<html>
<head>
<meta content="text/html; charset=UTF-8" http-equiv="Content-Type">
</head>
<body bgcolor="#FFFFFF" text="#000000">
<div class="moz-cite-prefix">On 03/05/2015 07:36 PM, Dan Mossor
wrote:<br>
</div>
<blockquote
cite="mid:CAMobkEP=_xSGhUebPhwBpsee5OqUk3ZP+vFiR4_zvTG0=Np2Cg@mail.gmail.com"
type="cite">
<div dir="ltr">
<div class="gmail_extra">
<div class="gmail_quote">On Thu, Mar 5, 2015 at 5:17 PM, Dan
Mossor <span dir="ltr">&lt;<a moz-do-not-send="true"
href="mailto:danofsatx@gmail.com" target="_blank">danofsatx@gmail.com</a>&gt;</span>
wrote:<br>
<blockquote class="gmail_quote" style="margin:0px 0px 0px
0.8ex;border-left:1px solid
rgb(204,204,204);padding-left:1ex">
<div dir="ltr"><br>
<div class="gmail_extra"><br>
<div class="gmail_quote"><span class="">On Thu, Mar 5,
2015 at 4:55 PM, Dmitri Pal <span dir="ltr">&lt;<a
moz-do-not-send="true"
href="mailto:dpal@redhat.com" target="_blank">dpal@redhat.com</a>&gt;</span>
wrote:<br>
</span>
<blockquote class="gmail_quote" style="margin:0px
0px 0px 0.8ex;border-left:1px solid
rgb(204,204,204);padding-left:1ex">
<div bgcolor="#FFFFFF" text="#000000">
<div>
<div><span class="">
<div>On 03/05/2015 05:51 PM, Dan Mossor
wrote:<br>
</div>
</span><span class="">
<blockquote type="cite">
<div dir="ltr">
<div class="gmail_extra"><font
face="monospace,monospace">As an
additional test, I created a new
user on my workstation and
switched to it. The first thing I
did was kinit as admin, then
started Firefox, went through the
browser configuration provided by
the IPA server, and attempted to
log in. I received the same
error[1].<br>
<br>
[1]<a moz-do-not-send="true"
href="http://i.imgur.com/mhX86Ng.png"
target="_blank">http://i.imgur.com/mhX86Ng.png</a><br>
</font></div>
</div>
<br>
<fieldset></fieldset>
<br>
</blockquote>
</span></div>
</div>
<span class=""> Have you checked times and time
zones on the client and on the server?<span><br>
<br>
<pre cols="72">--
Thank you,
Dmitri Pal
Sr. Engineering Manager IdM portfolio
Red Hat, Inc.</pre>
</span></span></div>
<br>
</blockquote>
</div>
<font face="monospace,monospace"><font>The server is
set for GMT time, whereas the client is set for
local time, US Central Standard Time. Except for
that difference, they are within 1 second of each
other.</font></font><span class=""><font
color="#888888"><br>
<br>
</font></span></div>
<div class="gmail_extra"><span class=""><font
color="#888888"><font face="monospace,monospace">Dan</font></font></span><br>
</div>
</div>
</blockquote>
</div>
<font face="monospace,monospace">As an experiment after this
email exchange, I switched the server to Central Standard
Time using timedatectl. I then ran kinit again, and attempted
to log into the GUI. There was no change - I still cannot
access the GUI. Here is the krb5</font>kdc.log from the
period:<br>
<br>
<font face="monospace,monospace">Mar 06 00:28:54 vader.rez.lcl
krb5kdc[1073](info): AS_REQ (6 etypes {18 17 16 23 25 26}) <a
moz-do-not-send="true" href="http://10.1.1.15">10.1.1.15</a>:
NEEDED_PREAUTH: <a class="moz-txt-link-abbreviated" href="mailto:host/dmfedora.rez.lcl@REZ.LCL">host/dmfedora.rez.lcl@REZ.LCL</a> for
<a class="moz-txt-link-abbreviated" href="mailto:krbtgt/REZ.LCL@REZ.LCL">krbtgt/REZ.LCL@REZ.LCL</a>, Additional pre-authentication
required<br>
Mar 06 00:28:54 vader.rez.lcl krb5kdc[1073](info): AS_REQ (6
etypes {18 17 16 23 25 26}) <a moz-do-not-send="true"
href="http://10.1.1.15">10.1.1.15</a>: ISSUE: authtime
1425601734, etypes {rep=18 tkt=18 ses=18},
<a class="moz-txt-link-abbreviated" href="mailto:host/dmfedora.rez.lcl@REZ.LCL">host/dmfedora.rez.lcl@REZ.LCL</a> for <a class="moz-txt-link-abbreviated" href="mailto:krbtgt/REZ.LCL@REZ.LCL">krbtgt/REZ.LCL@REZ.LCL</a><br>
Mar 06 00:28:54 vader.rez.lcl krb5kdc[1073](info): TGS_REQ
(6 etypes {18 17 16 23 25 26}) <a moz-do-not-send="true"
href="http://10.1.1.15">10.1.1.15</a>: ISSUE: authtime
1425601734, etypes {rep=18 tkt=18 ses=18},
<a class="moz-txt-link-abbreviated" href="mailto:host/dmfedora.rez.lcl@REZ.LCL">host/dmfedora.rez.lcl@REZ.LCL</a> for <a class="moz-txt-link-abbreviated" href="mailto:ldap/vader.rez.lcl@REZ.LCL">ldap/vader.rez.lcl@REZ.LCL</a><br>
Mar 05 18:29:20 vader.rez.lcl krb5kdc[1073](info): AS_REQ (6
etypes {18 17 16 23 25 26}) <a moz-do-not-send="true"
href="http://10.1.1.15">10.1.1.15</a>: NEEDED_PREAUTH:
<a class="moz-txt-link-abbreviated" href="mailto:admin@REZ.LCL">admin@REZ.LCL</a> for <a class="moz-txt-link-abbreviated" href="mailto:krbtgt/REZ.LCL@REZ.LCL">krbtgt/REZ.LCL@REZ.LCL</a>, Additional
pre-authentication required<br>
Mar 05 18:29:25 vader.rez.lcl krb5kdc[1073](info): AS_REQ (6
etypes {18 17 16 23 25 26}) <a moz-do-not-send="true"
href="http://10.1.1.15">10.1.1.15</a>: ISSUE: authtime
1425601765, etypes {rep=18 tkt=18 ses=18}, <a class="moz-txt-link-abbreviated" href="mailto:admin@REZ.LCL">admin@REZ.LCL</a> for
<a class="moz-txt-link-abbreviated" href="mailto:krbtgt/REZ.LCL@REZ.LCL">krbtgt/REZ.LCL@REZ.LCL</a><br>
Mar 05 18:29:26 vader.rez.lcl krb5kdc[1073](info): DISPATCH:
repeated (retransmitted?) request from 10.1.1.15, resending
previous response<br>
Mar 05 18:29:26 vader.rez.lcl krb5kdc[1073](info): closing
down fd 12<br>
Mar 05 18:29:44 vader.rez.lcl krb5kdc[1073](info): AS_REQ (6
etypes {18 17 16 23 25 26}) <a moz-do-not-send="true"
href="http://10.1.0.1">10.1.0.1</a>: NEEDED_PREAUTH:
<a class="moz-txt-link-abbreviated" href="mailto:HTTP/vader.rez.lcl@REZ.LCL">HTTP/vader.rez.lcl@REZ.LCL</a> for <a class="moz-txt-link-abbreviated" href="mailto:krbtgt/REZ.LCL@REZ.LCL">krbtgt/REZ.LCL@REZ.LCL</a>,
Additional pre-authentication required<br>
Mar 05 18:29:44 vader.rez.lcl krb5kdc[1073](info): AS_REQ (6
etypes {18 17 16 23 25 26}) <a moz-do-not-send="true"
href="http://10.1.0.1">10.1.0.1</a>: ISSUE: authtime
1425601784, etypes {rep=18 tkt=18 ses=18},
<a class="moz-txt-link-abbreviated" href="mailto:HTTP/vader.rez.lcl@REZ.LCL">HTTP/vader.rez.lcl@REZ.LCL</a> for <a class="moz-txt-link-abbreviated" href="mailto:krbtgt/REZ.LCL@REZ.LCL">krbtgt/REZ.LCL@REZ.LCL</a><br>
Mar 05 18:29:44 vader.rez.lcl krb5kdc[1073](info): AS_REQ (6
etypes {18 17 16 23 25 26}) <a moz-do-not-send="true"
href="http://10.1.0.1">10.1.0.1</a>: NEEDED_PREAUTH:
<a class="moz-txt-link-abbreviated" href="mailto:admin@REZ.LCL">admin@REZ.LCL</a> for <a class="moz-txt-link-abbreviated" href="mailto:krbtgt/REZ.LCL@REZ.LCL">krbtgt/REZ.LCL@REZ.LCL</a>, Additional
pre-authentication required<br>
Mar 05 18:29:44 vader.rez.lcl krb5kdc[1073](info): AS_REQ (6
etypes {18 17 16 23 25 26}) <a moz-do-not-send="true"
href="http://10.1.0.1">10.1.0.1</a>: ISSUE: authtime
1425601784, etypes {rep=18 tkt=18 ses=18}, <a class="moz-txt-link-abbreviated" href="mailto:admin@REZ.LCL">admin@REZ.LCL</a> for
<a class="moz-txt-link-abbreviated" href="mailto:krbtgt/REZ.LCL@REZ.LCL">krbtgt/REZ.LCL@REZ.LCL</a><br>
Mar 05 18:29:44 vader.rez.lcl krb5kdc[1073](info): TGS_REQ
(6 etypes {18 17 16 23 25 26}) <a moz-do-not-send="true"
href="http://10.1.1.15">10.1.1.15</a>: ISSUE: authtime
1425601765, etypes {rep=18 tkt=18 ses=18}, <a class="moz-txt-link-abbreviated" href="mailto:admin@REZ.LCL">admin@REZ.LCL</a> for
<a class="moz-txt-link-abbreviated" href="mailto:HTTP/vader.rez.lcl@REZ.LCL">HTTP/vader.rez.lcl@REZ.LCL</a></font><br>
<br>
<br>
</div>
<div class="gmail_extra"><font face="monospace,monospace">One
thing I did determine is the authtime in the krb5kdc log is
epoch time. I checked it, and it translates directly to the
standard time.<br>
<br>
</font></div>
<div class="gmail_extra"><font face="monospace,monospace">Dan<br>
</font></div>
</div>
</blockquote>
<br>
Hm. OK.<br>
<br>
I do not think it was ever mentioned which version of the server
and client you are running, but based on the UI it seems like the
latest.<br>
Also, you are trying to log in after using kinit. Can you log in using
forms-based authentication, or does that not work either?<br>
<br>
<br>
<pre class="moz-signature" cols="72">--
Thank you,
Dmitri Pal
Sr. Engineering Manager IdM portfolio
Red Hat, Inc.</pre>
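<br>
Added example, not part of the original thread and not FreeIPA or MIT Kerberos code: a small parser for the krb5kdc ISSUE lines quoted above that converts authtime to UTC and derives the zone offset of the log timestamps, which makes the server's switch from GMT to Central time visible. The function name, the 15-minute rounding and taking the year from authtime are assumptions of this sketch.<br>

```python
import re
from datetime import datetime, timezone

# Constructed sample: three ISSUE lines copied from the log quoted in this
# thread, with the HTML link markup removed.
SAMPLE_LOG = """\
Mar 06 00:28:54 vader.rez.lcl krb5kdc[1073](info): AS_REQ (6 etypes {18 17 16 23 25 26}) 10.1.1.15: ISSUE: authtime 1425601734, etypes {rep=18 tkt=18 ses=18}, host/dmfedora.rez.lcl@REZ.LCL for krbtgt/REZ.LCL@REZ.LCL
Mar 05 18:29:25 vader.rez.lcl krb5kdc[1073](info): AS_REQ (6 etypes {18 17 16 23 25 26}) 10.1.1.15: ISSUE: authtime 1425601765, etypes {rep=18 tkt=18 ses=18}, admin@REZ.LCL for krbtgt/REZ.LCL@REZ.LCL
Mar 05 18:29:44 vader.rez.lcl krb5kdc[1073](info): TGS_REQ (6 etypes {18 17 16 23 25 26}) 10.1.1.15: ISSUE: authtime 1425601765, etypes {rep=18 tkt=18 ses=18}, admin@REZ.LCL for HTTP/vader.rez.lcl@REZ.LCL
"""

# Groups: log timestamp, request type, authtime (epoch seconds), client principal.
LINE_RE = re.compile(
    r"^(\w{3} +\d+ \d\d:\d\d:\d\d) \S+ krb5kdc\[\d+\]\(info\): "
    r"(AS_REQ|TGS_REQ) .*?: ISSUE: authtime (\d+), .*?, (\S+) for \S+$"
)


def summarize(log_text):
    """Return one tuple per ISSUE line: (request, client, authtime in UTC,
    UTC offset of the log clock in hours, ticket age in seconds)."""
    rows, offset = [], 0
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        stamp_text, req, authtime, client = m.groups()
        auth = datetime.fromtimestamp(int(authtime), tz=timezone.utc)
        # Syslog-style stamps carry no year or zone; assume the authtime's year.
        stamp = datetime.strptime(f"{auth.year} {stamp_text}", "%Y %b %d %H:%M:%S")
        delta = (stamp - auth.replace(tzinfo=None)).total_seconds()
        if req == "AS_REQ":
            # authtime is the time of initial authentication, so on an AS_REQ
            # the gap is the log clock's zone offset; round to 15 minutes.
            offset = round(delta / 900) * 900
        # On a TGS_REQ the remainder is how old the presented TGT is.
        rows.append((req, client, auth.isoformat(), offset / 3600, delta - offset))
    return rows


if __name__ == "__main__":
    for row in summarize(SAMPLE_LOG):
        print(row)
```

The authtime values are identical in meaning before and after the timedatectl change; only the local timestamp at the start of each line moves by six hours.<br>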
</body>
</html>