<html>
<head>
<meta content="text/html; charset=UTF-8" http-equiv="Content-Type">
</head>
<body text="#000000" bgcolor="#FFFFFF">
<div class="moz-cite-prefix">On 03/29/2015 10:56 PM, Matt . wrote:<br>
</div>
<blockquote
cite="mid:CAPNQp07P5Oc6_U+idVvNStGzfBE7pQ1f__+AQ5e-eR-iVvoxWw@mail.gmail.com"
type="cite">
<p dir="ltr">Hi,</p>
<p dir="ltr">I just got home and am typing from my cell so I'm quite
short in words</p>
<p dir="ltr">Create keytab for ldap-01.domain<br>
Kinit with that to ldap.domain<br>
Curl against ldap.domain<br>
Get a 301 which I manage from curl (goes well)<br>
Get kerberos ticket error</p>
<p dir="ltr">Now I don't kinit anymore so re-use my existing
ticket and curl against ldap-01.domain and I'm accepted and can
execute stuff.</p>
<p dir="ltr">My ssl is OK, ticket also it seems.</p>
</blockquote>
<br>
Hard to say without the logs what is going on. However here is a
thought:<br>
If it is trying to get another ticket it might think that the
service is in a different domain.<br>
Client libraries have a feature to detect which ticket to use
depending on the realm the resource belongs to.<br>
Maybe it is thinking that it is a different realm and thus does not
use the ticket it has.<br>
<br>
<br>
<br>
<blockquote
cite="mid:CAPNQp07P5Oc6_U+idVvNStGzfBE7pQ1f__+AQ5e-eR-iVvoxWw@mail.gmail.com"
type="cite">
<p dir="ltr">Thanks M.<br>
</p>
<div class="gmail_quote">On 30 Mar 2015 03:50, "Dmitri
Pal" &lt;<a moz-do-not-send="true" href="mailto:dpal@redhat.com">dpal@redhat.com</a>&gt; wrote:<br
type="attribution">
<blockquote class="gmail_quote" style="margin:0 0 0
.8ex;border-left:1px #ccc solid;padding-left:1ex">On
03/29/2015 04:47 AM, Matt . wrote:<br>
<blockquote class="gmail_quote" style="margin:0 0 0
.8ex;border-left:1px #ccc solid;padding-left:1ex">
Hi Guys,<br>
<br>
Now my Certification issues are solved for using a
loadbalancer in<br>
front of my ipa servers I get the following:<br>
<br>
Unable to verify your Kerberos credentials<br>
<br>
and in my logs:<br>
<br>
Additional pre-authentication required.<br>
<br>
This happens when I connect through my loadbalancers, I see
my server<br>
coming in with the right IP.<br>
<br>
When I access my ipa server directly, not using the
loadbalancer IP<br>
between it, my kerberos Ticket is valid.<br>
<br>
I get the feeling that when I use my loadbalancers and
because of that<br>
I get a 301 redirect it needs a preauth. I see some issues
on<br>
mailinglists but it doesn't fit my situation.<br>
<br>
Why does it want the preauth when I already have a valid ticket
and my<br>
redirect is followed by CURL and posted the right way?<br>
</blockquote>
<br>
Can you describe the sequence?<br>
What do you do?<br>
<br>
From the client you try IPA CLI and this is where you see the
problem even with the valid ticket or is the flow different?<br>
<br>
<blockquote class="gmail_quote" style="margin:0 0 0
.8ex;border-left:1px #ccc solid;padding-left:1ex">
I hope someone has an idea.<br>
<br>
Thanks,<br>
<br>
Matt<br>
<br>
</blockquote>
<br>
<br>
-- <br>
Thank you,<br>
Dmitri Pal<br>
<br>
Sr. Engineering Manager IdM portfolio<br>
Red Hat, Inc.<br>
<br>
</blockquote>
</div>
</blockquote>
<br>
<br>
<pre class="moz-signature" cols="72">--
Thank you,
Dmitri Pal
Sr. Engineering Manager IdM portfolio
Red Hat, Inc.</pre>
</body>
</html>