Hi Rob, It turns out that this fixed my Windows client: <pre> network.auth.use-sspi false </pre>However, my Linux (RHEL5) browser still doesn't connect. I can file a bug to add the above line to ssbrowser.html. I am still confused as to what could be going on with my Linux machine. Cheers! -Mark <div class="gmail_quote">On Mon, Jun 9, 2008 at 10:34 AM, Rob Crittenden <<a href="mailto:rcritten@redhat.com">rcritten@redhat.com</a>> wrote: <blockquote class="gmail_quote" style="border-left: 1px solid rgb(204, 204, 204); margin: 0pt 0pt 0pt 0.8ex; padding-left: 1ex;"> <div class="Ih2E3d">Mark Christiansen wrote: <blockquote class="gmail_quote" style="border-left: 1px solid rgb(204, 204, 204); margin: 0pt 0pt 0pt 0.8ex; padding-left: 1ex;"> Hi Simo, Yes, I can get a kerberos ticket on both Windows and Linux clients. I am able to configure a browser on the machine with FreeIPA and use its web interface, but I am unable to do the same on the clients. Thanks for your suggestions! </blockquote> </div> Are you configuring your browser according to: <a href="http://www.freeipa.com/page/ClientConfigurationGuide#Configuring_Your_Browser" target="_blank">http://www.freeipa.com/page/ClientConfigurationGuide#Configuring_Your_Browser</a> rob <blockquote class="gmail_quote" style="border-left: 1px solid rgb(204, 204, 204); margin: 0pt 0pt 0pt 0.8ex; padding-left: 1ex;"> -Mark<div class="Ih2E3d"> On Sun, Jun 8, 2008 at 6:32 AM, Simo Sorce <<a href="mailto:ssorce@redhat.com" target="_blank">ssorce@redhat.com</a> <mailto:<a href="mailto:ssorce@redhat.com" target="_blank">ssorce@redhat.com</a>>> wrote: Can you get a kerberos ticket on the clients? If not, what error do you get ? Simo. On Sat, 2008-06-07 at 13:17 -0700, Mark Christiansen wrote: > Hello everyone, > > Recently I sent an e-mail because I couldn't get access to freeipa on > any machine other than the one with freeipa installed. I reinstalled > the MIT Kerberos client, and am now able to authenticate on a Windows > machine. However, I can still not get the webpage to display on > either a Windows or a Linux platform (other than the virtual machine > freeIPA is installed on). I have reinstalled several times, and don't > know what I could be missing. All of my machines are on one subnet, > and I temporarily disabled firewalls to see if that could be the > issue. > > Thanks for any tips! > > -Mark > > On Sat, Jun 7, 2008 at 9:00 AM, <<a href="mailto:freeipa-devel-request@redhat.com" target="_blank">freeipa-devel-request@redhat.com</a> </div> <mailto:<a href="mailto:freeipa-devel-request@redhat.com" target="_blank">freeipa-devel-request@redhat.com</a>>><div class="Ih2E3d"> > wrote: > Send Freeipa-devel mailing list submissions to > <a href="mailto:freeipa-devel@redhat.com" target="_blank">freeipa-devel@redhat.com</a> </div> <mailto:<a href="mailto:freeipa-devel@redhat.com" target="_blank">freeipa-devel@redhat.com</a>><div class="Ih2E3d"> > > To subscribe or unsubscribe via the World Wide Web, visit > <a href="https://www.redhat.com/mailman/listinfo/freeipa-devel" target="_blank">https://www.redhat.com/mailman/listinfo/freeipa-devel</a> > or, via email, send a message with subject or body 'help' to > <a href="mailto:freeipa-devel-request@redhat.com" target="_blank">freeipa-devel-request@redhat.com</a> </div> <mailto:<a href="mailto:freeipa-devel-request@redhat.com" target="_blank">freeipa-devel-request@redhat.com</a>><div class="Ih2E3d"> > > You can reach the person managing the list at > <a href="mailto:freeipa-devel-owner@redhat.com" target="_blank">freeipa-devel-owner@redhat.com</a> </div> <mailto:<a href="mailto:freeipa-devel-owner@redhat.com" target="_blank">freeipa-devel-owner@redhat.com</a>><div class="Ih2E3d"> > > When replying, please edit your Subject line so it is more > specific > than "Re: Contents of Freeipa-devel digest..." > > > Today's Topics: > > 1. Re: [PATCH] be clearer