On 03/05/2015 07:36 PM, Dan Mossor wrote:
On Thu, Mar 5, 2015 at 5:17 PM, Dan Mossor <[email protected]> wrote:
On Thu, Mar 5, 2015 at 4:55 PM, Dmitri Pal <[email protected]> wrote:
On 03/05/2015 05:51 PM, Dan Mossor wrote:
As an additional test, I created a new user on my workstation
and switched to it. The first thing I did was kinit as admin,
then started Firefox, went through the browser configuration
provided by the IPA server, and attempted to log in. I
received the same error[1].
[1] http://i.imgur.com/mhX86Ng.png
Have you checked times and time zones on the client and on the
server?
--
Thank you,
Dmitri Pal
Sr. Engineering Manager IdM portfolio
Red Hat, Inc.
The server is set for GMT time, whereas the client is set for
local time, US Central Standard Time. Except for that difference,
they are within 1 second of each other.
Dan
As an experiment after this email exchange, I switched the server to
Central Standard Time using timedatectl. I then ran kinit again, and
attempted to log into the GUI. There was no change - I still cannot
access the GUI. Here is the krb5kdc.log from the period:
Mar 06 00:28:54 vader.rez.lcl krb5kdc[1073](info): AS_REQ (6 etypes {18 17 16 23 25 26}) 10.1.1.15: NEEDED_PREAUTH: host/[email protected] for krbtgt/[email protected], Additional pre-authentication required
Mar 06 00:28:54 vader.rez.lcl krb5kdc[1073](info): AS_REQ (6 etypes {18 17 16 23 25 26}) 10.1.1.15: ISSUE: authtime 1425601734, etypes {rep=18 tkt=18 ses=18}, host/[email protected] for krbtgt/[email protected]
Mar 06 00:28:54 vader.rez.lcl krb5kdc[1073](info): TGS_REQ (6 etypes {18 17 16 23 25 26}) 10.1.1.15: ISSUE: authtime 1425601734, etypes {rep=18 tkt=18 ses=18}, host/[email protected] for ldap/[email protected]
Mar 05 18:29:20 vader.rez.lcl krb5kdc[1073](info): AS_REQ (6 etypes {18 17 16 23 25 26}) 10.1.1.15: NEEDED_PREAUTH: [email protected] for krbtgt/[email protected], Additional pre-authentication required
Mar 05 18:29:25 vader.rez.lcl krb5kdc[1073](info): AS_REQ (6 etypes {18 17 16 23 25 26}) 10.1.1.15: ISSUE: authtime 1425601765, etypes {rep=18 tkt=18 ses=18}, [email protected] for krbtgt/[email protected]
Mar 05 18:29:26 vader.rez.lcl krb5kdc[1073](info): DISPATCH: repeated (retransmitted?) request from 10.1.1.15, resending previous response
Mar 05 18:29:26 vader.rez.lcl krb5kdc[1073](info): closing down fd 12
Mar 05 18:29:44 vader.rez.lcl krb5kdc[1073](info): AS_REQ (6 etypes {18 17 16 23 25 26}) 10.1.0.1: NEEDED_PREAUTH: HTTP/[email protected] for krbtgt/[email protected], Additional pre-authentication required
Mar 05 18:29:44 vader.rez.lcl krb5kdc[1073](info): AS_REQ (6 etypes {18 17 16 23 25 26}) 10.1.0.1: ISSUE: authtime 1425601784, etypes {rep=18 tkt=18 ses=18}, HTTP/[email protected] for krbtgt/[email protected]
Mar 05 18:29:44 vader.rez.lcl krb5kdc[1073](info): AS_REQ (6 etypes {18 17 16 23 25 26}) 10.1.0.1: NEEDED_PREAUTH: [email protected] for krbtgt/[email protected], Additional pre-authentication required
Mar 05 18:29:44 vader.rez.lcl krb5kdc[1073](info): AS_REQ (6 etypes {18 17 16 23 25 26}) 10.1.0.1: ISSUE: authtime 1425601784, etypes {rep=18 tkt=18 ses=18}, [email protected] for krbtgt/[email protected]
Mar 05 18:29:44 vader.rez.lcl krb5kdc[1073](info): TGS_REQ (6 etypes {18 17 16 23 25 26}) 10.1.1.15: ISSUE: authtime 1425601765, etypes {rep=18 tkt=18 ses=18}, [email protected] for HTTP/[email protected]
One thing I did determine is the authtime in the krb5kdc log is epoch
time. I checked it, and it translates directly to the standard time.
Dan
Hm. OK.
I do not think it was ever mentioned which version of the server and
client you are running, but based on the UI it seems like the latest.
Also, you are trying to log in after using kinit. Can you log in using
forms-based authentication, or does that not work either?
--
Thank you,
Dmitri Pal
Sr. Engineering Manager IdM portfolio
Red Hat, Inc.
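
Added example (not part of the original thread and not FreeIPA code): the authtime-is-epoch observation above, checked mechanically by comparing each AS_REQ ISSUE line's syslog stamp with its authtime to recover the UTC offset the log clock was using. The sample lines are constructed from the thread's timestamps and authtime values; the principals and the EXAMPLE.TEST realm are placeholders.

```python
import re
from datetime import datetime, timedelta, timezone

def _line(stamp, req, ip, authtime, client, service):
    # Builds a constructed krb5kdc ISSUE line in the layout shown in the thread.
    return (f"{stamp} vader.rez.lcl krb5kdc[1073](info): {req} "
            f"(6 etypes {{18 17 16 23 25 26}}) {ip}: ISSUE: authtime {authtime}, "
            f"etypes {{rep=18 tkt=18 ses=18}}, {client} for {service}")

# Constructed sample: stamps and authtime values follow the thread's log,
# principal names and realm are placeholders.
TGT = "krbtgt/EXAMPLE.TEST@EXAMPLE.TEST"
SAMPLE = [
    _line("Mar 06 00:28:54", "AS_REQ", "10.1.1.15", 1425601734,
          "host/client.example.test@EXAMPLE.TEST", TGT),
    _line("Mar 05 18:29:25", "AS_REQ", "10.1.1.15", 1425601765,
          "admin@EXAMPLE.TEST", TGT),
    _line("Mar 05 18:29:44", "AS_REQ", "10.1.0.1", 1425601784,
          "HTTP/server.example.test@EXAMPLE.TEST", TGT),
    _line("Mar 05 18:29:44", "TGS_REQ", "10.1.1.15", 1425601765,
          "admin@EXAMPLE.TEST", "HTTP/server.example.test@EXAMPLE.TEST"),
]

AS_ISSUE = re.compile(
    r"^(?P<stamp>\w{3} \d{2} \d{2}:\d{2}:\d{2}) \S+ krb5kdc\[\d+\]\(info\): "
    r"AS_REQ .*?: ISSUE: authtime (?P<authtime>\d+),"
)

def log_clock_offsets(lines):
    """Return (syslog stamp, authtime as UTC ISO string, offset in hours)."""
    rows = []
    for line in lines:
        m = AS_ISSUE.match(line)
        if not m:
            # TGS_REQ lines carry the TGT's original authtime, not the time
            # of the request, so they cannot be used to measure the offset.
            continue
        auth = datetime.fromtimestamp(int(m["authtime"]), tz=timezone.utc)
        auth = auth.replace(tzinfo=None)
        # Syslog stamps have no year or zone; borrow the year from authtime
        # (good enough except for lines that straddle New Year).
        wall = datetime.strptime(f"{auth.year} {m['stamp']}", "%Y %b %d %H:%M:%S")
        hours = round((wall - auth) / timedelta(hours=1), 2)
        rows.append((m["stamp"], auth.isoformat(), hours))
    return rows

if __name__ == "__main__":
    for stamp, auth, hours in log_clock_offsets(SAMPLE):
        print(f"{stamp}  authtime={auth}Z  log clock = UTC{hours:+g}h")
```

On these lines the offset moves from 0 h to -6 h while authtime keeps counting in UTC, so the jump in the log stamps reflects the timezone switch on the server and not clock skew between client and KDC.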