Hello Rob,<br><br>I tried both the Windows command line and the MIT client. Currently, with the MIT client I get the error: Cannot resolve network address for KDC in requested realm. <br><br>I tried to troubleshoot via the help pages, but I was unable to get past this problem. On the local machine, I can get a ticket via the command line. I am running this in a virtual machine, and I have disabled SELinux and iptables so I don't know if something else could be restricting communication. <br> <br>Thanks for your help!<br><br>-Mark<br><br><div class="gmail_quote">On Mon, May 19, 2008 at 6:57 PM, Rob Crittenden <<a href="mailto:rcritten@redhat.com">rcritten@redhat.com</a>> wrote:<br><blockquote class="gmail_quote" style="border-left: 1px solid rgb(204, 204, 204); margin: 0pt 0pt 0pt 0.8ex; padding-left: 1ex;"> <div class="Ih2E3d">Mark Christiansen wrote:<br> <blockquote class="gmail_quote" style="border-left: 1px solid rgb(204, 204, 204); margin: 0pt 0pt 0pt 0.8ex; padding-left: 1ex;"> Hello Dmitri,<br> <br> I filed a bug (447440) for the documentation recommendation. I also filed a 2nd bug (447445) to fix the link to Microsoft's web page for Kerberos Authentication help, which is currently giving a "Content not found" page.<br> <br> If I do a kinit on a Windows machine (which most of the potential end users will likely use), I get the error:<br> kinit(v5): Cannot resolve network address for KDC in realm ___ while getting initial credentials<br> </blockquote> <br></div> Are you using the native Microsoft kerberos client or the MIT client? I don't believe IPA will interoperate with the native windows client.<div class="Ih2E3d"><br> <br> <blockquote class="gmail_quote" style="border-left: 1px solid rgb(204, 204, 204); margin: 0pt 0pt 0pt 0.8ex; padding-left: 1ex;"> I also added the realm to the about:config page for Mozilla, and added the site as a trusted site within IE. However, for IE I have it so that the page prompts for user name and password, but it doesn't prompt me, gives me a certificate error, and even if I continue with the bad certificate, the page comes up with nothing. <br> Just to understand this better, but once either firefox or IE is configured properly, the web page should allow an end user to get a ticket, right? I am hoping that command line use will not be necessary. <br> </blockquote> <br></div> You have to get the ticket before Firefox or IE will work. Firefox/IE, if properly configured, will be able to present the ticket as your credentials so you don't have to type a username/password in to authenticate.<br> <br> rob<br> <br> <blockquote class="gmail_quote" style="border-left: 1px solid rgb(204, 204, 204); margin: 0pt 0pt 0pt 0.8ex; padding-left: 1ex;"><div class="Ih2E3d"> <br> Thanks for your help and suggestions!<br> <br> -Mark<br> <br></div><div><div></div><div class="Wj3C7c"> On Mon, May 19, 2008 at 12:41 PM, Dmitri Pal <<a href="mailto:dpal@redhat.com" target="_blank">dpal@redhat.com</a> <mailto:<a href="mailto:dpal@redhat.com" target="_blank">dpal@redhat.com</a>>> wrote:<br> <br> Hi Mark,<br> <br> Thank you for sharing the recommendation with us.<br> Can you please log a request into bugzilla?<br> <br> <a href="https://bugzilla.redhat.com" target="_blank">https://bugzilla.redhat.com</a><br> <br> Did you do kinit first?