I was just thinking it's very unlikely the university would block http
connections from inside, but not ssh from outside. but I'll contact our ITS
BTW, I am new to this LDAP and Kerberos thing, and I just followed the steps
There may be some steps that are obvious to people know these things and they
are not listed in the document, then I could have missed them.
> From: Rob Crittenden <rcrit...@redhat.com>
>To: george he <george_...@yahoo.com>
>Cc: Petr Viktorin <pvikt...@redhat.com>; "firstname.lastname@example.org"
>Sent: Monday, June 18, 2012 1:28 PM
>Subject: Re: [Freeipa-users] is not an IPA v2 Server.
>george he wrote:
>> Hello Rob,
>> Yes, I did the configuration earlier today. And I did kinit too.
>> It seems the web UI loads really slowly - the circular thing can turn
>> for minutes. So maybe I wasn't patient enough to let the page load.
>that can be slow. Otherwise it should be relatively quick. Not minutes
>> I can ssh to the server and the client from my home, so I don't think
>> there's another firewall blocking the connection.
>Different ports and that isn't the client talking to the server, it is
>you talking to the client and to the server. This is definitely some
>sort of networking problem, though "no route to host" is rather odd
>since you can ping. You might also look at the iptables configuration on
>> *From:* Rob Crittenden <rcrit...@redhat.com>
>> *To:* george he <george_...@yahoo.com>
>> *Cc:* Petr Viktorin <pvikt...@redhat.com>;
>> "email@example.com" <firstname.lastname@example.org>
>> *Sent:* Monday, June 18, 2012 11:51 AM
>> *Subject:* Re: [Freeipa-users] is not an IPA v2 Server.
>> george he wrote:
>> > Hello all,
>> > Here is some other information.
>> > I'm setting this up for a lab in a university. The university has its
>> > own kerberos server (and DNS server, which I use).
>> > I'm not sure whether anybody has set a kerberos server for the
>> > department, or some other labs used the department sub-domain.
>> > But I'm sure the realm name is unique.
>> > When I open the web UI on the server (firefox 13.0), I almost
>> always get
>> > this error:
>> > Your Kerberos ticket is no longer valid. Please run kinit and
>> then click
>> > 'Retry'. If this is your first time running the IPA Web UI follow
>> > directions
>> <https://cns2.psych.yale.edu/ipa/config/unauthorized.html> to
>> > configure your browser.
>> > Or you can use form-based authentication
>> > <https://cns2.psych.yale.edu/ipa/ui/#>.
>> > but I can use the form based authentication sometimes, not always.
>> You need to configure the browser to do Kerberos single sign-on.
>> There should be a link in the failure message to take you to a page
>> to help you configure this. You also need to have done a kinit.
>> I'm not sure why forms-based auth work work only sometimes,
>> additional details would be needed.
>> I'm not sure why the server would be pingable from your client but
>> HTTP doesn't work. There may be another firewall blocking the
>> packets on your network.
Freeipa-users mailing list