[Freeipa-users] Additional pre-authentication required, Ticket Wrong ?

Sumit Bose sbose at redhat.com
Mon Mar 30 13:03:24 UTC 2015


On Mon, Mar 30, 2015 at 04:56:11AM +0200, Matt . wrote:
> Hi,
> 
> I just got home and am typing from my cell, so I'm quite short in words
> 
> Create keytab for ldap-01.domain
> Kinit with that to ldap.domain
> Curl against ldap.domain
> Get a 301 which I manage from curl (goes well)
> Get kerberos ticket error
> 
> Now I don't kinit anymore so re-use my existing ticket and curl against
> ldap-01.domain and I'm accepted and can execute stuff.
> 
> My ssl is OK, ticket also it seems.

Maybe the output of

KRB5_TRACE=/dev/stdout curl -v ....

might help to see what is going on? 

bye,
Sumit

> 
> Thanks M.
> On 30 Mar 2015 03:50, "Dmitri Pal" <dpal at redhat.com> wrote:
> 
> > On 03/29/2015 04:47 AM, Matt . wrote:
> >
> >> Hi Guys,
> >>
> >> Now my Certification issues are solved for using a loadbalancer in
> >> front of my ipa servers I get the following:
> >>
> >> Unable to verify your Kerberos credentials
> >>
> >> and in my logs:
> >>
> >> Additional pre-authentication required.
> >>
> >> This happens when I connect through my loadbalancers, I see my server
> >> coming in with the right IP.
> >>
> >> When I access my ipa server directly, not using the loadbalancer IP
> >> between it, my kerberos Ticket is valid.
> >>
> >> I get the feeling that when I use my loadbalancers and because of that
> >> I get a 301 redirect it needs a preauth. I see some issues on
> >> mailing lists but it doesn't fit my situation.
> >>
> >> Why does it want the preauth when I already have a valid ticket and my
> >> redirect is followed by CURL and posted the right way?
> >>
> >
> > Can you describe the sequence?
> > What do you do?
> >
> > From the client you try IPA CLI and this is where you see the problem even
> > with the valid ticket or is the flow different?
> >
> >  I hope someone has an idea.
> >>
> >> Thanks,
> >>
> >> Matt
> >>
> >>
> >
> > --
> > Thank you,
> > Dmitri Pal
> >
> > Sr. Engineering Manager IdM portfolio
> > Red Hat, Inc.
> >
> > --
> > Manage your subscription for the Freeipa-users mailing list:
> > https://www.redhat.com/mailman/listinfo/freeipa-users
> > Go to http://freeipa.org for more info on the project
> >
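
An added example, not part of the original thread or of FreeIPA itself: one way to read the trace suggested above when KRB5_TRACE points at a file, listing which service principals the client asked for and which errors the KDC returned. The file names, the realm EXAMPLE.TEST, the client principal and the sample trace lines are constructed for illustration and are not the poster's output.

```shell
#!/bin/sh
# Added example: summarise a KRB5_TRACE log that was written to a file.
# Capture one log per hostname first, for example:
#   KRB5_TRACE=/tmp/lb.trace     curl -v ....   (against ldap.domain)
#   KRB5_TRACE=/tmp/direct.trace curl -v ....   (against ldap-01.domain)
# The file names are assumptions; the curl arguments are elided in the thread.

# Print each distinct service principal requested and each KDC error seen,
# in the order they first appear in the trace.
summarize_trace() {
    sed -n \
        -e 's|^.*Getting credentials [^ ]* -> \([^ ]*\) using ccache .*$|request \1|p' \
        -e 's|^.*Received error from KDC: [-0-9]*/\(.*\)$|kdc-error \1|p' \
        "$1" | awk '!seen[$0]++'
}

# Constructed sample lines in the MIT krb5 trace format (not real output).
write_sample_trace() {
    cat > "$1" <<'EOF'
[4242] 1427720604.100001: Getting credentials user@EXAMPLE.TEST -> HTTP/ldap.domain@EXAMPLE.TEST using ccache FILE:/tmp/krb5cc_1000
[4242] 1427720604.100002: Retrieving user@EXAMPLE.TEST -> HTTP/ldap.domain@EXAMPLE.TEST from FILE:/tmp/krb5cc_1000 with result: -1765328243/Matching credential not found
[4242] 1427720604.100350: Received error from KDC: -1765328359/Additional pre-authentication required
[4242] 1427720604.200001: Getting credentials user@EXAMPLE.TEST -> HTTP/ldap-01.domain@EXAMPLE.TEST using ccache FILE:/tmp/krb5cc_1000
[4242] 1427720604.200002: Getting credentials user@EXAMPLE.TEST -> HTTP/ldap-01.domain@EXAMPLE.TEST using ccache FILE:/tmp/krb5cc_1000
EOF
}

# Demo run on the constructed sample.
demo_trace=$(mktemp)
write_sample_trace "$demo_trace"
summarize_trace "$demo_trace"
rm -f "$demo_trace"
```

Running it on the two captured files side by side shows whether the client requests a ticket for the load balancer name or for the backend name in each case.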
