Hi So there's nothing I can see in the access logs.
However, I get the following message in the KDC log Feb 15 14:05:49 ipa.example.com krb5kdc[1749](info): AS_REQ (12 etypes {18 17 16 23 1 3 2 11 10 15 12 13}) 192.168.0.1: ISSUE: authtime 1360951549, etypes {rep=18 tkt=18 ses=18}, u...@example.com for krbtgt/example....@example.com and when I get a "kinit(v5): Cannot read password while getting initial credentials" error I see this error Feb 15 14:39:35 ipa.example.com krb5kdc[1749](info): AS_REQ (12 etypes {18 17 16 23 1 3 2 11 10 15 12 13}) 192.168.0.1: NEEDED_PREAUTH: u...@example.com for kadmin/chang...@example.com, Additional pre-authentication required Interestingly enough when I try a 5.6 server running ipa-client-2.0.14.el5_7.2 and xmlrpc-c-client-1.16.24-1206.1840.el5 it works but rolling ipa-client, certmonger, xmlrpc-c and xmlrpc-c-client back to their 5.6 versions on the 5.8 server makes no difference. I guess looking at times it has worked I should be getting a TGS_REQ message in logs immediately after the AS_REQ. Any ideas or anything else I can check? Thanks Charlie On Wed, Feb 13, 2013 at 10:27 PM, Dmitri Pal <d...@redhat.com> wrote: > On 02/13/2013 04:57 PM, Charlie Derwent wrote: > > > > On Sun, Feb 10, 2013 at 1:48 AM, Rob Crittenden <rcrit...@redhat.com>wrote: > >> Charlie Derwent wrote: >> >>> Hi >>> Whenever I attempt an unattended installation with a principal and >>> password. The installation fails. >>> I'm using the following syntax for my command >>> ipa-client-install --domain=example.com <http://example.com> >>> --server=ipa.example.com <http://ipa.example.com> --realm=EXAMPLE.COM >>> <http://EXAMPLE.COM> --principal=user --password=pass -U >>> --ntp-server=123.123.123.123 --mkhomedir --hostname=server1.example.com >>> <http://server1.example.com> >>> >>> The error I get varies between (in order of frequency) >>> Joining realm failed: /usr/sbin/ipa-join: symbol lookup error: >>> /usr/sbin/ipa-join: undefined symbol: xmlrpc_server_info_set_user >>> and >>> >> >> This is the sort of thing that if you saw once, you should see every >> time. What version of xmlrpc-c-client is installed? >> >> >> > I agree I should be seeing it all the time it's very odd that I'm not, > the package is xmlrpc-c-client-1.16.24-1206.1840.4.el5.x86_64.rpm > >> >> kinit(v5): Password incorrect while getting initial credentials >>> and >>> Password expired. you must change it now. >>> kinit(v5): Cannot read password while getting initial credentials >>> The password is 100% right as I can kinit on other servers and access >>> the webgui with the same details. >>> OTP's work flawlessly. >>> >> >> The KDC log might have more information. >> > I'm not in the office right now so I can't check the logs but I assume the > KDC log is actually on the IPA server? > > > yes > and the DS access logs too > > > Thanks > Charlie > >> >> > > > > > _______________________________________________ > Freeipa-users mailing > listFreeipa-users@redhat.comhttps://www.redhat.com/mailman/listinfo/freeipa-users > > > > -- > Thank you, > Dmitri Pal > > Sr. Engineering Manager for IdM portfolio > Red Hat Inc. > > > ------------------------------- > Looking to carve out IT costs?www.redhat.com/carveoutcosts/ > > > _______________________________________________ > Freeipa-users mailing list > Freeipa-users@redhat.com > https://www.redhat.com/mailman/listinfo/freeipa-users >
_______________________________________________ Freeipa-users mailing list Freeipa-users@redhat.com https://www.redhat.com/mailman/listinfo/freeipa-users