Hi, I just tot home and typing from my cell so i'm suite short in words
Create keytab for ldap-01.domain Kinit with that to ldap.domain Curl against ldap.domain Get a 301 which I manage from curl (goes well) Get kerberos ticket error now I don't kinit anymore so re-use my existing ticket and curl against ldap-01.domain and I'm accepted and can execute stuff. My ssl is OK, ticket also it seems. Thanks M. Op 30 mrt. 2015 03:50 schreef "Dmitri Pal" <[email protected]>: > On 03/29/2015 04:47 AM, Matt . wrote: > >> Hi Guys, >> >> Now my Certification issues are solved for using a loadbalancer in >> front of my ipa servers I get the following: >> >> Unable to verify your Kerberos credentials >> >> and in my logs: >> >> Additional pre-authentication required. >> >> This happens when I connect throught my loadbalancers, I see my server >> coming ni with the right IP. >> >> When I access my ipa server directly, not using the loadbalancer IP >> between it, my kerberos Ticket is valid. >> >> I get the feeling that when I use my loadbalancers and because of that >> I get a 301 redirect it needs a preauth. I see some issues on >> mailinglists but it doesn't fit my situation. >> >> Why wants it the preauth when I already have a valid ticket and my >> redirect is followed by CURL and posted the right way ? >> > > Can you describe the sequence? > What do you do? > > From the client you try IPA CLI and this is where you see the problem even > with the valid ticket or is the flow different? > > I hope someone has an idea. >> >> Thanks, >> >> Matt >> >> > > -- > Thank you, > Dmitri Pal > > Sr. Engineering Manager IdM portfolio > Red Hat, Inc. > > -- > Manage your subscription for the Freeipa-users mailing list: > https://www.redhat.com/mailman/listinfo/freeipa-users > Go to http://freeipa.org for more info on the project >
-- Manage your subscription for the Freeipa-users mailing list: https://www.redhat.com/mailman/listinfo/freeipa-users Go to http://freeipa.org for more info on the project
