Re: [Freeipa-users] IPA, kerberos ticket issue for web admin.

2012-04-27 Thread Nathan Lager

On 04/23/2012 11:58 AM, Rob Crittenden wrote:
> Nathan Lager wrote:
>>
>> On 04/20/2012 02:26 PM, Rob Crittenden wrote:
>>> Have you configured the browser for Kerberos?
>>> http://docs.fedoraproject.org/en-US//Fedora/15/html/FreeIPA_Guide/using-the-ui.html
>>>
>>> That error seems to indicate that the domain isn't defined in
>>> network.negotiate-auth.trusted-uris
>>> 
>>> regards
>>> 
>>> rob
>> 
>> I've been through the clicky-clicky that ipa's web gui sends you
>> through (accepting the certs, and configuring the browser), a
>> number of times.  I just confirmed the trusted URIs and
>> delegation URIs. They are both correct, they look like:
>> .my.ipa.domain.com
>>
>> I even tried resetting delegation-uris, and trusted-uris to the
>> default, and then allowing the ipa web gui to re-configure them,
>> it hasn't helped.
>> 
>> Thanks for the response.  Sorry for the delay in mine.
> 
> Hmm, that is very strange. The code in question in Firefox looks
> like:
> 
>     bool allowed = TestPref(uri, kNegotiateAuthTrustedURIs);
>     if (!allowed) {
>         LOG(("nsHttpNegotiateAuth::ChallengeReceived URI blocked\n"));
>         return NS_ERROR_ABORT;
>     }
> 
> which seems to be the error you are seeing. It's a shame there
> isn't more logging around the uris.
> 
> I see that you had enabled debug logging on the Apache side. Can
> you provide some more context on the failed request?
> 
> thanks
> 
> rob

Again, sorry for the delay.  This is just one in my long list of
current projects.


Here's the requested log data. It's a tail -f of the access and error
logs.  Server name and client IP stripped.


==> error_log <==
[Fri Apr 27 11:47:04 2012] [info] Connection to child 0 established (server ipaserver.domain.com:443, client xxx.xxx.xxx.xxx)

==> access_log <==
xxx.xxx.xxx.xxx - - [27/Apr/2012:11:47:04 -0400] "POST /ca/ocsp HTTP/1.1" 200 2326 "-" "Mozilla/5.0 (X11; Linux x86_64; rv:10.0.1) Gecko/20100101 Firefox/10.0.1"

==> error_log <==
[Fri Apr 27 11:47:05 2012] [info] Initial (No.1) HTTPS request received for child 0 (server ipaserver.domain.com:443)
[Fri Apr 27 11:47:05 2012] [error] [client xxx.xxx.xxx.xxx] File does not exist: /usr/share/ipa/ui/develop.js, referer: https://ipaserver.domain.com/ipa/ui/

==> access_log <==
xxx.xxx.xxx.xxx - - [27/Apr/2012:11:47:05 -0400] "GET /ipa/ui/develop.js HTTP/1.1" 404 306

==> error_log <==
[Fri Apr 27 11:47:05 2012] [info] Connection to child 0 closed (server ipaserver.domain.com:443, client xxx.xxx.xxx.xxx)
[Fri Apr 27 11:47:05 2012] [info] Connection to child 6 established (server ipaserver.domain.com:443, client xxx.xxx.xxx.xxx)
[Fri Apr 27 11:47:05 2012] [info] Initial (No.1) HTTPS request received for child 6 (server ipaserver.domain.com:443)
[Fri Apr 27 11:47:05 2012] [debug] src/mod_auth_kerb.c(1578): [client xxx.xxx.xxx.xxx] kerb_authenticate_user entered with user (NULL) and auth_type Kerberos, referer: https://ipaserver.domain.com/ipa/ui/

==> access_log <==
xxx.xxx.xxx.xxx - - [27/Apr/2012:11:47:05 -0400] "POST /ipa/json HTTP/1.1" 401 1771

==> error_log <==
[Fri Apr 27 11:47:05 2012] [info] Connection to child 6 closed (server ipaserver.domain.com:443, client xxx.xxx.xxx.xxx)


-- 
-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
Nathan Lager, RHCSA, RHCE (#110-011-426)

___
Freeipa-users mailing list
Freeipa-users@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-users


Re: [Freeipa-users] IPA, kerberos ticket issue for web admin.

2012-04-23 Thread Rob Crittenden

Nathan Lager wrote:
> On 04/20/2012 02:26 PM, Rob Crittenden wrote:
>> Have you configured the browser for Kerberos?
>> http://docs.fedoraproject.org/en-US//Fedora/15/html/FreeIPA_Guide/using-the-ui.html
>>
>> That error seems to indicate that the domain isn't defined in
>> network.negotiate-auth.trusted-uris
>>
>> regards
>>
>> rob
>
> I've been through the clicky-clicky that ipa's web gui sends you
> through (accepting the certs, and configuring the browser), a number
> of times.  I just confirmed the trusted URIs and delegation URIs.
> They are both correct, they look like: .my.ipa.domain.com
>
> I even tried resetting delegation-uris, and trusted-uris to the
> default, and then allowing the ipa web gui to re-configure them, it
> hasn't helped.
>
> Thanks for the response.  Sorry for the delay in mine.


Hmm, that is very strange. The code in question in Firefox looks like:

bool allowed = TestPref(uri, kNegotiateAuthTrustedURIs);
if (!allowed) {
LOG(("nsHttpNegotiateAuth::ChallengeReceived URI blocked\n"));
return NS_ERROR_ABORT;
}

which seems to be the error you are seeing. It's a shame there isn't 
more logging around the uris.


I see that you had enabled debug logging on the Apache side. Can you 
provide some more context on the failed request?


thanks

rob

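Rob's point above is that the "URI blocked" log line comes from Firefox's own TestPref check of network.negotiate-auth.trusted-uris, which has no logging of its own. The following is an added Python re-implementation of that check, written from my reading of the Necko source (nsHttpNegotiateAuth::TestPref / MatchesBaseURI); it is not code from the thread or from Mozilla, and its edge behaviour should be confirmed against the Firefox version in use. It lets you test a pref value against the exact URL the UI posts to (here /ipa/json), including two details that bite in practice: a leading-dot entry covers subdomains but not the bare domain itself, and an entry with an explicit port only matches a URL whose port is also explicit. The URLs and pref values in the test are constructed.

```python
import re
from urllib.parse import urlsplit


def _matches_base(scheme, host, port, token):
    """Approximation of Firefox's MatchesBaseURI for one pref entry.

    `token` may be a host ("ipa.example.com"), a domain suffix
    (".example.com"), a URL prefix ("https://ipa.example.com") or a
    host:port ("ipa.example.com:8443").  `port` is -1 when the URL did
    not spell the port out, mirroring nsIURI::GetPort.
    """
    if "://" in token:
        tscheme, rest = token.split("://", 1)
        if tscheme.lower() != scheme.lower():   # scheme must match exactly
            return False
    else:
        rest = token
    if ":" in rest:                              # explicit port must match exactly
        thost, tport = rest.split(":", 1)        # (IPv6 literals not handled, as in Firefox)
        if not tport.isdigit() or int(tport) != port:
            return False
    else:
        thost = rest
    if thost == "":
        return True                               # "https://" alone covers every host
    host, thost = host.lower(), thost.lower()
    if len(host) < len(thost) or not host.endswith(thost):
        return False
    # Suffix match is only accepted at a label boundary, so "bar.com" does
    # not cover "foobar.com"; an exact match (cut == 0) is always accepted.
    cut = len(host) - len(thost)
    return cut == 0 or host[cut] == "." or host[cut - 1] == "."


def negotiate_allowed(url, trusted_uris):
    """True if Firefox would send a Negotiate token to `url` given the
    comma/space separated pref value `trusted_uris`."""
    parts = urlsplit(url)
    if parts.scheme not in ("http", "https"):     # only http(s) is eligible
        return False
    host = parts.hostname or ""
    port = parts.port if parts.port is not None else -1
    for token in re.split(r"[,\s]+", trusted_uris.strip()):
        if token and _matches_base(parts.scheme, host, port, token):
            return True
    return False


if __name__ == "__main__":
    # Constructed values in the shape of the thread's ".my.ipa.domain.com" entry.
    for url, pref in [
        ("https://ipaserver.my.ipa.domain.com/ipa/json", ".my.ipa.domain.com"),
        ("https://my.ipa.domain.com/ipa/json", ".my.ipa.domain.com"),
        ("https://ipaserver.domain.com/ipa/json", "ipaserver.domain.com:443"),
    ]:
        print(f"{url!r:50} {pref!r:30} -> {negotiate_allowed(url, pref)}")
```

Run against the hostname the browser actually uses (the one in the referer, not a CNAME or short name) since the match is purely textual on the host part of the URL.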


Re: [Freeipa-users] IPA, kerberos ticket issue for web admin.

2012-04-23 Thread Nathan Lager

On 04/20/2012 02:26 PM, Rob Crittenden wrote:
> Have you configured the browser for Kerberos?
> http://docs.fedoraproject.org/en-US//Fedora/15/html/FreeIPA_Guide/using-the-ui.html
>
> That error seems to indicate that the domain isn't defined in
> network.negotiate-auth.trusted-uris
> 
> regards
> 
> rob

I've been through the clicky-clicky that ipa's web gui sends you
through (accepting the certs, and configuring the browser), a number
of times.  I just confirmed the trusted URIs and delegation URIs.
They are both correct, they look like: .my.ipa.domain.com

I even tried resetting delegation-uris, and trusted-uris to the
default, and then allowing the ipa web gui to re-configure them, it
hasn't helped.

Thanks for the response.  Sorry for the delay in mine.
-- 
-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
Nathan Lager, RHCSA, RHCE (#110-011-426)



Re: [Freeipa-users] IPA, kerberos ticket issue for web admin.

2012-04-20 Thread Rob Crittenden

Nathan Lager wrote:
> No, no proxy in place. Because this gui will be used primarily by
> people like Me (high privileged admin users), and flat-out blocked to
> everyone else, a proxy seemed like overkill.


Have you configured the browser for Kerberos? 
http://docs.fedoraproject.org/en-US//Fedora/15/html/FreeIPA_Guide/using-the-ui.html


That error seems to indicate that the domain isn't defined in 
network.negotiate-auth.trusted-uris


regards

rob



Re: [Freeipa-users] IPA, kerberos ticket issue for web admin.

2012-04-20 Thread Nathan Lager

No, no proxy in place. Because this gui will be used primarily by
people like Me (high privileged admin users), and flat-out blocked to
everyone else, a proxy seemed like overkill.


On 04/20/2012 11:41 AM, Rob Crittenden wrote:
> 
> Are you going through a proxy? They often times mess up Negotiate 
> headers. I've never seen a URI blocked error in the browser.
> 
> The (NULL) user is expected. The first request comes in with no 
> authentication from the browser and this is the server asking "who
> are you?" The next request should include the authentication
> header.
> 
> rob

-- 
-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
Nathan Lager, RHCSA, RHCE (#110-011-426)



Re: [Freeipa-users] IPA, kerberos ticket issue for web admin.

2012-04-20 Thread Rob Crittenden

Nathan Lager wrote:
> I've got an ipa server set up on RHEL6.  I have a Fedora 16 client,
> which I joined to the IPA domain using the ipa-client-install utility.
>
> When I attempt to authenticate to my ipa server's web admin portal, I
> get a generic error:
> Your kerberos ticket is no longer valid.
> And it goes on to tell me to configure my browser if this is my first
> time accessing.  I've done so, and the error remains.  It also tells
> me to re-run kinit if I haven't done so already, which I've also done.
>
> Kinit returns no errors.  I've tried authing as my user (which is in
> the admin group) and as the admin user.  Both give me the same result.
>
> While googling for the error, I found some helpful information about
> enabling debug logging both on the ipa server, and my browser
> (firefox).  Doing so, I found the following errors:
>
> On the server:
> [Thu Apr 19 16:56:02 2012] [debug] src/mod_auth_kerb.c(1578): [client xx.xx.xx.xx] kerb_authenticate_user entered with user (NULL) and auth_type Kerberos, referer: https://(my.ipa.server)/ipa/ui/
>
> And from my browser:
> -1713670336[7fd299b24590]: nsHttpNegotiateAuth::ChallengeReceived URI blocked
>
> These have shed little to no light on the situation, other than that it
> sounds like something is getting blocked.
>
> I was able to join this same client to a different IPA domain (a
> non-production version of this same domain), which worked properly.  I
> used the ipa-client-install --uninstall command to clean up ipa before
> re-joining this system to the production ipa domain.  I also rebooted
> for good measure.
>
> One major difference between the two domains is that the IPA server
> for dev lives on a much more open network (our development network),
> and the production ipa domain lives on a production auth network,
> which is much more locked down.  I believe I have all of the proper
> ports open.
>
> nmap scans give me the following for tcp and udp.
>
> PORT    STATE SERVICE
> 22/tcp  open  ssh
> 80/tcp  open  http
> 88/tcp  open  kerberos-sec
> 389/tcp open  ldap
> 443/tcp open  https
> 464/tcp open  kpasswd5
> 636/tcp open  ldapssl
>
> 123/udp open  ntp
>
> Any direction here would be most useful.  Thanks!


Are you going through a proxy? They often times mess up Negotiate 
headers. I've never seen a URI blocked error in the browser.


The (NULL) user is expected. The first request comes in with no 
authentication from the browser and this is the server asking "who are 
you?" The next request should include the authentication header.


rob

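Rob's description of the Negotiate handshake (an unauthenticated first request, a 401 challenge logged by mod_auth_kerb with user (NULL), then a retry carrying the Authorization header) gives a simple server-side test: for every 401 on /ipa/json, does the same client send another request to /ipa/json, and what does it get? The script below is an added example, not code from the thread or from FreeIPA; it parses the interleaved `tail -f` output of the sort posted later in this thread and classifies each challenge. The sample text is constructed: the anonymised lines from the thread, unwrapped, plus an invented client 10.0.0.5 whose browser does answer the challenge. A challenge with no retry points at the browser (trusted-uris or no ticket); a retry that is itself rejected points at the server (keytab, service principal name, clock skew).

```python
import re
from collections import defaultdict

# The part of an Apache access_log line every request shares (common and
# combined formats both start this way).
ACCESS_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) (?P<size>\S+)'
)

# Constructed sample in the shape of the thread's `tail -f` output.
SAMPLE = """\
==> error_log <==
[Fri Apr 27 11:47:05 2012] [debug] src/mod_auth_kerb.c(1578): [client xxx.xxx.xxx.xxx] kerb_authenticate_user entered with user (NULL) and auth_type Kerberos, referer: https://ipaserver.domain.com/ipa/ui/

==> access_log <==
xxx.xxx.xxx.xxx - - [27/Apr/2012:11:47:05 -0400] "POST /ipa/json HTTP/1.1" 401 1771
10.0.0.5 - - [27/Apr/2012:11:48:00 -0400] "POST /ipa/json HTTP/1.1" 401 1771
10.0.0.5 - - [27/Apr/2012:11:48:00 -0400] "POST /ipa/json HTTP/1.1" 200 4012
"""


def parse_tail(text):
    """Yield (file name, line) from `tail -f` output on several files, which
    labels each chunk with a '==> name <==' header line."""
    current = None
    for line in text.splitlines():
        m = re.match(r"^==> (.+) <==$", line)
        if m:
            current = m.group(1)
        elif line.strip():
            yield current, line


def negotiate_handshakes(text, path="/ipa/json"):
    """Pair each 401 on `path` with the same client's next request to `path`.

    Returns {client_ip: [(401, retry_status_or_None), ...]}; None means the
    client never came back after being challenged.
    """
    pairs = defaultdict(list)
    pending = set()                      # clients that owe a retry
    for fname, line in parse_tail(text):
        m = ACCESS_RE.match(line)
        if fname != "access_log" or not m or m.group("path") != path:
            continue
        ip, status = m.group("ip"), int(m.group("status"))
        if ip in pending:                # this is the answer to a challenge
            pairs[ip].append((401, status))
            pending.discard(ip)
        elif status == 401:              # fresh challenge, wait for the retry
            pending.add(ip)
    for ip in pending:                   # challenge that was never answered
        pairs[ip].append((401, None))
    return dict(pairs)


def diagnose(handshake):
    """Classify one (401, retry) pair."""
    _, retry = handshake
    if retry is None:
        return "no-retry"    # browser never sent Authorization: Negotiate
    if retry == 401:
        return "rejected"    # token was sent but the server did not accept it
    if 200 <= retry < 300:
        return "ok"
    return "other"


def report(text, path="/ipa/json"):
    """{client_ip: [label, ...]} for every challenge seen on `path`."""
    return {ip: [diagnose(h) for h in hs]
            for ip, hs in negotiate_handshakes(text, path).items()}


if __name__ == "__main__":
    for ip, labels in report(SAMPLE).items():
        print(f"{ip:18} {' '.join(labels)}")
```

Feed it the real `tail -f` capture (or just the access_log) and look at the label for the client that cannot log in; in the thread's own capture the only /ipa/json request is the 401, which is the "no-retry" case and agrees with the browser-side "URI blocked" message.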


[Freeipa-users] IPA, kerberos ticket issue for web admin.

2012-04-20 Thread Nathan Lager

I've got an ipa server set up on RHEL6.  I have a Fedora 16 client,
which I joined to the IPA domain using the ipa-client-install utility.

When I attempt to authenticate to my ipa server's web admin portal, I
get a generic error:
Your kerberos ticket is no longer valid.
And it goes on to tell me to configure my browser if this is my first
time accessing.  I've done so, and the error remains.  It also tells
me to re-run kinit if I haven't done so already, which I've also done.

Kinit returns no errors.  I've tried authing as my user (which is in
the admin group) and as the admin user.  Both give me the same result.

While googling for the error, I found some helpful information about
enabling debug logging both on the ipa server, and my browser
(firefox).  Doing so, I found the following errors:

On the server:
[Thu Apr 19 16:56:02 2012] [debug] src/mod_auth_kerb.c(1578): [client xx.xx.xx.xx] kerb_authenticate_user entered with user (NULL) and auth_type Kerberos, referer: https://(my.ipa.server)/ipa/ui/

And from my browser:
-1713670336[7fd299b24590]: nsHttpNegotiateAuth::ChallengeReceived URI blocked

These have shed little to no light on the situation, other than that it
sounds like something is getting blocked.


I was able to join this same client to a different IPA domain (a
non-production version of this same domain), which worked properly.  I
used the ipa-client-install --uninstall command to clean up ipa before
re-joining this system to the production ipa domain.  I also rebooted
for good measure.

One major difference between the two domains is that the IPA server
for dev lives on a much more open network (our development network),
and the production ipa domain lives on a production auth network,
which is much more locked down.  I believe I have all of the proper
ports open.

nmap scans give me the following for tcp and udp.

PORT    STATE SERVICE
22/tcp  open  ssh
80/tcp  open  http
88/tcp  open  kerberos-sec
389/tcp open  ldap
443/tcp open  https
464/tcp open  kpasswd5
636/tcp open  ldapssl

123/udp open  ntp


Any direction here would be most useful.  Thanks!


-- 
-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
Nathan Lager, RHCSA, RHCE (#110-011-426)
