subject:"\[Freeipa\-users\] Help regarding Basic FreeIPA setup"

Re: [Freeipa-users] Help regarding Basic FreeIPA setup

2012-05-15 Thread Steven Jones

Hi,

For me it sounds like you have not configured firefox to use IPA or centos is 
missing a package/rpm. What strikes me as strange is you should get pop ups 
telling/helping you do it.just following them make sit easy.

If you have and it just wont work, I suggest moving to password authentication 
to get you past that problem so you can get on with testing.


regards

Steven Jones

Technical Specialist - Linux RHCE

Victoria University, Wellington, NZ

0064 4 463 6272


From: Chandan Kumar [chandank.ku...@gmail.com]
Sent: Wednesday, 16 May 2012 2:35 a.m.
To: Steven Jones
Cc: freeipa-users@redhat.com
Subject: Help regarding Basic FreeIPA setup

Hi,
I am running the default Firefox that comes with centos 6.2 . I guess that  
Whatever time I do kinit it just does not working for me even for single time.

Also it shows as that I am logged in as u...@freeipa.org In the main back 
ground web page. Not sure whether it's relevant with this error.

On Monday, 14 May 2012, Steven Jones wrote:

Hi,



I have run it on Macosx and RHEL6.2, firefox and chrome, safari wont connect 
but thats a safari issue Im sure.



After running "kinit admin" I find the kerberos ticket expires about 24 hours 
later so you have to renew?  What you can do if it simply wont work is get IPA 
to fall back to asking for a password, which is what I have had to set for 
Windows 7 firefox users.



It might depend on which version of firefox, 3 and 10 do work..I think RH 
say firefox 10 is the long term supported version for them so I'd run that at 
least.



regards

Steven Jones

Technical Specialist - Linux RHCE

Victoria University, Wellington, NZ

0064 4 463 6272


From: freeipa-users-boun...@redhat.com [freeipa-users-boun...@redhat.com] on 
behalf of Chandan Kumar [chandank.ku...@gmail.com]
Sent: Tuesday, 15 May 2012 9:25 a.m.
To: d...@redhat.com
Cc: freeipa-users@redhat.com
Subject: Re: [Freeipa-users] Help regarding Basic FreeIPA setup


System: Centos 6.2
IPA version : ipa-server-2.1.3-9.el6.x86_64


Thanks
Chandan





On Mon, May 14, 2012 at 2:21 PM, Dmitri Pal  wrote:
On 05/14/2012 05:09 PM, Chandan Kumar wrote:
I am a newbie in IPA and was experimenting it on my couple of VMs before 
considering it for production level.

Installation went fine, however, I am getting the kerberos key expiration error 
at firefox. I am running firefox on the same machine where I have 
installed/configured ipa-server. On googling and some help in IRC I checked 
documentation to trouble shoot it as this appear to be a known problem.

Moreover, I did follow

http://freeipa.org/page/InstallAndDeploy
http://freeipa.org/page/TroubleshootingGuide

Fire fox logs

1977841888[7fc789f5b040]:   leaving nsAuthGSSAPI::GetNextToken [rv=80004005]
-1977841888[7fc789f5b040]:   using REQ_DELEGATE
-1977841888[7fc789f5b040]:   service = 
ipaserver.example.com<http://ipaserver.example.com>
-1977841888[7fc789f5b040]:   using negotiate-gss
-1977841888[7fc789f5b040]: entering nsAuthGSSAPI::nsAuthGSSAPI()
-1977841888[7fc789f5b040]: entering nsAuthGSSAPI::Init()
-1977841888[7fc789f5b040]: nsHttpNegotiateAuth::GenerateCredentials() 
[challenge=Negotiate]
-1977841888[7fc789f5b040]: entering nsAuthGSSAPI::GetNextToken()
-1977841888[7fc789f5b040]: gss_init_sec_context() failed: Unspecified GSS 
failure.  Minor code may provide more information
SPNEGO cannot find mechanisms to negotiate
-1977841888[7fc789f5b040]:   leaving nsAuthGSSAPI::GetNextToken [rv=80004005]

[root@ds var]# klist
Ticket cache: FILE:/tmp/krb5cc_0
Default principal: ad...@example.com

Valid starting ExpiresService principal
05/14/12 13:50:32  05/15/12 13:50:30  krbtgt/example@example.com
05/14/12 13:53:58  05/15/12 13:50:30  HTTP/ipaserver.example@example.com
05/14/12 13:54:13  05/15/12 13:50:30  ldap/ipaserver.example@example.com
[root@ds var]#

Output of ldapsearch -Y GSSAPI -b "dc=example,dc=com" uid=admin

at http://fpaste.org/9hXX/

I am not sure what I am missing though. Appreciate any help.

