Prasun Gera via FreeIPA-users wrote: > That config gets overwritten on upgrades though. Can freeipa expose this > as a knob rather than users modifying config files directly ?
This is the proposal in the linked ticket. And it is not guaranteed to be rewritten on every upgrade, just any upgrade that touches the configuration template (so even more confusing). rob > > On Wed, Sep 22, 2021 at 10:03 PM Alexander Bokovoy via FreeIPA-users > <[email protected] > <mailto:[email protected]>> wrote: > > On ke, 22 syys 2021, Cutright, Jacob via FreeIPA-users wrote: > >Hello, > > > >I can also confirm this is a normal occurrence on Windows while using > >Chrome and Edge. Firefox, however, does not do this. It is a bit > confusing > >for new users of IPA as they will generally treat it as a login prompt, > >although it doesn't do anything for them. I have been curious about > this > >prompt, but haven't had a chance to look into it yet. > > This is a bug in Windows browsers based on Chrome engine. It is known > for years and Chrome developers refused to fix it. > > One thing you can do is to follow a recipe in > https://bugzilla.redhat.com/show_bug.cgi?id=1309041 > > ... > <Location "/ipa"> > AuthType GSSAPI > AuthName "Kerberos Login" > BrowserMatch Windows gssapi-no-negotiate > ... > > > Perhaps, we need to finally add this line to the default IPA > configuration as per https://pagure.io/freeipa/issue/5614 > > > > > > >On Wed, Sep 22, 2021, 3:51 PM Sam Morris via FreeIPA-users < > >[email protected] > <mailto:[email protected]>> wrote: > > > >> > Florence Renaud via FreeIPA-users wrote: > >> > IIRC some browsers, notably on Windows, when the initial GSSAPI > >> > handshake fails because there is no ticket, may either throw an > error > >> > because they are trying NTLM auth or don't understand the basic > fallback. > >> > > >> > What browser(s) are you seeing the issue on? > >> > >> I see this on Windows 10 Home with Chrome 93.0.4577.82 (and older > >> versions). > >> > >> I get two login prompts - the first is caused by a POST to > >> /ipa/session/json resulting in a 401. > >> > >> The second is caused by a GET for /ipa/session/login_kerberos?_=<some > >> timestamp>. > >> > >> Both responses have the WWW-Authenticate: Negotiate header. > >> > >> I happen to have MIT Kerberos for Windows installed--that may or > may not > >> be relevant. I've not (as far as I remember) configured Chrome to > try to > >> use SPNEGO to talk to my IPA servers so this may not be relevant. > >> > >> -- > >> Sam Morris <https://robots.org.uk/> > >> PGP: rsa4096/CAAA AA1A CA69 A83A 892B 1855 D20B 4202 5CDA 27B9 > >> _______________________________________________ > >> FreeIPA-users mailing list -- > [email protected] > <mailto:[email protected]> > >> To unsubscribe send an email to > [email protected] > <mailto:[email protected]> > >> Fedora Code of Conduct: > >> https://docs.fedoraproject.org/en-US/project/code-of-conduct/ > >> List Guidelines: > https://fedoraproject.org/wiki/Mailing_list_guidelines > >> List Archives: > >> > > https://lists.fedorahosted.org/archives/list/[email protected] > >> Do not reply to spam on the list, report it: > >> https://pagure.io/fedora-infrastructure > >> > > > > > -- > / Alexander Bokovoy > Sr. Principal Software Engineer > Security / Identity Management Engineering > Red Hat Limited, Finland > _______________________________________________ > FreeIPA-users mailing list -- [email protected] > <mailto:[email protected]> > To unsubscribe send an email to > [email protected] > <mailto:[email protected]> > Fedora Code of Conduct: > https://docs.fedoraproject.org/en-US/project/code-of-conduct/ > List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines > List Archives: > > https://lists.fedorahosted.org/archives/list/[email protected] > Do not reply to spam on the list, report it: > https://pagure.io/fedora-infrastructure > > > _______________________________________________ > FreeIPA-users mailing list -- [email protected] > To unsubscribe send an email to [email protected] > Fedora Code of Conduct: > https://docs.fedoraproject.org/en-US/project/code-of-conduct/ > List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines > List Archives: > https://lists.fedorahosted.org/archives/list/[email protected] > Do not reply to spam on the list, report it: > https://pagure.io/fedora-infrastructure > _______________________________________________ FreeIPA-users mailing list -- [email protected] To unsubscribe send an email to [email protected] Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/ List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines List Archives: https://lists.fedorahosted.org/archives/list/[email protected] Do not reply to spam on the list, report it: https://pagure.io/fedora-infrastructure
