Re: [Freeipa-users] login with kerberos on a webserver, just like with the ipa interface.
Sorry I couldn't reply earlier, somehow I don't receive my own messages. I had set chrome to --auth-server-whitelist=ipa-server.domain.com, and not --auth-server-whitelist=*domain.com On Thu, Dec 20, 2012 at 5:33 PM, Simo Sorce wrote: > On Thu, 2012-12-20 at 16:38 +0100, Han Boetes wrote: > > Hi, > > > > > > I followed http://freeipa.org/page/Apache_SNI_With_Kerberos to enable > > login in to a webserver with kerberos tickets. I followed everything > > to the letter and all looks well. > > > > > > I can log in with a username and password, but when I set the > > httpd.conf entry to > > > > > > KrbMethodK5Passwd off > > > > > > > > I can't log in. What works great with the ipa admin interface does not > > work with this recipe. > > > > I even compared it to /etc/httpd/conf.d/ipa.conf and added the > > KrbAuthRealms setting but to no avail. > > > > > > > > Adding KrbConstrainedDelegation on does not work alas. Although I am > > using centos 6.3 > > > > > > I checked the http logfiles and the /var/log/krb5kdc.log, everything > > else on that host works fine. I can log in without a password and sudo > > -s works like it should. > > > > > > Please help me debugging this issue. What am I missing? > > Are you using the same fully qualified name you have a keytab for ? > Do you see a ticket for the target server in the user ccache on the > client ? > > Simo. > > -- > Simo Sorce * Red Hat, Inc * New York > > -- # Han ___ Freeipa-users mailing list Freeipa-users@redhat.com https://www.redhat.com/mailman/listinfo/freeipa-users
Re: [Freeipa-users] login with kerberos on a webserver, just like with the ipa interface.
On Thu, 2012-12-20 at 16:38 +0100, Han Boetes wrote: > Hi, > > > I followed http://freeipa.org/page/Apache_SNI_With_Kerberos to enable > login in to a webserver with kerberos tickets. I followed everything > to the letter and all looks well. > > > I can log in with a username and password, but when I set the > httpd.conf entry to > > > KrbMethodK5Passwd off > > > > I can't log in. What works great with the ipa admin interface does not > work with this recipe. > > I even compared it to /etc/httpd/conf.d/ipa.conf and added the > KrbAuthRealms setting but to no avail. > > > > Adding KrbConstrainedDelegation on does not work alas. Although I am > using centos 6.3 > > > I checked the http logfiles and the /var/log/krb5kdc.log, everything > else on that host works fine. I can log in without a password and sudo > -s works like it should. > > > Please help me debugging this issue. What am I missing? Are you using the same fully qualified name you have a keytab for ? Do you see a ticket for the target server in the user ccache on the client ? Simo. -- Simo Sorce * Red Hat, Inc * New York ___ Freeipa-users mailing list Freeipa-users@redhat.com https://www.redhat.com/mailman/listinfo/freeipa-users
[Freeipa-users] login with kerberos on a webserver, just like with the ipa interface.
Hi, I followed http://freeipa.org/page/Apache_SNI_With_Kerberos to enable login in to a webserver with kerberos tickets. I followed everything to the letter and all looks well. I can log in with a username and password, but when I set the httpd.conf entry to KrbMethodK5Passwd off I can't log in. What works great with the ipa admin interface does not work with this recipe. I even compared it to /etc/httpd/conf.d/ipa.conf and added the KrbAuthRealms setting but to no avail. Adding KrbConstrainedDelegation on does not work alas. Although I am using centos 6.3 I checked the http logfiles and the /var/log/krb5kdc.log, everything else on that host works fine. I can log in without a password and sudo -s works like it should. Please help me debugging this issue. What am I missing? # Han ___ Freeipa-users mailing list Freeipa-users@redhat.com https://www.redhat.com/mailman/listinfo/freeipa-users