-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

On 04/23/2012 11:58 AM, Rob Crittenden wrote:
> Nathan Lager wrote:
>> -----BEGIN PGP SIGNED MESSAGE-----
>> Hash: SHA1
>>
>>
>> On 04/20/2012 02:26 PM, Rob Crittenden wrote:
>>> Have you configured the browser for Kerberos?
>>> http://docs.fedoraproject.org/en-US//Fedora/15/html/FreeIPA_Guide/using-the-ui.html
>>>
>>> That error seems to indicate that the domain isn't defined in
>>> network.negotiate-auth.trusted-uris
>>>
>>> regards
>>>
>>> rob
>>
>> I've been through the clicky-clicky that ipa's web gui sends you
>> through (accepting the certs, and configuring the browser), a
>> number of times. I just confirmed the trusted uri's and
>> delegation uris. They are both correct, they look like:
>> .my.ipa.domain.com
>>
>> I even tried resetting delegation-uris, and trusted-uri's to the
>> default, and then allowing the ipa web gui to re-configure them,
>> it hasn't helped.
>>
>> Thanks for the response. Sorry for the delay in mine.
>
> Hmm, that is very strange. The code in question in Firefox looks
> like:
>
> bool allowed = TestPref(uri, kNegotiateAuthTrustedURIs);
> if (!allowed) {
>     LOG(("nsHttpNegotiateAuth::ChallengeReceived URI blocked\n"));
>     return NS_ERROR_ABORT;
> }
>
> which seems to be the error you are seeing. It's a shame there
> isn't more logging around the uris.
>
> I see that you had enabled debug logging on the Apache side. Can
> you provide some more context on the failed request?
>
> thanks
>
> rob

Again, sorry for the delay. This is just one in my long list of
current projects.

Here's the requested log data. It's a tail -f of the access and error
logs. Server name and client IP stripped.

==> error_log <==
[Fri Apr 27 11:47:04 2012] [info] Connection to child 0 established (server ipaserver.domain.com:443, client xxx.xxx.xxx.xxx)

==> access_log <==
xxx.xxx.xxx.xxx - - [27/Apr/2012:11:47:04 -0400] "POST /ca/ocsp HTTP/1.1" 200 2326 "-" "Mozilla/5.0 (X11; Linux x86_64; rv:10.0.1) Gecko/20100101 Firefox/10.0.1"

==> error_log <==
[Fri Apr 27 11:47:05 2012] [info] Initial (No.1) HTTPS request received for child 0 (server ipaserver.domain.com:443)
[Fri Apr 27 11:47:05 2012] [error] [client xxx.xxx.xxx.xxx] File does not exist: /usr/share/ipa/ui/develop.js, referer: https://ipaserver.domain.com/ipa/ui/

==> access_log <==
xxx.xxx.xxx.xxx - - [27/Apr/2012:11:47:05 -0400] "GET /ipa/ui/develop.js HTTP/1.1" 404 306

==> error_log <==
[Fri Apr 27 11:47:05 2012] [info] Connection to child 0 closed (server ipaserver.domain.com:443, client xxx.xxx.xxx.xxx)
[Fri Apr 27 11:47:05 2012] [info] Connection to child 6 established (server ipaserver.domain.com:443, client xxx.xxx.xxx.xxx)
[Fri Apr 27 11:47:05 2012] [info] Initial (No.1) HTTPS request received for child 6 (server ipaserver.domain.com:443)
[Fri Apr 27 11:47:05 2012] [debug] src/mod_auth_kerb.c(1578): [client xxx.xxx.xxx.xxx] kerb_authenticate_user entered with user (NULL) and auth_type Kerberos, referer: https://ipaserver.domain.com/ipa/ui/

==> access_log <==
xxx.xxx.xxx.xxx - - [27/Apr/2012:11:47:05 -0400] "POST /ipa/json HTTP/1.1" 401 1771

==> error_log <==
[Fri Apr 27 11:47:05 2012] [info] Connection to child 6 closed (server ipaserver.domain.com:443, client xxx.xxx.xxx.xxx)

- --
- -=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
Nathan Lager, RHCSA, RHCE (#110-011-426)
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.12 (GNU/Linux)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org/

iEYEARECAAYFAk+awMsACgkQsZqG4IN3sulfnACfWNbbddw5ALIW4J9X+nLrovU+
Lg8AmQExUXpbs8LDPiwN4SMKefjF0KaB
=o2KT
-----END PGP SIGNATURE-----

_______________________________________________
Freeipa-users mailing list
https://www.redhat.com/mailman/listinfo/freeipa-users
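
The failure pattern visible in the logs above, as an added example that is not part of the original post and is not FreeIPA or mod_auth_kerb code: it separates interleaved `tail -f` output back into per-file streams and lists clients that got a 401 on a path and never retried it with an authenticated user, which is how a browser that declines to answer the Negotiate challenge appears from the server side. The sample log, host name, addresses, the second client's successful retry and the function names are all constructed for illustration.

```python
import re

# Constructed sample shaped like the thread's `tail -f` output; the host,
# addresses and the authenticated retry by 192.0.2.20 are made up.
SAMPLE = """\
==> access_log <==
192.0.2.10 - - [27/Apr/2012:11:47:05 -0400] "GET /ipa/ui/develop.js HTTP/1.1" 404 306
==> error_log <==
[Fri Apr 27 11:47:05 2012] [debug] src/mod_auth_kerb.c(1578): [client 192.0.2.10] kerb_authenticate_user entered with user (NULL) and auth_type Kerberos, referer: https://ipa.example.test/ipa/ui/
==> access_log <==
192.0.2.10 - - [27/Apr/2012:11:47:05 -0400] "POST /ipa/json HTTP/1.1" 401 1771
192.0.2.20 - - [27/Apr/2012:11:48:10 -0400] "POST /ipa/json HTTP/1.1" 401 1771
192.0.2.20 - admin@EXAMPLE.TEST [27/Apr/2012:11:48:10 -0400] "POST /ipa/json HTTP/1.1" 200 512
"""

HEADER = re.compile(r'^==> (\S+) <==$')
# client, ident, user (%u), [time], "METHOD path proto", status
ACCESS = re.compile(r'^(\S+) \S+ (\S+) \[[^\]]+\] "(\S+) (\S+) [^"]*" (\d{3}) ')

def split_streams(text):
    """Undo `tail -f file1 file2` interleaving: map file name -> its lines."""
    streams, current = {}, None
    for line in text.splitlines():
        m = HEADER.match(line)
        if m:
            current = m.group(1)
        elif current and line.strip():
            streams.setdefault(current, []).append(line)
    return streams

def unanswered_challenges(access_lines):
    """Return (client, path) pairs that received a 401 and never retried the
    same path with an authenticated user (%u field other than "-")."""
    pending = []
    for line in access_lines:
        m = ACCESS.match(line)
        if not m:
            continue
        client, user, _method, path, status = m.groups()
        key = (client, path)
        if status == "401" and user == "-" and key not in pending:
            pending.append(key)
        elif user != "-" and key in pending:
            pending.remove(key)  # challenge was answered with credentials
    return pending

if __name__ == "__main__":
    logs = split_streams(SAMPLE)
    for client, path in unanswered_challenges(logs["access_log"]):
        print(f"{client}: 401 on {path}, no authenticated retry seen")
```
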
