Hi,


I have run it on Macosx and RHEL6.2, firefox and chrome, safari wont connect 
but thats a safari issue Im sure.



After running "kinit admin" I find the kerberos ticket expires about 24 hours 
later so you have to renew?  What you can do if it simply wont work is get IPA 
to fall back to asking for a password, which is what I have had to set for 
Windows 7 firefox users.



It might depend on which version of firefox, 3 and 10 do work......I think RH 
say firefox 10 is the long term supported version for them so I'd run that at 
least.



regards

Steven Jones

Technical Specialist - Linux RHCE

Victoria University, Wellington, NZ

0064 4 463 6272

________________________________
From: freeipa-users-boun...@redhat.com [freeipa-users-boun...@redhat.com] on 
behalf of Chandan Kumar [chandank.ku...@gmail.com]
Sent: Tuesday, 15 May 2012 9:25 a.m.
To: d...@redhat.com
Cc: freeipa-users@redhat.com
Subject: Re: [Freeipa-users] Help regarding Basic FreeIPA setup


System: Centos 6.2
IPA version : ipa-server-2.1.3-9.el6.x86_64


Thanks
Chandan





On Mon, May 14, 2012 at 2:21 PM, Dmitri Pal 
<d...@redhat.com<mailto:d...@redhat.com>> wrote:
On 05/14/2012 05:09 PM, Chandan Kumar wrote:
I am a newbie in IPA and was experimenting it on my couple of VMs before 
considering it for production level.

Installation went fine, however, I am getting the kerberos key expiration error 
at firefox. I am running firefox on the same machine where I have 
installed/configured ipa-server. On googling and some help in IRC I checked 
documentation to trouble shoot it as this appear to be a known problem.

Moreover, I did follow

http://freeipa.org/page/InstallAndDeploy
http://freeipa.org/page/TroubleshootingGuide

Fire fox logs

1977841888[7fc789f5b040]:   leaving nsAuthGSSAPI::GetNextToken [rv=80004005]
-1977841888[7fc789f5b040]:   using REQ_DELEGATE
-1977841888[7fc789f5b040]:   service = 
ipaserver.example.com<http://ipaserver.example.com>
-1977841888[7fc789f5b040]:   using negotiate-gss
-1977841888[7fc789f5b040]: entering nsAuthGSSAPI::nsAuthGSSAPI()
-1977841888[7fc789f5b040]: entering nsAuthGSSAPI::Init()
-1977841888[7fc789f5b040]: nsHttpNegotiateAuth::GenerateCredentials() 
[challenge=Negotiate]
-1977841888[7fc789f5b040]: entering nsAuthGSSAPI::GetNextToken()
-1977841888[7fc789f5b040]: gss_init_sec_context() failed: Unspecified GSS 
failure.  Minor code may provide more information
SPNEGO cannot find mechanisms to negotiate
-1977841888[7fc789f5b040]:   leaving nsAuthGSSAPI::GetNextToken [rv=80004005]

[root@ds var]# klist
Ticket cache: FILE:/tmp/krb5cc_0
Default principal: ad...@example.com<mailto:ad...@example.com>

Valid starting     Expires            Service principal
05/14/12 13:50:32  05/15/12 13:50:30  
krbtgt/example....@example.com<mailto:example....@example.com>
05/14/12 13:53:58  05/15/12 13:50:30  
HTTP/ipaserver.example....@example.com<mailto:ipaserver.example....@example.com>
05/14/12 13:54:13  05/15/12 13:50:30  
ldap/ipaserver.example....@example.com<mailto:ipaserver.example....@example.com>
[root@ds var]#

Output of ldapsearch -Y GSSAPI -b "dc=example,dc=com" uid=admin

at http://fpaste.org/9hXX/

I am not sure what I am missing though. Appreciate any help.

Thanks
Chandan




Are you running FF on windows?
Which version of IPA are you using?




_______________________________________________
Freeipa-users mailing list
Freeipa-users@redhat.com<mailto:Freeipa-users@redhat.com>
https://www.redhat.com/mailman/listinfo/freeipa-users



--
Thank you,
Dmitri Pal

Sr. Engineering Manager IPA project,
Red Hat Inc.


-------------------------------
Looking to carve out IT costs?
www.redhat.com/carveoutcosts/<http://www.redhat.com/carveoutcosts/>




_______________________________________________
Freeipa-users mailing list
Freeipa-users@redhat.com<mailto:Freeipa-users@redhat.com>
https://www.redhat.com/mailman/listinfo/freeipa-users

_______________________________________________
Freeipa-users mailing list
Freeipa-users@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-users

Reply via email to