Shan Kumaraswamy wrote: > Hi Pal, > Thank you very much for the clarificaiton, the secound question is I > want to access the url from my laptop using firefox, and also I > configured the browser as per the IPA installation browers > configuration and its download the ipa certificate, after when I try > the same url again its througing the kerberos auth failure. Please let > me know what is the issure. >
Have you authenticated from your laptop and do you have a ticket? Is it a Windows client? If yes you need to do kinit from the Windows laptop first to obtain a ticket. To do this you need kerberos client installed and configured. If the laptop is a part of the IPA domain then this is one scenario if not then a different. http://www.freeipa.org/page/Implementing_FreeIPA_in_a_mixed_Environment_(Windows/Linux)_-_Step_by_step http://freeipa.org/docs/1.2/Client_Setup_Guide/en-US/html/chap-Client_Configuration_Guide-Using_MicrosoftWindows_to_Manage_IPA.html#sect-Client_Configuration_Guide-Using_MicrosoftWindows_to_Manage_IPA-Configuring_Windows_XP_Pro_and_Windows_2000_Pro > > > > On Wed, Jul 14, 2010 at 4:19 PM, Dmitri Pal <[email protected] > <mailto:[email protected]>> wrote: > > Shan Kumaraswamy wrote: > > Dear All, > > > > > > > > Can anyone let me know how to disable IPA admin “auto-login” from > > FreeIPA server, basically I need to use this URL > > https://ipaserver.example.com/ipa/ui and should ask user name and > > password every time while opening the login page, > > > This is not a bug. It is a feature :-) > A bit of explanation about how things work. > When admin does authentication he gets a kerberos ticket. > This ticket is used to get access to the UI (automatically). It is a > feature of kerberos. > You would not be able to login if you do not have a ticket. > If you have a ticket, this means you already proved your identity > to the > server and there is no need to challenge you again. > What you are asking for is a form based authentication. It is not > implemented in IPA and not planned to be implemented in v2 because the > scheme above has same security attributes but is much more convenient. > So there is no way to disable the auto-login feature. > > > > > and also the administrator will login via “Firefox” any machine in > > the intranet (LAN) using the IPA admin login credentials. > > > > Can you explain this part please? Login into any machine? Sure if you > configured SSH to use kerberos you will be able to SSH into any > machine > unless you configures some access control rules that would prevent you > from doing so. > > > > > > -- > > Thanks & Regards > > Shan Kumaraswamy > > > > > ------------------------------------------------------------------------ > > > > _______________________________________________ > > Freeipa-users mailing list > > [email protected] <mailto:[email protected]> > > https://www.redhat.com/mailman/listinfo/freeipa-users > > > -- > Thank you, > Dmitri Pal > > Engineering Manager IPA project, > Red Hat Inc. > > > ------------------------------- > Looking to carve out IT costs? > www.redhat.com/carveoutcosts/ <http://www.redhat.com/carveoutcosts/> > > > > > -- > Thanks & Regards > Shan Kumaraswamy > -- Thank you, Dmitri Pal Engineering Manager IPA project, Red Hat Inc. ------------------------------- Looking to carve out IT costs? www.redhat.com/carveoutcosts/ _______________________________________________ Freeipa-users mailing list [email protected] https://www.redhat.com/mailman/listinfo/freeipa-users
