<div dir="ltr"><div class="gmail_extra"><div class="gmail_quote">On Thu, Mar 5, 2015 at 5:17 PM, Dan Mossor <span dir="ltr"><<a href="mailto:danofsatx@gmail.com" target="_blank">danofsatx@gmail.com</a>></span> wrote:<br><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex"><div dir="ltr"><br><div class="gmail_extra"><br><div class="gmail_quote"><span class="">On Thu, Mar 5, 2015 at 4:55 PM, Dmitri Pal <span dir="ltr"><<a href="mailto:dpal@redhat.com" target="_blank">dpal@redhat.com</a>></span> wrote:<br></span><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex"> <div bgcolor="#FFFFFF" text="#000000"><div><div><span class=""> <div>On 03/05/2015 05:51 PM, Dan Mossor wrote:<br> </div> </span><span class=""><blockquote type="cite"> <div dir="ltr"> <div class="gmail_extra"><font face="monospace,monospace">As an additional test, I created a new user on my workstation and switched to it. the first thing I did was kinit as admin, then started Firefox, went through the browser configuration provided by the IPA server, and attempted to log in. I received the same error[1].<br> <br> [1]<a href="http://i.imgur.com/mhX86Ng.png" target="_blank">http://i.imgur.com/mhX86Ng.png</a><br> </font></div> </div> <br> <fieldset></fieldset> <br> </blockquote></span></div></div><span class=""> Have you checked times and time zones on the client and on the server?<span><br> <br> <pre cols="72">-- Thank you, Dmitri Pal Sr. Engineering Manager IdM portfolio Red Hat, Inc.</pre> </span></span></div><br></blockquote></div><font face="monospace,monospace"><font>The server is set for GMT time, whereas the client is set for local time, US Central Standard Time. Except for that difference, they are within 1 second of each other.</font></font><span class=""><font color="#888888"><br><br></font></span></div><div class="gmail_extra"><span class=""><font color="#888888"><font face="monospace,monospace">Dan</font></font></span><br></div></div></blockquote></div><font face="monospace,monospace">As an experiment after this email exchange, I switched the server to Central Standard Time using timedatctl. I then ran kinit again, and attempted to log into the GUI. There was no change - I still cannot access the GUI. Here is the krb5</font>kdc.log from the period:<br><br><font face="monospace,monospace">Mar 06 00:28:54 vader.rez.lcl krb5kdc[1073](info): AS_REQ (6 etypes {18 17 16 23 25 26}) <a href="http://10.1.1.15">10.1.1.15</a>: NEEDED_PREAUTH: host/dmfedora.rez.lcl@REZ.LCL for krbtgt/REZ.LCL@REZ.LCL, Additional pre-authentication required<br>Mar 06 00:28:54 vader.rez.lcl krb5kdc[1073](info): AS_REQ (6 etypes {18 17 16 23 25 26}) <a href="http://10.1.1.15">10.1.1.15</a>: ISSUE: authtime 1425601734, etypes {rep=18 tkt=18 ses=18}, host/dmfedora.rez.lcl@REZ.LCL for krbtgt/REZ.LCL@REZ.LCL<br>Mar 06 00:28:54 vader.rez.lcl krb5kdc[1073](info): TGS_REQ (6 etypes {18 17 16 23 25 26}) <a href="http://10.1.1.15">10.1.1.15</a>: ISSUE: authtime 1425601734, etypes {rep=18 tkt=18 ses=18}, host/dmfedora.rez.lcl@REZ.LCL for ldap/vader.rez.lcl@REZ.LCL<br>Mar 05 18:29:20 vader.rez.lcl krb5kdc[1073](info): AS_REQ (6 etypes {18 17 16 23 25 26}) <a href="http://10.1.1.15">10.1.1.15</a>: NEEDED_PREAUTH: admin@REZ.LCL for krbtgt/REZ.LCL@REZ.LCL, Additional pre-authentication required<br>Mar 05 18:29:25 vader.rez.lcl krb5kdc[1073](info): AS_REQ (6 etypes {18 17 16 23 25 26}) <a href="http://10.1.1.15">10.1.1.15</a>: ISSUE: authtime 1425601765, etypes {rep=18 tkt=18 ses=18}, admin@REZ.LCL for krbtgt/REZ.LCL@REZ.LCL<br>Mar 05 18:29:26 vader.rez.lcl krb5kdc[1073](info): DISPATCH: repeated (retransmitted?) request from 10.1.1.15, resending previous response<br>Mar 05 18:29:26 vader.rez.lcl krb5kdc[1073](info): closing down fd 12<br>Mar 05 18:29:44 vader.rez.lcl krb5kdc[1073](info): AS_REQ (6 etypes {18 17 16 23 25 26}) <a href="http://10.1.0.1">10.1.0.1</a>: NEEDED_PREAUTH: HTTP/vader.rez.lcl@REZ.LCL for krbtgt/REZ.LCL@REZ.LCL, Additional pre-authentication required<br>Mar 05 18:29:44 vader.rez.lcl krb5kdc[1073](info): AS_REQ (6 etypes {18 17 16 23 25 26}) <a href="http://10.1.0.1">10.1.0.1</a>: ISSUE: authtime 1425601784, etypes {rep=18 tkt=18 ses=18}, HTTP/vader.rez.lcl@REZ.LCL for krbtgt/REZ.LCL@REZ.LCL<br>Mar 05 18:29:44 vader.rez.lcl krb5kdc[1073](info): AS_REQ (6 etypes {18 17 16 23 25 26}) <a href="http://10.1.0.1">10.1.0.1</a>: NEEDED_PREAUTH: admin@REZ.LCL for krbtgt/REZ.LCL@REZ.LCL, Additional pre-authentication required<br>Mar 05 18:29:44 vader.rez.lcl krb5kdc[1073](info): AS_REQ (6 etypes {18 17 16 23 25 26}) <a href="http://10.1.0.1">10.1.0.1</a>: ISSUE: authtime 1425601784, etypes {rep=18 tkt=18 ses=18}, admin@REZ.LCL for krbtgt/REZ.LCL@REZ.LCL<br>Mar 05 18:29:44 vader.rez.lcl krb5kdc[1073](info): TGS_REQ (6 etypes {18 17 16 23 25 26}) <a href="http://10.1.1.15">10.1.1.15</a>: ISSUE: authtime 1425601765, etypes {rep=18 tkt=18 ses=18}, admin@REZ.LCL for HTTP/vader.rez.lcl@REZ.LCL</font><br><br><br></div><div class="gmail_extra"><font face="monospace,monospace">One thing I did determine is the authtime in the krb5kdc log is epoch time. I checked it, and it translates directly to the standard time.<br><br></font></div><div class="gmail_extra"><font face="monospace,monospace">Dan<br></font></div></div>