On 03/05/2015 08:09 PM, Dan Mossor wrote:
On Thu, Mar 5, 2015 at 6:44 PM, Dmitri Pal <d...@redhat.com> wrote:
On 03/05/2015 07:36 PM, Dan Mossor wrote:
On Thu, Mar 5, 2015 at 5:17 PM, Dan Mossor <danofs...@gmail.com> wrote:
On Thu, Mar 5, 2015 at 4:55 PM, Dmitri Pal <d...@redhat.com> wrote:
On 03/05/2015 05:51 PM, Dan Mossor wrote:
As an additional test, I created a new user on my
workstation and switched to it. The first thing I did
was kinit as admin, then started Firefox, went through
the browser configuration provided by the IPA server,
and attempted to log in. I received the same error[1].
[1] http://i.imgur.com/mhX86Ng.png
Have you checked times and time zones on the client and
on the server?
--
Thank you,
Dmitri Pal
Sr. Engineering Manager IdM portfolio
Red Hat, Inc.
The server is set for GMT time, whereas the client is set for
local time, US Central Standard Time. Except for that
difference, they are within 1 second of each other.
Dan
As an experiment after this email exchange, I switched the server
to Central Standard Time using timedatectl. I then ran kinit
again, and attempted to log into the GUI. There was no change - I
still cannot access the GUI. Here is the krb5kdc.log from the period:
Mar 06 00:28:54 vader.rez.lcl krb5kdc[1073](info): AS_REQ (6 etypes {18 17 16 23 25 26}) 10.1.1.15: NEEDED_PREAUTH: host/dmfedora.rez....@rez.lcl for krbtgt/rez....@rez.lcl, Additional pre-authentication required
Mar 06 00:28:54 vader.rez.lcl krb5kdc[1073](info): AS_REQ (6 etypes {18 17 16 23 25 26}) 10.1.1.15: ISSUE: authtime 1425601734, etypes {rep=18 tkt=18 ses=18}, host/dmfedora.rez....@rez.lcl for krbtgt/rez....@rez.lcl
Mar 06 00:28:54 vader.rez.lcl krb5kdc[1073](info): TGS_REQ (6 etypes {18 17 16 23 25 26}) 10.1.1.15: ISSUE: authtime 1425601734, etypes {rep=18 tkt=18 ses=18}, host/dmfedora.rez....@rez.lcl for ldap/vader.rez....@rez.lcl
Mar 05 18:29:20 vader.rez.lcl krb5kdc[1073](info): AS_REQ (6 etypes {18 17 16 23 25 26}) 10.1.1.15: NEEDED_PREAUTH: ad...@rez.lcl for krbtgt/rez....@rez.lcl, Additional pre-authentication required
Mar 05 18:29:25 vader.rez.lcl krb5kdc[1073](info): AS_REQ (6 etypes {18 17 16 23 25 26}) 10.1.1.15: ISSUE: authtime 1425601765, etypes {rep=18 tkt=18 ses=18}, ad...@rez.lcl for krbtgt/rez....@rez.lcl
Mar 05 18:29:26 vader.rez.lcl krb5kdc[1073](info): DISPATCH: repeated (retransmitted?) request from 10.1.1.15, resending previous response
Mar 05 18:29:26 vader.rez.lcl krb5kdc[1073](info): closing down fd 12
Mar 05 18:29:44 vader.rez.lcl krb5kdc[1073](info): AS_REQ (6 etypes {18 17 16 23 25 26}) 10.1.0.1: NEEDED_PREAUTH: HTTP/vader.rez....@rez.lcl for krbtgt/rez....@rez.lcl, Additional pre-authentication required
Mar 05 18:29:44 vader.rez.lcl krb5kdc[1073](info): AS_REQ (6 etypes {18 17 16 23 25 26}) 10.1.0.1: ISSUE: authtime 1425601784, etypes {rep=18 tkt=18 ses=18}, HTTP/vader.rez....@rez.lcl for krbtgt/rez....@rez.lcl
Mar 05 18:29:44 vader.rez.lcl krb5kdc[1073](info): AS_REQ (6 etypes {18 17 16 23 25 26}) 10.1.0.1: NEEDED_PREAUTH: ad...@rez.lcl for krbtgt/rez....@rez.lcl, Additional pre-authentication required
Mar 05 18:29:44 vader.rez.lcl krb5kdc[1073](info): AS_REQ (6 etypes {18 17 16 23 25 26}) 10.1.0.1: ISSUE: authtime 1425601784, etypes {rep=18 tkt=18 ses=18}, ad...@rez.lcl for krbtgt/rez....@rez.lcl
Mar 05 18:29:44 vader.rez.lcl krb5kdc[1073](info): TGS_REQ (6 etypes {18 17 16 23 25 26}) 10.1.1.15: ISSUE: authtime 1425601765, etypes {rep=18 tkt=18 ses=18}, ad...@rez.lcl for HTTP/vader.rez....@rez.lcl
One thing I did determine is the authtime in the krb5kdc log is
epoch time. I checked it, and it translates directly to the
standard time.
Dan
Hm. OK.
I do not think it was ever mentioned which version of the
server and client you are running, but based on the UI it seems
like the latest.
Also, you are trying to log in after using kinit. Can you log in using
forms-based authentication, or does that not work either?
--
Thank you,
Dmitri Pal
Sr. Engineering Manager IdM portfolio
Red Hat, Inc.
I can't seem to locate the form based authentication for 4.1.2-1 - I
was going to try that in order to add the information to this thread,
but I can find no reference as to where it is and I can't find it
manually on the file system. Can you give me the default URL for it?
freeipa-server-4.1.2-1.fc21.x86_64
freeipa-client-4.1.2-1.fc21.x86_64
Dan
http://i.imgur.com/mhX86Ng.png
It should show up if you do not have a ticket. Destroy the ticket on the
client and try to access the server via browser; you should be redirected.
--
Thank you,
Dmitri Pal
Sr. Engineering Manager IdM portfolio
Red Hat, Inc.
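
Added example, not part of the original thread: a check of the observation above that authtime in krb5kdc.log is epoch time. It parses ISSUE lines, infers from each AS_REQ the zone the syslog stamp was written in, and reports the TGT's age on each TGS_REQ. The sample lines are constructed in the thread's log format using its timestamps and authtime values; the host name and principals are placeholders, and the year is an assumed parameter.

```python
import re
from datetime import datetime, timezone

# Constructed sample in the krb5kdc.log format quoted in the thread. Timestamps
# and authtime values are the thread's; host and principals are placeholders.
SAMPLE_LOG = """\
Mar 06 00:28:54 kdc.example.test krb5kdc[1073](info): AS_REQ (6 etypes {18 17 16 23 25 26}) 10.1.1.15: ISSUE: authtime 1425601734, etypes {rep=18 tkt=18 ses=18}, host/client.example.test@EXAMPLE.TEST for krbtgt/EXAMPLE.TEST@EXAMPLE.TEST
Mar 05 18:29:20 kdc.example.test krb5kdc[1073](info): AS_REQ (6 etypes {18 17 16 23 25 26}) 10.1.1.15: NEEDED_PREAUTH: admin@EXAMPLE.TEST for krbtgt/EXAMPLE.TEST@EXAMPLE.TEST, Additional pre-authentication required
Mar 05 18:29:25 kdc.example.test krb5kdc[1073](info): AS_REQ (6 etypes {18 17 16 23 25 26}) 10.1.1.15: ISSUE: authtime 1425601765, etypes {rep=18 tkt=18 ses=18}, admin@EXAMPLE.TEST for krbtgt/EXAMPLE.TEST@EXAMPLE.TEST
Mar 05 18:29:44 kdc.example.test krb5kdc[1073](info): TGS_REQ (6 etypes {18 17 16 23 25 26}) 10.1.1.15: ISSUE: authtime 1425601765, etypes {rep=18 tkt=18 ses=18}, admin@EXAMPLE.TEST for HTTP/kdc.example.test@EXAMPLE.TEST
"""

ISSUE_RE = re.compile(
    r"^(?P<stamp>\w{3} \d{2} \d{2}:\d{2}:\d{2}) \S+ krb5kdc\[\d+\]\(info\): "
    r"(?P<req>AS_REQ|TGS_REQ) \(.*?\) (?P<ip>[\d.]+): ISSUE: "
    r"authtime (?P<authtime>\d+), etypes \{[^}]*\}, "
    r"(?P<client>\S+) for (?P<service>\S+)$")

def analyse(log, year=2015):
    """Return (stamp, req, client, service, zone_hours, seconds) per ISSUE line.

    Syslog stamps carry no year or zone, so the year is a parameter. On an
    AS_REQ the KDC sets authtime to its current clock, so stamp - authtime
    is the zone the log was written in (snapped to 15 min) and `seconds` is
    the leftover disagreement. On a TGS_REQ authtime is the TGT's, so
    `seconds` is the TGT's age under the most recently inferred zone.
    """
    rows, zone = [], None
    for line in log.splitlines():
        m = ISSUE_RE.match(line)
        if not m:
            continue  # NEEDED_PREAUTH, DISPATCH, etc. carry no authtime
        local = datetime.strptime(f"{year} {m['stamp']}", "%Y %b %d %H:%M:%S")
        auth = datetime.fromtimestamp(int(m["authtime"]), timezone.utc).replace(tzinfo=None)
        delta = (local - auth).total_seconds()
        if m["req"] == "AS_REQ":
            zone = round(delta / 900) / 4
            seconds = delta - zone * 3600
        elif zone is not None:
            seconds = delta - zone * 3600
        else:
            seconds = None  # no AS_REQ seen yet, zone unknown
        rows.append((m["stamp"], m["req"], m["client"], m["service"], zone, seconds))
    return rows
```

On the sample, the first entry resolves to zone 0 (GMT) and the later ones to zone -6 (Central Standard Time) with no leftover seconds, so the KDC's log stamps and authtime agree before and after the zone change.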