<mailto:[email protected]>>
>>> Subject: RE: [Freeipa-users] Server error with multiple clients joining
>>> domain simultaneously
>>>
>>> Yes, that’s it!
>>>
>>> From: David Zabner [mailto:[email protected]]
>>> Sent: Thursday, January 28, 2016 1:31 PM
>>> To: Izzo, Anthony (U.S. Person)
>>> <[email protected]<mailto:[email protected]>>
>>> Cc: [email protected]<mailto:[email protected]>
>>> Subject: Re: [Freeipa-users] Server error with multiple clients joining
>>> domain simultaneously
>>>
>>> This sounds exactly like the problem I am having. I will attach my error
>>> log. Is this what yours looks like?
>>> --
>>> Manage your subscription for the Freeipa-users mailing list:
>>> https://www.redhat.com/mailman/listinfo/freeipa-users
>>> Go to http://freeipa.org for more info on the project
>>>
>>
>> --
>> Petr^2 Spacek