Thanks
Chandan




Are you running FF on windows?
Which version of IPA are you using?




___
Freeipa-users mailing list
Freeipa-users@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-users



--
Thank you,
Dmitri Pal

Sr. Engineering Manager IPA project,
Red Hat Inc.


---
Looking to carve out IT costs?
www.redhat.com/carveoutcosts/<http://www.redhat.com/carveoutcosts/>




___
Freeipa-users mailing list
Freeipa-users@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-users



--
Sent from my iPad
___
Freeipa-users mailing list
Freeipa-users@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-users

Re: [Freeipa-users] Help regarding Basic FreeIPA setup

2012-05-15 Thread Chandan Kumar

The kinit does show that the keys are there.

[root@ipaserver ~]# klist
Ticket cache: FILE:/tmp/krb5cc_0
Default principal: ad...@example.com

Valid starting ExpiresService principal
05/15/12 09:13:35  05/16/12 09:13:32  krbtgt/example@example.com




Thanks
Chandan





On Tue, May 15, 2012 at 7:35 AM, Chandan Kumar wrote:

> Hi,
> I am running the default Firefox that comes with centos 6.2 . I guess that
>  Whatever time I do kinit it just does not working for me even for single
> time.
>
> Also it shows as that I am logged in as u...@freeipa.org In the main
> back ground web page. Not sure whether it's relevant with this error.
>
>
> On Monday, 14 May 2012, Steven Jones wrote:
>
>>  Hi,
>>
>>
>>
>> I have run it on Macosx and RHEL6.2, firefox and chrome, safari wont
>> connect but thats a safari issue Im sure.
>>
>>
>>
>> After running "kinit admin" I find the kerberos ticket expires about 24
>> hours later so you have to renew?  What you can do if it simply wont
>> work is get IPA to fall back to asking for a password, which is what I have
>> had to set for Windows 7 firefox users.
>>
>>
>>
>> It might depend on which version of firefox, 3 and 10 do work..I
>> think RH say firefox 10 is the long term supported version for them so I'd
>> run that at least.
>>
>>
>>
>> regards
>>
>> Steven Jones
>>
>> Technical Specialist - Linux RHCE
>>
>> Victoria University, Wellington, NZ
>>
>> 0064 4 463 6272
>>   --
>> *From:* freeipa-users-boun...@redhat.com [
>> freeipa-users-boun...@redhat.com] on behalf of Chandan Kumar [
>> chandank.ku...@gmail.com]
>> *Sent:* Tuesday, 15 May 2012 9:25 a.m.
>> *To:* d...@redhat.com
>> *Cc:* freeipa-users@redhat.com
>> *Subject:* Re: [Freeipa-users] Help regarding Basic FreeIPA setup
>>
>>
>> System: Centos 6.2
>> IPA version : ipa-server-2.1.3-9.el6.x86_64
>>
>>
>> Thanks
>> Chandan
>>
>>
>>
>>
>>
>> On Mon, May 14, 2012 at 2:21 PM, Dmitri Pal  wrote:
>>
>>> **
>>>  On 05/14/2012 05:09 PM, Chandan Kumar wrote:
>>>
>>> I am a newbie in IPA and was experimenting it on my couple of VMs before
>>> considering it for production level.
>>>
>>> Installation went fine, however, I am getting the kerberos key
>>> expiration error at firefox. I am running firefox on the same machine where
