[Freeipa-users] Additional pre-authentication required, Ticket Wrong ?
Dmitri Pal
dpal at redhat.com
Mon Mar 30 12:39:17 UTC 2015
On 03/29/2015 10:56 PM, Matt . wrote:
>
> Hi,
>
> I just got home and am typing from my cell, so I'm quite short in words
>
> Create keytab for ldap-01.domain
> Kinit with that to ldap.domain
> Curl against ldap.domain
> Get a 301 which I manage from curl (goes well)
> Get kerberos ticket error
>
> now I don't kinit anymore so re-use my existing ticket and curl
> against ldap-01.domain and I'm accepted and can execute stuff.
>
> My ssl is OK, ticket also it seems.
>
Hard to say without the logs what is going on. However here is a thought:
If it is trying to get another ticket it might think that the service is
in a different domain.
Client libraries have a feature to detect which ticket to use depending
on the realm the resource belongs to.
Maybe it is thinking that it is a different realm and thus does not use
the ticket it has.
> Thanks M.
>
> On 30 Mar 2015 03:50, "Dmitri Pal" <dpal at redhat.com> wrote:
>
> On 03/29/2015 04:47 AM, Matt . wrote:
>
> Hi Guys,
>
> Now my Certification issues are solved for using a loadbalancer in
> front of my ipa servers I get the following:
>
> Unable to verify your Kerberos credentials
>
> and in my logs:
>
> Additional pre-authentication required.
>
> This happens when I connect through my loadbalancers, I see
> my server coming in with the right IP.
>
> When I access my ipa server directly, not using the
> loadbalancer IP
> between it, my kerberos Ticket is valid.
>
> I get the feeling that when I use my loadbalancers and because
> of that
> I get a 301 redirect it needs a preauth. I see some issues on
> mailinglists but it doesn't fit my situation.
>
> Why does it want the preauth when I already have a valid ticket and my
> redirect is followed by CURL and posted the right way ?
>
>
> Can you describe the sequence?
> What do you do?
>
> From the client you try IPA CLI and this is where you see the
> problem even with the valid ticket or is the flow different?
>
> I hope someone has an idea.
>
> Thanks,
>
> Matt
>
>
>
> --
> Thank you,
> Dmitri Pal
>
> Sr. Engineering Manager IdM portfolio
> Red Hat, Inc.
>
>
--
Thank you,
Dmitri Pal
Sr. Engineering Manager IdM portfolio
Red Hat, Inc.