That config gets overwritten on upgrades though. Can FreeIPA expose this as a knob rather than users modifying config files directly?
On Wed, Sep 22, 2021 at 10:03 PM Alexander Bokovoy via FreeIPA-users <freeipa-users@lists.fedorahosted.org> wrote:

> On Wed, 22 Sep 2021, Cutright, Jacob via FreeIPA-users wrote:
> >Hello,
> >
> >I can also confirm this is a normal occurrence on Windows while using
> >Chrome and Edge. Firefox, however, does not do this. It is a bit confusing
> >for new users of IPA as they will generally treat it as a login prompt,
> >although it doesn't do anything for them. I have been curious about this
> >prompt, but haven't had a chance to look into it yet.
>
> This is a bug in Windows browsers based on Chrome engine. It is known
> for years and Chrome developers refused to fix it.
>
> One thing you can do is to follow a recipe in
> https://bugzilla.redhat.com/show_bug.cgi?id=1309041
>
> ...
> <Location "/ipa">
>   AuthType GSSAPI
>   AuthName "Kerberos Login"
>   BrowserMatch Windows gssapi-no-negotiate
> ...
>
> Perhaps, we need to finally add this line to the default IPA
> configuration as per https://pagure.io/freeipa/issue/5614
>
> >On Wed, Sep 22, 2021, 3:51 PM Sam Morris via FreeIPA-users <
> >freeipa-users@lists.fedorahosted.org> wrote:
> >
> >> > Florence Renaud via FreeIPA-users wrote:
> >> > IIRC some browsers, notably on Windows, when the initial GSSAPI
> >> > handshake fails because there is no ticket, may either throw an error
> >> > because they are trying NTLM auth or don't understand the basic fallback.
> >> >
> >> > What browser(s) are you seeing the issue on?
> >>
> >> I see this on Windows 10 Home with Chrome 93.0.4577.82 (and older
> >> versions).
> >>
> >> I get two login prompts - the first is caused by a POST to
> >> /ipa/session/json resulting in a 401.
> >>
> >> The second is caused by a GET for /ipa/session/login_kerberos?_=<some
> >> timestamp>.
> >>
> >> Both responses have the WWW-Authenticate: Negotiate header.
> >>
> >> I happen to have MIT Kerberos for Windows installed--that may or may not
> >> be relevant. I've not (as far as I remember) configured Chrome to try to
> >> use SPNEGO to talk to my IPA servers so this may not be relevant.
> >>
> >> --
> >> Sam Morris <https://robots.org.uk/>
> >> PGP: rsa4096/CAAA AA1A CA69 A83A 892B 1855 D20B 4202 5CDA 27B9
> >> _______________________________________________
> >> FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org
> >> To unsubscribe send an email to freeipa-users-le...@lists.fedorahosted.org
> >> Fedora Code of Conduct:
> >> https://docs.fedoraproject.org/en-US/project/code-of-conduct/
> >> List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
> >> List Archives:
> >> https://lists.fedorahosted.org/archives/list/freeipa-users@lists.fedorahosted.org
> >> Do not reply to spam on the list, report it:
> >> https://pagure.io/fedora-infrastructure
>
> --
> / Alexander Bokovoy
> Sr. Principal Software Engineer
> Security / Identity Management Engineering
> Red Hat Limited, Finland
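Because the workaround line quoted in this thread can be lost when the configuration file is rewritten on upgrade, a post-upgrade check can flag when it needs re-applying. The script below is an added example, not code from the thread or from FreeIPA: the function names are hypothetical, the samples are constructed from the quoted fragment (with a closing `</Location>` added so it parses), and it assumes the block is written directly in the file being checked, without following `Include` directives.

```python
import re
import sys

# Constructed samples modelled on the fragment quoted in the thread.
PATCHED = """<Location "/ipa">
  AuthType GSSAPI
  AuthName "Kerberos Login"
  BrowserMatch Windows gssapi-no-negotiate
</Location>
"""
# The same block with the workaround lost: only a commented-out copy remains.
RESET = PATCHED.replace("  BrowserMatch", "  # BrowserMatch")

OPEN = re.compile(r'<Location\s+"?([^">\s]+)"?\s*>', re.I)
CLOSE = re.compile(r"</Location\s*>", re.I)

def audit(conf_text, location="/ipa"):
    """Report what the named <Location> block contains."""
    found = {"block": False, "gssapi": False, "no_negotiate": False}
    inside = False
    for raw in conf_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):  # commented-out lines do not count
            continue
        opened = OPEN.fullmatch(line)
        if opened:
            inside = opened.group(1) == location
            found["block"] = found["block"] or inside
        elif CLOSE.fullmatch(line):
            inside = False
        elif inside:
            words = line.split()
            name = words[0].lower()  # Apache directive names are case-insensitive
            if name == "authtype" and [w.lower() for w in words[1:]] == ["gssapi"]:
                found["gssapi"] = True
            if name == "browsermatch" and "gssapi-no-negotiate" in words[2:]:
                found["no_negotiate"] = True
    return found

def needs_reapply(conf_text, location="/ipa"):
    """True when the block does GSSAPI auth but the workaround line is gone."""
    f = audit(conf_text, location)
    return f["block"] and f["gssapi"] and not f["no_negotiate"]

if __name__ == "__main__":
    # With a path argument, check that file (exit 1 = re-apply needed);
    # without one, show the result for the two constructed samples.
    if len(sys.argv) > 1:
        with open(sys.argv[1]) as fh:
            sys.exit(1 if needs_reapply(fh.read()) else 0)
    for label, text in (("patched", PATCHED), ("reset", RESET)):
        print(label, audit(text), "reapply:", needs_reapply(text))
```

Run with the path of the Apache configuration file as its only argument from a post-upgrade hook or a monitoring job; exit status 1 means the `BrowserMatch` line is missing from the `/ipa` block.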