<html>
  <head>
    <meta content="text/html; charset=UTF-8" http-equiv="Content-Type">
  </head>
  <body bgcolor="#FFFFFF" text="#000000">
    <div class="moz-cite-prefix">On 03/05/2015 08:09 PM, Dan Mossor
      wrote:<br>
    </div>
    <blockquote
cite="mid:CAMobkEOtC7=QQ1vzbrE4vvvhGAGNBTYC8wcCR84Ca0t4qX6QeQ@mail.gmail.com"
      type="cite">
      <div dir="ltr"><br>
        <div class="gmail_extra"><br>
          <div class="gmail_quote">On Thu, Mar 5, 2015 at 6:44 PM,
            Dmitri Pal <span dir="ltr"><<a moz-do-not-send="true"
                href="mailto:dpal@redhat.com" target="_blank">dpal@redhat.com</a>></span>
            wrote:<br>
            <blockquote class="gmail_quote" style="margin:0px 0px 0px
              0.8ex;border-left:1px solid
              rgb(204,204,204);padding-left:1ex">
              <div bgcolor="#FFFFFF" text="#000000">
                <div>
                  <div class="h5">
                    <div>On 03/05/2015 07:36 PM, Dan Mossor wrote:<br>
                    </div>
                    <blockquote type="cite">
                      <div dir="ltr">
                        <div class="gmail_extra">
                          <div class="gmail_quote">On Thu, Mar 5, 2015
                            at 5:17 PM, Dan Mossor <span dir="ltr"><<a
                                moz-do-not-send="true"
                                href="mailto:danofsatx@gmail.com"
                                target="_blank">danofsatx@gmail.com</a>></span>
                            wrote:<br>
                            <blockquote class="gmail_quote"
                              style="margin:0px 0px 0px
                              0.8ex;border-left:1px solid
                              rgb(204,204,204);padding-left:1ex">
                              <div dir="ltr"><br>
                                <div class="gmail_extra"><br>
                                  <div class="gmail_quote"><span>On Thu,
                                      Mar 5, 2015 at 4:55 PM, Dmitri Pal
                                      <span dir="ltr"><<a
                                          moz-do-not-send="true"
                                          href="mailto:dpal@redhat.com"
                                          target="_blank">dpal@redhat.com</a>></span>
                                      wrote:<br>
                                    </span>
                                    <blockquote class="gmail_quote"
                                      style="margin:0px 0px 0px
                                      0.8ex;border-left:1px solid
                                      rgb(204,204,204);padding-left:1ex">
                                      <div bgcolor="#FFFFFF"
                                        text="#000000">
                                        <div>
                                          <div><span>
                                              <div>On 03/05/2015 05:51
                                                PM, Dan Mossor wrote:<br>
                                              </div>
                                            </span><span>
                                              <blockquote type="cite">
                                                <div dir="ltr">
                                                  <div
                                                    class="gmail_extra"><font
face="monospace,monospace">As an additional test, I created a new user on my workstation and switched to it. The first thing I did was kinit as admin, then started Firefox, went through the browser configuration provided by the IPA server, and attempted to log in. I received the same error[1].<br>
                                                      <br>
                                                      [1]<a
                                                        moz-do-not-send="true"
href="http://i.imgur.com/mhX86Ng.png" target="_blank">http://i.imgur.com/mhX86Ng.png</a><br>
                                                    </font></div>
                                                </div>
                                                <br>
                                                <fieldset></fieldset>
                                                <br>
                                              </blockquote>
                                            </span></div>
                                        </div>
                                        <span> Have you checked times
                                          and time zones on the client
                                          and on the server?<span><br>
                                            <br>
                                            <pre cols="72">-- 
Thank you,
Dmitri Pal

Sr. Engineering Manager IdM portfolio
Red Hat, Inc.</pre>
                                          </span></span></div>
                                      <br>
                                    </blockquote>
                                  </div>
                                  <font face="monospace,monospace"><font>The
                                      server is set for GMT time,
                                      whereas the client is set for
                                      local time, US Central Standard
                                      Time. Except for that difference,
                                      they are within 1 second of each
                                      other.</font></font><span><font
                                      color="#888888"><br>
                                      <br>
                                    </font></span></div>
                                <div class="gmail_extra"><span><font
                                      color="#888888"><font
                                        face="monospace,monospace">Dan</font></font></span><br>
                                </div>
                              </div>
                            </blockquote>
                          </div>
                          <font face="monospace,monospace">As an
                            experiment after this email exchange, I
                            switched the server to Central Standard Time
                            using timedatectl. I then ran kinit again,
                            and attempted to log into the GUI. There was
                            no change - I still cannot access the GUI.
                            Here is the krb5kdc.log from the
                            period:</font><br>
                          <br>
                          <font face="monospace,monospace">Mar 06 00:28:54 vader.rez.lcl krb5kdc[1073](info): AS_REQ (6 etypes {18 17 16 23 25 26}) 10.1.1.15: NEEDED_PREAUTH: host/dmfedora.rez.lcl@REZ.LCL for krbtgt/REZ.LCL@REZ.LCL, Additional pre-authentication required<br>
                            Mar 06 00:28:54 vader.rez.lcl krb5kdc[1073](info): AS_REQ (6 etypes {18 17 16 23 25 26}) 10.1.1.15: ISSUE: authtime 1425601734, etypes {rep=18 tkt=18 ses=18}, host/dmfedora.rez.lcl@REZ.LCL for krbtgt/REZ.LCL@REZ.LCL<br>
                            Mar 06 00:28:54 vader.rez.lcl krb5kdc[1073](info): TGS_REQ (6 etypes {18 17 16 23 25 26}) 10.1.1.15: ISSUE: authtime 1425601734, etypes {rep=18 tkt=18 ses=18}, host/dmfedora.rez.lcl@REZ.LCL for ldap/vader.rez.lcl@REZ.LCL<br>
                            Mar 05 18:29:20 vader.rez.lcl krb5kdc[1073](info): AS_REQ (6 etypes {18 17 16 23 25 26}) 10.1.1.15: NEEDED_PREAUTH: admin@REZ.LCL for krbtgt/REZ.LCL@REZ.LCL, Additional pre-authentication required<br>
                            Mar 05 18:29:25 vader.rez.lcl krb5kdc[1073](info): AS_REQ (6 etypes {18 17 16 23 25 26}) 10.1.1.15: ISSUE: authtime 1425601765, etypes {rep=18 tkt=18 ses=18}, admin@REZ.LCL for krbtgt/REZ.LCL@REZ.LCL<br>
                            Mar 05 18:29:26 vader.rez.lcl krb5kdc[1073](info): DISPATCH: repeated (retransmitted?) request from 10.1.1.15, resending previous response<br>
                            Mar 05 18:29:26 vader.rez.lcl krb5kdc[1073](info): closing down fd 12<br>
                            Mar 05 18:29:44 vader.rez.lcl krb5kdc[1073](info): AS_REQ (6 etypes {18 17 16 23 25 26}) 10.1.0.1: NEEDED_PREAUTH: HTTP/vader.rez.lcl@REZ.LCL for krbtgt/REZ.LCL@REZ.LCL, Additional pre-authentication required<br>
                            Mar 05 18:29:44 vader.rez.lcl krb5kdc[1073](info): AS_REQ (6 etypes {18 17 16 23 25 26}) 10.1.0.1: ISSUE: authtime 1425601784, etypes {rep=18 tkt=18 ses=18}, HTTP/vader.rez.lcl@REZ.LCL for krbtgt/REZ.LCL@REZ.LCL<br>
                            Mar 05 18:29:44 vader.rez.lcl krb5kdc[1073](info): AS_REQ (6 etypes {18 17 16 23 25 26}) 10.1.0.1: NEEDED_PREAUTH: admin@REZ.LCL for krbtgt/REZ.LCL@REZ.LCL, Additional pre-authentication required<br>
                            Mar 05 18:29:44 vader.rez.lcl krb5kdc[1073](info): AS_REQ (6 etypes {18 17 16 23 25 26}) 10.1.0.1: ISSUE: authtime 1425601784, etypes {rep=18 tkt=18 ses=18}, admin@REZ.LCL for krbtgt/REZ.LCL@REZ.LCL<br>
                            Mar 05 18:29:44 vader.rez.lcl krb5kdc[1073](info): TGS_REQ (6 etypes {18 17 16 23 25 26}) 10.1.1.15: ISSUE: authtime 1425601765, etypes {rep=18 tkt=18 ses=18}, admin@REZ.LCL for HTTP/vader.rez.lcl@REZ.LCL</font><br>
                          <br>
                          <br>
                        </div>
                        <div class="gmail_extra"><font
                            face="monospace,monospace">One thing I did
                            determine is the authtime in the krb5kdc log
                            is epoch time. I checked it, and it
                            translates directly to the standard time.<br>
                            <br>
                          </font></div>
                        <div class="gmail_extra"><font
                            face="monospace,monospace">Dan<br>
                          </font></div>
                      </div>
                    </blockquote>
                    <br>
                  </div>
                </div>
                Hm. OK.<br>
                <br>
                I do not think it was ever mentioned which version of
                the server and client you are running, but based on the
                UI it seems like the latest.<br>
                Also, you are trying to log in after using kinit. Can you
                log in using forms-based authentication, or does that not
                work either?<span class=""><br>
                  <br>
                  <br>
                  <pre cols="72">-- 
Thank you,
Dmitri Pal

Sr. Engineering Manager IdM portfolio
Red Hat, Inc.</pre>
                  <span style="font-family:monospace,monospace"> </span></span></div>
              <span style="font-family:monospace,monospace">
              </span></blockquote>
          </div>
          <span style="font-family:monospace,monospace">I can't seem to
            locate the form based authentication for 4.1.2-1 - I was
            going to try that in order to add the information to this
            thread, but I can find no reference as to where it is and I
            can't find it manually on the file system. Can you give me
            the default URL for it?<br>
            <br>
            freeipa-server-4.1.2-1.fc21.x86_64<br>
            freeipa-client-4.1.2-1.fc21.x86_64<br>
            <br>
          </span></div>
        <div class="gmail_extra"><span
            style="font-family:monospace,monospace">Dan<br>
          </span></div>
      </div>
    </blockquote>
    <span><font face="monospace,monospace"><a
          href="http://i.imgur.com/mhX86Ng.png" target="_blank">http://i.imgur.com/mhX86Ng.png</a><br>
        <br>
      </font></span>It should show up if you do not have a ticket.
    Destroy the ticket on the client and try to access the server via
    browser; you should be redirected.<br>
    <br>
    <pre class="moz-signature" cols="72">-- 
Thank you,
Dmitri Pal

Sr. Engineering Manager IdM portfolio
Red Hat, Inc.</pre>
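    <br>
    An added example, not part of the original thread: a parser for the ISSUE lines of the krb5kdc.log excerpt quoted above. It converts authtime from epoch seconds to UTC and infers the UTC offset of the syslog timestamps, which shows that the server's switch from GMT to Central time changed only the log's wall clock and not the ticket times. The year 2015 is taken from the message dates because the log lines carry none; the function and field names are illustrative.<br>

```python
import re
from datetime import datetime, timedelta, timezone

# ISSUE lines copied from the krb5kdc.log excerpt quoted in this thread.
SAMPLE_LOG = """\
Mar 06 00:28:54 vader.rez.lcl krb5kdc[1073](info): AS_REQ (6 etypes {18 17 16 23 25 26}) 10.1.1.15: ISSUE: authtime 1425601734, etypes {rep=18 tkt=18 ses=18}, host/dmfedora.rez.lcl@REZ.LCL for krbtgt/REZ.LCL@REZ.LCL
Mar 06 00:28:54 vader.rez.lcl krb5kdc[1073](info): TGS_REQ (6 etypes {18 17 16 23 25 26}) 10.1.1.15: ISSUE: authtime 1425601734, etypes {rep=18 tkt=18 ses=18}, host/dmfedora.rez.lcl@REZ.LCL for ldap/vader.rez.lcl@REZ.LCL
Mar 05 18:29:25 vader.rez.lcl krb5kdc[1073](info): AS_REQ (6 etypes {18 17 16 23 25 26}) 10.1.1.15: ISSUE: authtime 1425601765, etypes {rep=18 tkt=18 ses=18}, admin@REZ.LCL for krbtgt/REZ.LCL@REZ.LCL
Mar 05 18:29:44 vader.rez.lcl krb5kdc[1073](info): AS_REQ (6 etypes {18 17 16 23 25 26}) 10.1.0.1: ISSUE: authtime 1425601784, etypes {rep=18 tkt=18 ses=18}, HTTP/vader.rez.lcl@REZ.LCL for krbtgt/REZ.LCL@REZ.LCL
Mar 05 18:29:44 vader.rez.lcl krb5kdc[1073](info): AS_REQ (6 etypes {18 17 16 23 25 26}) 10.1.0.1: ISSUE: authtime 1425601784, etypes {rep=18 tkt=18 ses=18}, admin@REZ.LCL for krbtgt/REZ.LCL@REZ.LCL
Mar 05 18:29:44 vader.rez.lcl krb5kdc[1073](info): TGS_REQ (6 etypes {18 17 16 23 25 26}) 10.1.1.15: ISSUE: authtime 1425601765, etypes {rep=18 tkt=18 ses=18}, admin@REZ.LCL for HTTP/vader.rez.lcl@REZ.LCL
"""

ISSUE = re.compile(
    r"^(\w{3} \d{2} \d{2}:\d{2}:\d{2}) \S+ krb5kdc\[\d+\]\(info\): "
    r"(AS_REQ|TGS_REQ) .*? ISSUE: authtime (\d+), .*?, (\S+) for (\S+)$"
)


def analyze(log_text, year=2015):
    """Return one record per ISSUE line (year is an assumption, see lead-in)."""
    records = []
    offset = timedelta(0)  # UTC offset of the log's wall clock, learned from AS_REQ
    for line in log_text.splitlines():
        m = ISSUE.match(line.strip())
        if m is None:
            continue  # NEEDED_PREAUTH, DISPATCH and other lines carry no authtime
        stamp, kind, authtime, client, service = m.groups()
        wall = datetime.strptime(f"{year} {stamp}", "%Y %b %d %H:%M:%S")
        auth_utc = datetime.fromtimestamp(int(authtime), timezone.utc).replace(tzinfo=None)
        if kind == "AS_REQ":
            # A TGT issued right now: authtime is the issue time, so wall clock
            # minus authtime is the offset the syslog timestamp was written in.
            offset = wall - auth_utc
        # For TGS_REQ, authtime is that of the TGT being presented, so the
        # remainder after removing the offset is how old that TGT is.
        ticket_age = (wall - offset) - auth_utc
        records.append({
            "kind": kind,
            "client": client,
            "service": service,
            "auth_utc": auth_utc.isoformat(),
            "log_utc_offset_h": offset.total_seconds() / 3600,
            "ticket_age_s": int(ticket_age.total_seconds()),
        })
    return records


if __name__ == "__main__":
    for rec in analyze(SAMPLE_LOG):
        print(rec)
```

    On the quoted lines the inferred log offset moves from 0 to -6 hours while the authtime values stay continuous in UTC, and the final TGS_REQ for HTTP/vader.rez.lcl presents a TGT that is 19 seconds old.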
  </body>
</html>