>>> I have installed/configured ipa-server. On googling and some help in IRC I
>>> checked documentation to trouble shoot it as this appear to be a known
>>> problem.
>>>
>>> Moreover, I did follow
>>>
>>> http://freeipa.org/page/InstallAndDeploy
>>> http://freeipa.org/page/TroubleshootingGuide
>>>
>>> Fire fox logs
>>>
>>> 1977841888[7fc789f5b040]:   leaving nsAuthGSSAPI::GetNextToken
>>> [rv=80004005]
>>> -1977841888[7fc789f5b040]:   using REQ_DELEGATE
>>> -1977841888[7fc789f5b040]:   service = ipaserver.example.com
>>> -1977841888[7fc789f5b040]:   using negotiate-gss
>>> -1977841888[7fc789f5b040]: entering nsAuthGSSAPI::nsAuthGSSAPI()
>>> -1977841888[7fc789f5b040]: entering nsAuthGSSAPI::Init()
>>> -1977841888[7fc789f5b040]: nsHttpNegotiateAuth::GenerateCredentials()
>>> [challenge=Negotiate]
>>> -1977841888[7fc789f5b040]: entering nsAuthGSSAPI::GetNextToken()
>>> -1977841888[7fc789f5b040]: gss_init_sec_context() failed: Unspecified
>>> GSS failure.  Minor code may provide more information
>>> SPNEGO cannot find mechanisms to negotiate
>>> -1977841888[7fc789f5b040]:   leaving nsAuthGSSAPI::GetNextToken
>>> [rv=80004005]
>>>
>>> [root@ds var]# klist
>>> Ticket cache: FILE:/tmp/krb5cc_0
>>> Default principal: ad...@example.com
>>>
>>> Valid starting ExpiresService principal
>>> 05/14/12 13:50:32  05/15/12 13:50:30  krbtgt/example@example.com
>>> 05/14/12 13:53:58  05/15/12 13:50:30  HTTP/
>>> ipaserver.example@example.com
>>> 05/14/12 13:54:13  05/15/12 13:50:30  ldap/
>>> ipaserver.example@example.com
>>> [root@ds var]#
>>>
>>> Output of ldapsearch -Y GSSAPI -b "dc=example,dc=com" uid=admin
>>>
>>> at http://fpaste.org/9hXX/
>>>
>>> I am not sure what I am missing though. Appreciate any help.
>>>
>>> Thanks
>>> Chandan
>>>
>>>
>>>
>>>
>>>  Are you running FF on windows?
>>> Which version of IPA are you using?
>>>
>>>
>>>
>>> ___
>>> Freeipa-users mailing 
>>> listFreeipa-users@redhat.comhttps://www.redhat.com/mailman/listinfo/freeipa-users
>>>
>>>
>>>
>>> --
>>> Thank you,
>>> Dmitri Pal
>>>
>>> Sr. Engineering Manager IPA project,
>>> Red Hat Inc.
>>>
>>>
>>> ---
>>> Looking to carve out IT costs?www.redhat.com/carveoutcosts/
>>>
>>>
>>> ___
>>> Freeipa-users mailing list
>>> Freeipa-users@redhat.com
>>> https://www.redhat.com/mailman/listinfo/freeipa-users
>>>
>>
>>
>
> --
> Sent from my iPad
>
___
Freeipa-users mailing list
Freeipa-users@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-users

[Freeipa-users] Help regarding Basic FreeIPA setup

2012-05-15 Thread Chandan Kumar

Hi,
I am running the default Firefox that comes with centos 6.2 . I guess that
 Whatever time I do kinit it just does not working for me even for single
time.

Also it shows as that I am logged in as u...@freeipa.org In the main
back ground web page. Not sure whether it's relevant with this error.

On Monday, 14 May 2012, Steven Jones wrote:

