System: Centos 6.2 IPA version : ipa-server-2.1.3-9.el6.x86_64 Thanks Chandan <div class="gmail_quote">On Mon, May 14, 2012 at 2:21 PM, Dmitri Pal <<a href="mailto:dpal@redhat.com" target="_blank">dpal@redhat.com</a>> wrote: <blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"> <div bgcolor="#ffffff" text="#000000"><div><div class="h5"> On 05/14/2012 05:09 PM, Chandan Kumar wrote: <blockquote type="cite">I am a newbie in IPA and was experimenting it on my couple of VMs before considering it for production level. Installation went fine, however, I am getting the kerberos key expiration error at firefox. I am running firefox on the same machine where I have installed/configured ipa-server. On googling and some help in IRC I checked documentation to trouble shoot it as this appear to be a known problem. Moreover, I did follow <a href="http://freeipa.org/page/InstallAndDeploy" target="_blank">http://freeipa.org/page/InstallAndDeploy</a> <a href="http://freeipa.org/page/TroubleshootingGuide" target="_blank">http://freeipa.org/page/TroubleshootingGuide</a> Fire fox logs 1977841888[7fc789f5b040]: leaving nsAuthGSSAPI::GetNextToken [rv=80004005] -1977841888[7fc789f5b040]: using REQ_DELEGATE -1977841888[7fc789f5b040]: service = <a href="http://ipaserver.example.com" target="_blank">ipaserver.example.com</a> -1977841888[7fc789f5b040]: using negotiate-gss -1977841888[7fc789f5b040]: entering nsAuthGSSAPI::nsAuthGSSAPI() -1977841888[7fc789f5b040]: entering nsAuthGSSAPI::Init() -1977841888[7fc789f5b040]: nsHttpNegotiateAuth::GenerateCredentials() [challenge=Negotiate] -1977841888[7fc789f5b040]: entering nsAuthGSSAPI::GetNextToken() -1977841888[7fc789f5b040]: gss_init_sec_context() failed: Unspecified GSS failure. Minor code may provide more information SPNEGO cannot find mechanisms to negotiate -1977841888[7fc789f5b040]: leaving nsAuthGSSAPI::GetNextToken [rv=80004005] [root@ds var]# klist Ticket cache: <a>FILE:/tmp/krb5cc_0</a> Default principal: <a href="mailto:admin@EXAMPLE.COM" target="_blank">admin@EXAMPLE.COM</a> Valid starting Expires Service principal 05/14/12 13:50:32 05/15/12 13:50:30 krbtgt/<a href="mailto:EXAMPLE.COM@EXAMPLE.COM" target="_blank">EXAMPLE.COM@EXAMPLE.COM</a> 05/14/12 13:53:58 05/15/12 13:50:30 HTTP/<a href="mailto:ipaserver.example.com@EXAMPLE.COM" target="_blank">ipaserver.example.com@EXAMPLE.COM</a> 05/14/12 13:54:13 05/15/12 13:50:30 ldap/<a href="mailto:ipaserver.example.com@EXAMPLE.COM" target="_blank">ipaserver.example.com@EXAMPLE.COM</a> [root@ds var]# Output of ldapsearch -Y GSSAPI -b "dc=example,dc=com" uid=admin at <a href="http://fpaste.org/9hXX/" target="_blank">http://fpaste.org/9hXX/</a> I am not sure what I am missing though. Appreciate any help. Thanks Chandan </blockquote> </div></div> Are you running FF on windows? Which version of IPA are you using? <blockquote type="cite"> <pre><fieldset></fieldset> _______________________________________________ Freeipa-users mailing list <a href="mailto:Freeipa-users@redhat.com" target="_blank">Freeipa-users@redhat.com</a> <a href="https://www.redhat.com/mailman/listinfo/freeipa-users" target="_blank">https://www.redhat.com/mailman/listinfo/freeipa-users</a></pre> </blockquote> <pre cols="72">-- Thank you, Dmitri Pal Sr. Engineering Manager IPA project, Red Hat Inc. ------------------------------- Looking to carve out IT costs? <a href="http://www.redhat.com/carveoutcosts/" target="_blank">www.redhat.com/carveoutcosts/</a> </pre> </div> _______________________________________________ Freeipa-users mailing list <a href="mailto:Freeipa-users@redhat.com">Freeipa-users@redhat.com</a> <a href="https://www.redhat.com/mailman/listinfo/freeipa-users" target="_blank">https://www.redhat.com/mailman/listinfo/freeipa-users</a> </blockquote></div>