[Freeipa-users] sudden ipa errors.
Rob Crittenden
rcritten at redhat.com
Wed Sep 19 20:35:30 UTC 2012
Nathan Lager wrote:
> On 09/19/2012 03:47 PM, Rob Crittenden wrote:
>> Dmitri Pal wrote:
>>>
>>> Rob, keytab and kerberos part seems to be fine, ldap works too.
>>> Can it be one of the certs? Maybe some cert expired?
>>
>> No, the error is coming from GSSAPI, it is unfortunately
>> completely useless. I think we've pretty well narrowed down the
>> problem to httpd/mod_auth_kerb but I don't know yet if this is a
>> configuration issue or a bug.
>>
>> Nathan, can you show me your /etc/httpd/conf.d/ipa.conf?
> Sure, as far as I know it's completely stock, aside from the krb
> password auth change.

Yup, configuration looks fine.

Ok, let's eliminate the ipa tool as the problem and try curl:

Create a file test.json with these contents:

{"method":"batch","params":[[
{"method":"user_show","params":[["admin"],{"all":false}]}
],{}],"id":1}

then run this:

curl -H "Content-Type:application/json" -H "Accept:application/json" \
  -H "Accept-Language:en" \
  -H "Referer: https://caroline0.lafayette.edu/ipa/xml" \
  --negotiate -u : --cacert /etc/ipa/ca.crt \
  -d @test.json -X POST https://caroline0.lafayette.edu/ipa/json

This does the equivalent of an: ipa user-show admin

rob