On Fri, Feb 15, 2013 at 6:56 PM, Rob Crittenden <rcrit...@redhat.com> wrote:

> Charlie Derwent wrote:
>
>> Hi
>> So there's nothing I can see in the access logs.
>> However, I get the following message in the KDC log
>> Feb 15 14:05:49 ipa.example.com <http://ipa.example.com/>
>>
>> krb5kdc[1749](info): AS_REQ (12 etypes {18 17 16 23 1 3 2 11 10 15 12
>> 13}) 192.168.0.1 <http://192.168.0.1/>: ISSUE: authtime 1360951549,
>>
>> etypes {rep=18 tkt=18 ses=18}, u...@example.com
>> <mailto:u...@example.com> for krbtgt/example....@example.com
>> <mailto:krbtgt/EXAMPLE.COM@**EXAMPLE.COM <example....@example.com>>
>>
>> and when I get a "kinit(v5): Cannot read password while getting initial
>> credentials" error I see this error
>> Feb 15 14:39:35 ipa.example.com <http://ipa.example.com/>
>>
>> krb5kdc[1749](info): AS_REQ (12 etypes {18 17 16 23 1 3 2 11 10 15 12
>> 13}) 192.168.0.1 <http://192.168.0.1/>: NEEDED_PREAUTH: u...@example.com
>> <mailto:u...@example.com> for kadmin/chang...@example.com
>> <mailto:kadmin/changepw@**EXAMPLE.COM <chang...@example.com>>,
>> Additional pre-authentication required
>>
>> Interestingly enough when I try a 5.6 server running
>> ipa-client-2.0.14.el5_7.2 and  xmlrpc-c-client-1.16.24-1206.**1840.el5 it
>> works but rolling ipa-client, certmonger, xmlrpc-c and xmlrpc-c-client
>> back to their 5.6 versions on the 5.8 server makes no difference. I
>> guess looking at times it has worked I should be getting a TGS_REQ
>> message in logs immediately after the AS_REQ.
>> Any ideas or anything else I can check?
>> Thanks
>> Charliez
>>
>
> Are you seeing this failure only on this one 5.8 box or on others as well?
>
> The linker error is totally bizarre and I'm not sure why you'd get it
> infrequently.
>
> Does /var/log/ipaclient-install.log contain any additional information
> when things fail?
>
> rob
>
>
On a whole host of 5.8 boxes. I'm 99.9% sure the ipaclient-install.log
didn't throw up anything I hadn't seen running the installer in debug mode
and then mentioned in the original e-mail but I'll double check that when
I'm in the office on Monday.

Dmitri, I'll triple check the date/timezone settings. I know the times
match using the date command, but I haven't checked inside the localtime
and clock files, all our servers should be set to UTC someone is getting
fired out of a cannon if I find one that isn't. It's worth mentioning that
we don't use the ntp function of the IPA server as we're running them
inside VMs. All servers get there time from elsewhere.
_______________________________________________
Freeipa-users mailing list
Freeipa-users@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-users

Reply via email to