[Freeipa-devel] Re: Freeipa-devel Digest, Vol 12, Issue 33

Dmitri Pal dpal at redhat.com
Mon May 19 19:41:00 UTC 2008


Hi Mark,

Thank you for sharing the recommendation with us.
Can you please log a request into bugzilla?

https://bugzilla.redhat.com

Did you do kinit first?
Did you add the realm into the Firefox configuration?

Thank you
Dmitri Pal


Mark Christiansen wrote:
> I fixed my problems with ipa* functions by modifying /etc/hosts so 
> that my FQDN entry is first, and the localhost entry is not first.  I 
> am guessing this is where most other people will have their problems.  
> Can we modify the FAQ to include this recommendation?
>
> I am having issues getting access to the web page outside of the 
> machine with freeipa installed.  Should I be able to get a ticket by 
> accessing the web interface?   In both IE and Firefox, I am unable to 
> bring up any pages after getting prompted.  In IE, it is blank, and 
> Firefox I get Kerberos authentication failed.  This is another noob 
> question, but perhaps it will be helpful for the FAQ.  My O'Reilly 
> book on Kerberos is on its way.  :)
>
> Thanks!
>
> -Mark
>
> On Mon, May 19, 2008 at 9:00 AM, <freeipa-devel-request at redhat.com> wrote:
>
>     Today's Topics:
>
>       1. Re: freeIPA + Fedora 9 + xen ,    can't get passed ipa-finduser
>          admin (Rob Crittenden)
>
>
>     ----------------------------------------------------------------------
>
>     Message: 1
>     Date: Mon, 19 May 2008 11:39:45 -0400
>     From: Rob Crittenden <rcritten at redhat.com>
>     Subject: Re: [Freeipa-devel] freeIPA + Fedora 9 + xen , can't get
>            passed ipa-finduser admin
>     To: Jaakan Shorter <jaakanshorter at gmail.com>
>     Cc: freeipa-devel at redhat.com
>     Message-ID: <48319F41.7040707 at redhat.com>
>     Content-Type: text/plain; charset="iso-8859-1"
>
>     Jaakan Shorter wrote:
>     > here's an update ( I replaced the domain name with test )
>     > let me know if you need anymore info
>     >
>     > ipa-server-install --uninstall
>     > rm -f /var/kerberos/krb5kdc/kpasswd.keytab
>     > stopped the kerberos service ( --uninstall switch didn't stop it. I
>     > thought it should set it back to old state )
>     > yum update ( 1.0.6 version came out over the weekend for FC-9 )
>     > rebooted
>     > ipa-server-install --setup-bind -N
>
>     Yes, this should be fixed in the tip.
>
>     [ snip ]
>
>     > May 19 09:31:08 freeIPA.test.net krb5kdc[1758](info): set up 4 sockets
>     > May 19 09:31:08 freeIPA.test.net krb5kdc[1759](info): commencing operation
>     > May 19 09:32:02 freeIPA.test.net krb5kdc[1759](info): AS_REQ (7 etypes {18 17 16 23 1 3 2}) 192.168.1.25: NEEDED_PREAUTH: admin@TEST.NET for krbtgt/TEST.NET@TEST.NET, Additional pre-authentication required
>     > May 19 09:32:24 freeIPA.test.net krb5kdc[1759](info): AS_REQ (7 etypes {18 17 16 23 1 3 2}) 192.168.1.25: ISSUE: authtime 1211203944, etypes {rep=18 tkt=18 ses=18}, admin@TEST.NET for krbtgt/TEST.NET@TEST.NET
>     > May 19 09:32:54 freeIPA.test.net krb5kdc[1759](info): TGS_REQ (7 etypes {18 17 16 23 1 3 2}) 192.168.1.25: UNKNOWN_SERVER: authtime 1211203944,  admin@TEST.NET for HTTP/freeipa.test.net@TEST.NET, Server not found in Kerberos database
>     > May 19 09:32:54 freeIPA.test.net krb5kdc[1759](info): TGS_REQ (7 etypes {18 17 16 23 1 3 2}) 192.168.1.25: UNKNOWN_SERVER: authtime 1211203944,  admin@TEST.NET for HTTP/freeipa.test.net@TEST.NET, Server not found in Kerberos database
>
>     Service principals are created for the IPA servers at install time.
>     There must be some (perhaps subtle) difference in what was created at
>     install time and what it is trying to use.
>
>     Try this command to see what service principals exist:
>
>     $ ldapsearch -LLL -x -b "cn=kerberos,dc=test,dc=net" objectclass=krbPrincipalAux dn
>
>     rob


-- 
Dmitri Pal
Engineering Manager
Red Hat Inc. 
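
The KDC log quoted above records TGS_REQ failures with UNKNOWN_SERVER, and the quoted reply suggests listing the service principals that exist. As an added example (not part of the original thread or of FreeIPA), this Python script pulls the requested principals out of such log lines and compares them with a principal list; the function names are hypothetical and the `EXISTING` set is constructed sample data, not the poster's directory contents.

```python
import re

# One krb5kdc line per failed service-ticket request, in the format quoted in the thread.
TGS_FAIL = re.compile(
    r"krb5kdc\[\d+\]\(info\): TGS_REQ .*? \d+\.\d+\.\d+\.\d+: UNKNOWN_SERVER: "
    r"authtime \d+,\s+(?P<client>\S+) for (?P<service>[^,\s]+),"
)

# Log lines from the thread, with the archive's link debris removed.
SAMPLE_LOG = """\
May 19 09:32:24 freeIPA.test.net krb5kdc[1759](info): AS_REQ (7 etypes {18 17 16 23 1 3 2}) 192.168.1.25: ISSUE: authtime 1211203944, etypes {rep=18 tkt=18 ses=18}, admin@TEST.NET for krbtgt/TEST.NET@TEST.NET
May 19 09:32:54 freeIPA.test.net krb5kdc[1759](info): TGS_REQ (7 etypes {18 17 16 23 1 3 2}) 192.168.1.25: UNKNOWN_SERVER: authtime 1211203944,  admin@TEST.NET for HTTP/freeipa.test.net@TEST.NET, Server not found in Kerberos database
May 19 09:32:54 freeIPA.test.net krb5kdc[1759](info): TGS_REQ (7 etypes {18 17 16 23 1 3 2}) 192.168.1.25: UNKNOWN_SERVER: authtime 1211203944,  admin@TEST.NET for HTTP/freeipa.test.net@TEST.NET, Server not found in Kerberos database
"""

# Constructed sample of principals present in the directory (assumption for illustration).
EXISTING = {
    "krbtgt/TEST.NET@TEST.NET",
    "HTTP/freeIPA.test.net@TEST.NET",
    "ldap/freeIPA.test.net@TEST.NET",
}

def unknown_services(log_text):
    """Return the distinct (client, service principal) pairs the KDC could not find."""
    return {(m["client"], m["service"]) for m in TGS_FAIL.finditer(log_text)}

def diagnose(service, existing):
    """Classify a requested principal against the principals that exist."""
    if service in existing:
        return "present"
    # Principal lookups are exact, so a name differing only in case is a near miss.
    folded = {p.lower(): p for p in existing}
    if service.lower() in folded:
        return "case mismatch with " + folded[service.lower()]
    # Same service type and realm but a different host part.
    svc, _, rest = service.partition("/")
    realm = rest.rpartition("@")[2]
    near = [p for p in existing if p.startswith(svc + "/") and p.endswith("@" + realm)]
    if near:
        return "host differs from " + ", ".join(sorted(near))
    return "missing"

if __name__ == "__main__":
    for client, service in sorted(unknown_services(SAMPLE_LOG)):
        print(f"{client} -> {service}: {diagnose(service, EXISTING)}")
```
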