[Freeipa-users] Annoying issue with Firefox and kerberos ticket
Steven Jones
Steven.Jones at vuw.ac.nz
Thu Nov 24 19:24:35 UTC 2011
Yes.
Check - OK, it hasnt expired yet this morning....
regards
Steven Jones
Technical Specialist - Linux RHCE
Victoria University, Wellington, NZ
0064 4 463 6272
________________________________________
From: Adam Young [ayoung at redhat.com]
Sent: Thursday, 24 November 2011 4:59 p.m.
To: Steven Jones
Cc: freeipa-users at redhat.com
Subject: Re: [Freeipa-users] Annoying issue with Firefox and kerberos ticket
So let me get this straight: A system that works fine one day does not work the next.
You have a Kerberos TIcket, it expires. The webUI doesn't work. You then do a kinit and reload the browser, and it does not work. THen you go through the initialization steps, including configuring the browser, and then the webUI does work?
I can't see how that is possible. All that the browser config does is sets a couple of values in the properties that allows the browser forward the Kerberos TGT to the FreeIPA site. Are those values are somehow getting unset? There is something else going on.
THe next time, before you re-init the tgt or anything, go through the steps here:
http://docs.redhat.com/docs/en-US/Red_Hat_Enterprise_Linux/5/html/Deployment_Guide/sso-config-firefox.html
and check the values for network.negotiate-auth.trusted-uris and network.negotiate-auth.delegation-uris
More information about the Freeipa-users
mailing list