Hello Rob,<br><br>I tried both the Windows command line and the MIT client. Currently, with the MIT client I get the error: Cannot resolve network address for KDC in requested realm. <br><br>I tried to troubleshoot via the help pages, but I was unable to get past this problem. On the local machine, I can get a ticket via the command line. I am running this in a virtual machine, and I have disabled SELinux and iptables so I don't know if something else could be restricting communication. <br>
<br>Thanks for your help!<br><br>-Mark<br><br><div class="gmail_quote">On Mon, May 19, 2008 at 6:57 PM, Rob Crittenden <<a href="mailto:rcritten@redhat.com">rcritten@redhat.com</a>> wrote:<br><blockquote class="gmail_quote" style="border-left: 1px solid rgb(204, 204, 204); margin: 0pt 0pt 0pt 0.8ex; padding-left: 1ex;">
<div class="Ih2E3d">Mark Christiansen wrote:<br>
<blockquote class="gmail_quote" style="border-left: 1px solid rgb(204, 204, 204); margin: 0pt 0pt 0pt 0.8ex; padding-left: 1ex;">
Hello Dmitri,<br>
<br>
I filed a bug (447440) for the documentation recommendation. I also filed a 2nd bug (447445) to fix the link to Microsoft's web page for Kerberos Authentication help, which is currently giving a "Content not found" page.<br>
<br>
If I do a kinit on a Windows machine (which most of the potential end users will likely use), I get the error:<br>
kinit(v5): Cannot resolve network address for KDC in realm ___ while getting initial credentials<br>
</blockquote>
<br></div>
Are you using the native Microsoft kerberos client or the MIT client? I don't believe IPA will interoperate with the native windows client.<div class="Ih2E3d"><br>
<br>
<blockquote class="gmail_quote" style="border-left: 1px solid rgb(204, 204, 204); margin: 0pt 0pt 0pt 0.8ex; padding-left: 1ex;">
I also added the realm to the about:config page for Mozilla, and added the site as a trusted site within IE. However, for IE I have it so that the page prompts for user name and password, but it doesn't prompt me, gives me a certificate error, and even if I continue with the bad certificate, the page comes up with nothing. <br>
Just to understand this better, but once either firefox or IE is configured properly, the web page should allow an end user to get a ticket, right? I am hoping that command line use will not be necessary. <br>
</blockquote>
<br></div>
You have to get the ticket before Firefox or IE will work. Firefox/IE, if properly configured, will be able to present the ticket as your credentials so you don't have to type a username/password in to authenticate.<br>
<br>
rob<br>
<br>
<blockquote class="gmail_quote" style="border-left: 1px solid rgb(204, 204, 204); margin: 0pt 0pt 0pt 0.8ex; padding-left: 1ex;"><div class="Ih2E3d">
<br>
Thanks for your help and suggestions!<br>
<br>
-Mark<br>
<br></div><div><div></div><div class="Wj3C7c">
On Mon, May 19, 2008 at 12:41 PM, Dmitri Pal <<a href="mailto:dpal@redhat.com" target="_blank">dpal@redhat.com</a>> wrote:<br>
<br>
Hi Mark,<br>
<br>
Thank you for sharing the recommendation with us.<br>
Can you please log a request into bugzilla?<br>
<br>
<a href="https://bugzilla.redhat.com" target="_blank">https://bugzilla.redhat.com</a><br>
<br>
Did you do kinit first?<br>
Did you add the realm into the FireFox configuration?<br>
<br>
Thank you<br>
Dmitri Pal<br>
<br>
<br>
Mark Christiansen wrote:<br>
<br>
I fixed my problems with ipa* functions by modifying /etc/hosts<br>
so that my FQDN entry is first, and the localhost entry is not<br>
first. I am guessing this is where most other people will have<br>
their problems. Can we modify the FAQ to include this<br>
recommendation?<br>
<br>
I am having issues getting access to the web page outside of the<br>
machine with freeipa installed. Should I be able to get a<br>
ticket by accessing the web interface? In both IE and Firefox,<br>
I am unable to bring up any pages after getting prompted. In<br>
IE, it is blank, and Firefox I get Kerberos authentication<br>
failed. This is another noob question, but perhaps it will be<br>
helpful for the FAQ. My O'Reilly book on Kerberos is on its<br>
way. :)<br>
<br>
Thanks!<br>
<br>
-Mark<br>
<br>
On Mon, May 19, 2008 at 9:00 AM, <<a href="mailto:freeipa-devel-request@redhat.com" target="_blank">freeipa-devel-request@redhat.com</a>> wrote:<br>
<br>
</div></div><div class="Ih2E3d">
<br>
Today's Topics:<br>
<br>
1. Re: freeIPA + Fedora 9 + xen , can't get passed<br>
ipa-finduser<br>
admin (Rob Crittenden)<br>
<br>
<br>
----------------------------------------------------------------------<br>
<br>
Message: 1<br>
Date: Mon, 19 May 2008 11:39:45 -0400<br>
From: Rob Crittenden <<a href="mailto:rcritten@redhat.com" target="_blank">rcritten@redhat.com</a>><br>
Subject: Re: [Freeipa-devel] freeIPA + Fedora 9 + xen , can't get<br>
passed ipa-finduser admin<br>
To: Jaakan Shorter <<a href="mailto:jaakanshorter@gmail.com" target="_blank">jaakanshorter@gmail.com</a>><br>
Cc: <a href="mailto:freeipa-devel@redhat.com" target="_blank">freeipa-devel@redhat.com</a><br>
</div><div><div>
</div><div class="Wj3C7c">
Message-ID: <<a href="mailto:48319F41.7040707@redhat.com" target="_blank">48319F41.7040707@redhat.com</a>><br>
<br>
Content-Type: text/plain; charset="iso-8859-1"<br>
<br>
Jaakan Shorter wrote:<br>
> here's an update ( I replaced the domain name with test )<br>
> let me know if you need anymore info<br>
><br>
> ipa-server-install --uninstall<br>
> rm -f /var/kerberos/krb5kdc/kpasswd.keytab<br>
> stopped the kerberos service ( --uninstall switch didn't stop it. I<br>
> thought it should set it back to old state )<br>
> yum update ( 1.0.6 version came out over the weekend for FC-9 )<br>
> rebooted<br>
> ipa-server-install --setup-bind -N<br>
<br>
Yes, this should be fixed in the tip.<br>
<br>
[ snip ]<br>
<br>
> May 19 09:31:08 freeIPA.test.net krb5kdc[1758](info): set up 4 sockets<br>
> May 19 09:31:08 freeIPA.test.net krb5kdc[1759](info): commencing operation<br>
> May 19 09:32:02 freeIPA.test.net krb5kdc[1759](info): AS_REQ (7 etypes {18 17 16 23 1 3 2}) 192.168.1.25: NEEDED_PREAUTH: admin@TEST.NET for krbtgt/TEST.NET@TEST.NET, Additional pre-authentication required<br>
> May 19 09:32:24 freeIPA.test.net krb5kdc[1759](info): AS_REQ (7 etypes {18 17 16 23 1 3 2}) 192.168.1.25: ISSUE: authtime 1211203944, etypes {rep=18 tkt=18 ses=18}, admin@TEST.NET for krbtgt/TEST.NET@TEST.NET<br>
> May 19 09:32:54 freeIPA.test.net krb5kdc[1759](info): TGS_REQ (7 etypes {18 17 16 23 1 3 2}) 192.168.1.25: UNKNOWN_SERVER: authtime 1211203944, admin@TEST.NET for HTTP/freeipa.test.net@TEST.NET, Server not found in Kerberos database<br>
> May 19 09:32:54 freeIPA.test.net krb5kdc[1759](info): TGS_REQ (7 etypes {18 17 16 23 1 3 2}) 192.168.1.25: UNKNOWN_SERVER: authtime 1211203944, admin@TEST.NET for HTTP/freeipa.test.net@TEST.NET, Server not found in Kerberos database<br>
</div></div><div class="Ih2E3d">
<br>
Service principals are created for the IPA servers at install time.<br>
There must be some (perhaps subtle) difference in what was created at<br>
install time and what it is trying to use.<br>
<br>
Try this command to see what service principals exist:<br>
<br>
$ ldapsearch -LLL -x -b "cn=kerberos,dc=test,dc=net" objectclass=krbPrincipalAux dn<br>
<br>
rob<br>
</div></blockquote>
<br>
</blockquote></div><br>
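The comparison Rob suggests in the quoted message, between the service principal the KDC rejects as UNKNOWN_SERVER and the principals that exist in the directory, can be scripted. This is an added example, not part of the original thread or of FreeIPA; the log lines and the ldapsearch output are constructed samples, and the DN layout and the mixed-case principal in it are assumptions for illustration.

```python
import re

# Constructed krb5kdc log lines, modelled on the ones quoted in the thread.
KDC_LOG = """\
May 19 09:32:24 freeIPA.test.net krb5kdc[1759](info): AS_REQ (7 etypes {18 17 16 23 1 3 2}) 192.168.1.25: ISSUE: authtime 1211203944, etypes {rep=18 tkt=18 ses=18}, admin@TEST.NET for krbtgt/TEST.NET@TEST.NET
May 19 09:32:54 freeIPA.test.net krb5kdc[1759](info): TGS_REQ (7 etypes {18 17 16 23 1 3 2}) 192.168.1.25: UNKNOWN_SERVER: authtime 1211203944, admin@TEST.NET for HTTP/freeipa.test.net@TEST.NET, Server not found in Kerberos database
May 19 09:32:54 freeIPA.test.net krb5kdc[1759](info): TGS_REQ (7 etypes {18 17 16 23 1 3 2}) 192.168.1.25: UNKNOWN_SERVER: authtime 1211203944, admin@TEST.NET for HTTP/freeipa.test.net@TEST.NET, Server not found in Kerberos database
"""

# Constructed output of the ldapsearch command above. The DN layout and the
# mixed-case host name are assumptions; LDIF folds long lines with "\n ".
LDIF = """\
dn: krbprincipalname=HTTP/freeIPA.test.net@TEST.NET,cn=TEST.NET,cn=kerberos,dc
 =test,dc=net

dn: krbprincipalname=ldap/freeIPA.test.net@TEST.NET,cn=TEST.NET,cn=kerberos,dc
 =test,dc=net
"""

UNKNOWN_RE = re.compile(r"TGS_REQ .*?: UNKNOWN_SERVER: .*? for (\S+),")
DN_RE = re.compile(r"^dn:\s*krbprincipalname=([^,]+),", re.I | re.M)

def unknown_servers(log_text):
    """Distinct service principals the KDC rejected, in first-seen order."""
    return list(dict.fromkeys(UNKNOWN_RE.findall(log_text)))

def registered_principals(ldif_text):
    """Principal names from 'dn:' lines, after undoing LDIF line folding."""
    return DN_RE.findall(ldif_text.replace("\n ", ""))

def diagnose(requested, registered):
    """Map each rejected principal to the nearest difference found."""
    by_folded = {p.lower(): p for p in registered}
    hosts = {p.split("/", 1)[1].lower() for p in registered if "/" in p}
    report = {}
    for princ in requested:
        if princ in registered:
            report[princ] = "exact match"
        elif princ.lower() in by_folded:
            report[princ] = "differs only in case from " + by_folded[princ.lower()]
        elif "/" in princ and princ.split("/", 1)[1].lower() in hosts:
            report[princ] = "host is known, but not for this service"
        else:
            report[princ] = "no similar principal"
    return report

if __name__ == "__main__":
    for p, why in diagnose(unknown_servers(KDC_LOG), registered_principals(LDIF)).items():
        print(p, "->", why)
```

Kerberos principal names are case-sensitive, so a principal that differs from the requested one only in letter case is reported separately from one that is missing altogether.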