Hello all, I suppose the issue is quite typical, but I am still unable to find any solution.
All I need is to run some ipa cli commands from scripts with a preliminary kinit. I manage to authenticate as
kinit -F -k -t <keytab> <principal>
That allows me to use ldap; for example, I can do ldapsearch -Y GSSAPI etc. However, when trying to run cli commands, I'm getting the following
sh-4.2# ipa user-find aaa
ipa: ERROR: cannot connect to 'any of the configured servers': https://<idm0>/ipa/json, https://<idm1>/ipa/json
This is caused by the wsgi module, as it says in the httpd error log
[Mon Dec 04 06:45:45.027199 2017] [:error] [pid 1745] ipa: ERROR: 500 Internal Server Error: KerberosWSGIExecutioner.__call__: KRB5CCNAME not defined in HTTP request environment
[Mon Dec 04 06:45:45.027769 2017] [:error] [pid 1745] [remote ...:60] mod_wsgi (pid=1745): Exception occurred processing WSGI script '/usr/share/ipa/wsgi.py'.
At the same time, when I do kinit <same principal> with manual password input, everything works as intended. IPA has been upgraded to latest 4.5.0, wsgi module after yum update is
Name : mod_wsgi
Arch : x86_64
Version : 3.4
Release : 12.el7_0
Size : 197 k
I never configured anything manually, so barely broke anything. Please, any ideas?
On 12/04/2017 03:57 PM, skrawczenko--- via FreeIPA-users wrote:
Hi,
I believe that the difference is linked to the -F option: you are asking for a non-forwardable ticket when using the keytab. Can you retry without -F and see if it fixes your issue?
Flo
Great, it helped.
Googled it at https://www.redhat.com/archives/freeipa-users/2014-March/msg00044.html
Thanks a lot!
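A guard for scripts that follows the fix discussed in this thread, as an added example that is not part of the original messages: it runs kinit from the keytab without -F and checks the TGT flags reported by `klist -f` before calling ipa. The function names, the principal and the sample klist output are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the thread). Function names and sample data are constructed.

# Reads `klist -f` output on stdin; succeeds only if the TGT entry carries the
# F (forwardable) flag. Lowercase f means "forwarded" and is not accepted here.
tgt_is_forwardable() {
    awk '
        /krbtgt\//         { in_tgt = 1; next }   # TGT entry found
        /^[^ \t]/          { in_tgt = 0 }         # another unindented line ends it
        in_tgt && /Flags:/ { if ($NF ~ /F/) ok = 1; in_tgt = 0 }
        END                { exit (ok ? 0 : 1) }
    '
}

# Hypothetical wrapper: get a TGT from the keytab (note: no -F), verify it,
# then run the given ipa subcommand, e.g. ipa_with_keytab <keytab> <principal> user-find aaa
ipa_with_keytab() {
    keytab=$1; principal=$2; shift 2
    kinit -k -t "$keytab" "$principal" || return 1
    if ! klist -f | tgt_is_forwardable; then
        echo "TGT for $principal is not forwardable; not calling ipa" >&2
        return 2
    fi
    ipa "$@"
}

# Constructed `klist -f` output: keytab kinit without -F (flags FIA) ...
SAMPLE_NO_F='Ticket cache: FILE:/tmp/krb5cc_0
Default principal: svc-script@EXAMPLE.TEST

Valid starting       Expires              Service principal
12/04/2017 06:40:01  12/05/2017 06:40:01  krbtgt/EXAMPLE.TEST@EXAMPLE.TEST
        Flags: FIA'
# ... and with -F, where the forwardable flag is missing (flags IA).
SAMPLE_WITH_F='Ticket cache: FILE:/tmp/krb5cc_0
Default principal: svc-script@EXAMPLE.TEST

Valid starting       Expires              Service principal
12/04/2017 06:40:01  12/05/2017 06:40:01  krbtgt/EXAMPLE.TEST@EXAMPLE.TEST
        Flags: IA'

# Offline demo on the two samples; no KDC or IPA server is contacted.
for sample in "$SAMPLE_NO_F" "$SAMPLE_WITH_F"; do
    if printf '%s\n' "$sample" | tgt_is_forwardable; then
        echo "forwardable TGT: safe to call ipa"
    else
        echo "non-forwardable TGT: expect the KRB5CCNAME error from this thread"
    fi
done
```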