<html>
  <head>
    <meta content="text/html; charset=UTF-8" http-equiv="Content-Type">
  </head>
  <body bgcolor="#FFFFFF" text="#000000">
    <div class="moz-cite-prefix">On 03/06/2015 09:26 AM, Dan Mossor
      wrote:<br>
    </div>
    <blockquote
cite="mid:CAMobkEOjHHcPJVr7kdcTN=8ULT=2V9ZYC1nfYsWvwdAXw6tnsw@mail.gmail.com"
      type="cite">
      <div dir="ltr">
        <div class="gmail_extra">
          <div class="gmail_quote">On Fri, Mar 6, 2015 at 1:28 AM,
            Martin Kosek <span dir="ltr"><<a moz-do-not-send="true"
                href="mailto:mkosek@redhat.com" target="_blank">mkosek@redhat.com</a>></span>
            wrote:<br>
            <blockquote class="gmail_quote" style="margin:0 0 0
              .8ex;border-left:1px #ccc solid;padding-left:1ex"><span
                class="">On 03/06/2015 02:38 AM, Dan Mossor wrote:<br>
              </span>
              <blockquote class="gmail_quote" style="margin:0 0 0
                .8ex;border-left:1px #ccc solid;padding-left:1ex"><span
                  class="">
                  <br>
                  <br>
                  On Thu, Mar 5, 2015 at 7:21 PM, Dmitri Pal <<a
                    moz-do-not-send="true" href="mailto:dpal@redhat.com"
                    target="_blank">dpal@redhat.com</a><br>
                </span>
                <div>
                  <div class="h5">
                    <mailto:<a moz-do-not-send="true"
                      href="mailto:dpal@redhat.com" target="_blank">dpal@redhat.com</a>>>
                    wrote:<br>
                    <br>
                        <a moz-do-not-send="true"
                      href="http://i.imgur.com/mhX86Ng.png"
                      target="_blank">http://i.imgur.com/mhX86Ng.png</a><br>
                    <br>
                        It should show up if you do not have a ticket.
                    Destroy the ticket on the<br>
                        client and try  to access the server via
                    browser, you should be redirected.<br>
                    <br>
                        --<br>
                        Thank you,<br>
                        Dmitri Pal<br>
                    <br>
                        Sr. Engineering Manager IdM portfolio<br>
                        Red Hat, Inc.<br>
                    <br>
                    Ok then, that is the page that keeps returning. I've
                    tried from this<br>
                    workstation using Konquerer, which does not support
                    Kerberos, I've from from<br>
                    Internet Explorer on a Windows 7 Professional
                    desktop, and I've tried from a<br>
                    Fedora 21 system that is not enrolled in the domain.
                    I get the exact same<br>
                    response with every attempt.<br>
                    <br>
                    One additional step I attempted to take was to
                    change the admin password on the<br>
                    IPA server. I am getting a
                    ldap_sasl_interactive_bind_s: Unknown authentication<br>
                    method (-6) error back.<br>
                    <br>
                    I think this installation is hosed. I am ready to
                    wipe and start over from<br>
                    scratch tomorrow. I've already wasted 16 hours on
                    it.<br>
                  </div>
                </div>
              </blockquote>
              <br>
              Sorry to hear that. But I think you should start taking
              gradual steps in your testing and trying to make Web UI
              over GSSAPI work. I would suggest this procedure:<br>
              <br>
              1) Can I "kinit admin" and run CLI command ("ipa user-show
              admin")? If yes, basic FreeIPA is functioning. Run
              kdestroy to get rid of Kerberos.<br>
              <br>
              2) Can I login with form basic auth to my FreeIPA? If not,
              did you verify all the items in <a moz-do-not-send="true"
href="http://www.freeipa.org/page/Troubleshooting#Cannot_authenticate_to_Web_UI"
                target="_blank">http://www.freeipa.org/page/Troubleshooting#Cannot_authenticate_to_Web_UI</a>
              ? Did you try logging with form based auth in FreeIPA
              public demo for example (user "admin", password
              "Secret123"):<br>
              <br>
              <a moz-do-not-send="true"
                href="https://ipa.demo1.freeipa.org/ipa/ui/"
                target="_blank">https://ipa.demo1.freeipa.org/ipa/ui/</a><br>
              <br>
              If not, we can dig further. If yes, you can continue with
              kinit + SSO for the Web UI.<br>
            </blockquote>
          </div>
          <font face="monospace,monospace">Martin, Dmitri,<br>
            <br>
          </font></div>
        <div class="gmail_extra"><font face="monospace,monospace">Thanks
            for your help, but I've taken every step available on the
            page you linked. I just checked this morning before I
            started over, and on the server I can kinit as admin and run
            ipa user-show admin. The ipa tools are not on my
            workstation. I then ran kdestroy on both the server and
            workstation, and the error remains when logging in to the
            web UI - it returns me to the screen I showed above in the
            link to the screenshot.<br>
            <br>
          </font></div>
        <div class="gmail_extra"><font face="monospace,monospace">Regards,<br>
          </font></div>
        <div class="gmail_extra"><font face="monospace,monospace">Dan<br>
          </font></div>
      </div>
    </blockquote>
    <br>
    From your workstation can you use the demo instance <a
      moz-do-not-send="true"
      href="https://ipa.demo1.freeipa.org/ipa/ui/" target="_blank">https://ipa.demo1.freeipa.org/ipa/ui/</a>
    or it returns the same error?<br>
    <br>
    <pre class="moz-signature" cols="72">-- 
Thank you,
Dmitri Pal

Sr. Engineering Manager IdM portfolio
Red Hat, Inc.</pre>
  </body>
</html>