David Zabner wrote:
> Any guesses as to why I couldn’t revert to using the mod_auth_kerb library?
> It seems like this is the only place where the library is referenced one way
> or the other…
>

You need to set this globally:

KrbConstrainedDelegationLock ipa

And I assume you replaced $realm with your actual realm, right?

It would also be useful to know how it doesn't work.

rob

> Thanks for all your help.
>
>> On Jan 29, 2016, at 6:35 AM, Petr Spacek <pspa...@redhat.com> wrote:
>>
>> Interesting, we have to investigate it!
>>
>> Here is a ticket:
>> https://fedorahosted.org/freeipa/ticket/5653
>>
>> You can Cc yourself to it and watch the progress.
>>
>> Petr^2 Spacek
>>
>> On 28.1.2016 20:17, David Zabner wrote:
>>> I was guessing that it was a problem with mod_auth_gssapi and so I tried
>>> switching the auth method back to mod_auth_kerb which did not work.
>>> (although it is entirely possible that I did not switch it correctly)
>>>
>>> I did it by changing the gssapi settings in /etc/httpd/conf.d/ipa.conf to:
>>> <Location "/ipa">
>>>   AuthType Kerberos
>>>   AuthName "Kerberos Login"
>>>   KrbMethodNegotiate on
>>>   KrbMethodK5Passwd off
>>>   KrbServiceName HTTP
>>>   KrbAuthRealms $realm
>>>   Krb5KeyTab /etc/httpd/conf/ipa.keytab
>>>   KrbSaveCredentials on
>>>   KrbConstrainedDelegation on
>>>   Require valid-user
>>>   ErrorDocument 401 /ipa/errors/unauthorized.html
>>> </Location>
>>> It just seemed to cause other problems...
>>>
>>> On Jan 28, 2016, at 1:44 PM, Izzo, Anthony
>>> <aizz...@harris.com> wrote:
>>>
>>> I should add that some of my team members have tried serializing their
>>> instance launches, and this problem does not seem to occur under those
>>> circumstances. (That’s not a solution, just a data point for those
>>> interested in this behavior). Thanks.
>>>
>>>
>>> From: Izzo, Anthony (U.S. Person)
>>> Sent: Thursday, January 28, 2016 1:35 PM
>>> To: freeipa-users@redhat.com
>>> Cc: 'David Zabner' <da...@cazena.com>
>>> Subject: RE: [Freeipa-users] Server error with multiple clients joining
>>> domain simultaneously
>>>
>>> Yes, that’s it!
>>>
>>> From: David Zabner [mailto:da...@cazena.com]
>>> Sent: Thursday, January 28, 2016 1:31 PM
>>> To: Izzo, Anthony (U.S. Person)
>>> <aizz...@harris.com>
>>> Cc: freeipa-users@redhat.com
>>> Subject: Re: [Freeipa-users] Server error with multiple clients joining
>>> domain simultaneously
>>>
>>> This sounds exactly like the problem I am having. I will attach my error
>>> log. Is this what yours looks like?
>>> --
>>> Manage your subscription for the Freeipa-users mailing list:
>>> https://www.redhat.com/mailman/listinfo/freeipa-users
>>> Go to http://freeipa.org for more info on the project
>>
>> --
>> Petr^2 Spacek
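
The reply at the top of this thread says `KrbConstrainedDelegationLock` has to be set globally; the check below flags a configuration that turns on `KrbConstrainedDelegation` without it. This is an added example, not code from the thread or from FreeIPA: the function name `check_delegation_lock` is hypothetical, the sample is constructed from the block posted in the thread, and "globally" is assumed to mean outside every `<...>` section of the file being read (included files are not followed).

```python
import re

# Constructed sample: the <Location> block as posted in the thread
# ($realm is the poster's placeholder, kept as-is).
POSTED_CONF = """\
<Location "/ipa">
  AuthType Kerberos
  AuthName "Kerberos Login"
  KrbMethodNegotiate on
  KrbMethodK5Passwd off
  KrbServiceName HTTP
  KrbAuthRealms $realm
  Krb5KeyTab /etc/httpd/conf/ipa.keytab
  KrbSaveCredentials on
  KrbConstrainedDelegation on
  Require valid-user
  ErrorDocument 401 /ipa/errors/unauthorized.html
</Location>
"""
# Constructed sample: same block with the lock at global scope, as the reply suggests.
FIXED_CONF = "KrbConstrainedDelegationLock ipa\n" + POSTED_CONF
OPEN = re.compile(r"<\s*([A-Za-z]\w*)")    # e.g. <Location "/ipa">
CLOSE = re.compile(r"</\s*([A-Za-z]\w*)")  # e.g. </Location>

def check_delegation_lock(conf_text):
    """Return findings for KrbConstrainedDelegation used without a global lock."""
    stack, findings, delegation_on, global_lock = [], [], [], False
    for no, raw in enumerate(conf_text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if CLOSE.match(line):
            del stack[-1:]                     # leave the innermost section
        elif OPEN.match(line):
            stack.append(OPEN.match(line).group(1))
        else:                                  # directive names are case-insensitive
            name, arg = (line.lower().split(None, 1) + [""])[:2]
            if name == "krbconstraineddelegationlock" and stack:
                findings.append(f"line {no}: lock set inside <{stack[-1]}>, not globally")
            elif name == "krbconstraineddelegationlock":
                global_lock = True
            elif name == "krbconstraineddelegation" and arg.strip() == "on":
                delegation_on.append(no)
    if delegation_on and not global_lock:
        findings.append(f"line {delegation_on[0]}: KrbConstrainedDelegation on "
                        "without a global KrbConstrainedDelegationLock")
    return findings
```
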