On Mon, Mar 30, 2015 at 04:56:11AM +0200, Matt . wrote: > Hi, > > I just tot home and typing from my cell so i'm suite short in words > > Create keytab for ldap-01.domain > Kinit with that to ldap.domain > Curl against ldap.domain > Get a 301 which I manage from curl (goes well) > Get kerberos ticket error > > now I don't kinit anymore so re-use my existing ticket and curl against > ldap-01.domain and I'm accepted and can execute stuff. > > My ssl is OK, ticket also it seems.
Maybe the output of KRB5_TRACE=/dev/sdtout curl -v .... might help to see what is going on? bye, Sumit > > Thanks M. > Op 30 mrt. 2015 03:50 schreef "Dmitri Pal" <[email protected]>: > > > On 03/29/2015 04:47 AM, Matt . wrote: > > > >> Hi Guys, > >> > >> Now my Certification issues are solved for using a loadbalancer in > >> front of my ipa servers I get the following: > >> > >> Unable to verify your Kerberos credentials > >> > >> and in my logs: > >> > >> Additional pre-authentication required. > >> > >> This happens when I connect throught my loadbalancers, I see my server > >> coming ni with the right IP. > >> > >> When I access my ipa server directly, not using the loadbalancer IP > >> between it, my kerberos Ticket is valid. > >> > >> I get the feeling that when I use my loadbalancers and because of that > >> I get a 301 redirect it needs a preauth. I see some issues on > >> mailinglists but it doesn't fit my situation. > >> > >> Why wants it the preauth when I already have a valid ticket and my > >> redirect is followed by CURL and posted the right way ? > >> > > > > Can you describe the sequence? > > What do you do? > > > > From the client you try IPA CLI and this is where you see the problem even > > with the valid ticket or is the flow different? > > > > I hope someone has an idea. > >> > >> Thanks, > >> > >> Matt > >> > >> > > > > -- > > Thank you, > > Dmitri Pal > > > > Sr. Engineering Manager IdM portfolio > > Red Hat, Inc. > > > > -- > > Manage your subscription for the Freeipa-users mailing list: > > https://www.redhat.com/mailman/listinfo/freeipa-users > > Go to http://freeipa.org for more info on the project > > > -- > Manage your subscription for the Freeipa-users mailing list: > https://www.redhat.com/mailman/listinfo/freeipa-users > Go to http://freeipa.org for more info on the project -- Manage your subscription for the Freeipa-users mailing list: https://www.redhat.com/mailman/listinfo/freeipa-users Go to http://freeipa.org for more info on the project
