[Freeipa-users] Additional pre-authentication required, Ticket Wrong ?

Matt . yamakasi.014 at gmail.com
Tue Mar 31 05:54:02 UTC 2015


Hi,

I tried to trace some stuff but this doesn't give me much more info.

What I see at the moment in the /var/log/httpd/access_log is exactly
what happens but without the info I need to get a better view:

10.10.0.121 - - [30/Mar/2015:22:22:58 +0200] "POST /ipa/json HTTP/1.1" 301 258
10.10.0.121 - - [30/Mar/2015:22:22:58 +0200] "POST /ipa/json HTTP/1.1" 301 259 "https://ldap.domain.local/ipa/json" "-"
10.10.0.121 - - [30/Mar/2015:22:22:58 +0200] "POST /ipa/json HTTP/1.1" 401 1469
10.10.0.121 - - [30/Mar/2015:22:22:59 +0200] "POST /ipa/json HTTP/1.1" 401 1469

2015-03-30 15:03 GMT+02:00 Sumit Bose <sbose at redhat.com>:
> On Mon, Mar 30, 2015 at 04:56:11AM +0200, Matt . wrote:
>> Hi,
>>
>> I just got home and am typing from my cell so I'm quite short in words
>>
>> Create keytab for ldap-01.domain
>> Kinit with that to ldap.domain
>> Curl against ldap.domain
>> Get a 301 which I manage from curl (goes well)
>> Get kerberos ticket error
>>
>> now I don't kinit anymore so re-use my existing ticket and curl against
>> ldap-01.domain and I'm accepted and can execute stuff.
>>
>> My ssl is OK, ticket also it seems.
>
> Maybe the output of
>
> KRB5_TRACE=/dev/stdout curl -v ....
>
> might help to see what is going on?
>
> bye,
> Sumit
>
>>
>> Thanks M.
>> On 30 Mar 2015 03:50, "Dmitri Pal" <dpal at redhat.com> wrote:
>>
>> > On 03/29/2015 04:47 AM, Matt . wrote:
>> >
>> >> Hi Guys,
>> >>
>> >> Now my Certification issues are solved for using a loadbalancer in
>> >> front of my ipa servers I get the following:
>> >>
>> >> Unable to verify your Kerberos credentials
>> >>
>> >> and in my logs:
>> >>
>> >> Additional pre-authentication required.
>> >>
>> >> This happens when I connect through my loadbalancers, I see my server
>> >> coming in with the right IP.
>> >>
>> >> When I access my ipa server directly, not using the loadbalancer IP
>> >> between it, my kerberos Ticket is valid.
>> >>
>> >> I get the feeling that when I use my loadbalancers and because of that
>> >> I get a 301 redirect it needs a preauth. I see some issues on
>> >> mailinglists but it doesn't fit my situation.
>> >>
>> >> Why does it want the preauth when I already have a valid ticket and my
>> >> redirect is followed by CURL and posted the right way ?
>> >>
>> >
>> > Can you describe the sequence?
>> > What do you do?
>> >
>> > From the client you try IPA CLI and this is where you see the problem even
>> > with the valid ticket or is the flow different?
>> >
>> >  I hope someone has an idea.
>> >>
>> >> Thanks,
>> >>
>> >> Matt
>> >>
>> >>
>> >
>> > --
>> > Thank you,
>> > Dmitri Pal
>> >
>> > Sr. Engineering Manager IdM portfolio
>> > Red Hat, Inc.
>> >
>> > --
>> > Manage your subscription for the Freeipa-users mailing list:
>> > https://www.redhat.com/mailman/listinfo/freeipa-users
>> > Go to http://freeipa.org for more info on the project
>> >
>
>