>  Hi,
>
>
>
> I have run it on Macosx and RHEL6.2, firefox and chrome, safari wont
> connect but thats a safari issue Im sure.
>
>
>
> After running "kinit admin" I find the kerberos ticket expires about 24
> hours later so you have to renew?  What you can do if it simply wont
> work is get IPA to fall back to asking for a password, which is what I have
> had to set for Windows 7 firefox users.
>
>
>
> It might depend on which version of firefox, 3 and 10 do work..I think
> RH say firefox 10 is the long term supported version for them so I'd run
> that at least.
>
>
>
> regards
>
> Steven Jones
>
> Technical Specialist - Linux RHCE
>
> Victoria University, Wellington, NZ
>
> 0064 4 463 6272
>   --
> *From:* freeipa-users-boun...@redhat.com [freeipa-users-boun...@redhat.com]
> on behalf of Chandan Kumar [chandank.ku...@gmail.com]
> *Sent:* Tuesday, 15 May 2012 9:25 a.m.
> *To:* d...@redhat.com
> *Cc:* freeipa-users@redhat.com
> *Subject:* Re: [Freeipa-users] Help regarding Basic FreeIPA setup
>
>
> System: Centos 6.2
> IPA version : ipa-server-2.1.3-9.el6.x86_64
>
>
> Thanks
> Chandan
>
>
>
>
>
> On Mon, May 14, 2012 at 2:21 PM, Dmitri Pal  wrote:
>
>> **
>>  On 05/14/2012 05:09 PM, Chandan Kumar wrote:
>>
>> I am a newbie in IPA and was experimenting it on my couple of VMs before
>> considering it for production level.
>>
>> Installation went fine, however, I am getting the kerberos key expiration
>> error at firefox. I am running firefox on the same machine where I have
>> installed/configured ipa-server. On googling and some help in IRC I checked
>> documentation to trouble shoot it as this appear to be a known problem.
>>
>> Moreover, I did follow
>>
>> http://freeipa.org/page/InstallAndDeploy
>> http://freeipa.org/page/TroubleshootingGuide
>>
>> Fire fox logs
>>
>> 1977841888[7fc789f5b040]:   leaving nsAuthGSSAPI::GetNextToken
>> [rv=80004005]
>> -1977841888[7fc789f5b040]:   using REQ_DELEGATE
>> -1977841888[7fc789f5b040]:   service = ipaserver.example.com
>> -1977841888[7fc789f5b040]:   using negotiate-gss
>> -1977841888[7fc789f5b040]: entering nsAuthGSSAPI::nsAuthGSSAPI()
>> -1977841888[7fc789f5b040]: entering nsAuthGSSAPI::Init()
>> -1977841888[7fc789f5b040]: nsHttpNegotiateAuth::GenerateCredentials()
>> [challenge=Negotiate]
>> -1977841888[7fc789f5b040]: entering nsAuthGSSAPI::GetNextToken()
>> -1977841888[7fc789f5b040]: gss_init_sec_context() failed: Unspecified GSS
>> failure.  Minor code may provide more information
>> SPNEGO cannot find mechanisms to negotiate
>> -1977841888[7fc789f5b040]:   leaving nsAuthGSSAPI::GetNextToken
>> [rv=80004005]
>>
>> [root@ds var]# klist
>> Ticket cache: FILE:/tmp/krb5cc_0
>> Default principal: ad...@example.com
>>
>> Valid starting ExpiresService principal
>> 05/14/12 13:50:32  05/15/12 13:50:30  krbtgt/example@example.com
>> 05/14/12 13:53:58  05/15/12 13:50:30  HTTP/
>> ipaserver.example@example.com
>> 05/14/12 13:54:13  05/15/12 13:50:30  ldap/
>> ipaserver.example@example.com
>> [root@ds var]#
>>
>> Output of ldapsearch -Y GSSAPI -b "dc=example,dc=com" uid=admin
>>
>> at http://fpaste.org/9hXX/
>>
>> I am not sure what I am missing though. Appreciate any help.
>>
>> Thanks
>> Chandan
>>
>>
>>
>>
>>  Are you running FF on windows?
>> Which version of IPA are you using?
>>
>>
>>
>> ___
>> Freeipa-users mailing 
>> listFreeipa-users@redhat.comhttps://www.redhat.com/mailman/listinfo/freeipa-users
>>
>>
>>
>> --
>> Thank you,
>> Dmitri Pal
>>
>> Sr. Engineering Manager IPA project,
>> Red Hat Inc.
>>
>>
>> ---
>> Looking to carve out IT costs?www.redhat.com/carveoutcosts/
>>
>>
>> ___
>> Freeipa-users mailing list
>> Freeipa-users@redhat.com
>> https://www.redhat.com/mailman/listinfo/freeipa-users
>>
>
>

-- 
Sent from my iPad
___
Freeipa-users mailing list
Freeipa-users@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-users

