I have Fedora 16 installed with default firefox from repos (firefox-12.0-1.fc16.x86_64) and I'm unable to login.
I get a bit cryptic error "Missing or invalid HTTP Referer, missing". It seems that latest version of Firefox is not sending Referrer header (I've tried this also in safe mode and without extentions).
Without allowing Password Logins on server (KrbMethodK5Passwd On), I can't use IPA.
Does IPA really need the referrer header for login?
If it absolutely needs to, I'd prefer to see more user friendly messages about possible issues and help on how to solve them (advice on Firefox configuration changes if possible, pointer to changes server side, etc).
Also the error message that the referrer headers are "missing or invalid" is not very good for debugging. It does make a big difference if the browser is not sending some header at all or if it's corrupted.
The Apache error log /var/log/httpd/errors may have additional information on the source of the problem.
I'm not able to duplicate this. Can you install the Live HTTP headers (or similar) browser plugin to see what is being sent back and forth to the server?
This request was not resolved in time for the current release.
Red Hat invites you to ask your support representative to
propose this request, if still desired, for consideration in
the next release of Red Hat Enterprise Linux.
I've installed Live HTTP headers, cleared my cache, logins and cookies and opened the page. Obviously, I've obfusted the hostname and hopefully removed my true login into.
There's one 404 in the logs, perhaps relevant?
GET /ipa/ui/develop.js HTTP/1.1
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:12.0) Gecko/20100101 Firefox/12.0
Accept-Encoding: gzip, deflate
HTTP/1.1 404 Not Found
Date: Fri, 18 May 2012 15:45:12 GMT
Keep-Alive: timeout=5, max=97
Content-Type: text/html; charset=iso-8859-1
Full headers attached in a sec.
Created attachment 585446 [details]
Why is it sending a Basic auth header? Did you enable KrbMethodK5Passwd?
Yes I did. I wasn't able to login via negotiate (more info in comment #0).
I still can't login in FF, but I can login via password in Chrome as a workaround.
I don't know why Firefox wouldn't be sending a Referer header, Basic auth or not.
We require a Referer to prevent Cross-Site Request Forgery attacks.
Can you try creating a new profile in Firefox to see if that fixes things?
Can you go in about:config and check what's the value of Network.http.sendRefererHeader ?
It's set to 0 (user set, Integer; default is 2). I haven't touch this config, but I seem to recall that when I installed IPA it did some configuration changes to my browser to support negotiate.
May it be that it's calling some kind of 'toggle' instead of setting this to 1?
(if this is total nonsense, please ignore)
Hmm, in that case I'm not sure what caused this change in Firefox.
Yes, we can use this bug to track that feature.
Created attachment 689031 [details]
in about:confi value is set to 2
verified using ipa-server-3.0.0-22.el6.x86_64
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.
For information on the advisory, and where to find the updated
files, follow the link below.
If the solution does not work for you, open a new bug report.