Hello Dmitri,<br><br>I filed a bug (447440) for the documentation recommendation. I also filed a 2nd bug (447445) to fix the link to Microsoft's web page for Kerberos Authentication help, which is currently giving a "Content not found" page.<br>
<br>If I do a kinit on a Windows machine (which most of the potential end users will likely use), I get the error:<br>kinit(v5): Cannot resolve network address for KDC in realm ___ while getting initial credentials<br><br>
I also added the realm to the about:config page for Mozilla, and added the site as a trusted site within IE. However, for IE I have it so that the page prompts for user name and password, but it doesn't prompt me, gives me a certificate error, and even if I continue with the bad certificate, the page comes up with nothing. <br>
<br>Just to understand this better: once either Firefox or IE is configured properly, the web page should allow an end user to get a ticket, right? I am hoping that command line use will not be necessary. <br><br>Thanks for your help and suggestions!<br>
<br>-Mark<br><br><div class="gmail_quote">On Mon, May 19, 2008 at 12:41 PM, Dmitri Pal <<a href="mailto:dpal@redhat.com">dpal@redhat.com</a>> wrote:<br><blockquote class="gmail_quote" style="border-left: 1px solid rgb(204, 204, 204); margin: 0pt 0pt 0pt 0.8ex; padding-left: 1ex;">
Hi Mark,<br>
<br>
Thank you for sharing the recommendation with us.<br>
Can you please log a request into bugzilla?<br>
<br>
<a href="https://bugzilla.redhat.com" target="_blank">https://bugzilla.redhat.com</a><br>
<br>
Did you do kinit first?<br>
Did you add the realm into the Firefox configuration?<br>
<br>
Thank you<br>
Dmitri Pal<br>
<br>
<br>
Mark Christiansen wrote:<br>
<blockquote class="gmail_quote" style="border-left: 1px solid rgb(204, 204, 204); margin: 0pt 0pt 0pt 0.8ex; padding-left: 1ex;"><div class="Ih2E3d">
I fixed my problems with ipa* functions by modifying /etc/hosts so that my FQDN entry is first, and the localhost entry is not first. I am guessing this is where most other people will have their problems. Can we modify the FAQ to include this recommendation?<br>
<br>
I am having issues getting access to the web page outside of the machine with freeipa installed. Should I be able to get a ticket by accessing the web interface? In both IE and Firefox, I am unable to bring up any pages after getting prompted. In IE, it is blank, and Firefox I get Kerberos authentication failed. This is another noob question, but perhaps it will be helpful for the FAQ. My O'Reilly book on Kerberos is on its way. :)<br>
<br>
Thanks!<br>
<br>
-Mark<br>
<br></div><div class="Ih2E3d">
On Mon, May 19, 2008 at 9:00 AM, <<a href="mailto:freeipa-devel-request@redhat.com" target="_blank">freeipa-devel-request@redhat.com</a>> wrote:<br>
<br>
</div><div class="Ih2E3d">
Today's Topics:<br>
<br>
1. Re: freeIPA + Fedora 9 + xen , can't get passed ipa-finduser<br>
admin (Rob Crittenden)<br>
<br>
<br>
----------------------------------------------------------------------<br>
<br>
Message: 1<br>
Date: Mon, 19 May 2008 11:39:45 -0400<br>
From: Rob Crittenden <<a href="mailto:rcritten@redhat.com" target="_blank">rcritten@redhat.com</a>><br>
Subject: Re: [Freeipa-devel] freeIPA + Fedora 9 + xen , can't get passed ipa-finduser admin<br>
To: Jaakan Shorter <<a href="mailto:jaakanshorter@gmail.com" target="_blank">jaakanshorter@gmail.com</a>><br>
Cc: <a href="mailto:freeipa-devel@redhat.com" target="_blank">freeipa-devel@redhat.com</a><br>
Message-ID: <<a href="mailto:48319F41.7040707@redhat.com" target="_blank">48319F41.7040707@redhat.com</a>><br></div>
<div class="Ih2E3d">
Content-Type: text/plain; charset="iso-8859-1"<br>
<br>
Jaakan Shorter wrote:<br>
> here's an update ( I replaced the domain name with test )<br>
> let me know if you need anymore info<br>
><br>
> ipa-server-install --uninstall<br>
> rm -f /var/kerberos/krb5kdc/kpasswd.keytab<br>
> stopped the kerberos service ( --uninstall switch didn't stop it. I<br>
> thought it should set it back to old state )<br>
> yum update ( 1.0.6 version came out over the weekend for FC-9 )<br>
> rebooted<br>
> ipa-server-install --setup-bind -N<br>
<br>
Yes, this should be fixed in the tip.<br>
<br>
[ snip ]<br>
<br></div>
<div class="Ih2E3d">
> May 19 09:31:08 freeIPA.test.net krb5kdc[1758](info): set up 4 sockets<br>
> May 19 09:31:08 freeIPA.test.net krb5kdc[1759](info): commencing operation<br>
> May 19 09:32:02 freeIPA.test.net krb5kdc[1759](info): AS_REQ (7 etypes {18 17 16 23 1 3 2}) 192.168.1.25: NEEDED_PREAUTH: admin@TEST.NET for krbtgt/TEST.NET@TEST.NET, Additional pre-authentication required<br>
> May 19 09:32:24 freeIPA.test.net krb5kdc[1759](info): AS_REQ (7 etypes {18 17 16 23 1 3 2}) 192.168.1.25: ISSUE: authtime 1211203944, etypes {rep=18 tkt=18 ses=18}, admin@TEST.NET for krbtgt/TEST.NET@TEST.NET<br>
> May 19 09:32:54 freeIPA.test.net krb5kdc[1759](info): TGS_REQ (7 etypes {18 17 16 23 1 3 2}) 192.168.1.25: UNKNOWN_SERVER: authtime 1211203944, admin@TEST.NET for HTTP/freeipa.test.net@TEST.NET, Server not found in Kerberos database<br>
> May 19 09:32:54 freeIPA.test.net krb5kdc[1759](info): TGS_REQ (7 etypes {18 17 16 23 1 3 2}) 192.168.1.25: UNKNOWN_SERVER: authtime 1211203944, admin@TEST.NET for HTTP/freeipa.test.net@TEST.NET, Server not found in Kerberos database<br>
<br>
Service principals are created for the IPA servers at install time.<br>
There must be some (perhaps subtle) difference in what was created at<br>
install time and what it is trying to use.<br>
<br>
Try this command to see what service principals exist:<br>
<br>
$ ldapsearch -LLL -x -b "cn=kerberos,dc=test,dc=net" objectclass=krbPrincipalAux dn<br>
<br>
rob<br>
------------------------------<br>
<br>
_______________________________________________<br>
Freeipa-devel mailing list<br></div>
<a href="mailto:Freeipa-devel@redhat.com" target="_blank">Freeipa-devel@redhat.com</a> <mailto:<a href="mailto:Freeipa-devel@redhat.com" target="_blank">Freeipa-devel@redhat.com</a>><div class="Ih2E3d"><br>
<a href="https://www.redhat.com/mailman/listinfo/freeipa-devel" target="_blank">https://www.redhat.com/mailman/listinfo/freeipa-devel</a><br>
<br>
End of Freeipa-devel Digest, Vol 12, Issue 33<br>
*********************************************<br>
<br>
<br></div>
------------------------------------------------------------------------<div class="Ih2E3d"><br>
</div></blockquote><font color="#888888">
<br>
<br>
-- <br>
Dmitri Pal<br>
Engineering Manager<br>
Red Hat Inc. <br>
</font></blockquote></div><br>
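An added example, not part of the original thread: the comparison Rob suggests in the quoted digest, matching the service principal the KDC rejected with `UNKNOWN_SERVER` against the principals the directory holds. The log lines follow the format quoted above; the LDIF entries and the function names are constructed assumptions, and the LDIF is assumed to be unwrapped.

```python
import re

# Constructed sample in the krb5kdc log format quoted in the thread.
KDC_LOG = """\
May 19 09:32:24 freeIPA.test.net krb5kdc[1759](info): AS_REQ (7 etypes {18 17 16 23 1 3 2}) 192.168.1.25: ISSUE: authtime 1211203944, etypes {rep=18 tkt=18 ses=18}, admin@TEST.NET for krbtgt/TEST.NET@TEST.NET
May 19 09:32:54 freeIPA.test.net krb5kdc[1759](info): TGS_REQ (7 etypes {18 17 16 23 1 3 2}) 192.168.1.25: UNKNOWN_SERVER: authtime 1211203944, admin@TEST.NET for HTTP/freeipa.test.net@TEST.NET, Server not found in Kerberos database
May 19 09:32:54 freeIPA.test.net krb5kdc[1759](info): TGS_REQ (7 etypes {18 17 16 23 1 3 2}) 192.168.1.25: UNKNOWN_SERVER: authtime 1211203944, admin@TEST.NET for HTTP/freeipa.test.net@TEST.NET, Server not found in Kerberos database
"""

# Constructed sample of ldapsearch output; these DNs are assumed, not from the thread.
LDIF = """\
dn: krbprincipalname=HTTP/freeIPA.test.net@TEST.NET,cn=TEST.NET,cn=kerberos,dc=test,dc=net
dn: krbprincipalname=ldap/freeIPA.test.net@TEST.NET,cn=TEST.NET,cn=kerberos,dc=test,dc=net
dn: krbprincipalname=admin@TEST.NET,cn=TEST.NET,cn=kerberos,dc=test,dc=net
"""

def unknown_servers(log):
    """Service principals the KDC rejected with UNKNOWN_SERVER, de-duplicated in order."""
    seen = []
    for m in re.finditer(r"UNKNOWN_SERVER:.* for (\S+), Server not found", log):
        if m.group(1) not in seen:
            seen.append(m.group(1))
    return seen

def principals(ldif):
    """Principal names taken from the krbprincipalname RDN of each dn: line."""
    return re.findall(r"^dn:\s*krbprincipalname=([^,]+),", ldif, re.I | re.M)

def diagnose(requested, existing):
    """Classify a rejected principal against what the directory actually holds."""
    if requested in existing:
        return ("exact", requested)
    for p in existing:
        # Kerberos principal names are case-sensitive, so a case-only
        # difference is still a different principal to the KDC.
        if p.lower() == requested.lower():
            return ("case_mismatch", p)
    return ("missing", None)

if __name__ == "__main__":
    have = principals(LDIF)
    for req in unknown_servers(KDC_LOG):
        print(req, diagnose(req, have))
```
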