On 05/14/2012 05:25 PM, Chandan Kumar wrote: > > System: Centos 6.2 > IPA version : ipa-server-2.1.3-9.el6.x86_64 > > > Thanks > Chandan > >
I am not sure but seems like something is not properly configured with the browser. I do not remember seeing SPNEGO in the GSSAPI negotiation in this flow on a working configuration. But I will defer to experts. > > > > On Mon, May 14, 2012 at 2:21 PM, Dmitri Pal <[email protected] > <mailto:[email protected]>> wrote: > > On 05/14/2012 05:09 PM, Chandan Kumar wrote: >> I am a newbie in IPA and was experimenting it on my couple of VMs >> before considering it for production level. >> >> Installation went fine, however, I am getting the kerberos key >> expiration error at firefox. I am running firefox on the same >> machine where I have installed/configured ipa-server. On googling >> and some help in IRC I checked documentation to trouble shoot it >> as this appear to be a known problem. >> >> Moreover, I did follow >> >> http://freeipa.org/page/InstallAndDeploy >> http://freeipa.org/page/TroubleshootingGuide >> >> Fire fox logs >> >> 1977841888[7fc789f5b040]: leaving nsAuthGSSAPI::GetNextToken >> [rv=80004005] >> -1977841888[7fc789f5b040]: using REQ_DELEGATE >> -1977841888[7fc789f5b040]: service = ipaserver.example.com >> <http://ipaserver.example.com> >> -1977841888[7fc789f5b040]: using negotiate-gss >> -1977841888[7fc789f5b040]: entering nsAuthGSSAPI::nsAuthGSSAPI() >> -1977841888[7fc789f5b040]: entering nsAuthGSSAPI::Init() >> -1977841888[7fc789f5b040]: >> nsHttpNegotiateAuth::GenerateCredentials() [challenge=Negotiate] >> -1977841888[7fc789f5b040]: entering nsAuthGSSAPI::GetNextToken() >> -1977841888[7fc789f5b040]: gss_init_sec_context() failed: >> Unspecified GSS failure. Minor code may provide more information >> SPNEGO cannot find mechanisms to negotiate >> -1977841888[7fc789f5b040]: leaving nsAuthGSSAPI::GetNextToken >> [rv=80004005] >> >> [root@ds var]# klist >> Ticket cache: FILE:/tmp/krb5cc_0 >> Default principal: [email protected] <mailto:[email protected]> >> >> Valid starting Expires Service principal >> 05/14/12 13:50:32 05/15/12 13:50:30 >> krbtgt/[email protected] <mailto:[email protected]> >> 05/14/12 13:53:58 05/15/12 13:50:30 >> HTTP/[email protected] >> <mailto:[email protected]> >> 05/14/12 13:54:13 05/15/12 13:50:30 >> ldap/[email protected] >> <mailto:[email protected]> >> [root@ds var]# >> >> Output of ldapsearch -Y GSSAPI -b "dc=example,dc=com" uid=admin >> >> at http://fpaste.org/9hXX/ >> >> I am not sure what I am missing though. Appreciate any help. >> >> Thanks >> Chandan >> >> >> > > Are you running FF on windows? > Which version of IPA are you using? > > >> >> _______________________________________________ >> Freeipa-users mailing list >> [email protected] <mailto:[email protected]> >> https://www.redhat.com/mailman/listinfo/freeipa-users > > > -- > Thank you, > Dmitri Pal > > Sr. Engineering Manager IPA project, > Red Hat Inc. > > > ------------------------------- > Looking to carve out IT costs? > www.redhat.com/carveoutcosts/ <http://www.redhat.com/carveoutcosts/> > > > > _______________________________________________ > Freeipa-users mailing list > [email protected] <mailto:[email protected]> > https://www.redhat.com/mailman/listinfo/freeipa-users > > -- Thank you, Dmitri Pal Sr. Engineering Manager IPA project, Red Hat Inc. ------------------------------- Looking to carve out IT costs? www.redhat.com/carveoutcosts/
_______________________________________________ Freeipa-users mailing list [email protected] https://www.redhat.com/mailman/listinfo/freeipa-users
