[Freeipa-users] Re: Apache unable to use ipa keytab

Evening, I am attempting to get apache authenticating with IPA but not sure why its rejecting the keytab. I have even recreated the keytab a number of times but this isn't making any difference.  To make sure the problem isn't anywhere else, I briefly used a httpasswd file and it worked fine, so confident it has to do with apache IPA integration.  Does anybody notice anything wrong with the setup below?  [Tue Jul 24 17:13:55.754808 2018] [auth_gssapi:debug] [pid 27797] mod_auth_gssapi.c(857): [client 192.168.20.221:46106 <http://192.168.20.221:46106/>] URI: /git/, no main, no prev [Tue Jul 24 17:13:55.809525 2018] [auth_gssapi:error] [pid 27797] [client 192.168.20.221:46106 <http://192.168.20.221:46106/>] GSS ERROR gss_acquire_cred[_from]() failed to get server creds: [Unspecified GSS failure.  Minor code may provide more information (Keytab FILE:/etc/httpd/conf.d/httpd.keytab is nonexistent or empty)] [Tue Jul 24 17:13:55.811160 2018] [ssl:debug] [pid 27797] ssl_engine_io.c(993): [client 192.168.20.221:46106 <http://192.168.20.221:46106/>] AH02001: Connection closed to child 3 with standard shutdown (server gitolite4.eng.example.com:443 <http://gitolite4.eng.example.com:443/>) Full log here: https://pastebin.com/v3KKVs6W However, the keytab looks fine. Keytab name: FILE:/etc/httpd/conf.d/httpd.keytab KVNO Timestamp           Principal ---- ------------------- ------------------------------------------------------    1 07/23/2018 16:19:22 http/gitolite4.eng.example.com(a)ENG.EXAMPLE.COM <mailto:gitolite4.eng.example.com@ENG.EXAMPLE.COM> (aes256-cts-hmac-sha1-96)     1 07/23/2018 16:19:22 http/gitolite4.eng.example.com(a)ENG.EXAMPLE.COM <mailto:gitolite4.eng.example.com@ENG.EXAMPLE.COM> (aes128-cts-hmac-sha1-96)     1 07/23/2018 16:19:22 http/gitolite4.eng.example.com(a)ENG.EXAMPLE.COM <mailto:gitolite4.eng.example.com@ENG.EXAMPLE.COM> (des3-cbc-sha1)     1 07/23/2018 16:19:22 http/gitolite4.eng.example.com(a)ENG.EXAMPLE.COM <mailto:gitolite4.eng.example.com@ENG.EXAMPLE.COM> (arcfour-hmac)  [root@gitolite4 ~]# Also, I have confirmed this isn't selinux related [root@gitolite4 ~]# getenforce  Permissive This is the version of apache module that I am using. [root@gitolite4 ~]# rpm -qa | grep gssapi mod_auth_gssapi-1.5.1-5.el7.x86_64 python-gssapi-1.2.0-3.el7.x86_64 cyrus-sasl-gssapi-2.1.26-23.el7.x86_64 [root@gitolite4 ~]#  This is the configuration that I am using: <Location /git>     LimitXMLRequestBody 0     LimitRequestBody 0     AuthType GSSAPI     AuthName "Linux Account"     GssapiConnectionBound On     GssapiBasicAuth On     GssapiNegotiateOnce On     GssapiLocalName on     AuthzSendForbiddenOnFailure On     GssapiCredStore keytab:/etc/httpd/conf.d/httpd.keytab     GssapiSignalPersistentAuth On     GssapiSSLonly On     Require expr %{REMOTE_USER} =~ /(a)eng.example.com <http://eng.example.com/>$/ </Location>