That config gets overwritten on upgrades though. Can freeipa expose
this
as a knob rather than users modifying config files directly ?
This is the proposal in the linked ticket.
And it is not guaranteed to be rewritten on every upgrade, just any
upgrade that touches the configuration template (so even more confusing).
rob
On Wed, Sep 22, 2021 at 10:03 PM Alexander Bokovoy via FreeIPA-users
<freeipa-users(a)lists.fedorahosted.org
<mailto:freeipa-users@lists.fedorahosted.org>> wrote:
On ke, 22 syys 2021, Cutright, Jacob via FreeIPA-users wrote:
>Hello,
>
>I can also confirm this is a normal occurrence on Windows while using
>Chrome and Edge. Firefox, however, does not do this. It is a bit
confusing
>for new users of IPA as they will generally treat it as a login prompt,
>although it doesn't do anything for them. I have been curious about
this
>prompt, but haven't had a chance to look into it yet.
This is a bug in Windows browsers based on Chrome engine. It is known
for years and Chrome developers refused to fix it.
One thing you can do is to follow a recipe in
https://bugzilla.redhat.com/show_bug.cgi?id=1309041
...
<Location "/ipa">
AuthType GSSAPI
AuthName "Kerberos Login"
BrowserMatch Windows gssapi-no-negotiate
...
Perhaps, we need to finally add this line to the default IPA
configuration as per
https://pagure.io/freeipa/issue/5614
>
>
>On Wed, Sep 22, 2021, 3:51 PM Sam Morris via FreeIPA-users <
>freeipa-users(a)lists.fedorahosted.org
<mailto:freeipa-users@lists.fedorahosted.org>> wrote:
>
>> > Florence Renaud via FreeIPA-users wrote:
>> > IIRC some browsers, notably on Windows, when the initial GSSAPI
>> > handshake fails because there is no ticket, may either throw an
error
>> > because they are trying NTLM auth or don't understand the basic
fallback.
>> >
>> > What browser(s) are you seeing the issue on?
>>
>> I see this on Windows 10 Home with Chrome 93.0.4577.82 (and older
>> versions).
>>
>> I get two login prompts - the first is caused by a POST to
>> /ipa/session/json resulting in a 401.
>>
>> The second is caused by a GET for /ipa/session/login_kerberos?_=<some
>> timestamp>.
>>
>> Both responses have the WWW-Authenticate: Negotiate header.
>>
>> I happen to have MIT Kerberos for Windows installed--that may or
may not
>> be relevant. I've not (as far as I remember) configured Chrome to
try to
>> use SPNEGO to talk to my IPA servers so this may not be relevant.
>>
>> --
>> Sam Morris <
https://robots.org.uk/>
>> PGP: rsa4096/CAAA AA1A CA69 A83A 892B 1855 D20B 4202 5CDA 27B9
>> _______________________________________________
>> FreeIPA-users mailing list --
freeipa-users(a)lists.fedorahosted.org
<mailto:freeipa-users@lists.fedorahosted.org>
>> To unsubscribe send an email to
freeipa-users-leave(a)lists.fedorahosted.org
<mailto:freeipa-users-leave@lists.fedorahosted.org>
>> Fedora Code of Conduct:
>>
https://docs.fedoraproject.org/en-US/project/code-of-conduct/
>> List Guidelines:
https://fedoraproject.org/wiki/Mailing_list_guidelines
>> List Archives:
>>
https://lists.fedorahosted.org/archives/list/freeipa-users@lists.fedoraho...
>> Do not reply to spam on the list, report it:
>>
https://pagure.io/fedora-infrastructure
>>
--
/ Alexander Bokovoy
Sr. Principal Software Engineer
Security / Identity Management Engineering
Red Hat Limited, Finland
_______________________________________________
FreeIPA-users mailing list -- freeipa-users(a)lists.fedorahosted.org
<mailto:freeipa-users@lists.fedorahosted.org>
To unsubscribe send an email to
freeipa-users-leave(a)lists.fedorahosted.org
<mailto:freeipa-users-leave@lists.fedorahosted.org>
Fedora Code of Conduct:
https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines:
https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives:
https://lists.fedorahosted.org/archives/list/freeipa-users@lists.fedoraho...
Do not reply to spam on the list, report it:
https://pagure.io/fedora-infrastructure
_______________________________________________
FreeIPA-users mailing list -- freeipa-users(a)lists.fedorahosted.org
To unsubscribe send an email to freeipa-users-leave(a)lists.fedorahosted.org
Fedora Code of Conduct:
https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines:
https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives:
https://lists.fedorahosted.org/archives/list/freeipa-users@lists.fedoraho...
Do not reply to spam on the list, report it:
https://pagure.io/fedora-infrastructure