about what is being configured > (Rob Crittenden) > 2. AD and freeIPA synch (Karl Wirth) > 3. Re: AD and freeIPA synch (Rich Megginson) > > > ---------------------------------------------------------------------- > > Message: 1 > Date: Fri, 06 Jun 2008 15:27:21 -0400 > From: Rob Crittenden <<a href="mailto:rcritten@redhat.com" target="_blank">rcritten@redhat.com</a> </div> <mailto:<a href="mailto:rcritten@redhat.com" target="_blank">rcritten@redhat.com</a>>><div class="Ih2E3d"> > Subject: Re: [Freeipa-devel] [PATCH] be clearer about what is > being > configured > To: freeipa-devel <<a href="mailto:freeipa-devel@redhat.com" target="_blank">freeipa-devel@redhat.com</a> </div> <mailto:<a href="mailto:freeipa-devel@redhat.com" target="_blank">freeipa-devel@redhat.com</a>>><div class="Ih2E3d"> > Message-ID: <<a href="mailto:48498F99.5090903@redhat.com" target="_blank">48498F99.5090903@redhat.com</a> </div> <mailto:<a href="mailto:48498F99.5090903@redhat.com" target="_blank">48498F99.5090903@redhat.com</a>>><div class="Ih2E3d"> > Content-Type: text/plain; charset="iso-8859-1" > > Skipped content of type multipart/mixed-------------- next > part -------------- > A non-text attachment was scrubbed... > Name: smime.p7s > Type: application/x-pkcs7-signature > Size: 3245 bytes > Desc: S/MIME Cryptographic Signature > Url : > <a href="https://www.redhat.com/archives/freeipa-devel/attachments/20080606/c7cfd409/smime.bin" target="_blank">https://www.redhat.com/archives/freeipa-devel/attachments/20080606/c7cfd409/smime.bin</a> > > ------------------------------ > > Message: 2 > Date: Fri, 06 Jun 2008 15:32:29 -0400 > From: Karl Wirth <<a href="mailto:kwirth@redhat.com" target="_blank">kwirth@redhat.com</a> </div> <mailto:<a href="mailto:kwirth@redhat.com" target="_blank">kwirth@redhat.com</a>>><div class="Ih2E3d"> > Subject: [Freeipa-devel] AD and freeIPA synch > To: <a href="mailto:freeipa-devel@redhat.com" target="_blank">freeipa-devel@redhat.com</a> </div> <mailto:<a href="mailto:freeipa-devel@redhat.com" target="_blank">freeipa-devel@redhat.com</a>>, <a href="mailto:freeipa-interest@redhat.com" target="_blank">freeipa-interest@redhat.com</a> <mailto:<a href="mailto:freeipa-interest@redhat.com" target="_blank">freeipa-interest@redhat.com</a>><div class="Ih2E3d"> > Message-ID: <<a href="mailto:484990CD.30206@redhat.com" target="_blank">484990CD.30206@redhat.com</a> </div> <mailto:<a href="mailto:484990CD.30206@redhat.com" target="_blank">484990CD.30206@redhat.com</a>>><div><div></div><div class="Wj3C7c"> > Content-Type: text/plain; charset=ISO-8859-1 > > Hello, > > Many organizations have given feedback that they want to make > sure that > freeIPA can synch with AD. We want to provide more than what > is > available in the winsynch that is in fedora directory server. > Here are > my thoughts on what the features should be in this area. I > would love > your feedback. Does this sound right? What is missing? > Longerterm, we > hope to enable kerberos trust between AD and IPA but even then > some > folks will want synch as well. Thoughts? > > AD and freeIPA synch requirements ---proposal for your review > and feedback > > 1. Keep password in AD same as PW in IPA > - If changed in AD, bring change over to IPA > - If changed in IPA, bring change over to AD > > 2. Synch userid and attributes > - Configurable which attributes > - If full posix available then make this available > - Configurable translation between attributes (i.e transform > data such > as middle name length or whatever) > - Configurable mapping between attribute names > - Generate attributes if not present in AD with flexible rules > for doing > this and vice versa > > 3. Which subsets of users to keep in synch > - Make it possible to define which AD/IPA users should be kept > in synch > > 4. Topology > - Password synch is only supported with 1 AD domain. Not > multiple. > - Identity/attribute synch is supported across multiple > domains. > ---If the same user is in multiple domains, there is a problem > ---- Not > supported > ---If the same userid in different domains but different user, > resolve > - Need to support PW change on any IPA server > - Need to support PW change on an AD server > > 5. Failover > - Support for failover AD DC > - Support for failover IPA > > 6. Install and Packaging > - Separate install of synch tool > - Preconfigured synch tool with easy to point to IPA and AD > - Predefined > - Requires passsynch on domain controllers > - Proposal 1: Requires password to only change on AD. > Probably not ok. > - Proposal 2: Make changes to IPA to hand PW to AD > > 7. Groups. > Allow four options that an administrator can choose between: > - One option: Synchronize all users from AD into one IPA group > - Second option: Synchronize all users according to filter > defined in #3 > above and bring along all of their groups and keep their > memberships in > them. > - Third option: No group synch at all > - Fourth option: No support for nested groups > > Best regards, > Karl > > > > ------------------------------ > > Message: 3 > Date: Fri, 06 Jun 2008 13:38:50 -0600 > From: Rich Megginson <<a href="mailto:rmeggins@redhat.com" target="_blank">rmeggins@redhat.com</a> </div></div> <mailto:<a href="mailto:rmeggins@redhat.com" target="_blank">rmeggins@redhat.com</a>>><div class="Ih2E3d"> > Subject: Re: [Freeipa-devel] AD and freeIPA synch </div> > To: <a href="mailto:kwirth@redhat.com" target="_blank">kwirth@redhat.com</a> <mailto:<a href="mailto:kwirth@redhat.com" target="_blank">kwirth@redhat.com</a>><div class="Ih2E3d"> > Cc: <a href="mailto:freeipa-devel@redhat.com" target="_blank">freeipa-devel@redhat.com</a> </div> <mailto:<a href="mailto:freeipa-devel@redhat.com" target="_blank">freeipa-devel@redhat.com</a>>, <a href="mailto:freeipa-interest@redhat.com" target="_blank">freeipa-interest@redhat.com</a> <mailto:<a href="mailto:freeipa-interest@redhat.com" target="_blank">freeipa-interest@redhat.com</a>><div class="Ih2E3d"> > Message-ID: <<a href="mailto:4849924A.40303@redhat.com" target="_blank">4849924A.40303@redhat.com</a> </div> <mailto:<a href="mailto:4849924A.40303@redhat.com" target="_blank">4849924A.40303@redhat.com</a>>><div><div></div><div class="Wj3C7c"> > Content-Type: text/plain; charset="iso-8859-1" > > Karl Wirth wrote: > > Hello, > > > > Many organizations have given feedback that they want to > make sure that > > freeIPA can synch with AD. We want to provide more than > what is > > available in the winsynch that is in fedora directory > server. Here are > > my thoughts on what the features should be in this area. I > would love > > your feedback. Does this sound right? What is missing? > Longerterm, we > > hope to enable kerberos trust between AD and IPA but even > then some > > folks will want synch as well. Thoughts? > > > > AD and freeIPA synch requirements ---proposal for your > review and feedback > > > > 1. Keep password in AD same as PW in IPA > > - If changed in AD, bring change over to IPA > > - If changed in IPA, bring change over to AD > > > One problem with this is password policy - min length, > complexity, > history, etc. How to sync password policy between IPA and AD? > > 2. Synch userid and attributes > > - Configurable which attributes > > - If full posix available then make this available > > - Configurable translation between attributes (i.e transform > data such > > as middle name length or whatever) > > - Configurable mapping between attribute names > > - Generate attributes if not present in AD with flexible > rules for doing > > this and vice versa > > > > 3. Which subsets of users to keep in synch > > - Make it possible to define which AD/IPA users should be > kept in synch > > > > 4. Topology > > - Password synch is only supported with 1 AD domain. Not > multiple. > > - Identity/attribute synch is supported across multiple > domains. > > ---If the same user is in multiple domains, there is a > problem ---- Not > > supported > > ---If the same userid in different domains but different > user, resolve > > - Need to support PW change on any IPA server > > - Need to support PW change on an AD server > > > Support for uni-directional sync - many Fedora DS users have > asked for > the ability to sync changes only from Fedora DS to AD, or vice > versa, > but not both ways. Or perhaps uni-directional for passwords > (due to > password policy) and bi-di for other data. > > 5. Failover > > - Support for failover AD DC > > - Support for failover IPA > > > > 6. Install and Packaging > > - Separate install of synch tool > > - Preconfigured synch tool with easy to point to IPA and AD > > - Predefined > > - Requires passsynch on domain controllers > > - Proposal 1: Requires password to only change on AD. > Probably not ok. > > - Proposal 2: Make changes to IPA to hand PW to AD > > > > 7. Groups. > > Allow four options that an administrator can choose between: > > - One option: Synchronize all users from AD into one IPA > group > > - Second option: Synchronize all users according to filter > defined in #3 > > above and bring along all of their groups and keep their > memberships in > > them. > > - Third option: No group synch at all > > - Fourth option: No support for nested groups > > > Support for AD memberOf (if not already fully supported by > ipa-memberof). > > Best regards, > > Karl > > > > _______________________________________________ > > Freeipa-devel mailing list </div></div> > > <a href="mailto:Freeipa-devel@redhat.com" target="_blank">Freeipa-devel@redhat.com</a> <mailto:<a href="mailto:Freeipa-devel@redhat.com" target="_blank">Freeipa-devel@redhat.com</a>><div class="Ih2E3d"> > > <a href="https://www.redhat.com/mailman/listinfo/freeipa-devel" target="_blank">https://www.redhat.com/mailman/listinfo/freeipa-devel</a> > > > > -------------- next part -------------- > A non-text attachment was scrubbed... > Name: smime.p7s > Type: application/x-pkcs7-signature > Size: 3245 bytes > Desc: S/MIME Cryptographic Signature > Url : > <a href="https://www.redhat.com/archives/freeipa-devel/attachments/20080606/ac471bda/smime.bin" target="_blank">https://www.redhat.com/archives/freeipa-devel/attachments/20080606/ac471bda/smime.bin</a> > > ------------------------------ > > _______________________________________________ > Freeipa-devel mailing list </div> > <a href="mailto:Freeipa-devel@redhat.com" target="_blank">Freeipa-devel@redhat.com</a> <mailto:<a href="mailto:Freeipa-devel@redhat.com" target="_blank">Freeipa-devel@redhat.com</a>><div class="Ih2E3d"> > <a href="https://www.redhat.com/mailman/listinfo/freeipa-devel" target="_blank">https://www.redhat.com/mailman/listinfo/freeipa-devel</a> > > End of Freeipa-devel Digest, Vol 13, Issue 11 > ********************************************* > > _______________________________________________ > Freeipa-devel mailing list </div> > <a href="mailto:Freeipa-devel@redhat.com" target="_blank">Freeipa-devel@redhat.com</a> <mailto:<a href="mailto:Freeipa-devel@redhat.com" target="_blank">Freeipa-devel@redhat.com</a>><div class="Ih2E3d"> > <a href="https://www.redhat.com/mailman/listinfo/freeipa-devel" target="_blank">https://www.redhat.com/mailman/listinfo/freeipa-devel</a> -- Simo Sorce * Red Hat, Inc * New York </div> ------------------------------------------------------------------------<div class="Ih2E3d"> _______________________________________________ Freeipa-devel mailing list <a href="mailto:Freeipa-devel@redhat.com" target="_blank">Freeipa-devel@redhat.com</a> <a href="https://www.redhat.com/mailman/listinfo/freeipa-devel" target="_blank">https://www.redhat.com/mailman/listinfo/freeipa-devel</a> </div></blockquote> </blockquote></div>