I'm running FreeIPA 3.2.0 Beta 1 in Fedora 19 Alpha, and I'm running oVirt 3.3.0 pre-Beta in Fedora 18.
In order to get oVirt's JGSS crap to work with FreeIPA, I had to change nsslapd-minssf to 1 (apparently a known issue right now in OpenJDK). But this setting seems to break ipa CLI, and when I change back to "nsslapd-minssf: 0" it stays broken, and FreeIPA's XML-RPC service returns a 500 error. Apache error_log says: [Tue May 07 17:06:04.698467 2013] [auth_kerb:error] [pid 705] [client 172.19.10.145:60593] Could not get default Kerberos ccache: No credentials cache found (-1765328189), referer: https://ds1.hackunix.org/ipa/xml [Tue May 07 17:06:04.703070 2013] [auth_kerb:error] [pid 705] [client 172.19.10.145:60593] gss_acquire_cred() failed: Unspecified GSS failure. Minor code may provide more information (, Can't find client principal HTTP/ ds1.hackunix....@hackunix.org in cache collection), referer: https://ds1.hackunix.org/ipa/xml [Tue May 07 17:19:55.358418 2013] [auth_kerb:error] [pid 701] [client 172.19.10.145:60609] Could not get default Kerberos ccache: No credentials cache found (-1765328189), referer: https://ds1.hackunix.org/ipa/xml [Tue May 07 17:19:55.362419 2013] [auth_kerb:error] [pid 701] [client 172.19.10.145:60609] gss_acquire_cred() failed: Unspecified GSS failure. Minor code may provide more information (, Can't find client principal HTTP/ ds1.hackunix....@hackunix.org in cache collection), referer: https://ds1.hackunix.org/ipa/xml Since I got FreeIPA up and running, I've only been messing with the nsslapd-minssf value to get oVirt's Java code working against it. Not sure why FreeAPI is permabroke when it is basically stock, and I'm just flipping one minssf bit. Thanks! Derek
_______________________________________________ Freeipa-devel mailing list Freeipa-devel@redhat.com https://www.redhat.com/mailman/listinfo/freeipa-devel
