On 25/06/12 22:37, Rob Crittenden wrote:
> Dale Macartney wrote:
>>
>> On 25/06/12 19:53, Rob Crittenden wrote:
>>> Dale Macartney wrote:
>>>>
>>>> Hi all
>>>>
>>>> I have a RHEL 6.2 ipa domain and I am running through one of my known
>>>> working kickstarts for kerberised squid but instead of using RHEL I'm
>>>> setting it up on Fedora 17.
>>>>
>>>> I get the following error on the Fedora system which has
>>>> freeipa-admintools installed
>>>>
>>>> [root@proxy02 ~]# klist
>>>> Ticket cache: FILE:/tmp/krb5cc_0
>>>> Default principal: ad...@example.com
>>>>
>>>> Valid starting     Expires            Service principal
>>>> 06/25/12 20:34:33  06/26/12 20:34:31  krbtgt/example....@example.com
>>>> [root@proxy02 ~]# ipa service-add HTTP/$(hostname)
>>>> ipa: ERROR: did not receive Kerberos credentials
>>>> [root@proxy02 ~]# ipa service-add HTTP/proxy02.example.com
>>>> ipa: ERROR: did not receive Kerberos credentials
>>>> [root@proxy02 ~]#
>>>>
>>>> Nothing appears in the logs apart from
>>>>
>>>> ==> /var/log/messages<==
>>>> Jun 25 20:35:34 proxy02 pcscd[25567]: 35998884 winscard.c:241:SCardConnect() Reader E-Gate 0 0 Not Found
>>>> Jun 25 20:35:34 proxy02 pcscd[25567]: 00001428 winscard.c:241:SCardConnect() Reader E-Gate 0 0 Not Found
>>>> Jun 25 20:35:34 proxy02 pcscd[25567]: 00001013 winscard.c:241:SCardConnect() Reader E-Gate 0 0 Not Found
>>>> Jun 25 20:35:34 proxy02 pcscd[25567]: 00001230 winscard.c:241:SCardConnect() Reader E-Gate 0 0 Not Found
>>>>
>>>> Any ideas?
>>>>
>>>> This doesn't block me from what I am trying to achieve as I can add the
>>>> service principal from the IPA server. Just thought I might ask the
>>>> question.
>>>
>>> What version of client and server?
>>>
>>> rob
>>
>> Server details
>>
>> [root@ds01 ~]# yum info ipa-server
>> Loaded plugins: product-id, security, subscription-manager
>> Updating certificate-based repositories.
>> Installed Packages
>> Name        : ipa-server
>> Arch        : x86_64
>> Version     : 2.1.3
>> Release     : 9.el6
>> Size        : 3.2 M
>> Repo        : installed
>> From repo   : Red Hat Enterprise Linux
>> Summary     : The IPA authentication server
>> URL         : http://www.freeipa.org/
>> License     : GPLv3+
>> Description : IPA is an integrated solution to provide centrally managed Identity (machine,
>>             : user, virtual machines, groups, authentication credentials), Policy
>>             : (configuration settings, access control information) and Audit (events,
>>             : logs, analysis thereof). If you are installing an IPA server you need
>>             : to install this package (in other words, most people should NOT install
>>             : this package).
>>
>>
>> Client details
>>
>> [root@proxy02 ~]# yum info freeipa-client
>> Loaded plugins: langpacks, presto, refresh-packagekit
>> Installed Packages
>> Name        : freeipa-client
>> Arch        : x86_64
>> Version     : 2.2.0
>> Release     : 1.fc17
>> Size        : 239 k
>> Repo        : installed
>> From repo   : fedora
>> Summary     : IPA authentication for use on clients
>> URL         : http://www.freeipa.org/
>> Licence     : GPLv3+
>> Description : IPA is an integrated solution to provide centrally managed Identity (machine,
>>             : user, virtual machines, groups, authentication credentials), Policy
>>             : (configuration settings, access control information) and Audit (events,
>>             : logs, analysis thereof). If your network uses IPA for authentication,
>>             : this package should be installed on every client machine.
>>
>> [root@proxy02 ~]# yum info freeipa-admintools
>> Loaded plugins: langpacks, presto, refresh-packagekit
>> Installed Packages
>> Name        : freeipa-admintools
>> Arch        : x86_64
>> Version     : 2.2.0
>> Release     : 1.fc17
>> Size        : 43 k
>> Repo        : installed
>> From repo   : fedora
>> Summary     : IPA administrative tools
>> URL         : http://www.freeipa.org/
>> Licence     : GPLv3+
>> Description : IPA is an integrated solution to provide centrally managed Identity (machine,
>>             : user, virtual machines, groups, authentication credentials), Policy
>>             : (configuration settings, access control information) and Audit (events,
>>             : logs, analysis thereof). This package provides command-line tools for
>>             : IPA administrators.
>>
>> [root@proxy02 ~]#
>
> Use the --delegate flag in the ipa tool. The 2.2 servers use S4U2Proxy
> so sending the TGT is no longer required as it was pre 2.2.
>
> # ipa --delegate service-add HTTP/$(hostname)
>
> rob
>

Ah.. good to know. Thanks for the info. It does get past the TGT aspect, now it's just a version conflict. May or may not be a workaround for that.

[root@proxy02 ~]# ipa --delegate service-add HTTP/proxy02.example.com
ipa: ERROR: 2.34 client incompatible with 2.13 server at u'https://ds01.example.com/ipa/xml'
_______________________________________________
Freeipa-users mailing list
Freeipa-users@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-users
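
Added example, not part of the thread and not FreeIPA's own code: a small Python triage of the two `ipa` errors quoted above. The numbers in the second error are API versions, not the package versions yum reports; the compatibility rule in api_compatible() (same major, client minor no newer than the server's) is an assumption about how the check behaves, and the function names and hint strings are made up for this sketch.

```python
import re

# Error text exactly as it appears in the thread's terminal output.
NO_CREDS = "did not receive Kerberos credentials"
VERSION_RE = re.compile(
    r"(\d+)\.(\d+) client incompatible with (\d+)\.(\d+) server")


def api_compatible(client, server):
    """Assumed rule: majors equal and client minor <= server minor.

    Versions are (major, minor) integer tuples, so 2.9 sorts before 2.13;
    comparing them as decimals or strings would get that case wrong.
    """
    return client[0] == server[0] and client[1] <= server[1]


def triage(stderr_text):
    """Return (category, hint) for one line of `ipa` error output."""
    match = VERSION_RE.search(stderr_text)
    if match:
        c_major, c_minor, s_major, s_minor = map(int, match.groups())
        client, server = (c_major, c_minor), (s_major, s_minor)
        if api_compatible(client, server):
            return ("api-version",
                    "versions parse as compatible; re-read the message")
        return ("api-version",
                "client API %d.%d vs server API %d.%d: run the command on "
                "the server or from a client no newer than the server"
                % (client + server))
    if NO_CREDS in stderr_text:
        return ("no-delegated-tgt",
                "server did not get a TGT; pre-2.2 servers need "
                "`ipa --delegate`")
    return ("unknown", "not one of the two errors from the thread")


if __name__ == "__main__":
    # The two error lines from the thread, copied from the output above.
    for line in (
        "ipa: ERROR: did not receive Kerberos credentials",
        "ipa: ERROR: 2.34 client incompatible with 2.13 server at "
        "u'https://ds01.example.com/ipa/xml'",
    ):
        print(triage(line))
```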