On Fri, 2015-02-20 at 11:44 +0100, Gianluca Cecchi wrote: > On Fri, Feb 20, 2015 at 10:53 AM, Petr Vobornik <pvobo...@redhat.com> wrote: > > > On 02/20/2015 09:44 AM, Martin Kosek wrote: > > > >> On 02/20/2015 02:00 AM, Dan Mossor wrote: > >> > >>> I just installed a new server on Fedora 21 Server, using the rolekit > >>> deployment > >>> tool. Everything was installed and configured (I hope) properly, but I'm > >>> running into a problem. The version is > >>> freeipa-server-4.1.2-1.fc21.x86_64, and > >>> I can connect to the WebUI only after a restart of ipa.service. > >>> > >> > Hello > I actually have quite similar problems in CentOS 7 too, > with ipa-server-3.3.3-28.0.1.el7.centos.3.x86_64 and related packages > SO the same behavior that if I restart ipa service I'm able to connect > (thanks btw, I didn't realize that, having big problems using the WebUI) > and that my errors are of this type > > [Fri Feb 20 10:32:15.850834 2015] [auth_kerb:error] [pid 2029] [client > 192.168.1.128:50147] gss_accept_sec_context() failed: An unsupported > mechanism was requested (, Unknown error), referer: > https://c7server.localdomain.local/ipa/ui/ > [Fri Feb 20 10:32:22.670791 2015] [auth_kerb:error] [pid 15793] [client > 192.168.1.128:50150] krb5_get_init_creds_password() failed: Decrypt > integrity check failed, referer: https://c7server.localdomain.local/ipa/ui/ > > This happens both from an external browser (I enabled form authentication) > and from a firefox session launched from the ipa server itself after > configuring it for kerberos. > > I don't want to mess with this thread so let me know if I have to open a > dedicated thread specifying for example CentOS 7 or you think it is ok to > get in here... so that I paste here other relevant info.
This is a completely different problem, it just means you do not have appropriate tickets in your browser, which then probably prroceeds trying to use the IAKERB mechanism, and fails. Simo. -- Manage your subscription for the Freeipa-users mailing list: https://www.redhat.com/mailman/listinfo/freeipa-users Go To http://freeipa.org for more info on the project