[Freeipa-users] Additional pre-authentication required, Ticket Wrong ?
Matt .
yamakasi.014 at gmail.com
Mon Mar 30 02:56:11 UTC 2015
Hi,
I just tot home and typing from my cell so i'm suite short in words
Create keytab for ldap-01.domain
Kinit with that to ldap.domain
Curl against ldap.domain
Get a 301 which I manage from curl (goes well)
Get kerberos ticket error
now I don't kinit anymore so re-use my existing ticket and curl against
ldap-01.domain and I'm accepted and can execute stuff.
My ssl is OK, ticket also it seems.
Thanks M.
Op 30 mrt. 2015 03:50 schreef "Dmitri Pal" <dpal at redhat.com>:
> On 03/29/2015 04:47 AM, Matt . wrote:
>
>> Hi Guys,
>>
>> Now my Certification issues are solved for using a loadbalancer in
>> front of my ipa servers I get the following:
>>
>> Unable to verify your Kerberos credentials
>>
>> and in my logs:
>>
>> Additional pre-authentication required.
>>
>> This happens when I connect throught my loadbalancers, I see my server
>> coming ni with the right IP.
>>
>> When I access my ipa server directly, not using the loadbalancer IP
>> between it, my kerberos Ticket is valid.
>>
>> I get the feeling that when I use my loadbalancers and because of that
>> I get a 301 redirect it needs a preauth. I see some issues on
>> mailinglists but it doesn't fit my situation.
>>
>> Why wants it the preauth when I already have a valid ticket and my
>> redirect is followed by CURL and posted the right way ?
>>
>
> Can you describe the sequence?
> What do you do?
>
> From the client you try IPA CLI and this is where you see the problem even
> with the valid ticket or is the flow different?
>
> I hope someone has an idea.
>>
>> Thanks,
>>
>> Matt
>>
>>
>
> --
> Thank you,
> Dmitri Pal
>
> Sr. Engineering Manager IdM portfolio
> Red Hat, Inc.
>
> --
> Manage your subscription for the Freeipa-users mailing list:
> https://www.redhat.com/mailman/listinfo/freeipa-users
> Go to http://freeipa.org for more info on the project
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://listman.redhat.com/archives/freeipa-users/attachments/20150330/a0908242/attachment.htm>
More information about the Freeipa-users
mailing list