So I followed the directions to add it to my dev freeipa servers, restarted the httpd. But when I go to log in at https://myserver/idp as admin or myself, I get 401 Unauthorized no matter what.

This is what I need to install the server:

sudo ipsilon-server-install --openid --saml2 yes --ipa yes --info-nss yes

I see this in /var/log/messages:

May 17 14:34:04 freeipa01-dev [sssd[ldap_child[9215]]]: Failed to initialize credentials using keytab [MEMORY:/etc/krb5.keytab]: Preauthentication failed. Unable to create GSSAPI-encrypted LDAP connection.
May 17 14:34:04 freeipa01-dev [sssd[ldap_child[9217]]]: Failed to initialize credentials using keytab [MEMORY:/etc/krb5.keytab]: Preauthentication failed. Unable to create GSSAPI-encrypted LDAP connection.
May 17 14:35:11 freeipa01-dev [sssd[ldap_child[9219]]]: Failed to initialize credentials using keytab [MEMORY:/etc/krb5.keytab]: Preauthentication failed. Unable to create GSSAPI-encrypted LDAP connection.
May 17 14:35:11 freeipa01-dev [sssd[ldap_child[9221]]]: Failed to initialize credentials using keytab [MEMORY:/etc/krb5.keytab]: Preauthentication failed. Unable to create GSSAPI-encrypted LDAP connection.
May 17 14:36:26 freeipa01-dev [sssd[ldap_child[9223]]]: Failed to initialize credentials using keytab [MEMORY:/etc/krb5.keytab]: Preauthentication failed. Unable to create GSSAPI-encrypted LDAP connection.
May 17 14:36:26 freeipa01-dev [sssd[ldap_child[9224]]]: Failed to initialize credentials using keytab [MEMORY:/etc/krb5.keytab]: Preauthentication failed. Unable to create GSSAPI-encrypted LDAP connection.
May 17 14:37:32 freeipa01-dev [sssd[ldap_child[9228]]]: Failed to initialize credentials using keytab [MEMORY:/etc/krb5.keytab]: Preauthentication failed. Unable to create GSSAPI-encrypted LDAP connection.
May 17 14:37:32 freeipa01-dev [sssd[ldap_child[9230]]]: Failed to initialize credentials using keytab [MEMORY:/etc/krb5.keytab]: Preauthentication failed. Unable to create GSSAPI-encrypted LDAP connection.
May 17 14:38:36 freeipa01-dev [sssd[ldap_child[9238]]]: Failed to initialize credentials using keytab [MEMORY:/etc/krb5.keytab]: Preauthentication failed. Unable to create GSSAPI-encrypted LDAP connection.
May 17 14:38:36 freeipa01-dev [sssd[ldap_child[9240]]]: Failed to initialize credentials using keytab [MEMORY:/etc/krb5.keytab]: Preauthentication failed. Unable to create GSSAPI-encrypted LDAP connection.
May 17 14:39:37 freeipa01-dev [sssd[ldap_child[9243]]]: Failed to initialize credentials using keytab [MEMORY:/etc/krb5.keytab]: Preauthentication failed. Unable to create GSSAPI-encrypted LDAP connection.
May 17 14:39:37 freeipa01-dev [sssd[ldap_child[9245]]]: Failed to initialize credentials using keytab [MEMORY:/etc/krb5.keytab]: Preauthentication failed. Unable to create GSSAPI-encrypted LDAP connection.

This is what is in /var/log/http/error_log:

[Thu May 17 13:55:56.263306 2018] [authnz_pam:warn] [pid 8829] [client 10.1.6.250:50562] PAM authentication failed for user andrew.meyer: Authentication failure, referer: https://freeipa01-dev.example.local/idp/login/gssapi/negotiate?ipsilon_transaction_id=fe82e294-370f-4dfa-805d-01082b021a96
[Thu May 17 13:55:59.673795 2018] [auth_gssapi:error] [pid 8829] [client 10.1.6.250:50562] NO AUTH DATA Client did not send any authentication headers, referer: https://freeipa01-dev.example.local/idp/login/form
[Thu May 17 13:56:05.735790 2018] [authnz_pam:warn] [pid 8829] [client 10.1.6.250:50562] PAM authentication failed for user admin: Error in service module, referer: https://freeipa01-dev.example.local/idp/login/gssapi/negotiate?ipsilon_transaction_id=cc8808fc-c9b0-4d9e-b3da-4b01ba7e823b
[Thu May 17 13:56:08.232387 2018] [auth_gssapi:error] [pid 8829] [client 10.1.6.250:50562] NO AUTH DATA Client did not send any authentication headers, referer: https://freeipa01-dev.example.local/idp/login/form
[Thu May 17 13:56:14.206573 2018] [auth_gssapi:error] [pid 8829] [client 10.1.6.250:50562] NO AUTH DATA Client did not send any authentication headers, referer: https://freeipa01-dev.example.local/idp/login/gssapi/negotiate?ipsilon_transaction_id=096ef2ce-e43e-488e-8421-533c90b4714a
[Thu May 17 14:39:17.674883 2018] [auth_gssapi:error] [pid 8830] [client 10.1.6.250:51742] NO AUTH DATA Client did not send any authentication headers, referer: https://freeipa01-dev.example.local/idp/
[Thu May 17 14:39:21.039126 2018] [auth_gssapi:error] [pid 8830] [client 10.1.6.250:51742] NO AUTH DATA Client did not send any authentication headers, referer: https://freeipa01-dev.example.local/idp/
[Thu May 17 14:39:32.032374 2018] [authnz_pam:warn] [pid 8830] [client 10.1.6.250:51742] PAM authentication failed for user admin: Error in service module, referer: https://freeipa01-dev.example.local/idp/login/gssapi/negotiate?ipsilon_transaction_id=94fe5ec3-1608-4977-840a-8b186f4eee28

On Thursday, May 17, 2018 2:25 PM, Alexander Bokovoy via FreeIPA-users <freeipa-users@lists.fedorahosted.org> wrote:

On Thu, 17 May 2018, Andrew Meyer via FreeIPA-users wrote:
>Has anyone installed this on their prod FreeIPA installation? I need
>to hook FreeIPA into some other auth systems that don't support LDAP.

I'm using FreeIPA with Ipsilon for quite a few years for my home setup.
I even added integration for Ipsilon to HackMD:
https://github.com/hackmdio/hackmd/pull/732

--
/ Alexander Bokovoy
Sr. Principal Software Engineer
Security / Identity Management Engineering
Red Hat Limited, Finland
_______________________________________________
FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org
To unsubscribe send an email to freeipa-users-le...@lists.fedorahosted.org
Fedora Code of Conduct: https://getfedora.org/code-of-conduct.html
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: https://lists.fedoraproject.org/archives/list/freeipa-users@lists.fedorahosted.org/message/Z6M4UWGBYZANLDZ5HPJCPWUHWVAI5T2Q/