<br> Did you add the realm into the FireFox configuration?<br> <br> Thank you<br> Dmitri Pal<br> <br> <br> Mark Christiansen wrote:<br> <br> I fixed my problems with ipa* functions by modifying /etc/hosts<br> so that my FQDN entry is first, and the localhost entry is not<br> first. I am guessing this is where most other people will have<br> their problems. Can we modify the FAQ to include this<br> recommendation?<br> <br> I am having issues getting access to the web page outside of the<br> machine with freeipa installed. Should I be able to get a<br> ticket by accessing the web interface? In both IE and Firefox,<br> I am unable to bring up any pages after getting prompted. In<br> IE, it is blank, and Firefox I get Kerberos authentication<br> failed. This is another noob question, but perhaps it will be<br> helpful for the FAQ. My O'Reilly book on Kerberos is on its<br> way. :)<br> <br> Thanks!<br> <br> -Mark<br> <br> On Mon, May 19, 2008 at 9:00 AM,<br> <<a href="mailto:freeipa-devel-request@redhat.com" target="_blank">freeipa-devel-request@redhat.com</a><br> <mailto:<a href="mailto:freeipa-devel-request@redhat.com" target="_blank">freeipa-devel-request@redhat.com</a>><br> <mailto:<a href="mailto:freeipa-devel-request@redhat.com" target="_blank">freeipa-devel-request@redhat.com</a><br> <mailto:<a href="mailto:freeipa-devel-request@redhat.com" target="_blank">freeipa-devel-request@redhat.com</a>>>> wrote:<br> <br> Send Freeipa-devel mailing list submissions to<br> <a href="mailto:freeipa-devel@redhat.com" target="_blank">freeipa-devel@redhat.com</a><br> <mailto:<a href="mailto:freeipa-devel@redhat.com" target="_blank">freeipa-devel@redhat.com</a>><br></div></div> <mailto:<a href="mailto:freeipa-devel@redhat.com" target="_blank">freeipa-devel@redhat.com</a> <mailto:<a href="mailto:freeipa-devel@redhat.com" target="_blank">freeipa-devel@redhat.com</a>>><div class="Ih2E3d"> <br> <br> <br> To subscribe or unsubscribe via the World Wide Web, visit<br> <a href="https://www.redhat.com/mailman/listinfo/freeipa-devel" target="_blank">https://www.redhat.com/mailman/listinfo/freeipa-devel</a><br> or, via email, send a message with subject or body 'help' to<br> <a href="mailto:freeipa-devel-request@redhat.com" target="_blank">freeipa-devel-request@redhat.com</a><br> <mailto:<a href="mailto:freeipa-devel-request@redhat.com" target="_blank">freeipa-devel-request@redhat.com</a>><br></div><div class="Ih2E3d"> <mailto:<a href="mailto:freeipa-devel-request@redhat.com" target="_blank">freeipa-devel-request@redhat.com</a><br></div><div class="Ih2E3d"> <mailto:<a href="mailto:freeipa-devel-request@redhat.com" target="_blank">freeipa-devel-request@redhat.com</a>>><br> <br> <br> You can reach the person managing the list at<br> <a href="mailto:freeipa-devel-owner@redhat.com" target="_blank">freeipa-devel-owner@redhat.com</a><br> <mailto:<a href="mailto:freeipa-devel-owner@redhat.com" target="_blank">freeipa-devel-owner@redhat.com</a>><br> <mailto:<a href="mailto:freeipa-devel-owner@redhat.com" target="_blank">freeipa-devel-owner@redhat.com</a><br> <mailto:<a href="mailto:freeipa-devel-owner@redhat.com" target="_blank">freeipa-devel-owner@redhat.com</a>>><br> <br> <br> When replying, please edit your Subject line so it is more<br> specific<br> than "Re: Contents of Freeipa-devel digest..."