[Freeipa-users] Help regarding Basic FreeIPA setup
Dmitri Pal
dpal at redhat.com
Mon May 14 23:11:06 UTC 2012
On 05/14/2012 05:25 PM, Chandan Kumar wrote:
>
> System: Centos 6.2
> IPA version : ipa-server-2.1.3-9.el6.x86_64
>
>
> Thanks
> Chandan
>
>
I am not sure but seems like something is not properly configured with
the browser.
I do not remember seeing SPNEGO in the GSSAPI negotiation in this flow
on a working configuration.
But I will defer to experts.
>
>
>
> On Mon, May 14, 2012 at 2:21 PM, Dmitri Pal <dpal at redhat.com
> <mailto:dpal at redhat.com>> wrote:
>
> On 05/14/2012 05:09 PM, Chandan Kumar wrote:
>> I am a newbie in IPA and was experimenting it on my couple of VMs
>> before considering it for production level.
>>
>> Installation went fine, however, I am getting the kerberos key
>> expiration error at firefox. I am running firefox on the same
>> machine where I have installed/configured ipa-server. On googling
>> and some help in IRC I checked documentation to trouble shoot it
>> as this appear to be a known problem.
>>
>> Moreover, I did follow
>>
>> http://freeipa.org/page/InstallAndDeploy
>> http://freeipa.org/page/TroubleshootingGuide
>>
>> Fire fox logs
>>
>> 1977841888[7fc789f5b040]: leaving nsAuthGSSAPI::GetNextToken
>> [rv=80004005]
>> -1977841888[7fc789f5b040]: using REQ_DELEGATE
>> -1977841888[7fc789f5b040]: service = ipaserver.example.com
>> <http://ipaserver.example.com>
>> -1977841888[7fc789f5b040]: using negotiate-gss
>> -1977841888[7fc789f5b040]: entering nsAuthGSSAPI::nsAuthGSSAPI()
>> -1977841888[7fc789f5b040]: entering nsAuthGSSAPI::Init()
>> -1977841888[7fc789f5b040]:
>> nsHttpNegotiateAuth::GenerateCredentials() [challenge=Negotiate]
>> -1977841888[7fc789f5b040]: entering nsAuthGSSAPI::GetNextToken()
>> -1977841888[7fc789f5b040]: gss_init_sec_context() failed:
>> Unspecified GSS failure. Minor code may provide more information
>> SPNEGO cannot find mechanisms to negotiate
>> -1977841888[7fc789f5b040]: leaving nsAuthGSSAPI::GetNextToken
>> [rv=80004005]
>>
>> [root at ds var]# klist
>> Ticket cache: FILE:/tmp/krb5cc_0
>> Default principal: admin at EXAMPLE.COM <mailto:admin at EXAMPLE.COM>
>>
>> Valid starting Expires Service principal
>> 05/14/12 13:50:32 05/15/12 13:50:30
>> krbtgt/EXAMPLE.COM at EXAMPLE.COM <mailto:EXAMPLE.COM at EXAMPLE.COM>
>> 05/14/12 13:53:58 05/15/12 13:50:30
>> HTTP/ipaserver.example.com at EXAMPLE.COM
>> <mailto:ipaserver.example.com at EXAMPLE.COM>
>> 05/14/12 13:54:13 05/15/12 13:50:30
>> ldap/ipaserver.example.com at EXAMPLE.COM
>> <mailto:ipaserver.example.com at EXAMPLE.COM>
>> [root at ds var]#
>>
>> Output of ldapsearch -Y GSSAPI -b "dc=example,dc=com" uid=admin
>>
>> at http://fpaste.org/9hXX/
>>
>> I am not sure what I am missing though. Appreciate any help.
>>
>> Thanks
>> Chandan
>>
>>
>>
>
> Are you running FF on windows?
> Which version of IPA are you using?
>
>
>>
>> _______________________________________________
>> Freeipa-users mailing list
>> Freeipa-users at redhat.com <mailto:Freeipa-users at redhat.com>
>> https://www.redhat.com/mailman/listinfo/freeipa-users
>
>
> --
> Thank you,
> Dmitri Pal
>
> Sr. Engineering Manager IPA project,
> Red Hat Inc.
>
>
> -------------------------------
> Looking to carve out IT costs?
> www.redhat.com/carveoutcosts/ <http://www.redhat.com/carveoutcosts/>
>
>
>
> _______________________________________________
> Freeipa-users mailing list
> Freeipa-users at redhat.com <mailto:Freeipa-users at redhat.com>
> https://www.redhat.com/mailman/listinfo/freeipa-users
>
>
--
Thank you,
Dmitri Pal
Sr. Engineering Manager IPA project,
Red Hat Inc.
-------------------------------
Looking to carve out IT costs?
www.redhat.com/carveoutcosts/
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://listman.redhat.com/archives/freeipa-users/attachments/20120514/9a039699/attachment.htm>
More information about the Freeipa-users
mailing list