Hi Rob,<br><br>It turns out that this fixed my Windows client:<br><br><pre>network.auth.use-sspi false</pre>However, my Linux (RHEL5) browser still doesn't connect.<br><br>I can file a bug to add the above line to ssbrowser.html. I am still confused as to what could be going on with my Linux machine.<br>
<br>Cheers!<br><br>-Mark<br><br><div class="gmail_quote">On Mon, Jun 9, 2008 at 10:34 AM, Rob Crittenden <<a href="mailto:rcritten@redhat.com">rcritten@redhat.com</a>> wrote:<br><blockquote class="gmail_quote" style="border-left: 1px solid rgb(204, 204, 204); margin: 0pt 0pt 0pt 0.8ex; padding-left: 1ex;">
<div class="Ih2E3d">Mark Christiansen wrote:<br>
<blockquote class="gmail_quote" style="border-left: 1px solid rgb(204, 204, 204); margin: 0pt 0pt 0pt 0.8ex; padding-left: 1ex;">
Hi Simo,<br>
<br>
Yes, I can get a kerberos ticket on both Windows and Linux clients. I am able to configure a browser on the machine with FreeIPA and use its web interface, but I am unable to do the same on the clients. <br>
Thanks for your suggestions!<br>
</blockquote>
<br></div>
Are you configuring your browser according to:<br>
<a href="http://www.freeipa.com/page/ClientConfigurationGuide#Configuring_Your_Browser" target="_blank">http://www.freeipa.com/page/ClientConfigurationGuide#Configuring_Your_Browser</a><br>
<br>
rob<br>
<br>
<blockquote class="gmail_quote" style="border-left: 1px solid rgb(204, 204, 204); margin: 0pt 0pt 0pt 0.8ex; padding-left: 1ex;">
<br>
-Mark<div class="Ih2E3d"><br>
<br>
On Sun, Jun 8, 2008 at 6:32 AM, Simo Sorce &lt;<a href="mailto:ssorce@redhat.com" target="_blank">ssorce@redhat.com</a> &lt;mailto:<a href="mailto:ssorce@redhat.com" target="_blank">ssorce@redhat.com</a>&gt;&gt; wrote:<br>
<br>
Can you get a kerberos ticket on the clients?<br>
If not, what error do you get ?<br>
<br>
Simo.<br>
<br>
On Sat, 2008-06-07 at 13:17 -0700, Mark Christiansen wrote:<br>
> Hello everyone,<br>
><br>
> Recently I sent an e-mail because I couldn't get access to freeipa on<br>
> any machine other than the one with freeipa installed. I reinstalled<br>
> the MIT Kerberos client, and am now able to authenticate on a Windows<br>
> machine. However, I can still not get the webpage to display on<br>
> either a Windows or a Linux platform (other than the virtual machine<br>
> freeIPA is installed on). I have reinstalled several times, and<br>
don't<br>
> know what I could be missing. All of my machines are on one subnet,<br>
> and I temporarily disabled firewalls to see if that could be the<br>
> issue.<br>
><br>
> Thanks for any tips!<br>
><br>
> -Mark<br>
><br>
> On Sat, Jun 7, 2008 at 9:00 AM, <<a href="mailto:freeipa-devel-request@redhat.com" target="_blank">freeipa-devel-request@redhat.com</a><br></div>
&lt;mailto:<a href="mailto:freeipa-devel-request@redhat.com" target="_blank">freeipa-devel-request@redhat.com</a>&gt;&gt;<div class="Ih2E3d"><br>
> wrote:<br>
> Send Freeipa-devel mailing list submissions to<br>
> <a href="mailto:freeipa-devel@redhat.com" target="_blank">freeipa-devel@redhat.com</a><br></div>
&lt;mailto:<a href="mailto:freeipa-devel@redhat.com" target="_blank">freeipa-devel@redhat.com</a>&gt;<div class="Ih2E3d"><br>
><br>
> To subscribe or unsubscribe via the World Wide Web, visit<br>
> <a href="https://www.redhat.com/mailman/listinfo/freeipa-devel" target="_blank">https://www.redhat.com/mailman/listinfo/freeipa-devel</a><br>
> or, via email, send a message with subject or body 'help' to<br>
> <a href="mailto:freeipa-devel-request@redhat.com" target="_blank">freeipa-devel-request@redhat.com</a><br></div>
&lt;mailto:<a href="mailto:freeipa-devel-request@redhat.com" target="_blank">freeipa-devel-request@redhat.com</a>&gt;<div class="Ih2E3d"><br>
><br>
> You can reach the person managing the list at<br>
> <a href="mailto:freeipa-devel-owner@redhat.com" target="_blank">freeipa-devel-owner@redhat.com</a><br></div>
&lt;mailto:<a href="mailto:freeipa-devel-owner@redhat.com" target="_blank">freeipa-devel-owner@redhat.com</a>&gt;<div class="Ih2E3d"><br>
><br>
> When replying, please edit your Subject line so it is more<br>
> specific<br>
> than "Re: Contents of Freeipa-devel digest..."<br>
><br>
><br>
> Today's Topics:<br>
><br>
> 1. Re: [PATCH] be clearer about what is being configured<br>
> (Rob Crittenden)<br>
> 2. AD and freeIPA synch (Karl Wirth)<br>
> 3. Re: AD and freeIPA synch (Rich Megginson)<br>
><br>
><br>
> ----------------------------------------------------------------------<br>
><br>
> Message: 1<br>
> Date: Fri, 06 Jun 2008 15:27:21 -0400<br>
> From: Rob Crittenden <<a href="mailto:rcritten@redhat.com" target="_blank">rcritten@redhat.com</a><br></div>
&lt;mailto:<a href="mailto:rcritten@redhat.com" target="_blank">rcritten@redhat.com</a>&gt;&gt;<div class="Ih2E3d"><br>
> Subject: Re: [Freeipa-devel] [PATCH] be clearer about what is<br>
> being<br>
> configured<br>
> To: freeipa-devel <<a href="mailto:freeipa-devel@redhat.com" target="_blank">freeipa-devel@redhat.com</a><br></div>
&lt;mailto:<a href="mailto:freeipa-devel@redhat.com" target="_blank">freeipa-devel@redhat.com</a>&gt;&gt;<div class="Ih2E3d"><br>
> Message-ID: <<a href="mailto:48498F99.5090903@redhat.com" target="_blank">48498F99.5090903@redhat.com</a><br></div>
&lt;mailto:<a href="mailto:48498F99.5090903@redhat.com" target="_blank">48498F99.5090903@redhat.com</a>&gt;&gt;<div class="Ih2E3d"><br>
> Content-Type: text/plain; charset="iso-8859-1"<br>
><br>
> Skipped content of type multipart/mixed-------------- next<br>
> part --------------<br>
> A non-text attachment was scrubbed...<br>
> Name: smime.p7s<br>
> Type: application/x-pkcs7-signature<br>
> Size: 3245 bytes<br>
> Desc: S/MIME Cryptographic Signature<br>
> Url :<br>
> <a href="https://www.redhat.com/archives/freeipa-devel/attachments/20080606/c7cfd409/smime.bin" target="_blank">https://www.redhat.com/archives/freeipa-devel/attachments/20080606/c7cfd409/smime.bin</a><br>
><br>
> ------------------------------<br>
><br>
> Message: 2<br>
> Date: Fri, 06 Jun 2008 15:32:29 -0400<br>
> From: Karl Wirth <<a href="mailto:kwirth@redhat.com" target="_blank">kwirth@redhat.com</a><br></div>
&lt;mailto:<a href="mailto:kwirth@redhat.com" target="_blank">kwirth@redhat.com</a>&gt;&gt;<div class="Ih2E3d"><br>
> Subject: [Freeipa-devel] AD and freeIPA synch<br>
> To: <a href="mailto:freeipa-devel@redhat.com" target="_blank">freeipa-devel@redhat.com</a><br></div>
&lt;mailto:<a href="mailto:freeipa-devel@redhat.com" target="_blank">freeipa-devel@redhat.com</a>&gt;, <a href="mailto:freeipa-interest@redhat.com" target="_blank">freeipa-interest@redhat.com</a><br>
&lt;mailto:<a href="mailto:freeipa-interest@redhat.com" target="_blank">freeipa-interest@redhat.com</a>&gt;<div class="Ih2E3d"><br>
> Message-ID: <<a href="mailto:484990CD.30206@redhat.com" target="_blank">484990CD.30206@redhat.com</a><br></div>
&lt;mailto:<a href="mailto:484990CD.30206@redhat.com" target="_blank">484990CD.30206@redhat.com</a>&gt;&gt;<div><div></div><div class="Wj3C7c"><br>
> Content-Type: text/plain; charset=ISO-8859-1<br>
><br>
> Hello,<br>
><br>
> Many organizations have given feedback that they want to make<br>
> sure that<br>
> freeIPA can synch with AD. We want to provide more than what<br>
> is<br>
> available in the winsynch that is in fedora directory server.<br>
> Here are<br>
> my thoughts on what the features should be in this area. I<br>
> would love<br>
> your feedback. Does this sound right? What is missing?<br>
> Longerterm, we<br>
> hope to enable kerberos trust between AD and IPA but even<br>
then<br>
> some<br>
> folks will want synch as well. Thoughts?<br>
><br>
> AD and freeIPA synch requirements ---proposal for your review<br>
> and feedback<br>
><br>
> 1. Keep password in AD same as PW in IPA<br>
> - If changed in AD, bring change over to IPA<br>
> - If changed in IPA, bring change over to AD<br>
><br>
> 2. Synch userid and attributes<br>
> - Configurable which attributes<br>
> - If full posix available then make this available<br>
> - Configurable translation between attributes (i.e transform<br>
> data such<br>
> as middle name length or whatever)<br>
> - Configurable mapping between attribute names<br>
> - Generate attributes if not present in AD with flexible<br>
rules<br>
> for doing<br>
> this and vice versa<br>
><br>
> 3. Which subsets of users to keep in synch<br>
> - Make it possible to define which AD/IPA users should be<br>
kept<br>
> in synch<br>
><br>
> 4. Topology<br>
> - Password synch is only supported with 1 AD domain. Not<br>
> multiple.<br>
> - Identity/attribute synch is supported across multiple<br>
> domains.<br>
> ---If the same user is in multiple domains, there is a<br>
problem<br>
> ---- Not<br>
> supported<br>
> ---If the same userid in different domains but different<br>
user,<br>
> resolve<br>
> - Need to support PW change on any IPA server<br>
> - Need to support PW change on an AD server<br>
><br>
> 5. Failover<br>
> - Support for failover AD DC<br>
> - Support for failover IPA<br>
><br>
> 6. Install and Packaging<br>
> - Separate install of synch tool<br>
> - Preconfigured synch tool with easy to point to IPA and AD<br>
> - Predefined<br>
> - Requires passsynch on domain controllers<br>
> - Proposal 1: Requires password to only change on AD.<br>
> Probably not ok.<br>
> - Proposal 2: Make changes to IPA to hand PW to AD<br>
><br>
> 7. Groups.<br>
> Allow four options that an administrator can choose between:<br>
> - One option: Synchronize all users from AD into one IPA<br>
group<br>
> - Second option: Synchronize all users according to filter<br>
> defined in #3<br>
> above and bring along all of their groups and keep their<br>
> memberships in<br>
> them.<br>
> - Third option: No group synch at all<br>
> - Fourth option: No support for nested groups<br>
><br>
> Best regards,<br>
> Karl<br>
><br>
><br>
><br>
> ------------------------------<br>
><br>
> Message: 3<br>
> Date: Fri, 06 Jun 2008 13:38:50 -0600<br>
> From: Rich Megginson <<a href="mailto:rmeggins@redhat.com" target="_blank">rmeggins@redhat.com</a><br></div></div>
&lt;mailto:<a href="mailto:rmeggins@redhat.com" target="_blank">rmeggins@redhat.com</a>&gt;&gt;<div class="Ih2E3d"><br>
> Subject: Re: [Freeipa-devel] AD and freeIPA synch<br></div>
> To: <a href="mailto:kwirth@redhat.com" target="_blank">kwirth@redhat.com</a> &lt;mailto:<a href="mailto:kwirth@redhat.com" target="_blank">kwirth@redhat.com</a>&gt;<div class="Ih2E3d"><br>
> Cc: <a href="mailto:freeipa-devel@redhat.com" target="_blank">freeipa-devel@redhat.com</a><br></div>
&lt;mailto:<a href="mailto:freeipa-devel@redhat.com" target="_blank">freeipa-devel@redhat.com</a>&gt;, <a href="mailto:freeipa-interest@redhat.com" target="_blank">freeipa-interest@redhat.com</a><br>
&lt;mailto:<a href="mailto:freeipa-interest@redhat.com" target="_blank">freeipa-interest@redhat.com</a>&gt;<div class="Ih2E3d"><br>
> Message-ID: <<a href="mailto:4849924A.40303@redhat.com" target="_blank">4849924A.40303@redhat.com</a><br></div>
&lt;mailto:<a href="mailto:4849924A.40303@redhat.com" target="_blank">4849924A.40303@redhat.com</a>&gt;&gt;<div><div></div><div class="Wj3C7c"><br>
> Content-Type: text/plain; charset="iso-8859-1"<br>
><br>
> Karl Wirth wrote:<br>
> > Hello,<br>
> ><br>
> > Many organizations have given feedback that they want to<br>
> make sure that<br>
> > freeIPA can synch with AD. We want to provide more than<br>
> what is<br>
> > available in the winsynch that is in fedora directory<br>
> server. Here are<br>
> > my thoughts on what the features should be in this area. I<br>
> would love<br>
> > your feedback. Does this sound right? What is missing?<br>
> Longerterm, we<br>
> > hope to enable kerberos trust between AD and IPA but even<br>
> then some<br>
> > folks will want synch as well. Thoughts?<br>
> ><br>
> > AD and freeIPA synch requirements ---proposal for your<br>
> review and feedback<br>
> ><br>
> > 1. Keep password in AD same as PW in IPA<br>
> > - If changed in AD, bring change over to IPA<br>
> > - If changed in IPA, bring change over to AD<br>
> ><br>
> One problem with this is password policy - min length,<br>
> complexity,<br>
> history, etc. How to sync password policy between IPA<br>
and AD?<br>
> > 2. Synch userid and attributes<br>
> > - Configurable which attributes<br>
> > - If full posix available then make this available<br>
> > - Configurable translation between attributes (i.e<br>
transform<br>
> data such<br>
> > as middle name length or whatever)<br>
> > - Configurable mapping between attribute names<br>
> > - Generate attributes if not present in AD with flexible<br>
> rules for doing<br>
> > this and vice versa<br>
> ><br>
> > 3. Which subsets of users to keep in synch<br>
> > - Make it possible to define which AD/IPA users should be<br>
> kept in synch<br>
> ><br>
> > 4. Topology<br>
> > - Password synch is only supported with 1 AD domain. Not<br>
> multiple.<br>
> > - Identity/attribute synch is supported across multiple<br>
> domains.<br>
> > ---If the same user is in multiple domains, there is a<br>
> problem ---- Not<br>
> > supported<br>
> > ---If the same userid in different domains but different<br>
> user, resolve<br>
> > - Need to support PW change on any IPA server<br>
> > - Need to support PW change on an AD server<br>
> ><br>
> Support for uni-directional sync - many Fedora DS users have<br>
> asked for<br>
> the ability to sync changes only from Fedora DS to AD, or<br>
vice<br>
> versa,<br>
> but not both ways. Or perhaps uni-directional for passwords<br>
> (due to<br>
> password policy) and bi-di for other data.<br>
> > 5. Failover<br>
> > - Support for failover AD DC<br>
> > - Support for failover IPA<br>
> ><br>
> > 6. Install and Packaging<br>
> > - Separate install of synch tool<br>
> > - Preconfigured synch tool with easy to point to IPA and AD<br>
> > - Predefined<br>
> > - Requires passsynch on domain controllers<br>
> > - Proposal 1: Requires password to only change on AD.<br>
> Probably not ok.<br>
> > - Proposal 2: Make changes to IPA to hand PW to AD<br>
> ><br>
> > 7. Groups.<br>
> > Allow four options that an administrator can choose<br>
between:<br>
> > - One option: Synchronize all users from AD into one IPA<br>
> group<br>
> > - Second option: Synchronize all users according to filter<br>
> defined in #3<br>
> > above and bring along all of their groups and keep their<br>
> memberships in<br>
> > them.<br>
> > - Third option: No group synch at all<br>
> > - Fourth option: No support for nested groups<br>
> ><br>
> Support for AD memberOf (if not already fully supported by<br>
> ipa-memberof).<br>
> > Best regards,<br>
> > Karl<br>
> ><br>
> > _______________________________________________<br>
> > Freeipa-devel mailing list<br></div></div>
> > <a href="mailto:Freeipa-devel@redhat.com" target="_blank">Freeipa-devel@redhat.com</a> &lt;mailto:<a href="mailto:Freeipa-devel@redhat.com" target="_blank">Freeipa-devel@redhat.com</a>&gt;<div class="Ih2E3d">
<br>
> > <a href="https://www.redhat.com/mailman/listinfo/freeipa-devel" target="_blank">https://www.redhat.com/mailman/listinfo/freeipa-devel</a><br>
> ><br>
><br>
> -------------- next part --------------<br>
> A non-text attachment was scrubbed...<br>
> Name: smime.p7s<br>
> Type: application/x-pkcs7-signature<br>
> Size: 3245 bytes<br>
> Desc: S/MIME Cryptographic Signature<br>
> Url :<br>
> <a href="https://www.redhat.com/archives/freeipa-devel/attachments/20080606/ac471bda/smime.bin" target="_blank">https://www.redhat.com/archives/freeipa-devel/attachments/20080606/ac471bda/smime.bin</a><br>
><br>
> ------------------------------<br>
><br>
> _______________________________________________<br>
> Freeipa-devel mailing list<br></div>
> <a href="mailto:Freeipa-devel@redhat.com" target="_blank">Freeipa-devel@redhat.com</a> &lt;mailto:<a href="mailto:Freeipa-devel@redhat.com" target="_blank">Freeipa-devel@redhat.com</a>&gt;<div class="Ih2E3d">
<br>
> <a href="https://www.redhat.com/mailman/listinfo/freeipa-devel" target="_blank">https://www.redhat.com/mailman/listinfo/freeipa-devel</a><br>
><br>
> End of Freeipa-devel Digest, Vol 13, Issue 11<br>
> *********************************************<br>
><br>
> _______________________________________________<br>
> Freeipa-devel mailing list<br></div>
> <a href="mailto:Freeipa-devel@redhat.com" target="_blank">Freeipa-devel@redhat.com</a> &lt;mailto:<a href="mailto:Freeipa-devel@redhat.com" target="_blank">Freeipa-devel@redhat.com</a>&gt;<div class="Ih2E3d"><br>
> <a href="https://www.redhat.com/mailman/listinfo/freeipa-devel" target="_blank">https://www.redhat.com/mailman/listinfo/freeipa-devel</a><br>
--<br>
Simo Sorce * Red Hat, Inc * New York<br>
<br>
<br>
<br></div>
<div class="Ih2E3d">
</div></blockquote>
<br>
</blockquote></div><br>
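Added example, not part of the original thread or of FreeIPA's own code: a small checker that reads a Firefox prefs file and reports on the preference Mark changed, together with the Negotiate trusted-host list. The pref name network.negotiate-auth.trusted-uris, the host ipa.example.com and the sample prefs text are assumptions or constructed values that do not come from the thread.

```python
import re

# prefs.js / user.js lines look like: user_pref("name", value);
PREF_RE = re.compile(r'^\s*(?:user_)?pref\(\s*"([^"]+)"\s*,\s*(.+?)\s*\)\s*;\s*$')

def parse_prefs(text):
    """Return {pref name: value}; booleans become bool, everything else stays a string."""
    prefs = {}
    for line in text.splitlines():
        m = PREF_RE.match(line)
        if not m:
            continue
        name, raw = m.groups()
        prefs[name] = (raw == "true") if raw in ("true", "false") else raw.strip('"')
    return prefs

def host_trusted(host, uri_list):
    """Simplified approximation of Firefox's trusted-uris matching (an assumption):
    a host or domain entry covers that host and its subdomains; scheme-only
    entries are not handled here."""
    host = host.lower()
    for entry in uri_list.lower().split(","):
        name = entry.strip().split("://", 1)[-1].rstrip("/").lstrip(".")
        if name and (host == name or host.endswith("." + name)):
            return True
    return False

def audit(prefs_text, server_host):
    """Return a list of findings; an empty list means both checks passed."""
    prefs = parse_prefs(prefs_text)
    findings = []
    # Windows-only pref; treated as true when unset. The thread's fix sets it to false.
    if prefs.get("network.auth.use-sspi", True) is not False:
        findings.append("network.auth.use-sspi is not false")
    trusted = prefs.get("network.negotiate-auth.trusted-uris", "")
    if not host_trusted(server_host, trusted):
        findings.append("trusted-uris does not cover " + server_host)
    return findings

# Constructed sample prefs content (not taken from any real profile).
SAMPLE_PREFS = '''
user_pref("browser.startup.homepage", "about:blank");
user_pref("network.negotiate-auth.trusted-uris", ".example.com");
user_pref("network.auth.use-sspi", true);
'''

if __name__ == "__main__":
    for finding in audit(SAMPLE_PREFS, "ipa.example.com"):
        print("FINDING:", finding)
```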