On 03/05/2015 07:36 PM, Dan Mossor wrote:
On Thu, Mar 5, 2015 at 5:17 PM, Dan Mossor <danofs...@gmail.com> wrote:

    On Thu, Mar 5, 2015 at 4:55 PM, Dmitri Pal <d...@redhat.com> wrote:

        On 03/05/2015 05:51 PM, Dan Mossor wrote:
        As an additional test, I created a new user on my workstation
        and switched to it. The first thing I did was kinit as admin,
        then started Firefox, went through the browser configuration
        provided by the IPA server, and attempted to log in. I
        received the same error[1].

        [1] http://i.imgur.com/mhX86Ng.png


        Have you checked times and time zones on the client and on the
        server?

        --
        Thank you,
        Dmitri Pal

        Sr. Engineering Manager IdM portfolio
        Red Hat, Inc.


    The server is set for GMT time, whereas the client is set for
    local time, US Central Standard Time. Except for that difference,
    they are within 1 second of each other.

    Dan

As an experiment after this email exchange, I switched the server to Central Standard Time using timedatectl. I then ran kinit again, and attempted to log into the GUI. There was no change - I still cannot access the GUI. Here is the krb5kdc.log from the period:

Mar 06 00:28:54 vader.rez.lcl krb5kdc[1073](info): AS_REQ (6 etypes {18 17 16 23 25 26}) 10.1.1.15: NEEDED_PREAUTH: host/dmfedora.rez....@rez.lcl for krbtgt/rez....@rez.lcl, Additional pre-authentication required
Mar 06 00:28:54 vader.rez.lcl krb5kdc[1073](info): AS_REQ (6 etypes {18 17 16 23 25 26}) 10.1.1.15: ISSUE: authtime 1425601734, etypes {rep=18 tkt=18 ses=18}, host/dmfedora.rez....@rez.lcl for krbtgt/rez....@rez.lcl
Mar 06 00:28:54 vader.rez.lcl krb5kdc[1073](info): TGS_REQ (6 etypes {18 17 16 23 25 26}) 10.1.1.15: ISSUE: authtime 1425601734, etypes {rep=18 tkt=18 ses=18}, host/dmfedora.rez....@rez.lcl for ldap/vader.rez....@rez.lcl
Mar 05 18:29:20 vader.rez.lcl krb5kdc[1073](info): AS_REQ (6 etypes {18 17 16 23 25 26}) 10.1.1.15: NEEDED_PREAUTH: ad...@rez.lcl for krbtgt/rez....@rez.lcl, Additional pre-authentication required
Mar 05 18:29:25 vader.rez.lcl krb5kdc[1073](info): AS_REQ (6 etypes {18 17 16 23 25 26}) 10.1.1.15: ISSUE: authtime 1425601765, etypes {rep=18 tkt=18 ses=18}, ad...@rez.lcl for krbtgt/rez....@rez.lcl
Mar 05 18:29:26 vader.rez.lcl krb5kdc[1073](info): DISPATCH: repeated (retransmitted?) request from 10.1.1.15, resending previous response
Mar 05 18:29:26 vader.rez.lcl krb5kdc[1073](info): closing down fd 12
Mar 05 18:29:44 vader.rez.lcl krb5kdc[1073](info): AS_REQ (6 etypes {18 17 16 23 25 26}) 10.1.0.1: NEEDED_PREAUTH: HTTP/vader.rez....@rez.lcl for krbtgt/rez....@rez.lcl, Additional pre-authentication required
Mar 05 18:29:44 vader.rez.lcl krb5kdc[1073](info): AS_REQ (6 etypes {18 17 16 23 25 26}) 10.1.0.1: ISSUE: authtime 1425601784, etypes {rep=18 tkt=18 ses=18}, HTTP/vader.rez....@rez.lcl for krbtgt/rez....@rez.lcl
Mar 05 18:29:44 vader.rez.lcl krb5kdc[1073](info): AS_REQ (6 etypes {18 17 16 23 25 26}) 10.1.0.1: NEEDED_PREAUTH: ad...@rez.lcl for krbtgt/rez....@rez.lcl, Additional pre-authentication required
Mar 05 18:29:44 vader.rez.lcl krb5kdc[1073](info): AS_REQ (6 etypes {18 17 16 23 25 26}) 10.1.0.1: ISSUE: authtime 1425601784, etypes {rep=18 tkt=18 ses=18}, ad...@rez.lcl for krbtgt/rez....@rez.lcl
Mar 05 18:29:44 vader.rez.lcl krb5kdc[1073](info): TGS_REQ (6 etypes {18 17 16 23 25 26}) 10.1.1.15: ISSUE: authtime 1425601765, etypes {rep=18 tkt=18 ses=18}, ad...@rez.lcl for HTTP/vader.rez....@rez.lcl


One thing I did determine is the authtime in the krb5kdc log is epoch time. I checked it, and it translates directly to the standard time.

Dan

Hm. OK.

I do not think it was ever mentioned which version of the server and client you are running, but based on the UI it seems like the latest. Also, you are trying to log in after using kinit. Can you log in using forms-based authentication, or does that not work either?


--
Thank you,
Dmitri Pal

Sr. Engineering Manager IdM portfolio
Red Hat, Inc.
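
The check described in the thread (reading authtime as epoch time and comparing it with the timestamp at the start of the log line), as an added example that is not part of the original messages. The sample lines are constructed in the krb5kdc.log format quoted above; the host name, addresses and principals are placeholders.

```python
import re
from datetime import datetime, timezone

# Matches krb5kdc "ISSUE" lines in the format quoted in this thread.
ISSUE_RE = re.compile(
    r"^(?P<stamp>[A-Z][a-z]{2} \d{2} \d{2}:\d{2}:\d{2}) \S+ krb5kdc\[\d+\]\(info\): "
    r"(?P<req>AS_REQ|TGS_REQ) .*?: ISSUE: authtime (?P<authtime>\d+),"
)

# Constructed sample lines; host, addresses and principals are placeholders.
PREFIX = "kdc.example.test krb5kdc[1073](info):"
ETYPES = "(6 etypes {18 17 16 23 25 26})"
SAMPLE_LOG = [
    f"Mar 06 00:28:54 {PREFIX} AS_REQ {ETYPES} 192.0.2.15: NEEDED_PREAUTH: "
    "admin@EXAMPLE.TEST for krbtgt/EXAMPLE.TEST@EXAMPLE.TEST, Additional pre-authentication required",
    f"Mar 06 00:28:54 {PREFIX} AS_REQ {ETYPES} 192.0.2.15: ISSUE: authtime 1425601734, "
    "etypes {rep=18 tkt=18 ses=18}, admin@EXAMPLE.TEST for krbtgt/EXAMPLE.TEST@EXAMPLE.TEST",
    f"Mar 05 18:29:25 {PREFIX} AS_REQ {ETYPES} 192.0.2.15: ISSUE: authtime 1425601765, "
    "etypes {rep=18 tkt=18 ses=18}, admin@EXAMPLE.TEST for krbtgt/EXAMPLE.TEST@EXAMPLE.TEST",
    f"Mar 05 18:29:44 {PREFIX} TGS_REQ {ETYPES} 192.0.2.15: ISSUE: authtime 1425601765, "
    "etypes {rep=18 tkt=18 ses=18}, admin@EXAMPLE.TEST for HTTP/kdc.example.test@EXAMPLE.TEST",
]


def stamp_offsets(lines):
    """Return (log stamp, authtime as UTC ISO string, offset in minutes) per AS_REQ ISSUE line."""
    results = []
    for line in lines:
        m = ISSUE_RE.match(line)
        # Only AS_REQ: there authtime is the moment of issue. A TGS_REQ line
        # repeats the authtime of the TGT presented, so it can lag the log stamp.
        if not m or m["req"] != "AS_REQ":
            continue
        auth = datetime.fromtimestamp(int(m["authtime"]), tz=timezone.utc)
        # The log stamp has no year or zone; borrow the year from authtime
        # (lines written across a New Year boundary would need extra handling).
        local = datetime.strptime(f"{auth.year} {m['stamp']}", "%Y %b %d %H:%M:%S")
        delta = (local - auth.replace(tzinfo=None)).total_seconds()
        # Zone offsets are multiples of 15 minutes; rounding absorbs the
        # small lag between ticket issue and the log write.
        offset_min = round(delta / 900) * 15
        results.append((m["stamp"], auth.isoformat(), offset_min))
    return results


if __name__ == "__main__":
    for stamp, auth_utc, off in stamp_offsets(SAMPLE_LOG):
        print(f"{stamp}  authtime={auth_utc}  log clock is UTC{off / 60:+.0f}h")
```

An offset that changes partway through the log, as here from 0 to -360 minutes, reflects a change to the zone the log is written in; it says nothing about clock skew, because authtime is zone-independent.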