Re: [Freeipa-users] Help regarding Basic FreeIPA setup

2012-05-15 Thread Simo Sorce

On Mon, 2012-05-14 at 19:11 -0400, Dmitri Pal wrote:
> On 05/14/2012 05:25 PM, Chandan Kumar wrote:
> >
> > System: Centos 6.2
> > IPA version : ipa-server-2.1.3-9.el6.x86_64
> >
> >
> > Thanks
> > Chandan
> >
> >
> 
> I am not sure but seems like something is not properly configured with
> the browser.
> I do not remember seeing SPNEGO in the GSSAPI negotiation in this flow
> on a working configuration.
> But I will defer to experts.
> 
Firefox always uses SPNEGO.
HEre what fails is the init_sec_context, I assume the user does not have
a kerberos ticket, so spengo fails to find valid credentials for any of
the supported mechs and punts.

Simo.

-- 
Simo Sorce * Red Hat, Inc * New York

___
Freeipa-users mailing list
Freeipa-users@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-users

Re: [Freeipa-users] Help regarding Basic FreeIPA setup

2012-05-14 Thread Steven Jones

Hi,



I have run it on Macosx and RHEL6.2, firefox and chrome, safari wont connect 
but thats a safari issue Im sure.



After running "kinit admin" I find the kerberos ticket expires about 24 hours 
later so you have to renew?  What you can do if it simply wont work is get IPA 
to fall back to asking for a password, which is what I have had to set for 
Windows 7 firefox users.



It might depend on which version of firefox, 3 and 10 do work..I think RH 
say firefox 10 is the long term supported version for them so I'd run that at 
least.



regards

Steven Jones

Technical Specialist - Linux RHCE

Victoria University, Wellington, NZ

0064 4 463 6272


From: freeipa-users-boun...@redhat.com [freeipa-users-boun...@redhat.com] on 
behalf of Chandan Kumar [chandank.ku...@gmail.com]
Sent: Tuesday, 15 May 2012 9:25 a.m.
To: d...@redhat.com
Cc: freeipa-users@redhat.com
Subject: Re: [Freeipa-users] Help regarding Basic FreeIPA setup


System: Centos 6.2
IPA version : ipa-server-2.1.3-9.el6.x86_64


Thanks
Chandan





On Mon, May 14, 2012 at 2:21 PM, Dmitri Pal 
mailto:d...@redhat.com>> wrote:
On 05/14/2012 05:09 PM, Chandan Kumar wrote:
I am a newbie in IPA and was experimenting it on my couple of VMs before 
considering it for production level.

Installation went fine, however, I am getting the kerberos key expiration error 
at firefox. I am running firefox on the same machine where I have 
installed/configured ipa-server. On googling and some help in IRC I checked 
documentation to trouble shoot it as this appear to be a known problem.

Moreover, I did follow

http://freeipa.org/page/InstallAndDeploy
http://freeipa.org/page/TroubleshootingGuide

Fire fox logs

1977841888[7fc789f5b040]:   leaving nsAuthGSSAPI::GetNextToken [rv=80004005]
-1977841888[7fc789f5b040]:   using REQ_DELEGATE
-1977841888[7fc789f5b040]:   service = 
ipaserver.example.com<http://ipaserver.example.com>
-1977841888[7fc789f5b040]:   using negotiate-gss
-1977841888[7fc789f5b040]: entering nsAuthGSSAPI::nsAuthGSSAPI()
-1977841888[7fc789f5b040]: entering nsAuthGSSAPI::Init()
-1977841888[7fc789f5b040]: nsHttpNegotiateAuth::GenerateCredentials() 
[challenge=Negotiate]
-1977841888[7fc789f5b040]: entering nsAuthGSSAPI::GetNextToken()
-1977841888[7fc789f5b040]: gss_init_sec_context() failed: Unspecified GSS 
failure.  Minor code may provide more information
SPNEGO cannot find mechanisms to negotiate
-1977841888[7fc789f5b040]:   leaving nsAuthGSSAPI::GetNextToken [rv=80004005]

[root@ds var]# klist
Ticket cache: FILE:/tmp/krb5cc_0
Default principal: ad...@example.com<mailto:ad...@example.com>

Valid starting ExpiresService principal
05/14/12 13:50:32  05/15/12 13:50:30  
krbtgt/example@example.com<mailto:example@example.com>
05/14/12 13:53:58  05/15/12 13:50:30  
HTTP/ipaserver.example@example.com<mailto:ipaserver.example@example.com>
05/14/12 13:54:13  05/15/12 13:50:30  
ldap/ipaserver.example@example.com<mailto:ipaserver.example@example.com>
[root@ds var]#

Output of ldapsearch -Y GSSAPI -b "dc=example,dc=com" uid=admin

at http://fpaste.org/9hXX/

I am not sure what I am missing though. Appreciate any help.

