[Freeipa-users] Additional pre-authentication required, Ticket Wrong ?

Dmitri Pal dpal at redhat.com
Mon Mar 30 12:39:17 UTC 2015


On 03/29/2015 10:56 PM, Matt . wrote:
>
> Hi,
>
> I just got home and am typing from my cell, so I'm quite short in words
>
> Create keytab for ldap-01.domain
> Kinit with that to ldap.domain
> Curl against ldap.domain
> Get a 301 which I manage from curl (goes well)
> Get kerberos ticket error
>
> Now I don't kinit anymore so re-use my existing ticket and curl 
> against ldap-01.domain and I'm accepted and can execute stuff.
>
> My ssl is OK, ticket also it seems.
>

Hard to say without the logs what is going on. However here is a thought:
If it is trying to get another ticket it might think that the service is 
in a different domain.
Client libraries have a feature to detect which ticket to use depending 
on the realm the resource belongs to.
Maybe it is thinking that it is a different realm and thus does not use 
the ticket it has.



> Thanks M.
>
> On 30 Mar 2015 03:50, "Dmitri Pal" <dpal at redhat.com> wrote:
>
>     On 03/29/2015 04:47 AM, Matt . wrote:
>
>         Hi Guys,
>
>         Now my Certification issues are solved for using a loadbalancer in
>         front of my ipa servers I get the following:
>
>         Unable to verify your Kerberos credentials
>
>         and in my logs:
>
>         Additional pre-authentication required.
>
>         This happens when I connect through my loadbalancers, I see
>         my server
>         coming in with the right IP.
>
>         When I access my ipa server directly, not using the
>         loadbalancer IP
>         between it, my kerberos Ticket is valid.
>
>         I get the feeling that when I use my loadbalancers and because
>         of that
>         I get a 301 redirect it needs a preauth. I see some issues on
>         mailinglists but it doesn't fit my situation.
>
>         Why does it want the preauth when I already have a valid ticket and my
>         redirect is followed by CURL and posted the right way ?
>
>
>     Can you describe the sequence?
>     What do you do?
>
>     From the client you try IPA CLI and this is where you see the
>     problem even with the valid ticket or is the flow different?
>
>         I hope someone has an idea.
>
>         Thanks,
>
>         Matt
>
>
>
>     -- 
>     Thank you,
>     Dmitri Pal
>
>     Sr. Engineering Manager IdM portfolio
>     Red Hat, Inc.


-- 
Thank you,
Dmitri Pal

Sr. Engineering Manager IdM portfolio
Red Hat, Inc.
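
The realm detection mentioned in the reply above can be modelled offline. This is an added example, not code from the thread or from FreeIPA: a simplified Python model of the static `[domain_realm]` lookup an MIT krb5 client performs (exact host name first, then each parent domain with a leading dot). The krb5.conf text, host names and realm names are constructed, and it assumes the client resolves realms from static mappings only.

```python
# Constructed sample configuration (not taken from the thread).
SAMPLE_KRB5_CONF = """\
[libdefaults]
  default_realm = IPA.EXAMPLE.TEST

[domain_realm]
  .ipa.example.test = IPA.EXAMPLE.TEST
  ipa.example.test = IPA.EXAMPLE.TEST
  .example.test = CORP.EXAMPLE.TEST
"""


def parse_domain_realm(conf_text):
    """Return the [domain_realm] section as {lowercased tag: realm}."""
    mapping, section = {}, None
    for raw in conf_text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":      # blank line or comment
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip()
        elif section == "domain_realm" and "=" in line:
            tag, realm = (part.strip() for part in line.split("=", 1))
            mapping[tag.lower()] = realm
    return mapping


def realm_for_host(host, mapping):
    """Exact host match first, then parent domains with a leading dot."""
    candidate = host.lower().rstrip(".")
    while candidate:
        if candidate in mapping:
            return mapping[candidate]
        # Drop the leading label: "a.b.c" -> ".b.c" -> ".c"
        dot = candidate.find(".", 1)
        candidate = candidate[dot:] if dot != -1 else ""
    return None  # no static mapping; the library's further fallbacks are not modelled


def spn_realms(hosts, conf_text=SAMPLE_KRB5_CONF):
    """Map each host to the realm a client would pick for HTTP/<host>."""
    mapping = parse_domain_realm(conf_text)
    return {host: realm_for_host(host, mapping) for host in hosts}


if __name__ == "__main__":
    # Hypothetical balancer name vs. real server name.
    for host, realm in spn_realms(["ldap.example.test",
                                   "ldap-01.ipa.example.test"]).items():
        print(f"HTTP/{host} -> realm {realm}")
```

With this constructed mapping the balancer name resolves to a different realm than the server behind it, so a ticket cached for one realm is not used for the other. Comparing the mapped realm with the service principals shown by `klist` is a quick check for this case.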
