[Freeipa-devel] Re: Freeipa-devel Digest, Vol 12, Issue 33

Dmitri Pal dpal at redhat.com
Mon May 19 23:03:36 UTC 2008


Hi Mark,

Thank you for the submission of the bugs.
We will see what can be done and come back to you with suggestions.

Thank you
Dmitri

Mark Christiansen wrote:
> Hello Dmitri,
>
> I filed a bug (447440) for the documentation recommendation.  I also 
> filed a 2nd bug (447445) to fix the link to Microsoft's web page for 
> Kerberos Authentication help, which is currently giving a "Content not 
> found" page.
>
> If I do a kinit on a Windows machine (which most of the potential end 
> users will likely use), I get the error:
> kinit(v5): Cannot resolve network address for KDC in realm ___  while 
> getting initial credentials
>
> I also added the realm to the about:config page for Mozilla, and added 
> the site as a trusted site within IE.  However, for IE I have it so 
> that the page prompts for user name and password, but it doesn't 
> prompt me, gives me a certificate error, and even if I continue with 
> the bad certificate, the page comes up with nothing. 
>
> Just to understand this better, but once either firefox or IE is 
> configured properly, the web page should allow an end user to get a 
> ticket, right?  I am hoping that command line use will not be necessary. 
>
> Thanks for your help and suggestions!
>
> -Mark
>
> On Mon, May 19, 2008 at 12:41 PM, Dmitri Pal <dpal at redhat.com> wrote:
>
>     Hi Mark,
>
>     Thank you for sharing the recommendation with us.
>     Can you please log a request into bugzilla?
>
>     https://bugzilla.redhat.com
>
>     Did you do kinit first?
>     Did you add the realm into the FireFox configuration?
>
>     Thank you
>     Dmitri Pal
>
>
>     Mark Christiansen wrote:
>
>         I fixed my problems with ipa* functions by modifying
>         /etc/hosts so that my FQDN entry is first, and the localhost
>         entry is not first.  I am guessing this is where most other
>         people will have their problems.  Can we modify the FAQ to
>         include this recommendation?
>
>         I am having issues getting access to the web page outside of
>         the machine with freeipa installed.  Should I be able to get a
>         ticket by accessing the web interface?   In both IE and
>         Firefox, I am unable to bring up any pages after getting
>         prompted.  In IE, it is blank, and Firefox I get Kerberos
>         authentication failed.  This is another noob question, but
>         perhaps it will be helpful for the FAQ.  My O'Reilly book on
>         Kerberos is on its way.  :)
>
>         Thanks!
>
>         -Mark
>
>         On Mon, May 19, 2008 at 9:00 AM, <freeipa-devel-request at redhat.com> wrote:
>
>            Today's Topics:
>
>              1. Re: freeIPA + Fedora 9 + xen , can't get passed ipa-finduser admin (Rob Crittenden)
>
>
>          
>          ----------------------------------------------------------------------
>
>            Message: 1
>            Date: Mon, 19 May 2008 11:39:45 -0400
>            From: Rob Crittenden <rcritten at redhat.com>
>            Subject: Re: [Freeipa-devel] freeIPA + Fedora 9 + xen , can't get passed ipa-finduser admin
>            To: Jaakan Shorter <jaakanshorter at gmail.com>
>            Cc: freeipa-devel at redhat.com
>            Message-ID: <48319F41.7040707 at redhat.com>
>            Content-Type: text/plain; charset="iso-8859-1"
>
>            Jaakan Shorter wrote:
>            > here's an update ( I replaced the domain name with test )
>            > let me know if you need anymore info
>            >
>            > ipa-server-install --uninstall
>            > rm -f /var/kerberos/krb5kdc/kpasswd.keytab
>            > stopped the kerberos service ( --uninstall switch didn't stop it. I
>            > thought it should set it back to old state )
>            > yum update ( 1.0.6 version came out over the weekend for FC-9 )
>            > rebooted
>            > ipa-server-install --setup-bind -N
>
>            Yes, this should be fixed in the tip.
>
>            [ snip ]
>
>            > May 19 09:31:08 freeIPA.test.net krb5kdc[1758](info): set up 4 sockets
>            > May 19 09:31:08 freeIPA.test.net krb5kdc[1759](info): commencing operation
>            > May 19 09:32:02 freeIPA.test.net krb5kdc[1759](info): AS_REQ (7 etypes {18 17 16 23 1 3 2}) 192.168.1.25: NEEDED_PREAUTH: admin at TEST.NET for krbtgt/TEST.NET@TEST.NET, Additional pre-authentication required
>            > May 19 09:32:24 freeIPA.test.net krb5kdc[1759](info): AS_REQ (7 etypes {18 17 16 23 1 3 2}) 192.168.1.25: ISSUE: authtime 1211203944, etypes {rep=18 tkt=18 ses=18}, admin at TEST.NET for krbtgt/TEST.NET@TEST.NET
>            > May 19 09:32:54 freeIPA.test.net krb5kdc[1759](info): TGS_REQ (7 etypes {18 17 16 23 1 3 2}) 192.168.1.25: UNKNOWN_SERVER: authtime 1211203944,  admin at TEST.NET for HTTP/freeipa.test.net@TEST.NET, Server not found in Kerberos database
>            > May 19 09:32:54 freeIPA.test.net krb5kdc[1759](info): TGS_REQ (7 etypes {18 17 16 23 1 3 2}) 192.168.1.25: UNKNOWN_SERVER: authtime 1211203944,  admin at TEST.NET for HTTP/freeipa.test.net@TEST.NET, Server not found in Kerberos database
>
>            Service principals are created for the IPA servers at install time.
>            There must be some (perhaps subtle) difference in what was created at
>            install time and what it is trying to use.
>
>            Try this command to see what service principals exist:
>
>            $ ldapsearch -LLL -x -b "cn=kerberos,dc=test,dc=net" objectclass=krbPrincipalAux dn
>
>            rob
>
>     -- 
>     Dmitri Pal
>     Engineering Manager
>     Red Hat Inc.
>
>


-- 
Dmitri Pal
Engineering Manager
Red Hat Inc. 
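
Added example (not part of the original thread and not FreeIPA code): the comparison Rob Crittenden suggests in the quoted digest, done mechanically. It pulls the principals the KDC reported as UNKNOWN_SERVER out of krb5kdc log lines and checks them against the principal names in dn-only `ldapsearch -LLL` output, unfolding wrapped LDIF lines first. The log lines, the LDIF entries, their DN layout and the case-only difference between them are constructed sample data.

```python
import re

# Constructed sample input, modelled on the krb5kdc lines quoted in the thread.
KDC_LOG = (
    "May 19 09:31:08 freeIPA.test.net krb5kdc[1759](info): commencing operation\n"
    "May 19 09:32:54 freeIPA.test.net krb5kdc[1759](info): TGS_REQ (7 etypes "
    "{18 17 16 23 1 3 2}) 192.168.1.25: UNKNOWN_SERVER: authtime 1211203944,  "
    "admin@TEST.NET for HTTP/freeipa.test.net@TEST.NET, Server not found in "
    "Kerberos database\n"
)
# Constructed dn-only ldapsearch output (DN layout assumed); entries are folded.
LDIF = (
    "dn: krbprincipalname=HTTP/freeIPA.test.net@TEST.NET,cn=TEST.NET,cn=kerberos,\n"
    " dc=test,dc=net\n\n"
    "dn: krbprincipalname=ldap/freeIPA.test.net@TE\n"
    " ST.NET,cn=TEST.NET,cn=kerberos,dc=test,dc=net\n"
)

UNKNOWN_RE = re.compile(r"UNKNOWN_SERVER:.* for (\S+), Server not found")
DN_RE = re.compile(r"dn: krbprincipalname=([^,]+),", re.IGNORECASE)

def principals_from_ldif(text):
    """Return the principal names in dn-only LDIF, after unfolding wrapped lines."""
    lines = []
    for line in text.splitlines():
        if line.startswith(" ") and lines:
            lines[-1] += line[1:]      # continuation: drop the single leading space
        else:
            lines.append(line)
    return {m.group(1) for m in map(DN_RE.match, lines) if m}

def diagnose(log_text, ldif_text):
    """Map each principal the KDC could not find to (status, candidate entries)."""
    known = principals_from_ldif(ldif_text)
    report = {}
    for req in sorted({m.group(1) for m in UNKNOWN_RE.finditer(log_text)}):
        same_ci = sorted(p for p in known if p.lower() == req.lower())
        if req in known:
            report[req] = ("present", [req])
        elif same_ci:                  # differs from a stored name only by case
            report[req] = ("case-mismatch", same_ci)
        else:                          # absent: list same-service entries to compare
            service = req.split("/", 1)[0]
            report[req] = ("missing", sorted(p for p in known if p.startswith(service + "/")))
    return report

if __name__ == "__main__":
    for principal, (status, candidates) in diagnose(KDC_LOG, LDIF).items():
        print(f"{principal}: {status}; directory has {candidates}")
```

A "present" result means the directory entry exists exactly as requested, so the mismatch lies elsewhere, for example in the keytab the service is using.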



