[Freeipa-users] Additional pre-authentication required, Ticket Wrong ?

Matt . yamakasi.014 at gmail.com
Tue Mar 31 09:02:24 UTC 2015


On my client I still see:

03/31/2015 11:00:08  04/01/2015 11:00:07  krbtgt/DOMAIN.LOCAL at DOMAIN.LOCAL
03/31/2015 11:00:09  04/01/2015 11:00:07  HTTP/ldap-01.domain.local at DOMAIN.LOCAL

Should ldap-01 not be ldap, as I go through my loadbalancer?

Do I need to merge keytabs or so?

2015-03-31 7:54 GMT+02:00 Matt . <yamakasi.014 at gmail.com>:
> Hi,
>
> I tried to trace some stuff but this doesn't give me much more info.
>
> What I see at the moment in the /var/log/httpd/access_log is exactly
> what happens, but without the info I need to get a better view:
>
> 10.10.0.121 - - [30/Mar/2015:22:22:58 +0200] "POST /ipa/json HTTP/1.1" 301 258
> 10.10.0.121 - - [30/Mar/2015:22:22:58 +0200] "POST /ipa/json HTTP/1.1"
> 301 259 "https://ldap.domain.local/ipa/json" "-"
> 10.10.0.121 - - [30/Mar/2015:22:22:58 +0200] "POST /ipa/json HTTP/1.1" 401 1469
> 10.10.0.121 - - [30/Mar/2015:22:22:59 +0200] "POST /ipa/json HTTP/1.1" 401 1469
>
> 2015-03-30 15:03 GMT+02:00 Sumit Bose <sbose at redhat.com>:
>> On Mon, Mar 30, 2015 at 04:56:11AM +0200, Matt . wrote:
>>> Hi,
>>>
>>> I just got home and am typing from my cell, so I'm quite short in words
>>>
>>> Create keytab for ldap-01.domain
>>> Kinit with that to ldap.domain
>>> Curl against ldap.domain
>>> Get a 301 which I manage from curl (goes well)
>>> Get kerberos ticket error
>>>
>>> Now I don't kinit anymore, so I re-use my existing ticket and curl against
>>> ldap-01.domain, and I'm accepted and can execute stuff.
>>>
>>> My ssl is OK, ticket also it seems.
>>
>> Maybe the output of
>>
>> KRB5_TRACE=/dev/stdout curl -v ....
>>
>> might help to see what is going on?
>>
>> bye,
>> Sumit
>>
>>>
>>> Thanks M.
>>> On 30 Mar 2015 03:50, "Dmitri Pal" <dpal at redhat.com> wrote:
>>>
>>> > On 03/29/2015 04:47 AM, Matt . wrote:
>>> >
>>> >> Hi Guys,
>>> >>
>>> >> Now that my certification issues are solved for using a loadbalancer in
>>> >> front of my ipa servers, I get the following:
>>> >>
>>> >> Unable to verify your Kerberos credentials
>>> >>
>>> >> and in my logs:
>>> >>
>>> >> Additional pre-authentication required.
>>> >>
>>> >> This happens when I connect through my loadbalancers; I see my server
>>> >> coming in with the right IP.
>>> >>
>>> >> When I access my ipa server directly, not using the loadbalancer IP
>>> >> between it, my kerberos Ticket is valid.
>>> >>
>>> >> I get the feeling that when I use my loadbalancers, and because of that
>>> >> get a 301 redirect, it needs a preauth. I see some issues on
>>> >> mailing lists, but they don't fit my situation.
>>> >>
>>> >> Why does it want the preauth when I already have a valid ticket and my
>>> >> redirect is followed by CURL and posted the right way?
>>> >>
>>> >
>>> > Can you describe the sequence?
>>> > What do you do?
>>> >
>>> > From the client you try IPA CLI and this is where you see the problem even
>>> > with the valid ticket or is the flow different?
>>> >
>>> >> I hope someone has an idea.
>>> >>
>>> >> Thanks,
>>> >>
>>> >> Matt
>>> >>
>>> >>
>>> >
>>> > --
>>> > Thank you,
>>> > Dmitri Pal
>>> >
>>> > Sr. Engineering Manager IdM portfolio
>>> > Red Hat, Inc.
>>> >
>>> > --
>>> > Manage your subscription for the Freeipa-users mailing list:
>>> > https://www.redhat.com/mailman/listinfo/freeipa-users
>>> > Go to http://freeipa.org for more info on the project
>>> >
>>
>>
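The ticket mismatch Matt notices (a service ticket for HTTP/ldap-01.domain.local while the requests go to ldap.domain.local) follows from how SPNEGO works: the client asks the KDC for HTTP/<the host it connects to>, and after a 301 that host changes. The following is an added example, not code from the thread or from FreeIPA; it parses klist-style output (constructed sample, realm DOMAIN.LOCAL assumed) and reports which HTTP/<host> principal in a redirect chain has no ticket in the cache, which is the host whose key the backend keytab must also hold.

```python
"""Check a Kerberos credential cache against the hosts in a redirect chain.

Added example for the thread above. It does not run klist; it parses the
two-timestamp-plus-principal lines that klist prints (same layout as the
lines Matt quoted) and compares them with the HTTP/<host> principal a
SPNEGO client would request for each URL it visits, including the target
of a 301 Location header.
"""
import re
from urllib.parse import urlparse

# Constructed sample of `klist` output mirroring the thread (realm assumed).
SAMPLE_KLIST = """\
Ticket cache: KEYRING:persistent:1000:1000
Default principal: admin@DOMAIN.LOCAL

Valid starting       Expires              Service principal
03/31/2015 11:00:08  04/01/2015 11:00:07  krbtgt/DOMAIN.LOCAL@DOMAIN.LOCAL
03/31/2015 11:00:09  04/01/2015 11:00:07  HTTP/ldap-01.domain.local@DOMAIN.LOCAL
"""

# One ticket line: start date, start time, expiry date, expiry time, principal.
TICKET_RE = re.compile(r"^\s*\S+ \S+\s+\S+ \S+\s+(\S+@\S+)\s*$")


def service_principals(klist_output: str) -> set:
    """Return every service principal (e.g. HTTP/host@REALM) listed by klist."""
    found = set()
    for line in klist_output.splitlines():
        m = TICKET_RE.match(line)
        if m:
            found.add(m.group(1))
    return found


def http_principal_for(url: str, realm: str) -> str:
    """Principal a SPNEGO client requests when it talks to url's host."""
    host = urlparse(url).hostname.lower()
    return f"HTTP/{host}@{realm}"


def missing_tickets(redirect_chain, klist_output, realm):
    """For the original URL and each Location target, list the HTTP/<host>
    principals the cache has no ticket for. Each one is a host the client
    will ask the KDC about, so the backend behind that name needs its key."""
    have = service_principals(klist_output)
    wanted = (http_principal_for(u, realm) for u in redirect_chain)
    return [p for p in wanted if p not in have]
```

Feeding it the load-balancer URL from the access_log lines shows the ticket for HTTP/ldap.domain.local is the one the cache lacks, while a direct ldap-01 URL reports nothing missing.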