<br> <br> <br> Today's Topics:<br> <br> 1. Re: freeIPA + Fedora 9 + xen , can't get passed<br> ipa-finduser<br> admin (Rob Crittenden)<br> <br> <br> ----------------------------------------------------------------------<br> <br> Message: 1<br> Date: Mon, 19 May 2008 11:39:45 -0400<br> From: Rob Crittenden <<a href="mailto:rcritten@redhat.com" target="_blank">rcritten@redhat.com</a><br> <mailto:<a href="mailto:rcritten@redhat.com" target="_blank">rcritten@redhat.com</a>><br></div> <mailto:<a href="mailto:rcritten@redhat.com" target="_blank">rcritten@redhat.com</a> <mailto:<a href="mailto:rcritten@redhat.com" target="_blank">rcritten@redhat.com</a>>>><div class="Ih2E3d"><br> <br> Subject: Re: [Freeipa-devel] freeIPA + Fedora 9 + xen , can't get<br> passed ipa-finduser admin<br> To: Jaakan Shorter <<a href="mailto:jaakanshorter@gmail.com" target="_blank">jaakanshorter@gmail.com</a><br> <mailto:<a href="mailto:jaakanshorter@gmail.com" target="_blank">jaakanshorter@gmail.com</a>><br></div> <mailto:<a href="mailto:jaakanshorter@gmail.com" target="_blank">jaakanshorter@gmail.com</a><div class="Ih2E3d"><br> <mailto:<a href="mailto:jaakanshorter@gmail.com" target="_blank">jaakanshorter@gmail.com</a>>>><br> Cc: <a href="mailto:freeipa-devel@redhat.com" target="_blank">freeipa-devel@redhat.com</a><br> <mailto:<a href="mailto:freeipa-devel@redhat.com" target="_blank">freeipa-devel@redhat.com</a>><br></div> <mailto:<a href="mailto:freeipa-devel@redhat.com" target="_blank">freeipa-devel@redhat.com</a> <mailto:<a href="mailto:freeipa-devel@redhat.com" target="_blank">freeipa-devel@redhat.com</a>>><div><div> </div><div class="Wj3C7c"><br> <br> Message-ID: <<a href="mailto:48319F41.7040707@redhat.com" target="_blank">48319F41.7040707@redhat.com</a><br> <mailto:<a href="mailto:48319F41.7040707@redhat.com" target="_blank">48319F41.7040707@redhat.com</a>><br> <mailto:<a href="mailto:48319F41.7040707@redhat.com" target="_blank">48319F41.7040707@redhat.com</a><br> <mailto:<a href="mailto:48319F41.7040707@redhat.com" target="_blank">48319F41.7040707@redhat.com</a>>>><br> <br> Content-Type: text/plain; charset="iso-8859-1"<br> <br> Jaakan Shorter wrote:<br> > here's an update ( I replaced the domain name with test )<br> > let me know if you need anymore info<br> ><br> > ipa-server-install --uninstall<br> > rm -f /var/kerberos/krb5kdc/kpasswd.keytab<br> > stopped the kerberos service ( --uninstall switch didn't<br> stop it. I<br> > thought it should set it back to old state )<br> > yum update ( 1.0.6 version came out over the weekend for FC-9 )<br> > rebooted<br> > ipa-server-install --setup-bind -N<br> <br> Yes, this should be fixed in the tip.<br> <br> [ snip ]<br> <br> > May 19 09:31:08 <a href="http://freeIPA.test.net" target="_blank">freeIPA.test.net</a> <<a href="http://freeIPA.test.net" target="_blank">http://freeIPA.test.net</a>><br> <<a href="http://freeIPA.test.net" target="_blank">http://freeIPA.test.net</a>><br> <br> krb5kdc[1758](info): set up 4 sockets<br> > May 19 09:31:08 <a href="http://freeIPA.test.net" target="_blank">freeIPA.test.net</a> <<a href="http://freeIPA.test.net" target="_blank">http://freeIPA.test.net</a>><br> <<a href="http://freeIPA.test.net" target="_blank">http://freeIPA.test.net</a>><br> <br> krb5kdc[1759](info): commencing