[Freeipa-devel] Safari and web interface

[Rob Crittenden]

Simo Sorce wrote:
> On Sat, 2008-07-26 at 20:42 -0400, W. Michael Petullo wrote:
>> I have an iMac running Mac OS X 10.4 that authenticates against a  
>> FreeIPA 1.1.0 server. Although the computer otherwise works as a  
>> FreeIPA client, I am unable to connect to the FreeIPA web interface  
>> using Safari. Firefox connects fine from the same machine. Safari says:
>>
>> "Permission Denied"
>> "You do not have permission to access this page."
>> "Kerberos login failed"
>>
>> The Kerberos server logs this when I use Safari:
>>
>> Jul 26 20:38:28 golem.flyn.org krb5kdc[28682](info): TGS_REQ (7  
>> etypes {18 17 16 23 1 3 2}) 192.168.0.102: ISSUE: authtime  
>> 1217119078, etypes {rep=18 tkt=18 ses=18}, admin at FLYN.ORG for HTTP/ 
>> golem.flyn.org at FLYN.ORG
>>
>> The Kerberos server logs this when I use Firefox:
>>
>> Jul 26 20:39:28 golem.flyn.org krb5kdc[28682](info): TGS_REQ (1  
>> etypes {18}) 192.168.0.102: ISSUE: authtime 1217119078, etypes  
>> {rep=18 tkt=18 ses=18}, admin at FLYN.ORG for krbtgt/FLYN.ORG at FLYN.ORG
>> Jul 26 20:39:29 golem.flyn.org krb5kdc[28682](info): TGS_REQ (7  
>> etypes {18 17 16 23 1 3 2}) 192.168.0.10: ISSUE: authtime 1217119078,  
>> etypes {rep=18 tkt=18 ses=18}, admin at FLYN.ORG for ldap/ 
>> golem.flyn.org at FLYN.ORG
>> [...]
>>
>> Is anyone using Safari to configure FreeIPA?
> 
> I never tried but from the logs it seem that Safari might not be
> forwarding the user TGT.
> 

IIRC Safari was originally based on Konqueror/KHTML.

Currently Konqueror doesn't support delegation (though it does support 
GSSAPI). Not sure if this bug is apropos to Safari 
http://bugs.kde.org/show_bug.cgi?id=138414

rob
-------------- next part --------------
A non-text attachment was scrubbed...
Name: smime.p7s
Type: application/x-pkcs7-signature
Size: 3245 bytes
Desc: S/MIME Cryptographic Signature
URL: <http://listman.redhat.com/archives/freeipa-devel/attachments/20080728/12ae233e/attachment.bin>