On 03/05/2015 08:09 PM, Dan Mossor wrote:



On Thu, Mar 5, 2015 at 6:44 PM, Dmitri Pal <d...@redhat.com> wrote:

    On 03/05/2015 07:36 PM, Dan Mossor wrote:
    On Thu, Mar 5, 2015 at 5:17 PM, Dan Mossor <danofs...@gmail.com> wrote:



        On Thu, Mar 5, 2015 at 4:55 PM, Dmitri Pal <d...@redhat.com> wrote:

            On 03/05/2015 05:51 PM, Dan Mossor wrote:
            As an additional test, I created a new user on my
            workstation and switched to it. The first thing I did
            was kinit as admin, then started Firefox, went through
            the browser configuration provided by the IPA server,
            and attempted to log in. I received the same error[1].

            [1] http://i.imgur.com/mhX86Ng.png


            Have you checked times and time zones on the client and
            on the server?

            --
            Thank you,
            Dmitri Pal

            Sr. Engineering Manager IdM portfolio
            Red Hat, Inc.


        The server is set for GMT time, whereas the client is set for
        local time, US Central Standard Time. Except for that
        difference, they are within 1 second of each other.

        Dan

    As an experiment after this email exchange, I switched the server
    to Central Standard Time using timedatectl. I then ran kinit
    again, and attempted to log into the GUI. There was no change - I
    still cannot access the GUI. Here is the krb5kdc.log from the period:

    Mar 06 00:28:54 vader.rez.lcl krb5kdc[1073](info): AS_REQ (6 etypes {18 17 16 23 25 26}) 10.1.1.15: NEEDED_PREAUTH: host/dmfedora.rez....@rez.lcl for krbtgt/rez....@rez.lcl, Additional pre-authentication required
    Mar 06 00:28:54 vader.rez.lcl krb5kdc[1073](info): AS_REQ (6 etypes {18 17 16 23 25 26}) 10.1.1.15: ISSUE: authtime 1425601734, etypes {rep=18 tkt=18 ses=18}, host/dmfedora.rez....@rez.lcl for krbtgt/rez....@rez.lcl
    Mar 06 00:28:54 vader.rez.lcl krb5kdc[1073](info): TGS_REQ (6 etypes {18 17 16 23 25 26}) 10.1.1.15: ISSUE: authtime 1425601734, etypes {rep=18 tkt=18 ses=18}, host/dmfedora.rez....@rez.lcl for ldap/vader.rez....@rez.lcl
    Mar 05 18:29:20 vader.rez.lcl krb5kdc[1073](info): AS_REQ (6 etypes {18 17 16 23 25 26}) 10.1.1.15: NEEDED_PREAUTH: ad...@rez.lcl for krbtgt/rez....@rez.lcl, Additional pre-authentication required
    Mar 05 18:29:25 vader.rez.lcl krb5kdc[1073](info): AS_REQ (6 etypes {18 17 16 23 25 26}) 10.1.1.15: ISSUE: authtime 1425601765, etypes {rep=18 tkt=18 ses=18}, ad...@rez.lcl for krbtgt/rez....@rez.lcl
    Mar 05 18:29:26 vader.rez.lcl krb5kdc[1073](info): DISPATCH: repeated (retransmitted?) request from 10.1.1.15, resending previous response
    Mar 05 18:29:26 vader.rez.lcl krb5kdc[1073](info): closing down fd 12
    Mar 05 18:29:44 vader.rez.lcl krb5kdc[1073](info): AS_REQ (6 etypes {18 17 16 23 25 26}) 10.1.0.1: NEEDED_PREAUTH: HTTP/vader.rez....@rez.lcl for krbtgt/rez....@rez.lcl, Additional pre-authentication required
    Mar 05 18:29:44 vader.rez.lcl krb5kdc[1073](info): AS_REQ (6 etypes {18 17 16 23 25 26}) 10.1.0.1: ISSUE: authtime 1425601784, etypes {rep=18 tkt=18 ses=18}, HTTP/vader.rez....@rez.lcl for krbtgt/rez....@rez.lcl
    Mar 05 18:29:44 vader.rez.lcl krb5kdc[1073](info): AS_REQ (6 etypes {18 17 16 23 25 26}) 10.1.0.1: NEEDED_PREAUTH: ad...@rez.lcl for krbtgt/rez....@rez.lcl, Additional pre-authentication required
    Mar 05 18:29:44 vader.rez.lcl krb5kdc[1073](info): AS_REQ (6 etypes {18 17 16 23 25 26}) 10.1.0.1: ISSUE: authtime 1425601784, etypes {rep=18 tkt=18 ses=18}, ad...@rez.lcl for krbtgt/rez....@rez.lcl
    Mar 05 18:29:44 vader.rez.lcl krb5kdc[1073](info): TGS_REQ (6 etypes {18 17 16 23 25 26}) 10.1.1.15: ISSUE: authtime 1425601765, etypes {rep=18 tkt=18 ses=18}, ad...@rez.lcl for HTTP/vader.rez....@rez.lcl


    One thing I did determine is the authtime in the krb5kdc log is
    epoch time. I checked it, and it translates directly to the
    standard time.

    Dan

    Hm. OK.

    I do not think it was ever mentioned which version of the
    server and client you are running, but based on the UI it seems
    like the latest.
    Also, you are trying to log in after using kinit. Can you log in
    using forms-based authentication, or does that not work either?


    --
    Thank you,
    Dmitri Pal

    Sr. Engineering Manager IdM portfolio
    Red Hat, Inc.

I can't seem to locate the form-based authentication for 4.1.2-1 - I was going to try that in order to add the information to this thread, but I can find no reference as to where it is, and I can't find it manually on the file system. Can you give me the default URL for it?

freeipa-server-4.1.2-1.fc21.x86_64
freeipa-client-4.1.2-1.fc21.x86_64

Dan
http://i.imgur.com/mhX86Ng.png

It should show up if you do not have a ticket. Destroy the ticket on the client and try to access the server via browser; you should be redirected.

--
Thank you,
Dmitri Pal

Sr. Engineering Manager IdM portfolio
Red Hat, Inc.
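
The time check discussed in this thread, as an added example that is not part of the original messages: it compares each AS_REQ ISSUE line's syslog stamp with its epoch authtime, recovering the zone the log was written in and the leftover skew. The sample lines are constructed (timestamps and authtime values follow the thread's log; host names, addresses and principals are placeholders), and only AS_REQ lines are used because a TGS_REQ line repeats the authtime of the earlier TGT.

```python
import re
from datetime import datetime, timezone

# Constructed sample: stamps and authtime values follow the thread's log,
# host names, addresses and principals are placeholders.
SAMPLE_LOG = """\
Mar 06 00:28:54 kdc.example.test krb5kdc[1073](info): AS_REQ (6 etypes {18 17 16 23 25 26}) 192.0.2.15: ISSUE: authtime 1425601734, etypes {rep=18 tkt=18 ses=18}, host/client.example.test@EXAMPLE.TEST for krbtgt/EXAMPLE.TEST@EXAMPLE.TEST
Mar 05 18:29:25 kdc.example.test krb5kdc[1073](info): AS_REQ (6 etypes {18 17 16 23 25 26}) 192.0.2.15: ISSUE: authtime 1425601765, etypes {rep=18 tkt=18 ses=18}, admin@EXAMPLE.TEST for krbtgt/EXAMPLE.TEST@EXAMPLE.TEST
Mar 05 18:29:26 kdc.example.test krb5kdc[1073](info): closing down fd 12
"""

ISSUE_RE = re.compile(
    r"^(?P<stamp>\w{3} \d{2} \d{2}:\d{2}:\d{2}) \S+ krb5kdc\[\d+\]\(info\): "
    r"AS_REQ .*? ISSUE: authtime (?P<authtime>\d+),"
)
QUARTER_HOUR = 900  # UTC offsets are multiples of 15 minutes
CLOCKSKEW = 300     # MIT krb5 default clock skew tolerance, in seconds


def analyze(log_text):
    """Return one tuple per AS_REQ ISSUE line:
    (authtime in UTC, implied log zone in hours, residual seconds, within tolerance)."""
    results = []
    for line in log_text.splitlines():
        m = ISSUE_RE.match(line)
        if not m:
            continue  # not an AS_REQ ticket issue line
        auth = datetime.fromtimestamp(int(m["authtime"]), tz=timezone.utc)
        # Syslog stamps carry no year or zone; borrow the year from authtime.
        stamp = datetime.strptime(f"{auth.year} {m['stamp']}", "%Y %b %d %H:%M:%S")
        delta = (stamp - auth.replace(tzinfo=None)).total_seconds()
        # The nearest quarter hour is the zone the log was rendered in;
        # whatever is left over is genuine disagreement between the two values.
        offset = round(delta / QUARTER_HOUR) * QUARTER_HOUR
        residual = delta - offset
        results.append((auth, offset / 3600, residual, abs(residual) <= CLOCKSKEW))
    return results


if __name__ == "__main__":
    for auth, zone_hours, residual, ok in analyze(SAMPLE_LOG):
        print(f"{auth.isoformat()}  log zone UTC{zone_hours:+.2f}h  "
              f"residual {residual:+.0f}s  within clockskew: {ok}")
```

Kerberos timestamps are exchanged in UTC, so a change of log zone with zero residual, as in these lines, means the time zone setting only changed how the log is printed.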
