<html>
<head>
<meta content="text/html; charset=UTF-8" http-equiv="Content-Type">
</head>
<body bgcolor="#FFFFFF" text="#000000">
<div class="moz-cite-prefix">On 03/06/2015 09:26 AM, Dan Mossor
wrote:<br>
</div>
<blockquote
cite="mid:CAMobkEOjHHcPJVr7kdcTN=8ULT=2V9ZYC1nfYsWvwdAXw6tnsw@mail.gmail.com"
type="cite">
<div dir="ltr">
<div class="gmail_extra">
<div class="gmail_quote">On Fri, Mar 6, 2015 at 1:28 AM,
Martin Kosek <span dir="ltr"><<a moz-do-not-send="true"
href="mailto:mkosek@redhat.com" target="_blank">mkosek@redhat.com</a>></span>
wrote:<br>
<blockquote class="gmail_quote" style="margin:0 0 0
.8ex;border-left:1px #ccc solid;padding-left:1ex"><span
class="">On 03/06/2015 02:38 AM, Dan Mossor wrote:<br>
</span>
<blockquote class="gmail_quote" style="margin:0 0 0
.8ex;border-left:1px #ccc solid;padding-left:1ex"><span
class="">
<br>
<br>
On Thu, Mar 5, 2015 at 7:21 PM, Dmitri Pal <<a
moz-do-not-send="true" href="mailto:dpal@redhat.com"
target="_blank">dpal@redhat.com</a><br>
</span>
<div>
<div class="h5">
<mailto:<a moz-do-not-send="true"
href="mailto:dpal@redhat.com" target="_blank">dpal@redhat.com</a>>>
wrote:<br>
<br>
<a moz-do-not-send="true"
href="http://i.imgur.com/mhX86Ng.png"
target="_blank">http://i.imgur.com/mhX86Ng.png</a><br>
<br>
It should show up if you do not have a ticket.
Destroy the ticket on the<br>
client and try to access the server via
browser, you should be redirected.<br>
<br>
--<br>
Thank you,<br>
Dmitri Pal<br>
<br>
Sr. Engineering Manager IdM portfolio<br>
Red Hat, Inc.<br>
<br>
Ok then, that is the page that keeps returning. I've
tried from this<br>
workstation using Konquerer, which does not support
Kerberos, I've from from<br>
Internet Explorer on a Windows 7 Professional
desktop, and I've tried from a<br>
Fedora 21 system that is not enrolled in the domain.
I get the exact same<br>
response with every attempt.<br>
<br>
One additional step I attempted to take was to
change the admin password on the<br>
IPA server. I am getting a
ldap_sasl_interactive_bind_s: Unknown authentication<br>
method (-6) error back.<br>
<br>
I think this installation is hosed. I am ready to
wipe and start over from<br>
scratch tomorrow. I've already wasted 16 hours on
it.<br>
</div>
</div>
</blockquote>
<br>
Sorry to hear that. But I think you should start taking
gradual steps in your testing and trying to make Web UI
over GSSAPI work. I would suggest this procedure:<br>
<br>
1) Can I "kinit admin" and run CLI command ("ipa user-show
admin")? If yes, basic FreeIPA is functioning. Run
kdestroy to get rid of Kerberos.<br>
<br>
2) Can I login with form basic auth to my FreeIPA? If not,
did you verify all the items in <a moz-do-not-send="true"
href="http://www.freeipa.org/page/Troubleshooting#Cannot_authenticate_to_Web_UI"
target="_blank">http://www.freeipa.org/page/Troubleshooting#Cannot_authenticate_to_Web_UI</a>
? Did you try logging with form based auth in FreeIPA
public demo for example (user "admin", password
"Secret123"):<br>
<br>
<a moz-do-not-send="true"
href="https://ipa.demo1.freeipa.org/ipa/ui/"
target="_blank">https://ipa.demo1.freeipa.org/ipa/ui/</a><br>
<br>
If not, we can dig further. If yes, you can continue with
kinit + SSO for the Web UI.<br>
</blockquote>
</div>
<font face="monospace,monospace">Martin, Dmitri,<br>
<br>
</font></div>
<div class="gmail_extra"><font face="monospace,monospace">Thanks
for your help, but I've taken every step available on the
page you linked. I just checked this morning before I
started over, and on the server I can kinit as admin and run
ipa user-show admin. The ipa tools are not on my
workstation. I then ran kdestroy on both the server and
workstation, and the error remains when logging in to the
web UI - it returns me to the screen I showed above in the
link to the screenshot.<br>
<br>
</font></div>
<div class="gmail_extra"><font face="monospace,monospace">Regards,<br>
</font></div>
<div class="gmail_extra"><font face="monospace,monospace">Dan<br>
</font></div>
</div>
</blockquote>
<br>
From your workstation can you use the demo instance <a
moz-do-not-send="true"
href="https://ipa.demo1.freeipa.org/ipa/ui/" target="_blank">https://ipa.demo1.freeipa.org/ipa/ui/</a>
or it returns the same error?<br>
<br>
<pre class="moz-signature" cols="72">--
Thank you,
Dmitri Pal
Sr. Engineering Manager IdM portfolio
Red Hat, Inc.</pre>
</body>
</html>