operation<br> > May 19 09:32:02 <a href="http://freeIPA.test.net" target="_blank">freeIPA.test.net</a> <<a href="http://freeIPA.test.net" target="_blank">http://freeIPA.test.net</a>><br> <<a href="http://freeIPA.test.net" target="_blank">http://freeIPA.test.net</a>><br> <br> krb5kdc[1759](info): AS_REQ (7 etypes<br> > {18 17 16 23 1 3 2}) <a href="http://192.168.1.25" target="_blank">192.168.1.25</a> <<a href="http://192.168.1.25" target="_blank">http://192.168.1.25</a>><br> <<a href="http://192.168.1.25" target="_blank">http://192.168.1.25</a>>:<br> NEEDED_PREAUTH: <a href="mailto:admin@TEST.NET" target="_blank">admin@TEST.NET</a> <mailto:<a href="mailto:admin@TEST.NET" target="_blank">admin@TEST.NET</a>><br></div></div> <mailto:<a href="mailto:admin@TEST.NET" target="_blank">admin@TEST.NET</a> <mailto:<a href="mailto:admin@TEST.NET" target="_blank">admin@TEST.NET</a>>> for<div class="Ih2E3d"><br> > krbtgt/<a href="http://TEST.NET" target="_blank">TEST.NET</a> <<a href="http://TEST.NET" target="_blank">http://TEST.NET</a>><br></div> <<a href="http://TEST.NET" target="_blank">http://TEST.NET</a>>@<a href="http://TEST.NET" target="_blank">TEST.NET</a> <<a href="http://TEST.NET" target="_blank">http://TEST.NET</a>> <<a href="http://TEST.NET" target="_blank">http://TEST.NET</a>>,<div class="Ih2E3d"> <br> Additional pre-authentication required<br> > May 19 09:32:24 <a href="http://freeIPA.test.net" target="_blank">freeIPA.test.net</a> <<a href="http://freeIPA.test.net" target="_blank">http://freeIPA.test.net</a>><br></div><div class="Ih2E3d"> <<a href="http://freeIPA.test.net" target="_blank">http://freeIPA.test.net</a>><br> <br> krb5kdc[1759](info): AS_REQ (7 etypes<br> > {18 17 16 23 1 3 2}) <a href="http://192.168.1.25" target="_blank">192.168.1.25</a> <<a href="http://192.168.1.25" target="_blank">http://192.168.1.25</a>><br></div><div class="Ih2E3d"> <<a href="http://192.168.1.25" target="_blank">http://192.168.1.25</a>>: ISSUE:<br> authtime 1211203944, etypes<br> > {rep=18 tkt=18 ses=18}, <a href="mailto:admin@TEST.NET" target="_blank">admin@TEST.NET</a><br></div> <mailto:<a href="mailto:admin@TEST.NET" target="_blank">admin@TEST.NET</a>> <mailto:<a href="mailto:admin@TEST.NET" target="_blank">admin@TEST.NET</a><div class="Ih2E3d"><br> <mailto:<a href="mailto:admin@TEST.NET" target="_blank">admin@TEST.NET</a>>><br> for krbtgt/<a href="http://TEST.NET" target="_blank">TEST.NET</a> <<a href="http://TEST.NET" target="_blank">http://TEST.NET</a>><br></div> <<a href="http://TEST.NET" target="_blank">http://TEST.NET</a>>@<a href="http://TEST.NET" target="_blank">TEST.NET</a> <<a href="http://TEST.NET" target="_blank">http://TEST.NET</a>> <<a href="http://TEST.NET" target="_blank">http://TEST.NET</a>><div class="Ih2E3d"> <br> > May 19 09:32:54 <a href="http://freeIPA.test.net" target="_blank">freeIPA.test.net</a> <<a href="http://freeIPA.test.net" target="_blank">http://freeIPA.test.net</a>><br> <<a href="http://freeIPA.test.net" target="_blank">http://freeIPA.test.net</a>><br> <br> krb5kdc[1759](info): TGS_REQ (7<br> > etypes {18 17 16 23 1 3 2}) <a href="http://192.168.1.25" target="_blank">192.168.1.25</a><br></div> <<a href="http://192.168.1.25" target="_blank">http://192.168.1.25</a>> <<a