Thanks
Chandan




Are you running FF on windows?
Which version of IPA are you using?




___
Freeipa-users mailing list
Freeipa-users@redhat.com<mailto:Freeipa-users@redhat.com>
https://www.redhat.com/mailman/listinfo/freeipa-users



--
Thank you,
Dmitri Pal

Sr. Engineering Manager IPA project,
Red Hat Inc.


---
Looking to carve out IT costs?
www.redhat.com/carveoutcosts/<http://www.redhat.com/carveoutcosts/>




___
Freeipa-users mailing list
Freeipa-users@redhat.com<mailto:Freeipa-users@redhat.com>
https://www.redhat.com/mailman/listinfo/freeipa-users

___
Freeipa-users mailing list
Freeipa-users@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-users

Re: [Freeipa-users] Help regarding Basic FreeIPA setup

2012-05-14 Thread Dmitri Pal

On 05/14/2012 05:25 PM, Chandan Kumar wrote:
>
> System: Centos 6.2
> IPA version : ipa-server-2.1.3-9.el6.x86_64
>
>
> Thanks
> Chandan
>
>

I am not sure but seems like something is not properly configured with
the browser.
I do not remember seeing SPNEGO in the GSSAPI negotiation in this flow
on a working configuration.
But I will defer to experts.

>
>
>
> On Mon, May 14, 2012 at 2:21 PM, Dmitri Pal  > wrote:
>
> On 05/14/2012 05:09 PM, Chandan Kumar wrote:
>> I am a newbie in IPA and was experimenting it on my couple of VMs
>> before considering it for production level.
>>
>> Installation went fine, however, I am getting the kerberos key
>> expiration error at firefox. I am running firefox on the same
>> machine where I have installed/configured ipa-server. On googling
>> and some help in IRC I checked documentation to trouble shoot it
>> as this appear to be a known problem.
>>
>> Moreover, I did follow
>>
>> http://freeipa.org/page/InstallAndDeploy
>> http://freeipa.org/page/TroubleshootingGuide
>>
>> Fire fox logs
>>
>> 1977841888[7fc789f5b040]:   leaving nsAuthGSSAPI::GetNextToken
>> [rv=80004005]
>> -1977841888[7fc789f5b040]:   using REQ_DELEGATE
>> -1977841888[7fc789f5b040]:   service = ipaserver.example.com
>> 
>> -1977841888[7fc789f5b040]:   using negotiate-gss
>> -1977841888[7fc789f5b040]: entering nsAuthGSSAPI::nsAuthGSSAPI()
>> -1977841888[7fc789f5b040]: entering nsAuthGSSAPI::Init()
>> -1977841888[7fc789f5b040]:
>> nsHttpNegotiateAuth::GenerateCredentials() [challenge=Negotiate]
>> -1977841888[7fc789f5b040]: entering nsAuthGSSAPI::GetNextToken()
>> -1977841888[7fc789f5b040]: gss_init_sec_context() failed:
>> Unspecified GSS failure.  Minor code may provide more information
>> SPNEGO cannot find mechanisms to negotiate
>> -1977841888[7fc789f5b040]:   leaving nsAuthGSSAPI::GetNextToken
>> [rv=80004005]
>>
>> [root@ds var]# klist
>> Ticket cache: FILE:/tmp/krb5cc_0
>> Default principal: ad...@example.com 
>>
>> Valid starting ExpiresService principal
>> 05/14/12 13:50:32  05/15/12 13:50:30 
>> krbtgt/example@example.com 
>> 05/14/12 13:53:58  05/15/12 13:50:30 
>> HTTP/ipaserver.example@example.com
>> 
>> 05/14/12 13:54:13  05/15/12 13:50:30 
>> ldap/ipaserver.example@example.com
>> 
>> [root@ds var]#
>>
>> Output of ldapsearch -Y GSSAPI -b "dc=example,dc=com" uid=admin
>>
>> at http://fpaste.org/9hXX/
>>
>> I am not sure what I am missing though. Appreciate any help.
>>
>> Thanks
>> Chandan
>>
>>
>>
>
> Are you running FF on windows?
> Which version of IPA are you using?
>
>
>>
>> ___
>> Freeipa-users mailing list
>> Freeipa-users@redhat.com 
>> https://www.redhat.com/mailman/listinfo/freeipa-users
>
>
> -- 
> Thank you,
> Dmitri Pal
>
> Sr. Engineering Manager IPA project,
> Red Hat Inc.
>
>
> ---
> Looking to carve out IT costs?
> www.redhat.com/carveoutcosts/ 
>
>
>
> ___
> Freeipa-users mailing list
> Freeipa-users@redhat.com 
> https://www.redhat.com/mailman/listinfo/freeipa-users
>
>


