[Freeipa-devel] Re: Freeipa-devel Digest, Vol 12, Issue 33

Rob Crittenden rcritten at redhat.com
Tue May 20 01:57:50 UTC 2008


Mark Christiansen wrote:
> Hello Dmitri,
> 
> I filed a bug (447440) for the documentation recommendation.  I also 
> filed a 2nd bug (447445) to fix the link to Microsoft's web page for 
> Kerberos Authentication help, which is currently giving a "Content not 
> found" page.
> 
> If I do a kinit on a Windows machine (which most of the potential end 
> users will likely use), I get the error:
> kinit(v5): Cannot resolve network address for KDC in realm ___  while 
> getting initial credentials

Are you using the native Microsoft Kerberos client or the MIT client? I 
don't believe IPA will interoperate with the native Windows client.

> I also added the realm to the about:config page for Mozilla, and added 
> the site as a trusted site within IE.  However, for IE I have it so that 
> the page prompts for user name and password, but it doesn't prompt me, 
> gives me a certificate error, and even if I continue with the bad 
> certificate, the page comes up with nothing. 
> 
> Just to understand this better, but once either firefox or IE is 
> configured properly, the web page should allow an end user to get a 
> ticket, right?  I am hoping that command line use will not be necessary. 

You have to get the ticket before Firefox or IE will work. Firefox/IE, 
if properly configured, will be able to present the ticket as your 
credentials so you don't have to type a username/password in to 
authenticate.

rob

> 
> Thanks for your help and suggestions!
> 
> -Mark
> 
> On Mon, May 19, 2008 at 12:41 PM, Dmitri Pal <dpal at redhat.com> wrote:
> 
>     Hi Mark,
> 
>     Thank you for sharing the recommendation with us.
>     Can you please log a request into bugzilla?
> 
>     https://bugzilla.redhat.com
> 
>     Did you do kinit first?
>     Did you add the realm into the FireFox configuration?
> 
>     Thank you
>     Dmitri Pal
> 
> 
>     Mark Christiansen wrote:
> 
>         I fixed my problems with ipa* functions by modifying /etc/hosts
>         so that my FQDN entry is first, and the localhost entry is not
>         first.  I am guessing this is where most other people will have
>         their problems.  Can we modify the FAQ to include this
>         recommendation?
> 
>         I am having issues getting access to the web page outside of the
>         machine with freeipa installed.  Should I be able to get a
>         ticket by accessing the web interface?   In both IE and Firefox,
>         I am unable to bring up any pages after getting prompted.  In
>         IE, it is blank, and Firefox I get Kerberos authentication
>         failed.  This is another noob question, but perhaps it will be
>         helpful for the FAQ.  My O'Reilly book on Kerberos is on its
>         way.  :)
> 
>         Thanks!
> 
>         -Mark
> 
>         On Mon, May 19, 2008 at 9:00 AM,
>         <freeipa-devel-request at redhat.com> wrote:
> 
>            Message: 1
>            Date: Mon, 19 May 2008 11:39:45 -0400
>            From: Rob Crittenden <rcritten at redhat.com>
>            Subject: Re: [Freeipa-devel] freeIPA + Fedora 9 + xen , can't get
>                   passed ipa-finduser admin
>            To: Jaakan Shorter <jaakanshorter at gmail.com>
>            Cc: freeipa-devel at redhat.com
>            Message-ID: <48319F41.7040707 at redhat.com>
>            Content-Type: text/plain; charset="iso-8859-1"
> 
>            Jaakan Shorter wrote:
>            > here's an update ( I replaced the domain name with test )
>            > let me know if you need anymore info
>            >
>            > ipa-server-install --uninstall
>            > rm -f /var/kerberos/krb5kdc/kpasswd.keytab
>            > stopped the kerberos service ( --uninstall switch didn't stop it. I
>            > thought it should set it back to old state )
>            > yum update ( 1.0.6 version came out over the weekend for FC-9 )
>            > rebooted
>            > ipa-server-install --setup-bind -N
> 
>            Yes, this should be fixed in the tip.
> 
>            [ snip ]
> 
>            > May 19 09:31:08 freeIPA.test.net krb5kdc[1758](info): set up 4 sockets
>            > May 19 09:31:08 freeIPA.test.net krb5kdc[1759](info): commencing operation
>            > May 19 09:32:02 freeIPA.test.net krb5kdc[1759](info): AS_REQ (7 etypes {18 17 16 23 1 3 2}) 192.168.1.25: NEEDED_PREAUTH: admin at TEST.NET for krbtgt/TEST.NET@TEST.NET, Additional pre-authentication required
>            > May 19 09:32:24 freeIPA.test.net krb5kdc[1759](info): AS_REQ (7 etypes {18 17 16 23 1 3 2}) 192.168.1.25: ISSUE: authtime 1211203944, etypes {rep=18 tkt=18 ses=18}, admin at TEST.NET for krbtgt/TEST.NET@TEST.NET
>            > May 19 09:32:54 freeIPA.test.net krb5kdc[1759](info): TGS_REQ (7 etypes {18 17 16 23 1 3 2}) 192.168.1.25: UNKNOWN_SERVER: authtime 1211203944,  admin at TEST.NET for HTTP/freeipa.test.net@TEST.NET, Server not found in Kerberos database
>            > May 19 09:32:54 freeIPA.test.net krb5kdc[1759](info): TGS_REQ (7 etypes {18 17 16 23 1 3 2}) 192.168.1.25: UNKNOWN_SERVER: authtime 1211203944,  admin at TEST.NET for HTTP/freeipa.test.net@TEST.NET, Server not found in Kerberos database
> 
>            Service principals are created for the IPA servers at install time.
>            There must be some (perhaps subtle) difference in what was created at
>            install time and what it is trying to use.
> 
>            Try this command to see what service principals exist:
> 
>            $ ldapsearch -LLL -x -b "cn=kerberos,dc=test,dc=net" objectclass=krbPrincipalAux dn
> 
>            rob

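The quoted reply suggests comparing the service principal the KDC was asked for with the ones the directory holds. As an added example (not code from this thread or from FreeIPA), the Python below extracts the UNKNOWN_SERVER principals from the krb5kdc lines quoted above and checks them against `ldapsearch -LLL` output. The LDIF sample, its DN layout and the function names are constructed assumptions; the directory entries in particular are illustrative, not the poster's actual data.

```python
import re

# KDC syslog lines as quoted in the thread (list-archive "at" obfuscation kept).
KDC_LOG = """\
May 19 09:32:24 freeIPA.test.net krb5kdc[1759](info): AS_REQ (7 etypes {18 17 16 23 1 3 2}) 192.168.1.25: ISSUE: authtime 1211203944, etypes {rep=18 tkt=18 ses=18}, admin at TEST.NET for krbtgt/TEST.NET@TEST.NET
May 19 09:32:54 freeIPA.test.net krb5kdc[1759](info): TGS_REQ (7 etypes {18 17 16 23 1 3 2}) 192.168.1.25: UNKNOWN_SERVER: authtime 1211203944,  admin at TEST.NET for HTTP/freeipa.test.net@TEST.NET, Server not found in Kerberos database
"""

# Constructed ldapsearch -LLL output; DN layout and entries are assumptions.
LDIF = """\
dn: krbprincipalname=krbtgt/TEST.NET@TEST.NET,cn=TEST.NET,cn=kerberos,dc=test,dc=net

dn: krbprincipalname=HTTP/freeIPA.test.net@TEST.NET,cn=TEST.NET,cn=kerberos,dc=test,dc=net
"""

# Kerberos principal names are case-sensitive, so compare exactly first.
UNKNOWN = re.compile(r"UNKNOWN_SERVER: .* for (\S+), Server not found")
PRINC_DN = re.compile(r"^dn: krbprincipalname=([^,]+),", re.IGNORECASE | re.MULTILINE)


def requested_unknown(log_text):
    """Service principals the KDC could not find, deduplicated, in log order."""
    seen = []
    for line in log_text.splitlines():
        m = UNKNOWN.search(line)
        if m and m.group(1) not in seen:
            seen.append(m.group(1))
    return seen


def diagnose(log_text, ldif_text):
    """Return (requested, verdict, stored entry or None) per unknown principal."""
    stored = PRINC_DN.findall(ldif_text)
    by_lower = {p.lower(): p for p in stored}
    report = []
    for req in requested_unknown(log_text):
        if req in stored:
            report.append((req, "present", req))
        elif req.lower() in by_lower:
            report.append((req, "case-mismatch", by_lower[req.lower()]))
        else:
            report.append((req, "missing", None))
    return report


if __name__ == "__main__":
    for req, verdict, stored in diagnose(KDC_LOG, LDIF):
        print(f"{req}: {verdict} (directory has {stored})")
```

A "case-mismatch" verdict means the directory holds the principal under a differently cased host name than the one the client requested; "missing" means no entry for that service and host exists at all.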

