Sorry for falling off like that. I opened a RedHat ticket on the issue, and have been running in circles with them. I forgot to check on the list for responses.

I'm still having problems. Someone suggested I try:

kinit -kt /etc/httpd/conf/ipa.keytab HTTP/ipaserver.lafayette.edu

Which I just did, and it worked, or, at least it initialized my session. I'm still unable to execute ipa commands. In fact, I'm unable to execute almost any ipa commands.

The web interface works, but only after RedHat had me enable kerberos password auth in the httpd config. So I can now auth to the web GUI interactively, instead of requiring a kinit from my workstation.

The only real client I have here is RHEV. And auth there still works except on accounts which have expired. Those accounts can't even change their passwords. RedHat had me disable the password expiration via the web GUI, however that hasn't helped accounts that are already expired.

RedHat is currently blaming time skew, which I think is ridiculous. I'm testing my ipa commands right on the ipa master. How could there possibly be time skew? I did find that the time on my replica was off, but my replica isn't working anyway, which is a whole other issue. I think it needs to be flattened, and re-joined.

On 09/10/2012 08:54 AM, Dmitri Pal wrote:
> On 08/24/2012 04:43 PM, Rob Crittenden wrote:
>> Nathan Lager wrote:
>>> This did not seem to help...
>>>
>>
>> What else isn't working? Does the UI work? Do clients on other
>> machines work? Does user lookup still work?
>>
>> rob
>
> Was this issue ever resolved?
>
>>>
>>> On 08/22/2012 06:02 PM, Rob Crittenden wrote:
>>>> Nathan Lager wrote:
>>>>> [root@ipaserver PROD krb5kdc]# ipactl status
>>>>> Directory Service: RUNNING
>>>>> KDC Service: RUNNING
>>>>> KPASSWD Service: RUNNING
>>>>> MEMCACHE Service: RUNNING
>>>>> HTTP Service: RUNNING
>>>>> CA Service: RUNNING
>>>>> [root@ipaserver PROD krb5kdc]# rpm -qa | grep ipa-server
>>>>> ipa-server-selinux-2.2.0-16.el6.x86_64
>>>>> ipa-server-2.2.0-16.el6.x86_64
>>>>
>>>> I'd try removing /tmp/krb5cc_48. This is the ccache used by
>>>> Apache for doing S4U2Proxy. No restart of httpd should be
>>>> required.
>>>>
>>>> rob
>>>>
>>>>>
>>>>> On 08/22/2012 04:08 PM, Rob Crittenden wrote:
>>>>>> Nathan Lager wrote:
>>>>>>> I tried the same, kinit, and then ipa passwd commands
>>>>>>> as before, here's the output:
>>>>>>>
>>>>>>> Aug 22 14:32:13 ipaserver.lafayette.edu krb5kdc[1438](info): AS_REQ (4 etypes {18 17 16 23}) ipa-servers-ip: NEEDED_PREAUTH: lag...@systems.lafayette.edu for krbtgt/systems.lafayette....@systems.lafayette.edu, Additional pre-authentication required
>>>>>>>
>>>>>>> Aug 22 14:32:19 ipaserver.lafayette.edu krb5kdc[1438](info): AS_REQ (4 etypes {18 17 16 23}) ipa-servers-ip: ISSUE: authtime 1345660339, etypes {rep=18 tkt=18 ses=18}, lag...@systems.lafayette.edu for krbtgt/systems.lafayette....@systems.lafayette.edu
>>>>>>>
>>>>>>> Aug 22 14:32:35 ipaserver.lafayette.edu krb5kdc[1438](info): TGS_REQ (4 etypes {18 17 16 23}) ipa-servers-ip: ISSUE: authtime 1345660339, etypes {rep=18 tkt=18 ses=18}, lag...@systems.lafayette.edu for HTTP/ipaserver.lafayette....@systems.lafayette.edu
>>>>>>
>>>>>> What version of IPA is this?
>>>>>>
>>>>>> Does ipactl status show all services up?
>>>>>>
>>>>>> rob
>>
>> _______________________________________________
>> Freeipa-users mailing list
>> Freeipa-users@redhat.com
>> https://www.redhat.com/mailman/listinfo/freeipa-users