[Freeipa-users] IPA, kerberos ticket issue for web admin.

Nathan Lager lagern at lafayette.edu
Fri Apr 27 15:52:43 UTC 2012


On 04/23/2012 11:58 AM, Rob Crittenden wrote:
> Nathan Lager wrote:
>> On 04/20/2012 02:26 PM, Rob Crittenden wrote:
>>> Have you configured the browser for Kerberos?
>>> http://docs.fedoraproject.org/en-US//Fedora/15/html/FreeIPA_Guide/using-the-ui.html
>>>
>>> That error seems to indicate that the domain isn't defined in
>>> network.negotiate-auth.trusted-uris
>>> 
>>> regards
>>> 
>>> rob
>> 
>> I've been through the clicky-clicky that IPA's web GUI sends you
>> through (accepting the certs, and configuring the browser), a
>> number of times.  I just confirmed the trusted URIs and
>> delegation URIs. They are both correct, they look like:
>> .my.ipa.domain.com
>>
>> I even tried resetting delegation-uris and trusted-uris to the
>> default, and then allowing the IPA web GUI to re-configure them;
>> it hasn't helped.
>> 
>> Thanks for the response.  Sorry for the delay in mine.
> 
> Hmm, that is very strange. The code in question in Firefox looks
> like:
> 
> bool allowed = TestPref(uri, kNegotiateAuthTrustedURIs);
> if (!allowed) {
>     LOG(("nsHttpNegotiateAuth::ChallengeReceived URI blocked\n"));
>     return NS_ERROR_ABORT;
> }
> 
> which seems to be the error you are seeing. It's a shame there
> isn't more logging around the uris.
> 
> I see that you had enabled debug logging on the Apache side. Can
> you provide some more context on the failed request?
> 
> thanks
> 
> rob

Again, sorry for the delay.  This is just one in my long list of
current projects.


Here's the requested log data. It's a tail -f of the access and error
logs.  Server name and client IP stripped.


==> error_log <==
[Fri Apr 27 11:47:04 2012] [info] Connection to child 0 established
(server ipaserver.domain.com:443, client xxx.xxx.xxx.xxx)

==> access_log <==
xxx.xxx.xxx.xxx - - [27/Apr/2012:11:47:04 -0400] "POST /ca/ocsp
HTTP/1.1" 200 2326 "-" "Mozilla/5.0 (X11; Linux x86_64; rv:10.0.1)
Gecko/20100101 Firefox/10.0.1"

==> error_log <==
[Fri Apr 27 11:47:05 2012] [info] Initial (No.1) HTTPS request
received for child 0 (server ipaserver.domain.com:443)
[Fri Apr 27 11:47:05 2012] [error] [client xxx.xxx.xxx.xxx] File does
not exist: /usr/share/ipa/ui/develop.js, referer:
https://ipaserver.domain.com/ipa/ui/

==> access_log <==
xxx.xxx.xxx.xxx - - [27/Apr/2012:11:47:05 -0400] "GET
/ipa/ui/develop.js HTTP/1.1" 404 306

==> error_log <==
[Fri Apr 27 11:47:05 2012] [info] Connection to child 0 closed (server
ipaserver.domain.com:443, client xxx.xxx.xxx.xxx)
[Fri Apr 27 11:47:05 2012] [info] Connection to child 6 established
(server ipaserver.domain.com:443, client xxx.xxx.xxx.xxx)
[Fri Apr 27 11:47:05 2012] [info] Initial (No.1) HTTPS request
received for child 6 (server ipaserver.domain.com:443)
[Fri Apr 27 11:47:05 2012] [debug] src/mod_auth_kerb.c(1578): [client
xxx.xxx.xxx.xxx] kerb_authenticate_user entered with user (NULL) and
auth_type Kerberos, referer: https://ipaserver.domain.com/ipa/ui/

==> access_log <==
xxx.xxx.xxx.xxx - - [27/Apr/2012:11:47:05 -0400] "POST /ipa/json
HTTP/1.1" 401 1771

==> error_log <==
[Fri Apr 27 11:47:05 2012] [info] Connection to child 6 closed (server
ipaserver.domain.com:443, client xxx.xxx.xxx.xxx)


- -- 
- -=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
Nathan Lager, RHCSA, RHCE (#110-011-426)
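
The Firefox check quoted in this message refuses Negotiate unless the request URI matches an entry in network.negotiate-auth.trusted-uris. The following Python model of that matching is an added example, not part of the thread and not Firefox's own code. It assumes comma-separated entries of the form [scheme://][host][:port] with host suffix matching on a label boundary; the function names and hostnames are constructed for illustration.

```python
from urllib.parse import urlsplit

DEFAULT_PORTS = {"http": 80, "https": 443}

def _parse_entry(entry):
    """Split one pref entry of the assumed form [scheme://][host][:port]."""
    scheme, sep, rest = entry.partition("://")
    if not sep:
        scheme, rest = None, entry
    host, sep, port = rest.rpartition(":")
    if not sep or not port.isdigit():
        host, port = rest, None
    return scheme, host.lower(), int(port) if port else None

def entry_matches(entry, url):
    """True if a single trusted-uris entry covers the request URL."""
    scheme, host, port = _parse_entry(entry.strip())
    u = urlsplit(url)
    uhost = (u.hostname or "").lower()
    if scheme and scheme.lower() != u.scheme:
        return False
    if port is not None and port != (u.port or DEFAULT_PORTS.get(u.scheme)):
        return False
    if not host:
        return True  # scheme-only entry such as "https://"
    if not uhost.endswith(host):
        return False
    # Exact match, entry with a leading dot, or match on a label boundary:
    # "example.test" must not match "notexample.test".
    return (len(uhost) == len(host) or host.startswith(".")
            or uhost[-len(host) - 1] == ".")

def negotiate_allowed(pref_value, url):
    """Model of the TestPref gate: any entry matching allows Negotiate."""
    return any(entry_matches(e, url)
               for e in pref_value.split(",") if e.strip())

if __name__ == "__main__":
    pref = ".ipa.example.test"  # constructed value, same shape as in the thread
    for url in ("https://ipaserver.ipa.example.test/ipa/json",
                "https://ipa.example.test/ipa/json",
                "https://ipaserver.example.test/ipa/json"):
        print(url, "->", "allowed" if negotiate_allowed(pref, url) else "blocked")
```

Under this model a leading-dot entry covers hosts below the domain but not the bare domain itself, and a server reached under a name outside the listed suffix is blocked before any ticket is sent.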