[Freeipa-devel] Re: Freeipa-devel Digest, Vol 12, Issue 33

Mark Christiansen mwchristiansen at gmail.com
Thu May 22 18:27:08 UTC 2008


Hello Rob,

I tried both the Windows command line and the MIT client.  Currently, with
the MIT client I get the error:  Cannot resolve network address for KDC in
requested realm.

I tried to troubleshoot via the help pages, but I was unable to get past
this problem.  On the local machine, I can get a ticket via the command
line.  I am running this in a virtual machine, and I have disabled SELinux
and iptables so I don't know if something else could be restricting
communication.

Thanks for your help!

-Mark

On Mon, May 19, 2008 at 6:57 PM, Rob Crittenden <rcritten at redhat.com> wrote:

> Mark Christiansen wrote:
>
>> Hello Dmitri,
>>
>> I filed a bug (447440) for the documentation recommendation.  I also filed
>> a 2nd bug (447445) to fix the link to Microsoft's web page for Kerberos
>> Authentication help, which is currently giving a "Content not found" page.
>>
>> If I do a kinit on a Windows machine (which most of the potential end
>> users will likely use), I get the error:
>> kinit(v5): Cannot resolve network address for KDC in realm ___  while
>> getting initial credentials
>>
>
> Are you using the native Microsoft kerberos client or the MIT client? I
> don't believe IPA will interoperate with the native windows client.
>
>> I also added the realm to the about:config page for Mozilla, and added the
>> site as a trusted site within IE.  However, for IE I have it so that the
>> page prompts for user name and password, but it doesn't prompt me, gives me
>> a certificate error, and even if I continue with the bad certificate, the
>> page comes up with nothing.
>> Just to understand this better, but once either firefox or IE is
>> configured properly, the web page should allow an end user to get a ticket,
>> right?  I am hoping that command line use will not be necessary.
>>
>
> You have to get the ticket before Firefox or IE will work. Firefox/IE, if
> properly configured, will be able to present the ticket as your credentials
> so you don't have to type a username/password in to authenticate.
>
> rob
>
>
>> Thanks for your help and suggestions!
>>
>> -Mark
>>
>> On Mon, May 19, 2008 at 12:41 PM, Dmitri Pal <dpal at redhat.com> wrote:
>>
>>    Hi Mark,
>>
>>    Thank you for sharing the recommendation with us.
>>    Can you please log a request into bugzilla?
>>
>>    https://bugzilla.redhat.com
>>
>>    Did you do kinit first?
>>    Did you add the realm into the FireFox configuration?
>>
>>    Thank you
>>    Dmitri Pal
>>
>>
>>    Mark Christiansen wrote:
>>
>>        I fixed my problems with ipa* functions by modifying /etc/hosts
>>        so that my FQDN entry is first, and the localhost entry is not
>>        first.  I am guessing this is where most other people will have
>>        their problems.  Can we modify the FAQ to include this
>>        recommendation?
>>
>>        I am having issues getting access to the web page outside of the
>>        machine with freeipa installed.  Should I be able to get a
>>        ticket by accessing the web interface?   In both IE and Firefox,
>>        I am unable to bring up any pages after getting prompted.  In
>>        IE, it is blank, and Firefox I get Kerberos authentication
>>        failed.  This is another noob question, but perhaps it will be
>>        helpful for the FAQ.  My O'Reilly book on Kerberos is on its
>>        way.  :)
>>
>>        Thanks!
>>
>>        -Mark
>>
>>        On Mon, May 19, 2008 at 9:00 AM, <freeipa-devel-request at redhat.com> wrote:
>>
>> ----------------------------------------------------------------------
>>
>>           Message: 1
>>           Date: Mon, 19 May 2008 11:39:45 -0400
>>           From: Rob Crittenden <rcritten at redhat.com>
>>           Subject: Re: [Freeipa-devel] freeIPA + Fedora 9 + xen , can't get
>>                  passed ipa-finduser admin
>>           To: Jaakan Shorter <jaakanshorter at gmail.com>
>>           Cc: freeipa-devel at redhat.com
>>           Message-ID: <48319F41.7040707 at redhat.com>
>>           Content-Type: text/plain; charset="iso-8859-1"
>>
>>           Jaakan Shorter wrote:
>>           > here's an update ( I replaced the domain name with test )
>>           > let me know if you need anymore info
>>           >
>>           > ipa-server-install --uninstall
>>           > rm -f /var/kerberos/krb5kdc/kpasswd.keytab
>>           > stopped the kerberos service ( --uninstall switch didn't stop it. I
>>           > thought it should set it back to old state )
>>           > yum update ( 1.0.6 version came out over the weekend for FC-9 )
>>           > rebooted
>>           > ipa-server-install --setup-bind -N
>>
>>           Yes, this should be fixed in the tip.
>>
>>           [ snip ]
>>
>>           > May 19 09:31:08 freeIPA.test.net krb5kdc[1758](info): set up 4 sockets
>>           > May 19 09:31:08 freeIPA.test.net krb5kdc[1759](info): commencing operation
>>           > May 19 09:32:02 freeIPA.test.net krb5kdc[1759](info): AS_REQ (7 etypes {18 17 16 23 1 3 2}) 192.168.1.25: NEEDED_PREAUTH: admin@TEST.NET for krbtgt/TEST.NET@TEST.NET, Additional pre-authentication required
>>           > May 19 09:32:24 freeIPA.test.net krb5kdc[1759](info): AS_REQ (7 etypes {18 17 16 23 1 3 2}) 192.168.1.25: ISSUE: authtime 1211203944, etypes {rep=18 tkt=18 ses=18}, admin@TEST.NET for krbtgt/TEST.NET@TEST.NET
>>           > May 19 09:32:54 freeIPA.test.net krb5kdc[1759](info): TGS_REQ (7 etypes {18 17 16 23 1 3 2}) 192.168.1.25: UNKNOWN_SERVER: authtime 1211203944,  admin@TEST.NET for HTTP/freeipa.test.net@TEST.NET, Server not found in Kerberos database
>>           > May 19 09:32:54 freeIPA.test.net krb5kdc[1759](info): TGS_REQ (7 etypes {18 17 16 23 1 3 2}) 192.168.1.25: UNKNOWN_SERVER: authtime 1211203944,  admin@TEST.NET for HTTP/freeipa.test.net@TEST.NET, Server not found in Kerberos database
>>
>>           Service principals are created for the IPA servers at install time.
>>           There must be some (perhaps subtle) difference in what was created at
>>           install time and what it is trying to use.
>>
>>           Try this command to see what service principals exist:
>>
>>           $ ldapsearch -LLL -x -b "cn=kerberos,dc=test,dc=net"
>>           objectclass=krbPrincipalAux dn
>>
>>           rob
>>
>
>
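The krb5kdc log quoted in the thread ends with a TGS_REQ for HTTP/freeipa.test.net@TEST.NET that the KDC answers with UNKNOWN_SERVER. The script below is an added example, not code from the thread or from FreeIPA: it parses lines in that log format, collects the service principals the KDC could not find, and compares them against a set of principals (KNOWN_PRINCIPALS is a constructed, hypothetical stand-in for what Rob's ldapsearch would list), reporting case-only mismatches separately because the KDC compares principal names case-sensitively.

```python
import re
from collections import defaultdict

# Constructed sample in the krb5kdc log format quoted in the thread (one event per line).
SAMPLE_LOG = """\
May 19 09:31:08 freeIPA.test.net krb5kdc[1758](info): set up 4 sockets
May 19 09:32:02 freeIPA.test.net krb5kdc[1759](info): AS_REQ (7 etypes {18 17 16 23 1 3 2}) 192.168.1.25: NEEDED_PREAUTH: admin@TEST.NET for krbtgt/TEST.NET@TEST.NET, Additional pre-authentication required
May 19 09:32:24 freeIPA.test.net krb5kdc[1759](info): AS_REQ (7 etypes {18 17 16 23 1 3 2}) 192.168.1.25: ISSUE: authtime 1211203944, etypes {rep=18 tkt=18 ses=18}, admin@TEST.NET for krbtgt/TEST.NET@TEST.NET
May 19 09:32:54 freeIPA.test.net krb5kdc[1759](info): TGS_REQ (7 etypes {18 17 16 23 1 3 2}) 192.168.1.25: UNKNOWN_SERVER: authtime 1211203944,  admin@TEST.NET for HTTP/freeipa.test.net@TEST.NET, Server not found in Kerberos database
"""

# Hypothetical stand-in for the principals the thread's ldapsearch would list.
KNOWN_PRINCIPALS = {"krbtgt/TEST.NET@TEST.NET", "HTTP/freeIPA.test.net@TEST.NET"}

# Request type, client address, status code, then the "<client> for <server>" pair.
LINE_RE = re.compile(
    r"krb5kdc\[\d+\]\(info\): (?P<req>AS_REQ|TGS_REQ) .*?\) (?P<addr>[\d.]+): "
    r"(?P<status>[A-Z_]+):.*?(?P<client>\S+) for (?P<server>\S+?)(?:,|$)"
)

def parse_kdc_log(text):
    """Return one dict per AS_REQ/TGS_REQ line; lines without a request are skipped."""
    return [m.groupdict() for m in map(LINE_RE.search, text.splitlines()) if m]

def unknown_servers(events):
    """Map each service principal the KDC could not find to the clients that asked for it."""
    missing = defaultdict(set)
    for e in events:
        if e["status"] == "UNKNOWN_SERVER":
            missing[e["server"]].add(e["client"])
    return dict(missing)

def check_against_directory(missing, known):
    """Classify each missing principal as present, a case-only mismatch, or absent.
    The KDC compares principal names case-sensitively, so a case-only mismatch still fails."""
    by_lower = {p.lower(): p for p in known}
    report = {}
    for server in missing:
        if server in known:
            report[server] = "present"
        elif server.lower() in by_lower:
            report[server] = "case mismatch with " + by_lower[server.lower()]
        else:
            report[server] = "absent"
    return report

if __name__ == "__main__":
    missing = unknown_servers(parse_kdc_log(SAMPLE_LOG))
    print(check_against_directory(missing, KNOWN_PRINCIPALS))
```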