-- 
Thank you,
Dmitri Pal

Sr. Engineering Manager IPA project,
Red Hat Inc.


---
Looking to carve out IT costs?
www.redhat.com/carveoutcosts/



___
Freeipa-users mailing list
Freeipa-users@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-users

Re: [Freeipa-users] Help regarding Basic FreeIPA setup

2012-05-14 Thread Chandan Kumar

System: Centos 6.2
IPA version : ipa-server-2.1.3-9.el6.x86_64


Thanks
Chandan





On Mon, May 14, 2012 at 2:21 PM, Dmitri Pal  wrote:

> **
> On 05/14/2012 05:09 PM, Chandan Kumar wrote:
>
> I am a newbie in IPA and was experimenting it on my couple of VMs before
> considering it for production level.
>
> Installation went fine, however, I am getting the kerberos key expiration
> error at firefox. I am running firefox on the same machine where I have
> installed/configured ipa-server. On googling and some help in IRC I checked
> documentation to trouble shoot it as this appear to be a known problem.
>
> Moreover, I did follow
>
> http://freeipa.org/page/InstallAndDeploy
> http://freeipa.org/page/TroubleshootingGuide
>
> Fire fox logs
>
> 1977841888[7fc789f5b040]:   leaving nsAuthGSSAPI::GetNextToken
> [rv=80004005]
> -1977841888[7fc789f5b040]:   using REQ_DELEGATE
> -1977841888[7fc789f5b040]:   service = ipaserver.example.com
> -1977841888[7fc789f5b040]:   using negotiate-gss
> -1977841888[7fc789f5b040]: entering nsAuthGSSAPI::nsAuthGSSAPI()
> -1977841888[7fc789f5b040]: entering nsAuthGSSAPI::Init()
> -1977841888[7fc789f5b040]: nsHttpNegotiateAuth::GenerateCredentials()
> [challenge=Negotiate]
> -1977841888[7fc789f5b040]: entering nsAuthGSSAPI::GetNextToken()
> -1977841888[7fc789f5b040]: gss_init_sec_context() failed: Unspecified GSS
> failure.  Minor code may provide more information
> SPNEGO cannot find mechanisms to negotiate
> -1977841888[7fc789f5b040]:   leaving nsAuthGSSAPI::GetNextToken
> [rv=80004005]
>
> [root@ds var]# klist
> Ticket cache: FILE:/tmp/krb5cc_0
> Default principal: ad...@example.com
>
> Valid starting ExpiresService principal
> 05/14/12 13:50:32  05/15/12 13:50:30  krbtgt/example@example.com
> 05/14/12 13:53:58  05/15/12 13:50:30  HTTP/
> ipaserver.example@example.com
> 05/14/12 13:54:13  05/15/12 13:50:30  ldap/
> ipaserver.example@example.com
> [root@ds var]#
>
> Output of ldapsearch -Y GSSAPI -b "dc=example,dc=com" uid=admin
>
> at http://fpaste.org/9hXX/
>
> I am not sure what I am missing though. Appreciate any help.
>
> Thanks
> Chandan
>
>
>
>
> Are you running FF on windows?
> Which version of IPA are you using?
>
>
>
> ___
> Freeipa-users mailing 
> listFreeipa-users@redhat.comhttps://www.redhat.com/mailman/listinfo/freeipa-users
>
>
>
> --
> Thank you,
> Dmitri Pal
>
> Sr. Engineering Manager IPA project,
> Red Hat Inc.
>
>
> ---
> Looking to carve out IT costs?www.redhat.com/carveoutcosts/
>
>
> ___
> Freeipa-users mailing list
> Freeipa-users@redhat.com
> https://www.redhat.com/mailman/listinfo/freeipa-users
>
___
Freeipa-users mailing list
Freeipa-users@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-users

