On 03/29/2015 10:56 PM, Matt . wrote:
Hi,
I just got home and am typing from my cell, so I'm quite short on words.
Create keytab for ldap-01.domain
Kinit with that to ldap.domain
Curl against ldap.domain
Get a 301 which I manage from curl (goes well)
Get kerberos ticket error
Now I don't kinit anymore so re-use my existing ticket and curl
against ldap-01.domain and I'm accepted and can execute stuff.
My ssl is OK, ticket also it seems.
Hard to say without the logs what is going on. However here is a thought:
If it is trying to get another ticket it might think that the service is
in a different domain.
Client libraries have a feature to detect which ticket to use depending
on the realm the resource belongs to.
Maybe it is thinking that it is a different realm and thus does not use
the ticket it has.
Thanks M.
On 30 Mar 2015 03:50, "Dmitri Pal" <d...@redhat.com> wrote:
On 03/29/2015 04:47 AM, Matt . wrote:
Hi Guys,
Now my Certification issues are solved for using a loadbalancer in
front of my ipa servers I get the following:
Unable to verify your Kerberos credentials
and in my logs:
Additional pre-authentication required.
This happens when I connect through my loadbalancers, I see my server
coming in with the right IP.
When I access my ipa server directly, not using the loadbalancer IP
between it, my kerberos Ticket is valid.
I get the feeling that when I use my loadbalancers and because of that
I get a 301 redirect it needs a preauth. I see some issues on
mailinglists but it doesn't fit my situation.
Why does it want the preauth when I already have a valid ticket and my
redirect is followed by CURL and posted the right way?
Can you describe the sequence?
What do you do?
From the client you try IPA CLI and this is where you see the
problem even with the valid ticket or is the flow different?
I hope someone has an idea.
Thanks,
Matt
--
Thank you,
Dmitri Pal
Sr. Engineering Manager IdM portfolio
Red Hat, Inc.
--
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project
--
Thank you,
Dmitri Pal
Sr. Engineering Manager IdM portfolio
Red Hat, Inc.