Hi, I tried to trace some stuff but this doesn't give me much more info.
What I see at the moment in the /var/log/httpd/access_log is exactly what happens but without the info I need to get a better view:

10.10.0.121 - - [30/Mar/2015:22:22:58 +0200] "POST /ipa/json HTTP/1.1" 301 258
10.10.0.121 - - [30/Mar/2015:22:22:58 +0200] "POST /ipa/json HTTP/1.1" 301 259 "https://ldap.domain.local/ipa/json" "-"
10.10.0.121 - - [30/Mar/2015:22:22:58 +0200] "POST /ipa/json HTTP/1.1" 401 1469
10.10.0.121 - - [30/Mar/2015:22:22:59 +0200] "POST /ipa/json HTTP/1.1" 401 1469

2015-03-30 15:03 GMT+02:00 Sumit Bose <[email protected]>:
> On Mon, Mar 30, 2015 at 04:56:11AM +0200, Matt . wrote:
>> Hi,
>>
>> I just got home and typing from my cell so I'm quite short in words
>>
>> Create keytab for ldap-01.domain
>> Kinit with that to ldap.domain
>> Curl against ldap.domain
>> Get a 301 which I manage from curl (goes well)
>> Get kerberos ticket error
>>
>> now I don't kinit anymore so re-use my existing ticket and curl against
>> ldap-01.domain and I'm accepted and can execute stuff.
>>
>> My ssl is OK, ticket also it seems.
>
> Maybe the output of
>
> KRB5_TRACE=/dev/stdout curl -v ....
>
> might help to see what is going on?
>
> bye,
> Sumit
>
>>
>> Thanks M.
>> On 30 Mar 2015 03:50, "Dmitri Pal" <[email protected]> wrote:
>>
>> > On 03/29/2015 04:47 AM, Matt . wrote:
>> >
>> >> Hi Guys,
>> >>
>> >> Now my Certification issues are solved for using a loadbalancer in
>> >> front of my ipa servers I get the following:
>> >>
>> >> Unable to verify your Kerberos credentials
>> >>
>> >> and in my logs:
>> >>
>> >> Additional pre-authentication required.
>> >>
>> >> This happens when I connect through my loadbalancers, I see my server
>> >> coming in with the right IP.
>> >>
>> >> When I access my ipa server directly, not using the loadbalancer IP
>> >> between it, my kerberos Ticket is valid.
>> >>
>> >> I get the feeling that when I use my loadbalancers and because of that
>> >> I get a 301 redirect it needs a preauth. I see some issues on
>> >> mailinglists but it doesn't fit my situation.
>> >>
>> >> Why does it want the preauth when I already have a valid ticket and my
>> >> redirect is followed by CURL and posted the right way?
>> >>
>> >
>> > Can you describe the sequence?
>> > What do you do?
>> >
>> > From the client you try IPA CLI and this is where you see the problem even
>> > with the valid ticket or is the flow different?
>> >
>> > I hope someone has an idea.
>> >>
>> >> Thanks,
>> >>
>> >> Matt
>> >>
>> >>
>> >
>> > --
>> > Thank you,
>> > Dmitri Pal
>> >
>> > Sr. Engineering Manager IdM portfolio
>> > Red Hat, Inc.
>> >
>> > --
>> > Manage your subscription for the Freeipa-users mailing list:
>> > https://www.redhat.com/mailman/listinfo/freeipa-users
>> > Go to http://freeipa.org for more info on the project
>> >