Re: [Freeipa-users] Help regarding Basic FreeIPA setup

2012-05-14 Thread Dmitri Pal

On 05/14/2012 05:09 PM, Chandan Kumar wrote:
> I am a newbie in IPA and was experimenting it on my couple of VMs
> before considering it for production level.
>
> Installation went fine, however, I am getting the kerberos key
> expiration error at firefox. I am running firefox on the same machine
> where I have installed/configured ipa-server. On googling and some
> help in IRC I checked documentation to trouble shoot it as this appear
> to be a known problem.
>
> Moreover, I did follow
>
> http://freeipa.org/page/InstallAndDeploy
> http://freeipa.org/page/TroubleshootingGuide
>
> Fire fox logs
>
> 1977841888[7fc789f5b040]:   leaving nsAuthGSSAPI::GetNextToken
> [rv=80004005]
> -1977841888[7fc789f5b040]:   using REQ_DELEGATE
> -1977841888[7fc789f5b040]:   service = ipaserver.example.com
> 
> -1977841888[7fc789f5b040]:   using negotiate-gss
> -1977841888[7fc789f5b040]: entering nsAuthGSSAPI::nsAuthGSSAPI()
> -1977841888[7fc789f5b040]: entering nsAuthGSSAPI::Init()
> -1977841888[7fc789f5b040]: nsHttpNegotiateAuth::GenerateCredentials()
> [challenge=Negotiate]
> -1977841888[7fc789f5b040]: entering nsAuthGSSAPI::GetNextToken()
> -1977841888[7fc789f5b040]: gss_init_sec_context() failed: Unspecified
> GSS failure.  Minor code may provide more information
> SPNEGO cannot find mechanisms to negotiate
> -1977841888[7fc789f5b040]:   leaving nsAuthGSSAPI::GetNextToken
> [rv=80004005]
>
> [root@ds var]# klist
> Ticket cache: FILE:/tmp/krb5cc_0
> Default principal: ad...@example.com 
>
> Valid starting ExpiresService principal
> 05/14/12 13:50:32  05/15/12 13:50:30  krbtgt/example@example.com
> 
> 05/14/12 13:53:58  05/15/12 13:50:30 
> HTTP/ipaserver.example@example.com
> 
> 05/14/12 13:54:13  05/15/12 13:50:30 
> ldap/ipaserver.example@example.com
> 
> [root@ds var]#
>
> Output of ldapsearch -Y GSSAPI -b "dc=example,dc=com" uid=admin
>
> at http://fpaste.org/9hXX/
>
> I am not sure what I am missing though. Appreciate any help.
>
> Thanks
> Chandan
>
>
>

Are you running FF on windows?
Which version of IPA are you using?


>
> ___
> Freeipa-users mailing list
> Freeipa-users@redhat.com
> https://www.redhat.com/mailman/listinfo/freeipa-users


-- 
Thank you,
Dmitri Pal

Sr. Engineering Manager IPA project,
Red Hat Inc.


---
Looking to carve out IT costs?
www.redhat.com/carveoutcosts/



___
Freeipa-users mailing list
Freeipa-users@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-users

Re: [Freeipa-users] Help regarding Basic FreeIPA setup

Re: [Freeipa-users] Help regarding Basic FreeIPA setup

[Freeipa-users] Help regarding Basic FreeIPA setup

Re: [Freeipa-users] Help regarding Basic FreeIPA setup

Re: [Freeipa-users] Help regarding Basic FreeIPA setup

Re: [Freeipa-users] Help regarding Basic FreeIPA setup

Re: [Freeipa-users] Help regarding Basic FreeIPA setup

Re: [Freeipa-users] Help regarding Basic FreeIPA setup

8 matches

Site Navigation

Mail list logo

Footer information