<html>
<head>
<meta content="text/html; charset=UTF-8" http-equiv="Content-Type">
</head>
<body bgcolor="#FFFFFF" text="#000000">
<div class="moz-cite-prefix">On 03/05/2015 08:09 PM, Dan Mossor
wrote:<br>
</div>
<blockquote
cite="mid:CAMobkEOtC7=QQ1vzbrE4vvvhGAGNBTYC8wcCR84Ca0t4qX6QeQ@mail.gmail.com"
type="cite">
<div dir="ltr"><br>
<div class="gmail_extra"><br>
<div class="gmail_quote">On Thu, Mar 5, 2015 at 6:44 PM,
Dmitri Pal <span dir="ltr">&lt;<a moz-do-not-send="true"
href="mailto:dpal@redhat.com" target="_blank">dpal@redhat.com</a>&gt;</span>
wrote:<br>
<blockquote class="gmail_quote" style="margin:0px 0px 0px
0.8ex;border-left:1px solid
rgb(204,204,204);padding-left:1ex">
<div bgcolor="#FFFFFF" text="#000000">
<div>
<div class="h5">
<div>On 03/05/2015 07:36 PM, Dan Mossor wrote:<br>
</div>
<blockquote type="cite">
<div dir="ltr">
<div class="gmail_extra">
<div class="gmail_quote">On Thu, Mar 5, 2015
at 5:17 PM, Dan Mossor <span dir="ltr">&lt;<a
moz-do-not-send="true"
href="mailto:danofsatx@gmail.com"
target="_blank">danofsatx@gmail.com</a>&gt;</span>
wrote:<br>
<blockquote class="gmail_quote"
style="margin:0px 0px 0px
0.8ex;border-left:1px solid
rgb(204,204,204);padding-left:1ex">
<div dir="ltr"><br>
<div class="gmail_extra"><br>
<div class="gmail_quote"><span>On Thu,
Mar 5, 2015 at 4:55 PM, Dmitri Pal
<span dir="ltr">&lt;<a
moz-do-not-send="true"
href="mailto:dpal@redhat.com"
target="_blank">dpal@redhat.com</a>&gt;</span>
wrote:<br>
</span>
<blockquote class="gmail_quote"
style="margin:0px 0px 0px
0.8ex;border-left:1px solid
rgb(204,204,204);padding-left:1ex">
<div bgcolor="#FFFFFF"
text="#000000">
<div>
<div><span>
<div>On 03/05/2015 05:51
PM, Dan Mossor wrote:<br>
</div>
</span><span>
<blockquote type="cite">
<div dir="ltr">
<div
class="gmail_extra"><font
face="monospace,monospace">As an additional test, I created a new user
on my workstation
and switched to
it. The first
thing I did was
kinit as admin,
then started
Firefox, went
through the
browser
configuration
provided by the
IPA server, and
attempted to log
in. I received the
same error[1].<br>
<br>
[1]<a
moz-do-not-send="true"
href="http://i.imgur.com/mhX86Ng.png" target="_blank">http://i.imgur.com/mhX86Ng.png</a><br>
</font></div>
</div>
<br>
<fieldset></fieldset>
<br>
</blockquote>
</span></div>
</div>
<span> Have you checked times
and time zones on the client
and on the server?<span><br>
<br>
<pre cols="72">--
Thank you,
Dmitri Pal
Sr. Engineering Manager IdM portfolio
Red Hat, Inc.</pre>
</span></span></div>
<br>
</blockquote>
</div>
<font face="monospace,monospace"><font>The
server is set for GMT time,
whereas the client is set for
local time, US Central Standard
Time. Except for that difference,
they are within 1 second of each
other.</font></font><span><font
color="#888888"><br>
<br>
</font></span></div>
<div class="gmail_extra"><span><font
color="#888888"><font
face="monospace,monospace">Dan</font></font></span><br>
</div>
</div>
</blockquote>
</div>
<font face="monospace,monospace">As an
experiment after this email exchange, I
switched the server to Central Standard Time
using timedatectl. I then ran kinit again,
and attempted to log into the GUI. There was
no change - I still cannot access the GUI.
Here is the krb5kdc.log</font> from the
period:<br>
<br>
<font face="monospace,monospace">Mar 06
00:28:54 vader.rez.lcl krb5kdc[1073](info):
AS_REQ (6 etypes {18 17 16 23 25 26}) <a
moz-do-not-send="true"
href="http://10.1.1.15" target="_blank">10.1.1.15</a>:
NEEDED_PREAUTH: <a moz-do-not-send="true"
href="mailto:host/dmfedora.rez.lcl@REZ.LCL"
target="_blank">host/dmfedora.rez.lcl@REZ.LCL</a>
for <a moz-do-not-send="true"
href="mailto:krbtgt/REZ.LCL@REZ.LCL"
target="_blank">krbtgt/REZ.LCL@REZ.LCL</a>,
Additional pre-authentication required<br>
Mar 06 00:28:54 vader.rez.lcl
krb5kdc[1073](info): AS_REQ (6 etypes {18 17
16 23 25 26}) <a moz-do-not-send="true"
href="http://10.1.1.15" target="_blank">10.1.1.15</a>:
ISSUE: authtime 1425601734, etypes {rep=18
tkt=18 ses=18}, <a moz-do-not-send="true"
href="mailto:host/dmfedora.rez.lcl@REZ.LCL"
target="_blank">host/dmfedora.rez.lcl@REZ.LCL</a>
for <a moz-do-not-send="true"
href="mailto:krbtgt/REZ.LCL@REZ.LCL"
target="_blank">krbtgt/REZ.LCL@REZ.LCL</a><br>
Mar 06 00:28:54 vader.rez.lcl
krb5kdc[1073](info): TGS_REQ (6 etypes {18
17 16 23 25 26}) <a moz-do-not-send="true"
href="http://10.1.1.15" target="_blank">10.1.1.15</a>:
ISSUE: authtime 1425601734, etypes {rep=18
tkt=18 ses=18}, <a moz-do-not-send="true"
href="mailto:host/dmfedora.rez.lcl@REZ.LCL"
target="_blank">host/dmfedora.rez.lcl@REZ.LCL</a>
for <a moz-do-not-send="true"
href="mailto:ldap/vader.rez.lcl@REZ.LCL"
target="_blank">ldap/vader.rez.lcl@REZ.LCL</a><br>
Mar 05 18:29:20 vader.rez.lcl
krb5kdc[1073](info): AS_REQ (6 etypes {18 17
16 23 25 26}) <a moz-do-not-send="true"
href="http://10.1.1.15" target="_blank">10.1.1.15</a>:
NEEDED_PREAUTH: <a moz-do-not-send="true"
href="mailto:admin@REZ.LCL"
target="_blank">admin@REZ.LCL</a> for <a
moz-do-not-send="true"
href="mailto:krbtgt/REZ.LCL@REZ.LCL"
target="_blank">krbtgt/REZ.LCL@REZ.LCL</a>,
Additional pre-authentication required<br>
Mar 05 18:29:25 vader.rez.lcl
krb5kdc[1073](info): AS_REQ (6 etypes {18 17
16 23 25 26}) <a moz-do-not-send="true"
href="http://10.1.1.15" target="_blank">10.1.1.15</a>:
ISSUE: authtime 1425601765, etypes {rep=18
tkt=18 ses=18}, <a moz-do-not-send="true"
href="mailto:admin@REZ.LCL"
target="_blank">admin@REZ.LCL</a> for <a
moz-do-not-send="true"
href="mailto:krbtgt/REZ.LCL@REZ.LCL"
target="_blank">krbtgt/REZ.LCL@REZ.LCL</a><br>
Mar 05 18:29:26 vader.rez.lcl
krb5kdc[1073](info): DISPATCH: repeated
(retransmitted?) request from 10.1.1.15,
resending previous response<br>
Mar 05 18:29:26 vader.rez.lcl
krb5kdc[1073](info): closing down fd 12<br>
Mar 05 18:29:44 vader.rez.lcl
krb5kdc[1073](info): AS_REQ (6 etypes {18 17
16 23 25 26}) <a moz-do-not-send="true"
href="http://10.1.0.1" target="_blank">10.1.0.1</a>:
NEEDED_PREAUTH: <a moz-do-not-send="true"
href="mailto:HTTP/vader.rez.lcl@REZ.LCL"
target="_blank">HTTP/vader.rez.lcl@REZ.LCL</a>
for <a moz-do-not-send="true"
href="mailto:krbtgt/REZ.LCL@REZ.LCL"
target="_blank">krbtgt/REZ.LCL@REZ.LCL</a>,
Additional pre-authentication required<br>
Mar 05 18:29:44 vader.rez.lcl
krb5kdc[1073](info): AS_REQ (6 etypes {18 17
16 23 25 26}) <a moz-do-not-send="true"
href="http://10.1.0.1" target="_blank">10.1.0.1</a>:
ISSUE: authtime 1425601784, etypes {rep=18
tkt=18 ses=18}, <a moz-do-not-send="true"
href="mailto:HTTP/vader.rez.lcl@REZ.LCL"
target="_blank">HTTP/vader.rez.lcl@REZ.LCL</a>
for <a moz-do-not-send="true"
href="mailto:krbtgt/REZ.LCL@REZ.LCL"
target="_blank">krbtgt/REZ.LCL@REZ.LCL</a><br>
Mar 05 18:29:44 vader.rez.lcl
krb5kdc[1073](info): AS_REQ (6 etypes {18 17
16 23 25 26}) <a moz-do-not-send="true"
href="http://10.1.0.1" target="_blank">10.1.0.1</a>:
NEEDED_PREAUTH: <a moz-do-not-send="true"
href="mailto:admin@REZ.LCL"
target="_blank">admin@REZ.LCL</a> for <a
moz-do-not-send="true"
href="mailto:krbtgt/REZ.LCL@REZ.LCL"
target="_blank">krbtgt/REZ.LCL@REZ.LCL</a>,
Additional pre-authentication required<br>
Mar 05 18:29:44 vader.rez.lcl
krb5kdc[1073](info): AS_REQ (6 etypes {18 17
16 23 25 26}) <a moz-do-not-send="true"
href="http://10.1.0.1" target="_blank">10.1.0.1</a>:
ISSUE: authtime 1425601784, etypes {rep=18
tkt=18 ses=18}, <a moz-do-not-send="true"
href="mailto:admin@REZ.LCL"
target="_blank">admin@REZ.LCL</a> for <a
moz-do-not-send="true"
href="mailto:krbtgt/REZ.LCL@REZ.LCL"
target="_blank">krbtgt/REZ.LCL@REZ.LCL</a><br>
Mar 05 18:29:44 vader.rez.lcl
krb5kdc[1073](info): TGS_REQ (6 etypes {18
17 16 23 25 26}) <a moz-do-not-send="true"
href="http://10.1.1.15" target="_blank">10.1.1.15</a>:
ISSUE: authtime 1425601765, etypes {rep=18
tkt=18 ses=18}, <a moz-do-not-send="true"
href="mailto:admin@REZ.LCL"
target="_blank">admin@REZ.LCL</a> for <a
moz-do-not-send="true"
href="mailto:HTTP/vader.rez.lcl@REZ.LCL"
target="_blank">HTTP/vader.rez.lcl@REZ.LCL</a></font><br>
<br>
<br>
</div>
<div class="gmail_extra"><font
face="monospace,monospace">One thing I did
determine is the authtime in the krb5kdc log
is epoch time. I checked it, and it
translates directly to the standard time.<br>
<br>
</font></div>
<div class="gmail_extra"><font
face="monospace,monospace">Dan<br>
</font></div>
</div>
</blockquote>
<br>
</div>
</div>
Hm. OK.<br>
<br>
I do not think it was ever mentioned which version of
the server and client you are running, but based on the
UI it seems like the latest.<br>
Also you are trying to log in after using kinit. Can you
log in using forms-based authentication, or does that not work
either?<span class=""><br>
<br>
<br>
<pre cols="72">--
Thank you,
Dmitri Pal
Sr. Engineering Manager IdM portfolio
Red Hat, Inc.</pre>
<span style="font-family:monospace,monospace"> </span></span></div>
<span style="font-family:monospace,monospace">
</span></blockquote>
</div>
<span style="font-family:monospace,monospace">I can't seem to
locate the form based authentication for 4.1.2-1 - I was
going to try that in order to add the information to this
thread, but I can find no reference as to where it is and I
can't find it manually on the file system. Can you give me
the default URL for it?<br>
<br>
freeipa-server-4.1.2-1.fc21.x86_64<br>
freeipa-client-4.1.2-1.fc21.x86_64<br>
<br>
</span></div>
<div class="gmail_extra"><span
style="font-family:monospace,monospace">Dan<br>
</span></div>
</div>
</blockquote>
<span><font face="monospace,monospace"><a
href="http://i.imgur.com/mhX86Ng.png" target="_blank">http://i.imgur.com/mhX86Ng.png</a><br>
<br>
</font></span>It should show up if you do not have a ticket.
Destroy the ticket on the client and try to access the server via
browser; you should be redirected.<br>
<br>
<pre class="moz-signature" cols="72">--
Thank you,
Dmitri Pal
Sr. Engineering Manager IdM portfolio
Red Hat, Inc.</pre>
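<p>An added example, not part of the original thread: a check that separates a timezone change on the KDC host from real clock skew by comparing each syslog timestamp in the quoted krb5kdc.log with the epoch authtime on the same line. The year (2015, taken from the message dates) and whole-hour zone offsets are assumptions; the function name is hypothetical.</p>

```python
import re
from datetime import datetime, timezone

# ISSUE lines copied from the krb5kdc.log quoted in the thread (HTML links stripped).
SAMPLE_LOG = """\
Mar 06 00:28:54 vader.rez.lcl krb5kdc[1073](info): AS_REQ (6 etypes {18 17 16 23 25 26}) 10.1.1.15: ISSUE: authtime 1425601734, etypes {rep=18 tkt=18 ses=18}, host/dmfedora.rez.lcl@REZ.LCL for krbtgt/REZ.LCL@REZ.LCL
Mar 05 18:29:25 vader.rez.lcl krb5kdc[1073](info): AS_REQ (6 etypes {18 17 16 23 25 26}) 10.1.1.15: ISSUE: authtime 1425601765, etypes {rep=18 tkt=18 ses=18}, admin@REZ.LCL for krbtgt/REZ.LCL@REZ.LCL
Mar 05 18:29:44 vader.rez.lcl krb5kdc[1073](info): TGS_REQ (6 etypes {18 17 16 23 25 26}) 10.1.1.15: ISSUE: authtime 1425601765, etypes {rep=18 tkt=18 ses=18}, admin@REZ.LCL for HTTP/vader.rez.lcl@REZ.LCL
"""

LINE_RE = re.compile(
    r"^(?P<stamp>\w{3} \d{2} \d{2}:\d{2}:\d{2}) \S+ krb5kdc\[\d+\]\(info\): "
    r"(?P<req>AS_REQ|TGS_REQ) .*?: ISSUE: authtime (?P<authtime>\d+), "
    r".*?, (?P<client>\S+) for (?P<service>\S+)$",
    re.MULTILINE,
)


def as_req_offsets(log_text, year):
    """Return (client, offset_hours, residual_seconds) per AS_REQ ISSUE line.

    For an AS_REQ the authtime is the moment the ticket was issued, so
    (syslog wall-clock stamp) - (authtime as UTC) is the UTC offset the KDC
    host was logging in, plus any residual skew. TGS_REQ lines are skipped
    because their authtime is inherited from the TGT and may be much older.
    """
    results = []
    for m in LINE_RE.finditer(log_text):
        if m["req"] != "AS_REQ":
            continue
        # Syslog stamps carry no year or zone; the year is supplied by the caller.
        logged = datetime.strptime(f"{year} {m['stamp']}", "%Y %b %d %H:%M:%S")
        auth_utc = datetime.fromtimestamp(
            int(m["authtime"]), timezone.utc
        ).replace(tzinfo=None)
        delta = (logged - auth_utc).total_seconds()
        hours = round(delta / 3600)  # assumption: whole-hour zone offsets
        results.append((m["client"], hours, int(delta - hours * 3600)))
    return results


if __name__ == "__main__":
    for client, hours, residual in as_req_offsets(SAMPLE_LOG, 2015):
        print(f"{client}: logged at UTC{hours:+d}, residual {residual}s")
```

<p>On the lines from the thread the offset moves from 0 to -6 hours with a residual of 0 seconds, so the backwards jump in the log timestamps comes from the server's timezone switch rather than from clock drift.</p>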
</body>
</html>