Hi Rob,
I was just thinking it's very unlikely the university would block http 
connections from inside, but not ssh from outside. but I'll contact our ITS 
BTW, I am new to this LDAP and Kerberos thing, and I just followed the steps 
outlined here 
There may be some steps that are obvious to people know these things and they 
are not listed in the document, then I could have missed them.

> From: Rob Crittenden <rcrit...@redhat.com>
>To: george he <george_...@yahoo.com> 
>Cc: Petr Viktorin <pvikt...@redhat.com>; "freeipa-users@redhat.com" 
>Sent: Monday, June 18, 2012 1:28 PM
>Subject: Re: [Freeipa-users] is not an IPA v2 Server.
>george he wrote:
>> Hello Rob,
>> Yes, I did the configuration earlier today. And I did kinit too.
>> It seems the web UI loads really slowly - the circular thing can turn
>> for minutes. So maybe I wasn't patient enough to let the page load.
>A fair bit of javascript is loaded the very first time you visit IPA, 
>that can be slow. Otherwise it should be relatively quick. Not minutes 
>> I can ssh to the server and the client from my home, so I don't think
>> there's another firewall blocking the connection.
>Different ports and that isn't the client talking to the server, it is 
>you talking to the client and to the server. This is definitely some 
>sort of networking problem, though "no route to host" is rather odd 
>since you can ping. You might also look at the iptables configuration on 
>the client.
>> Thanks,
>> George
>>     ------------------------------------------------------------------------
>>     *From:* Rob Crittenden <rcrit...@redhat.com>
>>     *To:* george he <george_...@yahoo.com>
>>     *Cc:* Petr Viktorin <pvikt...@redhat.com>;
>>     "freeipa-users@redhat.com" <freeipa-users@redhat.com>
>>     *Sent:* Monday, June 18, 2012 11:51 AM
>>     *Subject:* Re: [Freeipa-users] is not an IPA v2 Server.
>>     george he wrote:
>>      > Hello all,
>>      >
>>      > Here is some other information.
>>      > I'm setting this up for a lab in a university. The university has its
>>      > own kerberos server (and DNS server, which I use).
>>      > I'm not sure whether anybody has set a kerberos server for the
>>      > department, or some other labs used the department sub-domain.
>>      > But I'm sure the realm name is unique.
>>      >
>>      > When I open the web UI on the server (firefox 13.0), I almost
>>     always get
>>      > this error:
>>      > Your Kerberos ticket is no longer valid. Please run kinit and
>>     then click
>>      > 'Retry'. If this is your first time running the IPA Web UI follow
>>     these
>>      > directions
>>     <https://cns2.psych.yale.edu/ipa/config/unauthorized.html> to
>>      > configure your browser.
>>      > Or you can use form-based authentication
>>      > <https://cns2.psych.yale.edu/ipa/ui/#>.
>>      > but I can use the form based authentication sometimes, not always.
>>     You need to configure the browser to do Kerberos single sign-on.
>>     There should be a link in the failure message to take you to a page
>>     to help you configure this. You also need to have done a kinit.
>>     I'm not sure why forms-based auth work work only sometimes,
>>     additional details would be needed.
>>     I'm not sure why the server would be pingable from your client but
>>     HTTP doesn't work. There may be another firewall blocking the
>>     packets on your network.
>>     rob
Freeipa-users mailing list

Reply via email to