Re: [Freeipa-users] unable to add service principle from F17

2012-06-27 Thread Rob Crittenden

Dale Macartney wrote:
> On 25/06/12 22:37, Rob Crittenden wrote:
>> Dale Macartney wrote:
>>> On 25/06/12 19:53, Rob Crittenden wrote:
>>>> Dale Macartney wrote:
>>>>> Hi all
>>>>>
>>>>> I have a RHEL 6.2 ipa domain and I am running through one of my known
>>>>> working kickstarts for kerberised squid but instead of using RHEL I'm
>>>>> setting it up on Fedora 17.
>>>>>
>>>>> I get the following error on the fedora system which has
>>>>> freeipa-admintools installed
>>>>>
>>>>> [root@proxy02 ~]# klist
>>>>> Ticket cache: FILE:/tmp/krb5cc_0
>>>>> Default principal: ad...@example.com
>>>>>
>>>>> Valid starting Expires Service principal
>>>>> 06/25/12 20:34:33 06/26/12 20:34:31 krbtgt/example@example.com
>>>>> [root@proxy02 ~]# ipa service-add HTTP/$(hostname)
>>>>> ipa: ERROR: did not receive Kerberos credentials
>>>>> [root@proxy02 ~]# ipa service-add HTTP/proxy02.example.com
>>>>> ipa: ERROR: did not receive Kerberos credentials
>>>>> [root@proxy02 ~]#
>>>>>
>>>>> Nothing appears in the logs apart from
>>>>>
>>>>> ==> /var/log/messages<==
>>>>> Jun 25 20:35:34 proxy02 pcscd[25567]: 35998884
>>>>> winscard.c:241:SCardConnect() Reader E-Gate 0 0 Not Found
>>>>> Jun 25 20:35:34 proxy02 pcscd[25567]: 1428
>>>>> winscard.c:241:SCardConnect() Reader E-Gate 0 0 Not Found
>>>>> Jun 25 20:35:34 proxy02 pcscd[25567]: 1013
>>>>> winscard.c:241:SCardConnect() Reader E-Gate 0 0 Not Found
>>>>> Jun 25 20:35:34 proxy02 pcscd[25567]: 1230
>>>>> winscard.c:241:SCardConnect() Reader E-Gate 0 0 Not Found
>>>>>
>>>>> Any ideas?
>>>>>
>>>>> This doesn't block me from what I am trying to achieve as I can add the
>>>>> service principal from the IPA server. Just thought I might ask the
>>>>> question.
>>>>
>>>> What version of client and server?
>>>>
>>>> rob
>>>
>>> Server details
>>>
>>> [root@ds01 ~]# yum info ipa-server
>>> Loaded plugins: product-id, security, subscription-manager
>>> Updating certificate-based repositories.
>>> Installed Packages
>>> Name : ipa-server
>>> Arch : x86_64
>>> Version : 2.1.3
>>> Release : 9.el6
>>> Size : 3.2 M
>>> Repo : installed
>>> - From repo : Red Hat Enterprise Linux
>>> Summary : The IPA authentication server
>>> URL : http://www.freeipa.org/
>>> License : GPLv3+
>>> Description : IPA is an integrated solution to provide centrally managed
>>> Identity (machine,
>>> : user, virtual machines, groups, authentication
>>> credentials), Policy
>>> : (configuration settings, access control information) and
>>> Audit (events,
>>> : logs, analysis thereof). If you are installing an IPA
>>> server you need
>>> : to install this package (in other words, most people
>>> should NOT install
>>> : this package).
>>>
>>> Client details
>>>
>>> [root@proxy02 ~]# yum info freeipa-client
>>> Loaded plugins: langpacks, presto, refresh-packagekit
>>> Installed Packages
>>> Name : freeipa-client
>>> Arch : x86_64
>>> Version : 2.2.0
>>> Release : 1.fc17
>>> Size : 239 k
>>> Repo : installed
>>> - From repo : fedora
>>> Summary : IPA authentication for use on clients
>>> URL : http://www.freeipa.org/
>>> Licence : GPLv3+
>>> Description : IPA is an integrated solution to provide centrally managed
>>> Identity (machine,
>>> : user, virtual machines, groups, authentication
>>> credentials), Policy
>>> : (configuration settings, access control information) and
>>> Audit (events,
>>> : logs, analysis thereof). If your network uses IPA for
>>> authentication,
>>> : this package should be installed on every client machine.
>>>
>>> [root@proxy02 ~]# yum info freeipa-admintools
>>> Loaded plugins: langpacks, presto, refresh-packagekit
>>> Installed Packages
>>> Name : freeipa-admintools
>>> Arch : x86_64
>>> Version : 2.2.0
>>> Release : 1.fc17
>>> Size : 43 k
>>> Repo : installed
>>> - From repo : fedora
>>> Summary : IPA administrative tools
>>> URL : http://www.freeipa.org/
>>> Licence : GPLv3+
>>> Description : IPA is an integrated solution to provide centrally managed
>>> Identity (machine,
>>> : user, virtual machines, groups, authentication
>>> credentials), Policy
>>> : (configuration settings, access control information) and
>>> Audit (events,
>>> : logs, analysis thereof). This package provides
>>> command-line tools for
>>> : IPA administrators.
>>>
>>> [root@proxy02 ~]#
>>
>> Use the --delegate flag in the ipa tool. The 2.2 servers use S4U2Proxy
>> so sending the TGT is no longer required as it was pre 2.2.
>>
>> # ipa --delegate service-add HTTP/$(hostname)
>>
>> rob
>
> ah.. good to know. thanks for the info.
>
> it does get past the tgt aspect, now it's just a version conflict. may or
> may not be a work around for that.
>
> [root@proxy02 ~]# ipa --delegate service-add HTTP/proxy02.example.com
> ipa: ERROR: 2.34 client incompatible with 2.13 server at
> u'https://ds01.example.com/ipa/xml'

Oh, right, sorry I didn't mention this yesterday. You can generally talk 
with an older client with a newer server, but not the other way around. 
We don't have per-command versioning (yet), which would make this possible.


rob

___
Freeipa-users mailing list
Freeipa-users@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-users
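
Added example (not part of the original thread and not FreeIPA code): a small shell helper that classifies the two `ipa` errors quoted in the message above by the causes Rob gives, comparing the MAJOR.MINOR API versions part by part so that 2.4 sorts below 2.13. The function names and result strings are hypothetical.

```sh
#!/bin/sh
# Added example, not from the thread: classify the two `ipa` CLI errors
# quoted above, using the causes given in Rob's replies.
# Function names and result strings are hypothetical.

# api_le A B: true if API version A <= B. Versions are MAJOR.MINOR and each
# part is compared as an integer, so 2.4 sorts below 2.13.
api_le() {
    a_major=${1%%.*}; a_minor=${1#*.}
    b_major=${2%%.*}; b_minor=${2#*.}
    [ "$a_major" -lt "$b_major" ] && return 0
    [ "$a_major" -gt "$b_major" ] && return 1
    [ "$a_minor" -le "$b_minor" ]
}

# api_versions LINE: print "CLIENT SERVER" from a version-mismatch error line,
# or nothing if the line does not carry two MAJOR.MINOR versions.
api_versions() {
    printf '%s\n' "$1" | sed -n \
      's/.*ERROR: \([0-9][0-9]*\.[0-9][0-9]*\) client incompatible with \([0-9][0-9]*\.[0-9][0-9]*\) server.*/\1 \2/p'
}

# triage_ipa_error LINE: print one result string for an `ipa` error line.
triage_ipa_error() {
    case $1 in
    *"did not receive Kerberos credentials"*)
        # Cause given in the thread: the 2.2 client no longer sends the TGT
        # unless asked to with --delegate.
        echo "retry-with-delegate" ;;
    *"client incompatible with"*)
        set -- $(api_versions "$1")
        if [ $# -ne 2 ]; then echo "unparsed"
        elif api_le "$1" "$2"; then echo "client-not-newer"
        else echo "client-newer-than-server"
        fi ;;
    *)
        echo "unknown" ;;
    esac
}

# Constructed sample input: the error lines as they appear in this thread.
triage_ipa_error "ipa: ERROR: did not receive Kerberos credentials"
triage_ipa_error "ipa: ERROR: 2.34 client incompatible with 2.13 server at u'https://ds01.example.com/ipa/xml'"
```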


Re: [Freeipa-users] unable to add service principle from F17

2012-06-26 Thread Dale Macartney



On 25/06/12 22:37, Rob Crittenden wrote:
> Dale Macartney wrote:
>>
>> On 25/06/12 19:53, Rob Crittenden wrote:
>>> Dale Macartney wrote:
>>>>
>>>> Hi all
>>>>
>>>> I have a RHEL 6.2 ipa domain and I am running through one of my known
>>>> working kickstarts for kerberised squid but instead of using RHEL I'm
>>>> setting it up on Fedora 17.
>>>>
>>>> I get the following error on the fedora system which has
>>>> freeipa-admintools installed
>>>>
>>>> [root@proxy02 ~]# klist
>>>> Ticket cache: FILE:/tmp/krb5cc_0
>>>> Default principal: ad...@example.com
>>>>
>>>> Valid starting Expires Service principal
>>>> 06/25/12 20:34:33 06/26/12 20:34:31 krbtgt/example@example.com
>>>> [root@proxy02 ~]# ipa service-add HTTP/$(hostname)
>>>> ipa: ERROR: did not receive Kerberos credentials
>>>> [root@proxy02 ~]# ipa service-add HTTP/proxy02.example.com
>>>> ipa: ERROR: did not receive Kerberos credentials
>>>> [root@proxy02 ~]#
>>>>
>>>> Nothing appears in the logs apart from
>>>>
>>>> ==> /var/log/messages<==
>>>> Jun 25 20:35:34 proxy02 pcscd[25567]: 35998884
>>>> winscard.c:241:SCardConnect() Reader E-Gate 0 0 Not Found
>>>> Jun 25 20:35:34 proxy02 pcscd[25567]: 1428
>>>> winscard.c:241:SCardConnect() Reader E-Gate 0 0 Not Found
>>>> Jun 25 20:35:34 proxy02 pcscd[25567]: 1013
>>>> winscard.c:241:SCardConnect() Reader E-Gate 0 0 Not Found
>>>> Jun 25 20:35:34 proxy02 pcscd[25567]: 1230
>>>> winscard.c:241:SCardConnect() Reader E-Gate 0 0 Not Found
>>>>
>>>> Any ideas?
>>>>
>>>> This doesn't block me from what I am trying to achieve as I can add the
>>>> service principal from the IPA server. Just thought I might ask the
>>>> question.
>>>
>>> What version of client and server?
>>>
>>> rob
>>
>> Server details
>>
>> [root@ds01 ~]# yum info ipa-server
>> Loaded plugins: product-id, security, subscription-manager
>> Updating certificate-based repositories.
>> Installed Packages
>> Name : ipa-server
>> Arch : x86_64
>> Version : 2.1.3
>> Release : 9.el6
>> Size : 3.2 M
>> Repo : installed
>> - From repo : Red Hat Enterprise Linux
>> Summary : The IPA authentication server
>> URL : http://www.freeipa.org/
>> License : GPLv3+
>> Description : IPA is an integrated solution to provide centrally managed
>> Identity (machine,
>> : user, virtual machines, groups, authentication
>> credentials), Policy
>> : (configuration settings, access control information) and
>> Audit (events,
>> : logs, analysis thereof). If you are installing an IPA
>> server you need
>> : to install this package (in other words, most people
>> should NOT install
>> : this package).
>>
>>
>> Client details
>>
>> [root@proxy02 ~]# yum info freeipa-client
>> Loaded plugins: langpacks, presto, refresh-packagekit
>> Installed Packages
>> Name : freeipa-client
>> Arch : x86_64
>> Version : 2.2.0
>> Release : 1.fc17
>> Size : 239 k
>> Repo : installed
>> - From repo : fedora
>> Summary : IPA authentication for use on clients
>> URL : http://www.freeipa.org/
>> Licence : GPLv3+
>> Description : IPA is an integrated solution to provide centrally managed
>> Identity (machine,
>> : user, virtual machines, groups, authentication
>> credentials), Policy
>> : (configuration settings, access control information) and
>> Audit (events,
>> : logs, analysis thereof). If your network uses IPA for
>> authentication,
>> : this package should be installed on every client machine.
>>
>> [root@proxy02 ~]# yum info freeipa-admintools
>> Loaded plugins: langpacks, presto, refresh-packagekit
>> Installed Packages
>> Name : freeipa-admintools
>> Arch : x86_64
>> Version : 2.2.0
>> Release : 1.fc17
>> Size : 43 k
>> Repo : installed
>> - From repo : fedora
>> Summary : IPA administrative tools
>> URL : http://www.freeipa.org/
>> Licence : GPLv3+
>> Description : IPA is an integrated solution to provide centrally managed
>> Identity (machine,
>> : user, virtual machines, groups, authentication
>> credentials), Policy
>> : (configuration settings, access control information) and
>> Audit (events,
>> : logs, analysis thereof). This package provides
>> command-line tools for
>> : IPA administrators.
>>
>> [root@proxy02 ~]#
>
> Use the --delegate flag in the ipa tool. The 2.2 servers use S4U2Proxy
> so sending the TGT is no longer required as it was pre 2.2.
>
> # ipa --delegate service-add HTTP/$(hostname)
>
> rob
>
ah.. good to know. thanks for the info.

it does get past the tgt aspect, now it's just a version conflict. may or
may not be a work around for that.

[root@proxy02 ~]# ipa --delegate service-add HTTP/proxy02.example.com
ipa: ERROR: 2.34 client incompatible with 2.13 server at
u'https://ds01.example.com/ipa/xml'




Re: [Freeipa-users] unable to add service principle from F17

2012-06-25 Thread Rob Crittenden

Dale Macartney wrote:
> On 25/06/12 19:53, Rob Crittenden wrote:
>> Dale Macartney wrote:
>>> Hi all
>>>
>>> I have a RHEL 6.2 ipa domain and I am running through one of my known
>>> working kickstarts for kerberised squid but instead of using RHEL I'm
>>> setting it up on Fedora 17.
>>>
>>> I get the following error on the fedora system which has
>>> freeipa-admintools installed
>>>
>>> [root@proxy02 ~]# klist
>>> Ticket cache: FILE:/tmp/krb5cc_0
>>> Default principal: ad...@example.com
>>>
>>> Valid starting Expires Service principal
>>> 06/25/12 20:34:33 06/26/12 20:34:31 krbtgt/example@example.com
>>> [root@proxy02 ~]# ipa service-add HTTP/$(hostname)
>>> ipa: ERROR: did not receive Kerberos credentials
>>> [root@proxy02 ~]# ipa service-add HTTP/proxy02.example.com
>>> ipa: ERROR: did not receive Kerberos credentials
>>> [root@proxy02 ~]#
>>>
>>> Nothing appears in the logs apart from
>>>
>>> ==>  /var/log/messages<==
>>> Jun 25 20:35:34 proxy02 pcscd[25567]: 35998884
>>> winscard.c:241:SCardConnect() Reader E-Gate 0 0 Not Found
>>> Jun 25 20:35:34 proxy02 pcscd[25567]: 1428
>>> winscard.c:241:SCardConnect() Reader E-Gate 0 0 Not Found
>>> Jun 25 20:35:34 proxy02 pcscd[25567]: 1013
>>> winscard.c:241:SCardConnect() Reader E-Gate 0 0 Not Found
>>> Jun 25 20:35:34 proxy02 pcscd[25567]: 1230
>>> winscard.c:241:SCardConnect() Reader E-Gate 0 0 Not Found
>>>
>>> Any ideas?
>>>
>>> This doesn't block me from what I am trying to achieve as I can add the
>>> service principal from the IPA server. Just thought I might ask the
>>> question.
>>
>> What version of client and server?
>>
>> rob
>
> Server details
>
> [root@ds01 ~]# yum info ipa-server
> Loaded plugins: product-id, security, subscription-manager
> Updating certificate-based repositories.
> Installed Packages
> Name: ipa-server
> Arch: x86_64
> Version : 2.1.3
> Release : 9.el6
> Size: 3.2 M
> Repo: installed
> - From repo   : Red Hat Enterprise Linux
> Summary : The IPA authentication server
> URL : http://www.freeipa.org/
> License : GPLv3+
> Description : IPA is an integrated solution to provide centrally managed
> Identity (machine,
> : user, virtual machines, groups, authentication
> credentials), Policy
> : (configuration settings, access control information) and
> Audit (events,
> : logs, analysis thereof). If you are installing an IPA
> server you need
> : to install this package (in other words, most people
> should NOT install
> : this package).
>
> Client details
>
> [root@proxy02 ~]# yum info freeipa-client
> Loaded plugins: langpacks, presto, refresh-packagekit
> Installed Packages
> Name: freeipa-client
> Arch: x86_64
> Version : 2.2.0
> Release : 1.fc17
> Size: 239 k
> Repo: installed
> - From repo   : fedora
> Summary : IPA authentication for use on clients
> URL : http://www.freeipa.org/
> Licence : GPLv3+
> Description : IPA is an integrated solution to provide centrally managed
> Identity (machine,
> : user, virtual machines, groups, authentication
> credentials), Policy
> : (configuration settings, access control information) and
> Audit (events,
> : logs, analysis thereof). If your network uses IPA for
> authentication,
> : this package should be installed on every client machine.
>
> [root@proxy02 ~]# yum info freeipa-admintools
> Loaded plugins: langpacks, presto, refresh-packagekit
> Installed Packages
> Name: freeipa-admintools
> Arch: x86_64
> Version : 2.2.0
> Release : 1.fc17
> Size: 43 k
> Repo: installed
> - From repo   : fedora
> Summary : IPA administrative tools
> URL : http://www.freeipa.org/
> Licence : GPLv3+
> Description : IPA is an integrated solution to provide centrally managed
> Identity (machine,
> : user, virtual machines, groups, authentication
> credentials), Policy
> : (configuration settings, access control information) and
> Audit (events,
> : logs, analysis thereof). This package provides
> command-line tools for
> : IPA administrators.
>
> [root@proxy02 ~]#


Use the --delegate flag in the ipa tool. The 2.2 servers use S4U2Proxy 
so sending the TGT is no longer required as it was pre 2.2.


# ipa --delegate service-add HTTP/$(hostname)

rob



Re: [Freeipa-users] unable to add service principle from F17

2012-06-25 Thread Dale Macartney



On 25/06/12 19:53, Rob Crittenden wrote:
> Dale Macartney wrote:
>>
>> Hi all
>>
>> I have a RHEL 6.2 ipa domain and I am running through one of my known
>> working kickstarts for kerberised squid but instead of using RHEL I'm
>> setting it up on Fedora 17.
>>
>> I get the following error on the fedora system which has
>> freeipa-admintools installed
>>
>> [root@proxy02 ~]# klist
>> Ticket cache: FILE:/tmp/krb5cc_0
>> Default principal: ad...@example.com
>>
>> Valid starting Expires Service principal
>> 06/25/12 20:34:33 06/26/12 20:34:31 krbtgt/example@example.com
>> [root@proxy02 ~]# ipa service-add HTTP/$(hostname)
>> ipa: ERROR: did not receive Kerberos credentials
>> [root@proxy02 ~]# ipa service-add HTTP/proxy02.example.com
>> ipa: ERROR: did not receive Kerberos credentials
>> [root@proxy02 ~]#
>>
>>
>>
>> Nothing appears in the logs apart from
>>
>> ==> /var/log/messages<==
>> Jun 25 20:35:34 proxy02 pcscd[25567]: 35998884
>> winscard.c:241:SCardConnect() Reader E-Gate 0 0 Not Found
>> Jun 25 20:35:34 proxy02 pcscd[25567]: 1428
>> winscard.c:241:SCardConnect() Reader E-Gate 0 0 Not Found
>> Jun 25 20:35:34 proxy02 pcscd[25567]: 1013
>> winscard.c:241:SCardConnect() Reader E-Gate 0 0 Not Found
>> Jun 25 20:35:34 proxy02 pcscd[25567]: 1230
>> winscard.c:241:SCardConnect() Reader E-Gate 0 0 Not Found
>>
>>
>> Any ideas?
>>
>> This doesn't block me from what I am trying to achieve as I can add the
>> service principal from the IPA server. Just thought I might ask the
>> question.
>
> What version of client and server?
>
> rob

Server details

[root@ds01 ~]# yum info ipa-server
Loaded plugins: product-id, security, subscription-manager
Updating certificate-based repositories.
Installed Packages
Name: ipa-server
Arch: x86_64
Version : 2.1.3
Release : 9.el6
Size: 3.2 M
Repo: installed
- From repo   : Red Hat Enterprise Linux
Summary : The IPA authentication server
URL : http://www.freeipa.org/
License : GPLv3+
Description : IPA is an integrated solution to provide centrally managed
Identity (machine,
: user, virtual machines, groups, authentication
credentials), Policy
: (configuration settings, access control information) and
Audit (events,
: logs, analysis thereof). If you are installing an IPA
server you need
: to install this package (in other words, most people
should NOT install
: this package).


Client details

[root@proxy02 ~]# yum info freeipa-client
Loaded plugins: langpacks, presto, refresh-packagekit
Installed Packages
Name: freeipa-client
Arch: x86_64
Version : 2.2.0
Release : 1.fc17
Size: 239 k
Repo: installed
- From repo   : fedora
Summary : IPA authentication for use on clients
URL : http://www.freeipa.org/
Licence : GPLv3+
Description : IPA is an integrated solution to provide centrally managed
Identity (machine,
: user, virtual machines, groups, authentication
credentials), Policy
: (configuration settings, access control information) and
Audit (events,
: logs, analysis thereof). If your network uses IPA for
authentication,
: this package should be installed on every client machine.

[root@proxy02 ~]# yum info freeipa-admintools
Loaded plugins: langpacks, presto, refresh-packagekit
Installed Packages
Name: freeipa-admintools
Arch: x86_64
Version : 2.2.0
Release : 1.fc17
Size: 43 k
Repo: installed
- From repo   : fedora
Summary : IPA administrative tools
URL : http://www.freeipa.org/
Licence : GPLv3+
Description : IPA is an integrated solution to provide centrally managed
Identity (machine,
: user, virtual machines, groups, authentication
credentials), Policy
: (configuration settings, access control information) and
Audit (events,
: logs, analysis thereof). This package provides
command-line tools for
: IPA administrators.

[root@proxy02 ~]#

Re: [Freeipa-users] unable to add service principle from F17

2012-06-25 Thread Rob Crittenden

Dale Macartney wrote:
> Hi all
>
> I have a RHEL 6.2 ipa domain and I am running through one of my known
> working kickstarts for kerberised squid but instead of using RHEL I'm
> setting it up on Fedora 17.
>
> I get the following error on the fedora system which has
> freeipa-admintools installed
>
> [root@proxy02 ~]# klist
> Ticket cache: FILE:/tmp/krb5cc_0
> Default principal: ad...@example.com
>
> Valid starting     Expires            Service principal
> 06/25/12 20:34:33  06/26/12 20:34:31  krbtgt/example@example.com
> [root@proxy02 ~]# ipa service-add HTTP/$(hostname)
> ipa: ERROR: did not receive Kerberos credentials
> [root@proxy02 ~]# ipa service-add HTTP/proxy02.example.com
> ipa: ERROR: did not receive Kerberos credentials
> [root@proxy02 ~]#
>
> Nothing appears in the logs apart from
>
> ==>  /var/log/messages<==
> Jun 25 20:35:34 proxy02 pcscd[25567]: 35998884
> winscard.c:241:SCardConnect() Reader E-Gate 0 0 Not Found
> Jun 25 20:35:34 proxy02 pcscd[25567]: 1428
> winscard.c:241:SCardConnect() Reader E-Gate 0 0 Not Found
> Jun 25 20:35:34 proxy02 pcscd[25567]: 1013
> winscard.c:241:SCardConnect() Reader E-Gate 0 0 Not Found
> Jun 25 20:35:34 proxy02 pcscd[25567]: 1230
> winscard.c:241:SCardConnect() Reader E-Gate 0 0 Not Found
>
> Any ideas?
>
> This doesn't block me from what I am trying to achieve as I can add the
> service principal from the IPA server. Just thought I might ask the
> question.


What version of client and server?

rob
