<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
<html>
<head>
<meta content="text/html; charset=ISO-8859-1"
http-equiv="Content-Type">
</head>
<body bgcolor="#ffffff" text="#000000">
On 05/14/2012 05:25 PM, Chandan Kumar wrote:
<blockquote
cite="mid:CAD=CKMDscD1e3=CjmggoBijxs5Rep3c_xUsGYAi_JzOoz-MYZg@mail.gmail.com"
type="cite"><br>
System: Centos 6.2 <br>
IPA version : ipa-server-2.1.3-9.el6.x86_64<br>
<br>
<br clear="all">
Thanks<br>
Chandan<br>
<br>
<br>
</blockquote>
<br>
I am not sure but seems like something is not properly configured
with the browser.<br>
I do not remember seeing SPNEGO in the GSSAPI negotiation in this
flow on a working configuration.<br>
But I will defer to experts.<br>
<br>
<blockquote
cite="mid:CAD=CKMDscD1e3=CjmggoBijxs5Rep3c_xUsGYAi_JzOoz-MYZg@mail.gmail.com"
type="cite"><br>
<br>
<br>
<div class="gmail_quote">On Mon, May 14, 2012 at 2:21 PM, Dmitri
Pal <span dir="ltr"><<a moz-do-not-send="true"
href="mailto:dpal@redhat.com" target="_blank">dpal@redhat.com</a>></span>
wrote:<br>
<blockquote class="gmail_quote" style="margin: 0pt 0pt 0pt
0.8ex; border-left: 1px solid rgb(204, 204, 204);
padding-left: 1ex;">
<div bgcolor="#ffffff" text="#000000">
<div>
<div class="h5"> On 05/14/2012 05:09 PM, Chandan Kumar
wrote:
<blockquote type="cite">I am a newbie in IPA and was
experimenting it on my couple of VMs before
considering it for production level.<br>
<br>
Installation went fine, however, I am getting the
kerberos key expiration error at firefox. I am running
firefox on the same machine where I have
installed/configured ipa-server. On googling and some
help in IRC I checked documentation to trouble shoot
it as this appear to be a known problem. <br>
<br>
Moreover, I did follow<br>
<br>
<a moz-do-not-send="true"
href="http://freeipa.org/page/InstallAndDeploy"
target="_blank">http://freeipa.org/page/InstallAndDeploy</a><br>
<a moz-do-not-send="true"
href="http://freeipa.org/page/TroubleshootingGuide"
target="_blank">http://freeipa.org/page/TroubleshootingGuide</a><br>
<br>
Fire fox logs<br>
<br>
1977841888[7fc789f5b040]: leaving
nsAuthGSSAPI::GetNextToken [rv=80004005]<br>
-1977841888[7fc789f5b040]: using REQ_DELEGATE<br>
-1977841888[7fc789f5b040]: service = <a
moz-do-not-send="true"
href="http://ipaserver.example.com" target="_blank">ipaserver.example.com</a><br>
-1977841888[7fc789f5b040]: using negotiate-gss<br>
-1977841888[7fc789f5b040]: entering
nsAuthGSSAPI::nsAuthGSSAPI()<br>
-1977841888[7fc789f5b040]: entering
nsAuthGSSAPI::Init()<br>
-1977841888[7fc789f5b040]:
nsHttpNegotiateAuth::GenerateCredentials()
[challenge=Negotiate]<br>
-1977841888[7fc789f5b040]: entering
nsAuthGSSAPI::GetNextToken()<br>
-1977841888[7fc789f5b040]: gss_init_sec_context()
failed: Unspecified GSS failure. Minor code may
provide more information<br>
SPNEGO cannot find mechanisms to negotiate<br>
-1977841888[7fc789f5b040]: leaving
nsAuthGSSAPI::GetNextToken [rv=80004005]<br>
<br>
[root@ds var]# klist<br>
Ticket cache: <a moz-do-not-send="true">FILE:/tmp/krb5cc_0</a><br>
Default principal: <a moz-do-not-send="true"
href="mailto:admin@EXAMPLE.COM" target="_blank">admin@EXAMPLE.COM</a><br>
<br>
Valid starting Expires Service
principal<br>
05/14/12 13:50:32 05/15/12 13:50:30 krbtgt/<a
moz-do-not-send="true"
href="mailto:EXAMPLE.COM@EXAMPLE.COM"
target="_blank">EXAMPLE.COM@EXAMPLE.COM</a><br>
05/14/12 13:53:58 05/15/12 13:50:30 HTTP/<a
moz-do-not-send="true"
href="mailto:ipaserver.example.com@EXAMPLE.COM"
target="_blank">ipaserver.example.com@EXAMPLE.COM</a><br>
05/14/12 13:54:13 05/15/12 13:50:30 ldap/<a
moz-do-not-send="true"
href="mailto:ipaserver.example.com@EXAMPLE.COM"
target="_blank">ipaserver.example.com@EXAMPLE.COM</a><br>
[root@ds var]# <br>
<br>
Output of ldapsearch -Y GSSAPI -b "dc=example,dc=com"
uid=admin<br>
<br>
at <a moz-do-not-send="true"
href="http://fpaste.org/9hXX/" target="_blank">http://fpaste.org/9hXX/</a><br>
<br>
I am not sure what I am missing though. Appreciate any
help.<br>
<br clear="all">
Thanks<br>
Chandan<br>
<br>
<br>
<br>
</blockquote>
<br>
</div>
</div>
Are you running FF on windows?<br>
Which version of IPA are you using?<br>
<br>
<br>
<blockquote type="cite">
<pre><fieldset></fieldset>
_______________________________________________
Freeipa-users mailing list
<a moz-do-not-send="true" href="mailto:Freeipa-users@redhat.com" target="_blank">Freeipa-users@redhat.com</a>
<a moz-do-not-send="true" href="https://www.redhat.com/mailman/listinfo/freeipa-users" target="_blank">https://www.redhat.com/mailman/listinfo/freeipa-users</a></pre>
<span class="HOEnZb"><font color="#888888"> </font></span></blockquote>
<span class="HOEnZb"><font color="#888888"> <br>
<br>
<pre cols="72">--
Thank you,
Dmitri Pal
Sr. Engineering Manager IPA project,
Red Hat Inc.
-------------------------------
Looking to carve out IT costs?
<a moz-do-not-send="true" href="http://www.redhat.com/carveoutcosts/" target="_blank">www.redhat.com/carveoutcosts/</a>
</pre>
</font></span></div>
<br>
_______________________________________________<br>
Freeipa-users mailing list<br>
<a moz-do-not-send="true"
href="mailto:Freeipa-users@redhat.com">Freeipa-users@redhat.com</a><br>
<a moz-do-not-send="true"
href="https://www.redhat.com/mailman/listinfo/freeipa-users"
target="_blank">https://www.redhat.com/mailman/listinfo/freeipa-users</a><br>
</blockquote>
</div>
<br>
</blockquote>
<br>
<br>
<pre class="moz-signature" cols="72">--
Thank you,
Dmitri Pal
Sr. Engineering Manager IPA project,
Red Hat Inc.
-------------------------------
Looking to carve out IT costs?
<a class="moz-txt-link-abbreviated" href="http://www.redhat.com/carveoutcosts/">www.redhat.com/carveoutcosts/</a>
</pre>
</body>
</html>