Re: [Freeipa-users] Additional pre-authentication required, Ticket Wrong ?

[Dmitri Pal]

On 03/29/2015 10:56 PM, Matt . wrote:

Hi,

I just tot home and typing from my cell so i'm suite short in words

Create keytab for ldap-01.domain
Kinit with that to ldap.domain
Curl against ldap.domain
Get a 301 which I manage from curl (goes well)
Get kerberos ticket error

now I don't kinit anymore so re-use my existing ticket and curl 
against ldap-01.domain and I'm accepted and can execute stuff.

My ssl is OK, ticket also it seems.


Hard to say without the logs what is going on. However here is a thought:
If it is trying to get another ticket it might think that the service is 
in a different domain.
Client libraries have a feature to detect which ticket to use depending 
on the realm the resource belongs to.
May be it is thinking that it is a different realm and thus does not use 
the ticket it has.



Thanks M.

Op 30 mrt. 2015 03:50 schreef "Dmitri Pal" <d...@redhat.com 
<mailto:d...@redhat.com>>:

    On 03/29/2015 04:47 AM, Matt . wrote:

        Hi Guys,

        Now my Certification issues are solved for using a loadbalancer in
        front of my ipa servers I get the following:

        Unable to verify your Kerberos credentials

        and in my logs:

        Additional pre-authentication required.

        This happens when I connect throught my loadbalancers, I see
        my server
        coming ni with the right IP.

        When I access my ipa server directly, not using the
        loadbalancer IP
        between it, my kerberos Ticket is valid.

        I get the feeling that when I use my loadbalancers and because
        of that
        I get a 301 redirect it needs a preauth. I see some issues on
        mailinglists but it doesn't fit my situation.

        Why wants it the preauth when I already have a valid ticket and my
        redirect is followed by CURL and posted the right way ?


    Can you describe the sequence?
    What do you do?

    From the client you try IPA CLI and this is where you see the
    problem even with the valid ticket or is the flow different?

        I hope someone has an idea.

        Thanks,

        Matt



    -- 
    Thank you,
    Dmitri Pal

    Sr. Engineering Manager IdM portfolio
    Red Hat, Inc.

    -- 
    Manage your subscription for the Freeipa-users mailing list:
    https://www.redhat.com/mailman/listinfo/freeipa-users
    Go to http://freeipa.org for more info on the project



--
Thank you,
Dmitri Pal

Sr. Engineering Manager IdM portfolio
Red Hat, Inc.

-- 
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project