network.auth.use-sspi false
However, my Linux (RHEL5) browser still doesn't connect.
Mark Christiansen wrote:
Are you configuring your browser according to:
Hi Simo,
Yes, I can get a kerberos ticket on both Windows and Linux clients. I am able to configure a browser on the machine with FreeIPA and use its web interface, but I am unable to do the same on the clients.
Thanks for your suggestions!
http://www.freeipa.com/page/ClientConfigurationGuide#Configuring_Your_Browser
rob
-Mark
On Sun, Jun 8, 2008 at 6:32 AM, Simo Sorce <ssorce redhat com> wrote:
Can you get a kerberos ticket on the clients?
If not, what error do you get?
Simo.
On Sat, 2008-06-07 at 13:17 -0700, Mark Christiansen wrote:
> Hello everyone,
>
> Recently I sent an e-mail because I couldn't get access to freeipa on
> any machine other than the one with freeipa installed. I reinstalled
> the MIT Kerberos client, and am now able to authenticate on a Windows
> machine. However, I can still not get the webpage to display on
> either a Windows or a Linux platform (other than the virtual machine
> freeIPA is installed on). I have reinstalled several times, and don't
> know what I could be missing. All of my machines are on one subnet,
> and I temporarily disabled firewalls to see if that could be the
> issue.
>
> Thanks for any tips!
>
> -Mark
>
> On Sat, Jun 7, 2008 at 9:00 AM, <freeipa-devel-request redhat com>
>
> To subscribe or unsubscribe via the World Wide Web, visit
> https://www.redhat.com/mailman/listinfo/freeipa-devel
> or, via email, send a message with subject or body 'help' to
> freeipa-devel-request redhat com
>
> When replying, please edit your Subject line so it is more specific
> than "Re: Contents of Freeipa-devel digest..."
>
>
> Today's Topics:
>
> 1. Re: [PATCH] be clearer about what is being configured
> (Rob Crittenden)
> 2. AD and freeIPA synch (Karl Wirth)
> 3. Re: AD and freeIPA synch (Rich Megginson)
>
>
> ----------------------------------------------------------------------
>
> Message: 1
> Date: Fri, 06 Jun 2008 15:27:21 -0400
> From: Rob Crittenden <rcritten redhat com>
> Subject: Re: [Freeipa-devel] [PATCH] be clearer about what is being configured
> To: freeipa-devel <freeipa-devel redhat com>, freeipa-interest redhat com
> Content-Type: text/plain; charset="iso-8859-1"
>
>
> ------------------------------
>
> Message: 2
> Date: Fri, 06 Jun 2008 15:32:29 -0400
> From: Karl Wirth <kwirth redhat com>
> Content-Type: text/plain; charset=ISO-8859-1
>
> Hello,
>
> Many organizations have given feedback that they want to make sure that
> freeIPA can synch with AD. We want to provide more than what is
> available in the winsynch that is in fedora directory server. Here are
> my thoughts on what the features should be in this area. I would love
> your feedback. Does this sound right? What is missing? Longer term, we
> hope to enable kerberos trust between AD and IPA but even then some
> folks will want synch as well. Thoughts?
>
> AD and freeIPA synch requirements ---proposal for your review and feedback
>
> 1. Keep password in AD same as PW in IPA
> - If changed in AD, bring change over to IPA
> - If changed in IPA, bring change over to AD
>
> 2. Synch userid and attributes
> - Configurable which attributes
> - If full posix available then make this available
> - Configurable translation between attributes (i.e transform data such
> as middle name length or whatever)
> - Configurable mapping between attribute names
> - Generate attributes if not present in AD with flexible rules for doing
> this and vice versa
>
> 3. Which subsets of users to keep in synch
> - Make it possible to define which AD/IPA users should be kept in synch
>
> 4. Topology
> - Password synch is only supported with 1 AD domain. Not multiple.
> - Identity/attribute synch is supported across multiple domains.
