<html>
<head>
<meta content="text/html; charset=ISO-8859-1"
http-equiv="Content-Type">
</head>
<body bgcolor="#FFFFFF" text="#000000">
<br>
On 09/18/2012 03:06 PM, Nathan Lager wrote:<br>
<span style="white-space: pre;">> Sorry for falling off like that.<br>
> I opened a RedHat ticket on the issue, and have been running in<br>
> circles with them. I forgot to check on the list for responses.<br>
><br>
><br>
> I'm still having problems. Someone suggested I try:<br>
><br>
> kinit -kt /etc/httpd/conf/ipa.keytab HTTP/ipaserver.lafayette.edu<br>
><br>
> Which I just did, and it worked, or, at least it initialized my session.<br>
><br>
> I'm still unable to execute ipa commands. In fact, I'm unable to<br>
> execute almost any ipa commands.<br>
><br>
> The web interface works, but only after RedHat had me enable Kerberos<br>
> password auth in the httpd config. So I can now auth to the web GUI<br>
> interactively, instead of requiring a kinit from my workstation.<br>
><br>
> The only real client I have here is RHEV. And auth there still works<br>
> except on accounts which have expired. Those accounts can't even<br>
> change their passwords.<br>
><br>
> RedHat had me disable the password expiration via the web GUI, however<br>
> that hasn't helped accounts that are already expired.<br>
><br>
> RedHat is currently blaming time skew, which I think is ridiculous.</span><br>
<br>
Well, this is probably my fault. I looked in the case (it is huge)
and saw that there are issues with the time in the log, so I
suggested they ask you to check the times to rule that part out. I
have not had a chance to follow up. But time skew usually creates
all sorts of strange things, and if the time skew was the problem in
the past but some passwords were created, then there might be
problems with the expiration.<br>
<br>
I was also very concerned about the framework not being able to get
a Kerberos ticket for whatever reason, and the reason was not clear.<br>
<br>
<span style="white-space: pre;">> I'm testing my ipa commands right on the ipa master. How could there<br>
> possibly be time skew?</span><br>
<br>
This was not clear from the case, and I also asked them to ask you just to
check the time on the server.<br>
<br>
<span style="white-space: pre;">> I did find that the time on my replica was<br>
> off, but my replica isn't working anyway, which is a whole other issue.<br>
> I think it needs to be flattened, and re-joined.</span><br>
<br>
OK, let us treat it as a separate issue.<br>
<br>
<span style="white-space: pre;">><br>
><br>
> On 09/10/2012 08:54 AM, Dmitri Pal wrote:<br>
> > On 08/24/2012 04:43 PM, Rob Crittenden wrote:<br>
> >> Nathan Lager wrote:<br>
> >>> This did not seem to help...<br>
> >>><br>
> >><br>
> >> What else isn't working? Does the UI work? Do clients on other<br>
> >> machines work? Does user lookup still work?<br>
> >><br>
> >> rob<br>
><br>
><br>
> > Was this issue ever resolved?<br>
><br>
> >><br>
> >>><br>
> >>> On 08/22/2012 06:02 PM, Rob Crittenden wrote:<br>
> >>>> Nathan Lager wrote:<br>
> >>>>> [root@ipaserver PROD krb5kdc]# ipactl status<br>
> >>>>> Directory Service: RUNNING<br>
> >>>>> KDC Service: RUNNING<br>
> >>>>> KPASSWD Service: RUNNING<br>
> >>>>> MEMCACHE Service: RUNNING<br>
> >>>>> HTTP Service: RUNNING<br>
> >>>>> CA Service: RUNNING<br>
> >>>>> [root@ipaserver PROD krb5kdc]# rpm -qa | grep ipa-server<br>
> >>>>> ipa-server-selinux-2.2.0-16.el6.x86_64<br>
> >>>>> ipa-server-2.2.0-16.el6.x86_64<br>
> >>>><br>
> >>>> I'd try removing /tmp/krb5cc_48. This is the ccache used by<br>
> >>>> Apache for doing S4U2Proxy. No restart of httpd should be<br>
> >>>> required.<br>
> >>>><br>
> >>>> rob<br>
> >>>><br>
> >>>>><br>
> >>>>><br>
> >>>>> On 08/22/2012 04:08 PM, Rob Crittenden wrote:<br>
> >>>>>> Nathan Lager wrote:<br>
> >>>>>>> I tried the same, kinit, and then ipa passwd commands<br>
> >>>>>>> as before, here's the output:<br>
> >>>>>>><br>
> >>>>>>> Aug 22 14:32:13 ipaserver.lafayette.edu krb5kdc[1438](info): AS_REQ (4 etypes {18 17 16 23}) ipa-servers-ip: NEEDED_PREAUTH: lagern@SYSTEMS.LAFAYETTE.EDU for krbtgt/SYSTEMS.LAFAYETTE.EDU@SYSTEMS.LAFAYETTE.EDU, Additional pre-authentication required<br>
> >>>>>>><br>
> >>>>>>> Aug 22 14:32:19 ipaserver.lafayette.edu krb5kdc[1438](info): AS_REQ (4 etypes {18 17 16 23}) ipa-servers-ip: ISSUE: authtime 1345660339, etypes {rep=18 tkt=18 ses=18}, lagern@SYSTEMS.LAFAYETTE.EDU for krbtgt/SYSTEMS.LAFAYETTE.EDU@SYSTEMS.LAFAYETTE.EDU<br>
> >>>>>>><br>
> >>>>>>> Aug 22 14:32:35 ipaserver.lafayette.edu krb5kdc[1438](info): TGS_REQ (4 etypes {18 17 16 23}) ipa-servers-ip: ISSUE: authtime 1345660339, etypes {rep=18 tkt=18 ses=18}, lagern@SYSTEMS.LAFAYETTE.EDU for HTTP/ipaserver.lafayette.edu@SYSTEMS.LAFAYETTE.EDU<br>
> >>>>>><br>
> >>>>>> What version of IPA is this?<br>
> >>>>>><br>
> >>>>>> Does ipactl status show all services up?<br>
> >>>>>><br>
> >>>>>> rob<br>
> >>>>><br>
> >>>>><br>
> >>>><br>
> >>>><br>
> >>><br>
> >><br>
> >><br>
></span><br>
<br>
-- <br>
Thank you,<br>
Dmitri Pal<br>
<br>
Sr. Engineering Manager for IdM portfolio<br>
Red Hat Inc.<br>
<br>
</body>
</html>