[Freeipa-users] IPA, kerberos ticket issue for web admin.
Nathan Lager
lagern at lafayette.edu
Fri Apr 27 15:52:43 UTC 2012
On 04/23/2012 11:58 AM, Rob Crittenden wrote:
> Nathan Lager wrote:
>> On 04/20/2012 02:26 PM, Rob Crittenden wrote:
>>> Have you configured the browser for Kerberos?
>>> http://docs.fedoraproject.org/en-US//Fedora/15/html/FreeIPA_Guide/using-the-ui.html
>>>
>>> That error seems to indicate that the domain isn't defined in
>>> network.negotiate-auth.trusted-uris
>>>
>>> regards
>>>
>>> rob
>>
>> I've been through the clicky-clicky that ipa's web gui sends you
>> through (accepting the certs, and configuring the browser), a
>> number of times. I just confirmed the trusted URIs and
>> delegation URIs. They are both correct, they look like:
>> .my.ipa.domain.com
>>
>> I even tried resetting delegation-uris and trusted-uris to the
>> default, and then allowing the ipa web gui to re-configure them;
>> it hasn't helped.
>>
>> Thanks for the response. Sorry for the delay in mine.
>
> Hmm, that is very strange. The code in question in Firefox looks
> like:
>
> bool allowed = TestPref(uri, kNegotiateAuthTrustedURIs);
> if (!allowed) {
>     LOG(("nsHttpNegotiateAuth::ChallengeReceived URI blocked\n"));
>     return NS_ERROR_ABORT;
> }
>
> which seems to be the error you are seeing. It's a shame there
> isn't more logging around the uris.
>
> I see that you had enabled debug logging on the Apache side. Can
> you provide some more context on the failed request?
>
> thanks
>
> rob
Again, sorry for the delay. This is just one in my long list of
current projects.
Here's the requested log data. It's a tail -f of the access and error
logs. Server name and client IP stripped.
==> error_log <==
[Fri Apr 27 11:47:04 2012] [info] Connection to child 0 established (server ipaserver.domain.com:443, client xxx.xxx.xxx.xxx)
==> access_log <==
xxx.xxx.xxx.xxx - - [27/Apr/2012:11:47:04 -0400] "POST /ca/ocsp HTTP/1.1" 200 2326 "-" "Mozilla/5.0 (X11; Linux x86_64; rv:10.0.1) Gecko/20100101 Firefox/10.0.1"
==> error_log <==
[Fri Apr 27 11:47:05 2012] [info] Initial (No.1) HTTPS request received for child 0 (server ipaserver.domain.com:443)
[Fri Apr 27 11:47:05 2012] [error] [client xxx.xxx.xxx.xxx] File does not exist: /usr/share/ipa/ui/develop.js, referer: https://ipaserver.domain.com/ipa/ui/
==> access_log <==
xxx.xxx.xxx.xxx - - [27/Apr/2012:11:47:05 -0400] "GET /ipa/ui/develop.js HTTP/1.1" 404 306
==> error_log <==
[Fri Apr 27 11:47:05 2012] [info] Connection to child 0 closed (server ipaserver.domain.com:443, client xxx.xxx.xxx.xxx)
[Fri Apr 27 11:47:05 2012] [info] Connection to child 6 established (server ipaserver.domain.com:443, client xxx.xxx.xxx.xxx)
[Fri Apr 27 11:47:05 2012] [info] Initial (No.1) HTTPS request received for child 6 (server ipaserver.domain.com:443)
[Fri Apr 27 11:47:05 2012] [debug] src/mod_auth_kerb.c(1578): [client xxx.xxx.xxx.xxx] kerb_authenticate_user entered with user (NULL) and auth_type Kerberos, referer: https://ipaserver.domain.com/ipa/ui/
==> access_log <==
xxx.xxx.xxx.xxx - - [27/Apr/2012:11:47:05 -0400] "POST /ipa/json HTTP/1.1" 401 1771
==> error_log <==
[Fri Apr 27 11:47:05 2012] [info] Connection to child 6 closed (server ipaserver.domain.com:443, client xxx.xxx.xxx.xxx)
- --
- -=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
Nathan Lager, RHCSA, RHCE (#110-011-426)
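
The log excerpt in the message above, read mechanically, as an added example that is not part of the original message or of FreeIPA or mod_auth_kerb: it splits interleaved `tail -f` output per file and lists 401 challenges that the same client never followed with a non-401 request to the same path, the pattern left behind when a client does not answer the Negotiate challenge. The function names and the WORKING contrast line are constructed for illustration; the FAILED records are the post's own, rejoined and grouped per file.

```python
import re

# Records from the post's `tail -f` output, mail-wrapped lines rejoined and
# grouped per file (hostname and client IP are redacted in the original).
FAILED = """\
==> error_log <==
[Fri Apr 27 11:47:05 2012] [debug] src/mod_auth_kerb.c(1578): [client xxx.xxx.xxx.xxx] kerb_authenticate_user entered with user (NULL) and auth_type Kerberos, referer: https://ipaserver.domain.com/ipa/ui/
==> access_log <==
xxx.xxx.xxx.xxx - - [27/Apr/2012:11:47:04 -0400] "POST /ca/ocsp HTTP/1.1" 200 2326 "-" "Mozilla/5.0 (X11; Linux x86_64; rv:10.0.1) Gecko/20100101 Firefox/10.0.1"
xxx.xxx.xxx.xxx - - [27/Apr/2012:11:47:05 -0400] "GET /ipa/ui/develop.js HTTP/1.1" 404 306
xxx.xxx.xxx.xxx - - [27/Apr/2012:11:47:05 -0400] "POST /ipa/json HTTP/1.1" 401 1771
"""
# Constructed contrast (not from the post): the client retries and is authenticated.
WORKING = FAILED + 'xxx.xxx.xxx.xxx - admin@EXAMPLE.COM [27/Apr/2012:11:47:06 -0400] "POST /ipa/json HTTP/1.1" 200 512\n'

HEADER = re.compile(r"^==> (\S+) <==$")
ACCESS = re.compile(r'^(\S+) \S+ (\S+) \[[^\]]+\] "\S+ (\S+) [^"]*" (\d{3}) ')
NULL_USER = "kerb_authenticate_user entered with user (NULL)"

def split_streams(text):
    """Split interleaved `tail -f a b` output into {file name: [records]}."""
    streams, current = {}, None
    for line in text.splitlines():
        header = HEADER.match(line)
        if header:
            current = header.group(1)
        elif current and line.strip():
            streams.setdefault(current, []).append(line)
    return streams

def analyze(text):
    """Report 401 challenges that no later request from the same client answered."""
    streams = split_streams(text)
    pending = []  # (client, path) pairs still waiting for a non-401 response
    for record in streams.get("access_log", []):
        m = ACCESS.match(record)
        if not m:
            continue
        client, _user, path, status = m.groups()
        if status == "401" and (client, path) not in pending:
            pending.append((client, path))
        elif status != "401" and (client, path) in pending:
            pending.remove((client, path))
    null_entries = sum(NULL_USER in r for r in streams.get("error_log", []))
    return {"unanswered": pending, "null_user_entries": null_entries}

if __name__ == "__main__":
    print(analyze(FAILED))
    print(analyze(WORKING))
```

Only the order of records within access_log is relied on, since `tail -f` does not guarantee ordering across files.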