On Thu, Mar 5, 2015 at 5:17 PM, Dan Mossor <danofs...@gmail.com> wrote:

>
>
> On Thu, Mar 5, 2015 at 4:55 PM, Dmitri Pal <d...@redhat.com> wrote:
>
>>  On 03/05/2015 05:51 PM, Dan Mossor wrote:
>>
>>  As an additional test, I created a new user on my workstation and
>> switched to it. The first thing I did was kinit as admin, then started
>> Firefox, went through the browser configuration provided by the IPA server,
>> and attempted to log in. I received the same error[1].
>>
>> [1]http://i.imgur.com/mhX86Ng.png
>>
>>
>>  Have you checked times and time zones on the client and on the server?
>>
>> --
>> Thank you,
>> Dmitri Pal
>>
>> Sr. Engineering Manager IdM portfolio
>> Red Hat, Inc.
>>
>>
> The server is set for GMT time, whereas the client is set for local time,
> US Central Standard Time. Except for that difference, they are within 1
> second of each other.
>
> Dan
>
As an experiment after this email exchange, I switched the server to
Central Standard Time using timedatectl. I then ran kinit again, and
attempted to log into the GUI. There was no change - I still cannot access
the GUI. Here is the krb5kdc.log from the period:

Mar 06 00:28:54 vader.rez.lcl krb5kdc[1073](info): AS_REQ (6 etypes {18 17 16 23 25 26}) 10.1.1.15: NEEDED_PREAUTH: host/dmfedora.rez....@rez.lcl for krbtgt/rez....@rez.lcl, Additional pre-authentication required
Mar 06 00:28:54 vader.rez.lcl krb5kdc[1073](info): AS_REQ (6 etypes {18 17 16 23 25 26}) 10.1.1.15: ISSUE: authtime 1425601734, etypes {rep=18 tkt=18 ses=18}, host/dmfedora.rez....@rez.lcl for krbtgt/rez....@rez.lcl
Mar 06 00:28:54 vader.rez.lcl krb5kdc[1073](info): TGS_REQ (6 etypes {18 17 16 23 25 26}) 10.1.1.15: ISSUE: authtime 1425601734, etypes {rep=18 tkt=18 ses=18}, host/dmfedora.rez....@rez.lcl for ldap/vader.rez....@rez.lcl
Mar 05 18:29:20 vader.rez.lcl krb5kdc[1073](info): AS_REQ (6 etypes {18 17 16 23 25 26}) 10.1.1.15: NEEDED_PREAUTH: ad...@rez.lcl for krbtgt/rez....@rez.lcl, Additional pre-authentication required
Mar 05 18:29:25 vader.rez.lcl krb5kdc[1073](info): AS_REQ (6 etypes {18 17 16 23 25 26}) 10.1.1.15: ISSUE: authtime 1425601765, etypes {rep=18 tkt=18 ses=18}, ad...@rez.lcl for krbtgt/rez....@rez.lcl
Mar 05 18:29:26 vader.rez.lcl krb5kdc[1073](info): DISPATCH: repeated (retransmitted?) request from 10.1.1.15, resending previous response
Mar 05 18:29:26 vader.rez.lcl krb5kdc[1073](info): closing down fd 12
Mar 05 18:29:44 vader.rez.lcl krb5kdc[1073](info): AS_REQ (6 etypes {18 17 16 23 25 26}) 10.1.0.1: NEEDED_PREAUTH: HTTP/vader.rez....@rez.lcl for krbtgt/rez....@rez.lcl, Additional pre-authentication required
Mar 05 18:29:44 vader.rez.lcl krb5kdc[1073](info): AS_REQ (6 etypes {18 17 16 23 25 26}) 10.1.0.1: ISSUE: authtime 1425601784, etypes {rep=18 tkt=18 ses=18}, HTTP/vader.rez....@rez.lcl for krbtgt/rez....@rez.lcl
Mar 05 18:29:44 vader.rez.lcl krb5kdc[1073](info): AS_REQ (6 etypes {18 17 16 23 25 26}) 10.1.0.1: NEEDED_PREAUTH: ad...@rez.lcl for krbtgt/rez....@rez.lcl, Additional pre-authentication required
Mar 05 18:29:44 vader.rez.lcl krb5kdc[1073](info): AS_REQ (6 etypes {18 17 16 23 25 26}) 10.1.0.1: ISSUE: authtime 1425601784, etypes {rep=18 tkt=18 ses=18}, ad...@rez.lcl for krbtgt/rez....@rez.lcl
Mar 05 18:29:44 vader.rez.lcl krb5kdc[1073](info): TGS_REQ (6 etypes {18 17 16 23 25 26}) 10.1.1.15: ISSUE: authtime 1425601765, etypes {rep=18 tkt=18 ses=18}, ad...@rez.lcl for HTTP/vader.rez....@rez.lcl


One thing I did determine is the authtime in the krb5kdc log is epoch time.
I checked it, and it translates directly to the standard time.

Dan
-- 
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go To http://freeipa.org for more info on the project
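
Added example, not part of the original thread and not FreeIPA or MIT Kerberos code: a small parser for the krb5kdc.log ISSUE lines quoted above that converts each authtime epoch value to UTC and, for AS_REQ lines, derives the UTC offset the log's wall-clock stamps were written in. The sample lines are constructed (timestamps and authtime values follow the log above, host and principals are placeholders), and the `year` parameter is an assumption because syslog-style stamps carry no year.

```python
import re
from datetime import datetime, timezone

# Constructed sample lines modelled on the thread's log (unwrapped; the host
# and principals are EXAMPLE.TEST placeholders, not values from the page).
SAMPLE_LOG = """\
Mar 06 00:28:54 kdc.example.test krb5kdc[1073](info): AS_REQ (6 etypes {18 17 16 23 25 26}) 10.1.1.15: ISSUE: authtime 1425601734, etypes {rep=18 tkt=18 ses=18}, host/client.example.test@EXAMPLE.TEST for krbtgt/EXAMPLE.TEST@EXAMPLE.TEST
Mar 05 18:29:25 kdc.example.test krb5kdc[1073](info): AS_REQ (6 etypes {18 17 16 23 25 26}) 10.1.1.15: ISSUE: authtime 1425601765, etypes {rep=18 tkt=18 ses=18}, admin@EXAMPLE.TEST for krbtgt/EXAMPLE.TEST@EXAMPLE.TEST
Mar 05 18:29:44 kdc.example.test krb5kdc[1073](info): TGS_REQ (6 etypes {18 17 16 23 25 26}) 10.1.1.15: ISSUE: authtime 1425601765, etypes {rep=18 tkt=18 ses=18}, admin@EXAMPLE.TEST for HTTP/kdc.example.test@EXAMPLE.TEST
"""

LINE_RE = re.compile(
    r"^(?P<stamp>\w{3} \d{2} \d{2}:\d{2}:\d{2}) \S+ krb5kdc\[\d+\]\(info\): "
    r"(?P<req>AS_REQ|TGS_REQ) .*?: ISSUE: authtime (?P<authtime>\d+),"
)


def analyze(log_text, year=2015):
    """Return (request type, authtime as UTC datetime, log UTC offset in hours).

    The offset is only computed for AS_REQ lines: there authtime is the moment
    the ticket was issued, so stamp minus authtime is the zone the log was
    written in. A TGS_REQ line repeats the authtime of the TGT it was derived
    from, which can be older than the line itself, so its offset is None.
    """
    rows = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # NEEDED_PREAUTH, DISPATCH and other lines have no authtime
        auth = datetime.fromtimestamp(int(m["authtime"]), tz=timezone.utc)
        offset = None
        if m["req"] == "AS_REQ":
            # The stamp has no year or zone; parse it as naive wall-clock time.
            stamp = datetime.strptime(f"{year} {m['stamp']}", "%Y %b %d %H:%M:%S")
            delta = (stamp - auth.replace(tzinfo=None)).total_seconds()
            offset = round(delta / 3600 * 4) / 4  # snap to nearest quarter hour
        rows.append((m["req"], auth, offset))
    return rows


if __name__ == "__main__":
    for req, auth, offset in analyze(SAMPLE_LOG):
        print(req, auth.isoformat(), "log offset (h):", offset)
```

On the sample, the first line yields an offset of 0 (stamps in GMT) and the second an offset of -6 (stamps in US Central Standard Time), while the authtime values stay on one continuous UTC timeline.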
