[Freeipa-devel] Re: Freeipa-devel Digest, Vol 12, Issue 33

Mark Christiansen mchristi at u.washington.edu
Mon May 19 22:44:37 UTC 2008


Hello Dmitri,

I filed a bug (447440) for the documentation recommendation.  I also filed a
2nd bug (447445) to fix the link to Microsoft's web page for Kerberos
Authentication help, which is currently giving a "Content not found" page.

If I do a kinit on a Windows machine (which most of the potential end users
will likely use), I get the error:
kinit(v5): Cannot resolve network address for KDC in realm ___ while getting initial credentials

I also added the realm to the about:config page for Mozilla, and added the
site as a trusted site within IE.  However, for IE I have it so that the
page prompts for user name and password, but it doesn't prompt me, gives me
a certificate error, and even if I continue with the bad certificate, the
page comes up with nothing.

Just to understand this better: once either Firefox or IE is configured
properly, the web page should allow an end user to get a ticket, right?  I
am hoping that command line use will not be necessary.

Thanks for your help and suggestions!

-Mark

On Mon, May 19, 2008 at 12:41 PM, Dmitri Pal <dpal at redhat.com> wrote:

> Hi Mark,
>
> Thank you for sharing the recommendation with us.
> Can you please log a request into bugzilla?
>
> https://bugzilla.redhat.com
>
> Did you do kinit first?
> Did you add the realm into the FireFox configuration?
>
> Thank you
> Dmitri Pal
>
>
> Mark Christiansen wrote:
>
>> I fixed my problems with ipa* functions by modifying /etc/hosts so that my
>> FQDN entry is first, and the localhost entry is not first.  I am guessing
>> this is where most other people will have their problems.  Can we modify the
>> FAQ to include this recommendation?
>>
>> I am having issues getting access to the web page outside of the machine
>> with freeipa installed.  Should I be able to get a ticket by accessing the
>> web interface?   In both IE and Firefox, I am unable to bring up any pages
>> after getting prompted.  In IE, it is blank, and in Firefox I get Kerberos
>> authentication failed.  This is another noob question, but perhaps it will
>> be helpful for the FAQ.  My O'Reilly book on Kerberos is on its way.  :)
>>
>> Thanks!
>>
>> -Mark
>>
>> On Mon, May 19, 2008 at 9:00 AM, <freeipa-devel-request at redhat.com> wrote:
>>
>>    Message: 1
>>    Date: Mon, 19 May 2008 11:39:45 -0400
>>    From: Rob Crittenden <rcritten at redhat.com>
>>    Subject: Re: [Freeipa-devel] freeIPA + Fedora 9 + xen , can't get
>>           passed ipa-finduser admin
>>    To: Jaakan Shorter <jaakanshorter at gmail.com>
>>    Cc: freeipa-devel at redhat.com
>>    Message-ID: <48319F41.7040707 at redhat.com>
>>    Content-Type: text/plain; charset="iso-8859-1"
>>
>>    Jaakan Shorter wrote:
>>    > here's an update ( I replaced the domain name with test )
>>    > let me know if you need any more info
>>    >
>>    > ipa-server-install --uninstall
>>    > rm -f /var/kerberos/krb5kdc/kpasswd.keytab
>>    > stopped the kerberos service ( --uninstall switch didn't stop it. I
>>    > thought it should set it back to old state )
>>    > yum update ( 1.0.6 version came out over the weekend for FC-9 )
>>    > rebooted
>>    > ipa-server-install --setup-bind -N
>>
>>    Yes, this should be fixed in the tip.
>>
>>    [ snip ]
>>
>>    > May 19 09:31:08 freeIPA.test.net krb5kdc[1758](info): set up 4 sockets
>>    > May 19 09:31:08 freeIPA.test.net krb5kdc[1759](info): commencing operation
>>    > May 19 09:32:02 freeIPA.test.net krb5kdc[1759](info): AS_REQ (7 etypes {18 17 16 23 1 3 2}) 192.168.1.25: NEEDED_PREAUTH: admin@TEST.NET for krbtgt/TEST.NET@TEST.NET, Additional pre-authentication required
>>    > May 19 09:32:24 freeIPA.test.net krb5kdc[1759](info): AS_REQ (7 etypes {18 17 16 23 1 3 2}) 192.168.1.25: ISSUE: authtime 1211203944, etypes {rep=18 tkt=18 ses=18}, admin@TEST.NET for krbtgt/TEST.NET@TEST.NET
>>    > May 19 09:32:54 freeIPA.test.net krb5kdc[1759](info): TGS_REQ (7 etypes {18 17 16 23 1 3 2}) 192.168.1.25: UNKNOWN_SERVER: authtime 1211203944,  admin@TEST.NET for HTTP/freeipa.test.net@TEST.NET, Server not found in Kerberos database
>>    > May 19 09:32:54 freeIPA.test.net krb5kdc[1759](info): TGS_REQ (7 etypes {18 17 16 23 1 3 2}) 192.168.1.25: UNKNOWN_SERVER: authtime 1211203944,  admin@TEST.NET for HTTP/freeipa.test.net@TEST.NET, Server not found in Kerberos database
>>
>>    Service principals are created for the IPA servers at install time.
>>    There must be some (perhaps subtle) difference in what was created at
>>    install time and what it is trying to use.
>>
>>    Try this command to see what service principals exist:
>>
>>    $ ldapsearch -LLL -x -b "cn=kerberos,dc=test,dc=net" objectclass=krbPrincipalAux dn
>>
>>    rob
>>
>>    ------------------------------
>>
>>    _______________________________________________
>>    Freeipa-devel mailing list
>>    Freeipa-devel at redhat.com
>>    https://www.redhat.com/mailman/listinfo/freeipa-devel
>>
>
>
> --
> Dmitri Pal
> Engineering Manager
> Red Hat Inc.
>