> ---If the same user is in multiple domains, there is a problem ---- Not
> supported
> ---If the same userid in different domains but different user, resolve
> - Need to support PW change on any IPA server
> - Need to support PW change on an AD server
>
> 5. Failover
> - Support for failover AD DC
> - Support for failover IPA
>
> 6. Install and Packaging
> - Separate install of synch tool
> - Preconfigured synch tool with easy to point to IPA and AD
> - Predefined
> - Requires passsynch on domain controllers
> - Proposal 1: Requires password to only change on AD. Probably not ok.
> - Proposal 2: Make changes to IPA to hand PW to AD
>
> 7. Groups.
> Allow four options that an administrator can choose between:
> - One option: Synchronize all users from AD into one IPA group
> - Second option: Synchronize all users according to filter defined in #3
> above and bring along all of their groups and keep their memberships in
> them.
> - Third option: No group synch at all
> - Fourth option: No support for nested groups
>
> Best regards,
> Karl
>
>
>
> ------------------------------
>
> Message: 3
> Date: Fri, 06 Jun 2008 13:38:50 -0600
> From: Rich Megginson <rmeggins redhat com>
> To: kwirth redhat com, freeipa-interest redhat com
> Subject: Re: [Freeipa-devel] AD and freeIPA synch
> Content-Type: text/plain; charset="iso-8859-1"
>
> Karl Wirth wrote:
> > Hello,
> >
> > Many organizations have given feedback that they want to make sure that
> > freeIPA can synch with AD. We want to provide more than what is
> > available in the winsynch that is in fedora directory server. Here are
> > my thoughts on what the features should be in this area. I would love
> > your feedback. Does this sound right? What is missing? Longer term, we
> > hope to enable kerberos trust between AD and IPA but even then some
> > folks will want synch as well. Thoughts?
> >
> > AD and freeIPA synch requirements ---proposal for your review and feedback
> >
> > 1. Keep password in AD same as PW in IPA
> > - If changed in AD, bring change over to IPA
> > - If changed in IPA, bring change over to AD
> >
> One problem with this is password policy - min length, complexity,
> history, etc. How to sync password policy between IPA and AD?
> > 2. Synch userid and attributes
> > - Configurable which attributes
> > - If full posix available then make this available
> > - Configurable translation between attributes (i.e transform data such
> > as middle name length or whatever)
> > - Configurable mapping between attribute names
> > - Generate attributes if not present in AD with flexible rules for doing
> > this and vice versa
> >
> > 3. Which subsets of users to keep in synch
> > - Make it possible to define which AD/IPA users should be kept in synch
> >
> > 4. Topology
> > - Password synch is only supported with 1 AD domain. Not multiple.
> > - Identity/attribute synch is supported across multiple domains.
> > ---If the same user is in multiple domains, there is a problem ---- Not
> > supported
> > ---If the same userid in different domains but different user, resolve
> > - Need to support PW change on any IPA server
> > - Need to support PW change on an AD server
> >
> Support for uni-directional sync - many Fedora DS users have asked for
> the ability to sync changes only from Fedora DS to AD, or vice versa,
> but not both ways. Or perhaps uni-directional for passwords (due to
> password policy) and bi-di for other data.
> > 5. Failover
> > - Support for failover AD DC
> > - Support for failover IPA
> >
> > 6. Install and Packaging
> > - Separate install of synch tool
> > - Preconfigured synch tool with easy to point to IPA and AD
> > - Predefined
> > - Requires passsynch on domain controllers
> > - Proposal 1: Requires password to only change on AD. Probably not ok.
> > - Proposal 2: Make changes to IPA to hand PW to AD
> >
> > 7. Groups.
> > Allow four options that an administrator can choose between:
> > - One option: Synchronize all users from AD into one IPA group
> > - Second option: Synchronize all users according to filter defined in #3
> > above and bring along all of their groups and keep their memberships in
> > them.
> > - Third option: No group synch at all
> > - Fourth option: No support for nested groups
> >
> Support for AD memberOf (if not already fully supported by ipa-memberof).
> > Best regards,
> > Karl
> >
> > _______________________________________________
> > Freeipa-devel mailing list
> > Freeipa-devel redhat com
> > https://www.redhat.com/mailman/listinfo/freeipa-devel
> >
>
> End of Freeipa-devel Digest, Vol 13, Issue 11
> *********************************************