> On Tue, 30 Aug 2022, liang fei via FreeIPA-users wrote:
> 
> This has been an unsupported version for a long time already. Is there
> any chance you'd move to something newer?
> 
> 
> Keytab for httpd service was moved to /var/lib/ipa/gssproxy/http.keytab
> in 2016. We stopped using /etc/httpd/conf/ipa.keytab (or
> /etc/apache2/ipa.keytab for Debian and Ubuntu) at that time.
> 
> 
> Perhaps your configuration lacks the rest of the config files? Maybe it
> would be better to stand up a separate machine using the same version,
> for a test deployment and see what configuration files are present there
> and what files they reference. This way you'd have a reference point to
> compare your 'broken' replica against and would be able to recover
> those.
> 
> The 'auth_gssapi:error' message above says that whatever a client sent
> as a Kerberos-based negotiation cannot be understood by the GSSAPI
> mechanism or the mechanism used was not allowed. Judging by 'No valid
> Negotiate header in server response' on the client side it may well be
> that configuration of mod_auth_gssapi + gssproxy was not correct on this
> machine.
This exception is really hard to understand, and the prompt is not very
friendly, ha. I asked rm -rf /etc/apache2/ipa.keytab prompted this exception,
and suddenly thought that the user may not have permission, so I did

chown www-data:www-data /etc/apache2/ipa.keytab

Everything is fine
......
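
An added example, not part of the thread and not FreeIPA's own tooling: a shell check for the condition the reply describes, a keytab the web server user cannot read, which also flags a keytab that group or other can access. `check_keytab` is a hypothetical helper; the path and the `www-data` user are the ones from the thread, and GNU `stat` is assumed.

```shell
#!/bin/sh
# Added example: audit the owner and mode of a service keytab.
# check_keytab is a hypothetical helper; assumes GNU coreutils stat (Linux).
#
# check_keytab PATH SERVICE_USER
# Prints one finding line. Return codes:
#   0 ok, 1 file missing, 2 wrong owner,
#   3 group/other have access, 4 owner has no read bit
check_keytab() {
    kt=$1; want_user=$2
    if [ ! -f "$kt" ]; then
        echo "MISSING $kt"; return 1
    fi
    owner=$(stat -c '%U' "$kt")   # owner name
    mode=$(stat -c '%a' "$kt")    # octal permission bits, e.g. 600
    # mod_auth_gssapi runs as the web server user, so that user must own it.
    if [ "$owner" != "$want_user" ]; then
        echo "OWNER $kt is owned by $owner, expected $want_user"; return 2
    fi
    # A keytab holds long-term service keys: no group/other bits at all.
    if [ $(( 0$mode & 077 )) -ne 0 ]; then
        echo "MODE $kt is $mode: group/other can access the keys"; return 3
    fi
    # The owner still needs the read bit to load the keys.
    if [ $(( 0$mode & 0400 )) -eq 0 ]; then
        echo "MODE $kt is $mode: owner cannot read it"; return 4
    fi
    echo "OK $kt ($owner, $mode)"
}

# Stand-alone use: sh check_keytab.sh /etc/apache2/ipa.keytab www-data
if [ "$#" -eq 2 ]; then
    check_keytab "$1" "$2"
fi
```
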