Dale Macartney wrote:


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1


On 25/06/12 22:37, Rob Crittenden wrote:
Dale Macartney wrote:


On 25/06/12 19:53, Rob Crittenden wrote:
Dale Macartney wrote:

Hi all

I have a RHEL 6.2 IPA domain and I am running through one of my known
working kickstarts for kerberised squid, but instead of using RHEL I'm
setting it up on Fedora 17.

I get the following error on the Fedora system, which has
freeipa-admintools installed

[root@proxy02 ~]# klist
Ticket cache: FILE:/tmp/krb5cc_0
Default principal: ad...@example.com

Valid starting     Expires            Service principal
06/25/12 20:34:33  06/26/12 20:34:31  krbtgt/example....@example.com
[root@proxy02 ~]# ipa service-add HTTP/$(hostname)
ipa: ERROR: did not receive Kerberos credentials
[root@proxy02 ~]# ipa service-add HTTP/proxy02.example.com
ipa: ERROR: did not receive Kerberos credentials
[root@proxy02 ~]#



Nothing appears in the logs apart from

==> /var/log/messages <==
Jun 25 20:35:34 proxy02 pcscd[25567]: 35998884 winscard.c:241:SCardConnect() Reader E-Gate 0 0 Not Found
Jun 25 20:35:34 proxy02 pcscd[25567]: 00001428 winscard.c:241:SCardConnect() Reader E-Gate 0 0 Not Found
Jun 25 20:35:34 proxy02 pcscd[25567]: 00001013 winscard.c:241:SCardConnect() Reader E-Gate 0 0 Not Found
Jun 25 20:35:34 proxy02 pcscd[25567]: 00001230 winscard.c:241:SCardConnect() Reader E-Gate 0 0 Not Found


Any ideas?

This doesn't block me from what I am trying to achieve as I can add the
service principal from the IPA server. Just thought I might ask the
question.

What version of client and server?

rob

Server details

[root@ds01 ~]# yum info ipa-server
Loaded plugins: product-id, security, subscription-manager
Updating certificate-based repositories.
Installed Packages
Name : ipa-server
Arch : x86_64
Version : 2.1.3
Release : 9.el6
Size : 3.2 M
Repo : installed
- From repo : Red Hat Enterprise Linux
Summary : The IPA authentication server
URL : http://www.freeipa.org/
License : GPLv3+
Description : IPA is an integrated solution to provide centrally managed Identity (machine,
            : user, virtual machines, groups, authentication credentials), Policy
            : (configuration settings, access control information) and Audit (events,
            : logs, analysis thereof). If you are installing an IPA server you need
            : to install this package (in other words, most people should NOT install
            : this package).


Client details

[root@proxy02 ~]# yum info freeipa-client
Loaded plugins: langpacks, presto, refresh-packagekit
Installed Packages
Name : freeipa-client
Arch : x86_64
Version : 2.2.0
Release : 1.fc17
Size : 239 k
Repo : installed
- From repo : fedora
Summary : IPA authentication for use on clients
URL : http://www.freeipa.org/
Licence : GPLv3+
Description : IPA is an integrated solution to provide centrally managed Identity (machine,
            : user, virtual machines, groups, authentication credentials), Policy
            : (configuration settings, access control information) and Audit (events,
            : logs, analysis thereof). If your network uses IPA for authentication,
            : this package should be installed on every client machine.

[root@proxy02 ~]# yum info freeipa-admintools
Loaded plugins: langpacks, presto, refresh-packagekit
Installed Packages
Name : freeipa-admintools
Arch : x86_64
Version : 2.2.0
Release : 1.fc17
Size : 43 k
Repo : installed
- From repo : fedora
Summary : IPA administrative tools
URL : http://www.freeipa.org/
Licence : GPLv3+
Description : IPA is an integrated solution to provide centrally managed Identity (machine,
            : user, virtual machines, groups, authentication credentials), Policy
            : (configuration settings, access control information) and Audit (events,
            : logs, analysis thereof). This package provides command-line tools for
            : IPA administrators.

[root@proxy02 ~]#

Use the --delegate flag in the ipa tool. The 2.2 servers use S4U2Proxy
so sending the TGT is no longer required as it was pre 2.2.

# ipa --delegate service-add HTTP/$(hostname)

rob

Ah, good to know. Thanks for the info.

It does get past the TGT aspect, now it's just a version conflict. May or
may not be a workaround for that.

[root@proxy02 ~]# ipa --delegate service-add HTTP/proxy02.example.com
ipa: ERROR: 2.34 client incompatible with 2.13 server at u'https://ds01.example.com/ipa/xml'

Oh, right, sorry I didn't mention this yesterday. You can generally talk with an older client with a newer server, but not the other way around. We don't have per-command versioning (yet), which would make this possible.

rob
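
The two failures in this thread can be told apart mechanically from the error text. The following is an added example, not code from the thread or from FreeIPA: the function names are hypothetical, the equal-major-number rule is an assumption, and the sample inputs are constructed from the error lines quoted above.

```python
import re

# Error formats as quoted in the thread (sample inputs are in SAMPLES).
VERSION_ERR = re.compile(
    r"(\d+)\.(\d+) client incompatible with (\d+)\.(\d+) server at u?'([^']+)'")
CRED_ERR = "did not receive Kerberos credentials"


def api_compatible(client, server):
    """Thread's rule: an older client can talk to a newer server, not the reverse.

    Versions are (major, minor) integer tuples, so 2.4 sorts below 2.13.
    Requiring equal major numbers is an assumption of this example.
    """
    return client[0] == server[0] and client[1] <= server[1]


def triage(output):
    """Classify the output of a failed `ipa` command into (category, detail)."""
    text = " ".join(output.split())  # undo terminal or mail line wrapping
    m = VERSION_ERR.search(text)
    if m:
        client = (int(m.group(1)), int(m.group(2)))
        server = (int(m.group(3)), int(m.group(4)))
        return "api-version", {"client": client, "server": server,
                               "url": m.group(5),
                               "compatible": api_compatible(client, server)}
    if CRED_ERR in text:
        # Per the thread: sending the TGT is no longer required with 2.2
        # servers, but a pre-2.2 server still needs it, hence --delegate.
        return "no-delegated-credentials", "retry with: ipa --delegate <command>"
    return "unknown", None


# Constructed from the error lines quoted in the thread.
SAMPLES = [
    "ipa: ERROR: did not receive Kerberos credentials",
    "ipa: ERROR: 2.34 client incompatible with 2.13 server at\n"
    "u'https://ds01.example.com/ipa/xml'",
]

if __name__ == "__main__":
    for sample in SAMPLES:
        print(triage(sample))
```
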

_______________________________________________
Freeipa-users mailing list
Freeipa-users@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-users
