https://bugzilla.redhat.com/show_bug.cgi?id=789459 (Red Hat Enterprise Linux 6)
Description of problem:
kinit as admin, and then access UI. But Internal server error is thrown.

Checked about:config: network.negotiate-auth.delegation-uris; status-default; type:string; value is not set

Rob took a look, and suspects the web server isn't getting the browser's TGT and in raising that error it is running into another one. The second error is trying to report the user whose TGT we didn't get and since we don't have the TGT <boom>

Also checked /var/log/krb5kdc.log, but didn't see any CONSTRAINED DELEGATION. Only ISSUE

We should report the right error even if the client doesn't send us a TGT.

Version-Release number of selected component (if applicable):
ipa-server-2.2.0-101.20120209T0933zgit52cf9d9.el6.x86_64

How reproducible:

Steps to Reproduce:
1. kinit as admin
2. access ui from browser

Actual results:
internal server error

Expected results:
Be able to access UI successfully

Additional info:
Trying to raise some exceptions in the WSGI code just raised other exceptions and were generally confusing.
To test this do various combinations (with and without a ccache) of:
curl -kv https://ipa.example.com/ipa/json --negotiate -u : -H 'Referer: https://ipa.example.com/ipa/json'
curl -kv https://ipa.example.com/ipa/json --negotiate -u :
curl -kv https://ipa.example.com/ipa/xml --negotiate -u : -H 'Referer: https://ipa.example.com/ipa/xml'
curl -kv https://ipa.example.com/ipa/json --negotiate -u :
If you want to get really clever set krbConstrainedDelegation to off in ipa.conf and restart and try them all again.
attachment freeipa-rcrit-977-wsgi.patch
master: 95b85f6
ipa-2-2: c941ecf
Metadata Update from @dpal: - Issue assigned to rcritten - Issue set to the milestone: FreeIPA 2.2 Core Effort - 2012/03