[Freeipa-users] Re: User login

2021-09-28 Thread Rob Crittenden via FreeIPA-users
Prasun Gera via FreeIPA-users wrote:
> That config gets overwritten on upgrades though. Can freeipa expose this
> as a knob rather than users modifying config files directly?

This is the proposal in the linked ticket.

And it is not guaranteed to be rewritten on every upgrade, just any
upgrade that touches the configuration template (so even more confusing).

rob

> 
> On Wed, Sep 22, 2021 at 10:03 PM Alexander Bokovoy via FreeIPA-users
> wrote:
> 
> On ke, 22 syys 2021, Cutright, Jacob via FreeIPA-users wrote:
> >Hello,
> >
> >I can also confirm this is a normal occurrence on Windows while using
> >Chrome and Edge. Firefox, however, does not do this. It is a bit confusing
> >for new users of IPA as they will generally treat it as a login prompt,
> >although it doesn't do anything for them. I have been curious about this
> >prompt, but haven't had a chance to look into it yet.
> 
> This is a bug in Windows browsers based on the Chrome engine. It has been
> known for years and Chrome developers refused to fix it.
> 
> One thing you can do is to follow a recipe in
> https://bugzilla.redhat.com/show_bug.cgi?id=1309041
> 
> ...
> 
>    AuthType GSSAPI
>    AuthName "Kerberos Login"
>    BrowserMatch Windows gssapi-no-negotiate
> ...
> 
> 
> Perhaps, we need to finally add this line to the default IPA
> configuration as per https://pagure.io/freeipa/issue/5614
> 
> >
> >
> >On Wed, Sep 22, 2021, 3:51 PM Sam Morris via FreeIPA-users <
> >freeipa-users@lists.fedorahosted.org> wrote:
> >
> >> > Florence Renaud via FreeIPA-users wrote:
> >> > IIRC some browsers, notably on Windows, when the initial GSSAPI
> >> > handshake fails because there is no ticket, may either throw an error
> >> > because they are trying NTLM auth or don't understand the basic
> >> > fallback.
> >> >
> >> > What browser(s) are you seeing the issue on?
> >>
> >> I see this on Windows 10 Home with Chrome 93.0.4577.82 (and older
> >> versions).
> >>
> >> I get two login prompts - the first is caused by a POST to
> >> /ipa/session/json resulting in a 401.
> >>
> >> The second is caused by a GET for /ipa/session/login_kerberos?_=<timestamp>.
> >>
> >> Both responses have the WWW-Authenticate: Negotiate header.
> >>
> >> I happen to have MIT Kerberos for Windows installed--that may or may not
> >> be relevant. I've not (as far as I remember) configured Chrome to try to
> >> use SPNEGO to talk to my IPA servers so this may not be relevant.
> >>
> >> --
> >> Sam Morris 
> >> PGP: rsa4096/CAAA AA1A CA69 A83A 892B  1855 D20B 4202 5CDA 27B9
> 
> -- 
> / Alexander Bokovoy
> Sr. Principal Software Engineer
> Security / Identity Management Engineering
> Red Hat Limited, Finland

[Freeipa-users] Re: User login

2021-09-28 Thread Prasun Gera via FreeIPA-users
That config gets overwritten on upgrades though. Can freeipa expose this as
a knob rather than users modifying config files directly?

On Wed, Sep 22, 2021 at 10:03 PM Alexander Bokovoy via FreeIPA-users <
freeipa-users@lists.fedorahosted.org> wrote:

> On ke, 22 syys 2021, Cutright, Jacob via FreeIPA-users wrote:
> >Hello,
> >
> >I can also confirm this is a normal occurrence on Windows while using
> >Chrome and Edge. Firefox, however, does not do this. It is a bit confusing
> >for new users of IPA as they will generally treat it as a login prompt,
> >although it doesn't do anything for them. I have been curious about this
> >prompt, but haven't had a chance to look into it yet.
>
> This is a bug in Windows browsers based on the Chrome engine. It has been
> known for years and Chrome developers refused to fix it.
>
> One thing you can do is to follow a recipe in
> https://bugzilla.redhat.com/show_bug.cgi?id=1309041
>
> ...
> 
>    AuthType GSSAPI
>    AuthName "Kerberos Login"
>    BrowserMatch Windows gssapi-no-negotiate
> ...
>
>
> Perhaps, we need to finally add this line to the default IPA
> configuration as per https://pagure.io/freeipa/issue/5614
>
> >
> >
> >On Wed, Sep 22, 2021, 3:51 PM Sam Morris via FreeIPA-users <
> >freeipa-users@lists.fedorahosted.org> wrote:
> >
> >> > Florence Renaud via FreeIPA-users wrote:
> >> > IIRC some browsers, notably on Windows, when the initial GSSAPI
> >> > handshake fails because there is no ticket, may either throw an error
> >> > because they are trying NTLM auth or don't understand the basic
> >> > fallback.
> >> >
> >> > What browser(s) are you seeing the issue on?
> >>
> >> I see this on Windows 10 Home with Chrome 93.0.4577.82 (and older
> >> versions).
> >>
> >> I get two login prompts - the first is caused by a POST to
> >> /ipa/session/json resulting in a 401.
> >>
> >> The second is caused by a GET for /ipa/session/login_kerberos?_=<timestamp>.
> >>
> >> Both responses have the WWW-Authenticate: Negotiate header.
> >>
> >> I happen to have MIT Kerberos for Windows installed--that may or may not
> >> be relevant. I've not (as far as I remember) configured Chrome to try to
> >> use SPNEGO to talk to my IPA servers so this may not be relevant.
> >>
> >> --
> >> Sam Morris 
> >> PGP: rsa4096/CAAA AA1A CA69 A83A 892B  1855 D20B 4202 5CDA 27B9
>
> --
> / Alexander Bokovoy
> Sr. Principal Software Engineer
> Security / Identity Management Engineering
> Red Hat Limited, Finland
>
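
The thread notes that an upgrade which touches the configuration template can drop the `BrowserMatch` line again, so a drift check run after upgrades is useful. The script below is an added example, not part of the original messages and not FreeIPA code; the function names are hypothetical and the Apache config file path is supplied by the caller.

```shell
#!/bin/sh
# Added example: detect loss of the BrowserMatch workaround quoted in this thread.

# Prints one of: ok | missing | no-gssapi
#   ok         "AuthType GSSAPI" is active and so is the workaround line
#   missing    "AuthType GSSAPI" is active, workaround absent or commented out
#   no-gssapi  the file configures no GSSAPI authentication
gssapi_workaround_status() {
    [ -r "$1" ] || return 2
    awk '
        /^[ \t]*#/ { next }        # ignore commented-out directives
        {
            gsub(/"/, "")           # tolerate quoted arguments
            name = tolower($1)      # directive names are case-insensitive
        }
        name == "authtype" && tolower($2) == "gssapi" { gssapi = 1 }
        name == "browsermatch" && $2 == "Windows" {
            for (i = 3; i <= NF; i++)
                if ($i == "gssapi-no-negotiate") fix = 1
        }
        END {
            if (!gssapi)  print "no-gssapi"
            else if (fix) print "ok"
            else          print "missing"
        }
    ' "$1"
}

# Returns non-zero when the workaround has been lost (for a post-upgrade hook).
check_gssapi_workaround() {
    status=$(gssapi_workaround_status "$1") || return 2
    case $status in
        ok|no-gssapi) return 0 ;;
    esac
    echo "$1: AuthType GSSAPI without BrowserMatch Windows gssapi-no-negotiate" >&2
    return 1
}

# Constructed sample: the recipe from the thread with the workaround line gone,
# as it would look after the template was rewritten.
demo() {
    f=$(mktemp)
    printf '%s\n' '   AuthType GSSAPI' '   AuthName "Kerberos Login"' > "$f"
    gssapi_workaround_status "$f"
    rm -f "$f"
}
```

Call `check_gssapi_workaround` with the path of the Apache configuration file that carries the IPA GSSAPI settings on your server.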