Hi
So there's nothing I can see in the access logs.
However, I get the following message in the KDC log
Feb 15 14:05:49 ipa.example.com krb5kdc[1749](info): AS_REQ (12 etypes {18
17 16 23 1 3 2 11 10 15 12 13}) 192.168.0.1: ISSUE: authtime 1360951549,
etypes {rep=18 tkt=18 ses=18}, u...@example.com for
krbtgt/example....@example.com
and when I get a "kinit(v5): Cannot read password while getting initial
credentials" error I see this error
Feb 15 14:39:35 ipa.example.com krb5kdc[1749](info): AS_REQ (12 etypes {18
17 16 23 1 3 2 11 10 15 12 13}) 192.168.0.1: NEEDED_PREAUTH:
u...@example.com for kadmin/chang...@example.com, Additional
pre-authentication required
Interestingly enough when I try a 5.6 server running
ipa-client-2.0.14.el5_7.2 and xmlrpc-c-client-1.16.24-1206.1840.el5 it
works but rolling ipa-client, certmonger, xmlrpc-c and xmlrpc-c-client back
to their 5.6 versions on the 5.8 server makes no difference. I guess
looking at times it has worked I should be getting a TGS_REQ message in
logs immediately after the AS_REQ.
Any ideas or anything else I can check?
Thanks
Charlie
On Wed, Feb 13, 2013 at 10:27 PM, Dmitri Pal <d...@redhat.com> wrote:
> On 02/13/2013 04:57 PM, Charlie Derwent wrote:
>
>
>
> On Sun, Feb 10, 2013 at 1:48 AM, Rob Crittenden <rcrit...@redhat.com>wrote:
>
>> Charlie Derwent wrote:
>>
>>> Hi
>>> Whenever I attempt an unattended installation with a principal and
>>> password. The installation fails.
>>> I'm using the following syntax for my command
>>> ipa-client-install --domain=example.com <http://example.com>
>>> --server=ipa.example.com <http://ipa.example.com> --realm=EXAMPLE.COM
>>> <http://EXAMPLE.COM> --principal=user --password=pass -U
>>> --ntp-server=123.123.123.123 --mkhomedir --hostname=server1.example.com
>>> <http://server1.example.com>
>>>
>>> The error I get varies between (in order of frequency)
>>> Joining realm failed: /usr/sbin/ipa-join: symbol lookup error:
>>> /usr/sbin/ipa-join: undefined symbol: xmlrpc_server_info_set_user
>>> and
>>>
>>
>> This is the sort of thing that if you saw once, you should see every
>> time. What version of xmlrpc-c-client is installed?
>>
>>
>>
> I agree I should be seeing it all the time it's very odd that I'm not,
> the package is xmlrpc-c-client-1.16.24-1206.1840.4.el5.x86_64.rpm
>
>>
>> kinit(v5): Password incorrect while getting initial credentials
>>> and
>>> Password expired. you must change it now.
>>> kinit(v5): Cannot read password while getting initial credentials
>>> The password is 100% right as I can kinit on other servers and access
>>> the webgui with the same details.
>>> OTP's work flawlessly.
>>>
>>
>> The KDC log might have more information.
>>
> I'm not in the office right now so I can't check the logs but I assume the
> KDC log is actually on the IPA server?
>
>
> yes
> and the DS access logs too
>
>
> Thanks
> Charlie
>
>>
>>
>
>
>
>
> _______________________________________________
> Freeipa-users mailing
> listFreeipa-users@redhat.comhttps://www.redhat.com/mailman/listinfo/freeipa-users
>
>
>
> --
> Thank you,
> Dmitri Pal
>
> Sr. Engineering Manager for IdM portfolio
> Red Hat Inc.
>
>
> -------------------------------
> Looking to carve out IT costs?www.redhat.com/carveoutcosts/
>
>
> _______________________________________________
> Freeipa-users mailing list
> Freeipa-users@redhat.com
> https://www.redhat.com/mailman/listinfo/freeipa-users
>
_______________________________________________
Freeipa-users mailing list
Freeipa-users@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-users