href="http://192.168.1.25" target="_blank">http://192.168.1.25</a>>:<div class="Ih2E3d"><br> UNKNOWN_SERVER: authtime<br> > 1211203944, <a href="mailto:admin@TEST.NET" target="_blank">admin@TEST.NET</a> <mailto:<a href="mailto:admin@TEST.NET" target="_blank">admin@TEST.NET</a>><br></div> <mailto:<a href="mailto:admin@TEST.NET" target="_blank">admin@TEST.NET</a> <mailto:<a href="mailto:admin@TEST.NET" target="_blank">admin@TEST.NET</a>>> for<div class="Ih2E3d"><br> HTTP/<a href="http://freeipa.test.net" target="_blank">freeipa.test.net</a> <<a href="http://freeipa.test.net" target="_blank">http://freeipa.test.net</a>><br> <<a href="http://freeipa.test.net" target="_blank">http://freeipa.test.net</a>>@<a href="http://TEST.NET" target="_blank">TEST.NET</a> <<a href="http://TEST.NET" target="_blank">http://TEST.NET</a>><br> <<a href="http://TEST.NET" target="_blank">http://TEST.NET</a>>, Server<br> <br> > not found in Kerberos database<br> > May 19 09:32:54 <a href="http://freeIPA.test.net" target="_blank">freeIPA.test.net</a> <<a href="http://freeIPA.test.net" target="_blank">http://freeIPA.test.net</a>><br></div><div class="Ih2E3d"> <<a href="http://freeIPA.test.net" target="_blank">http://freeIPA.test.net</a>><br> <br> krb5kdc[1759](info): TGS_REQ (7<br> > etypes {18 17 16 23 1 3 2}) <a href="http://192.168.1.25" target="_blank">192.168.1.25</a><br></div> <<a href="http://192.168.1.25" target="_blank">http://192.168.1.25</a>> <<a href="http://192.168.1.25" target="_blank">http://192.168.1.25</a>>:<div class="Ih2E3d"><br> UNKNOWN_SERVER: authtime<br> > 1211203944, <a href="mailto:admin@TEST.NET" target="_blank">admin@TEST.NET</a> <mailto:<a href="mailto:admin@TEST.NET" target="_blank">admin@TEST.NET</a>><br></div> <mailto:<a href="mailto:admin@TEST.NET" target="_blank">admin@TEST.NET</a> <mailto:<a href="mailto:admin@TEST.NET" target="_blank">admin@TEST.NET</a>>> for<div class="Ih2E3d"><br> HTTP/<a href="http://freeipa.test.net" target="_blank">freeipa.test.net</a> <<a href="http://freeipa.test.net" target="_blank">http://freeipa.test.net</a>><br> <<a href="http://freeipa.test.net" target="_blank">http://freeipa.test.net</a>>@<a href="http://TEST.NET" target="_blank">TEST.NET</a> <<a href="http://TEST.NET" target="_blank">http://TEST.NET</a>><br> </div><div class="Ih2E3d"> <<a href="http://TEST.NET" target="_blank">http://TEST.NET</a>>, Server<br> <br> > not found in Kerberos database<br> <br> Service principals are created for the IPA servers at install<br> time.<br> There must be some (perhaps subtle) difference in what was<br> created at<br> install time and what it is trying to use.<br> <br> Try this command to see what service principals exist:<br> <br> $ ldapsearch -LLL -x -b "cn=kerberos,dc=test,dc=net"<br> objectclass=krbPrincipalAux dn<br> <br> rob<br> -------------- next part --------------<br> A non-text attachment was scrubbed...<br> Name: smime.p7s<br> Type: application/x-pkcs7-signature<br> Size: 3245 bytes<br> Desc: S/MIME Cryptographic Signature<br> Url :<br> <a href="https://www.redhat.com/archives/freeipa-devel/attachments/20080519/db294115/smime.bin" target="_blank">https://www.redhat.com/archives/freeipa-devel/attachments/20080519/db294115/smime.bin</a><br> </div></blockquote> <br> </blockquote></div><br>