<div dir="ltr"><br><div class="gmail_extra"><br><div class="gmail_quote">On Thu, Mar 5, 2015 at 6:44 PM, Dmitri Pal <span dir="ltr"><<a href="mailto:dpal@redhat.com" target="_blank">dpal@redhat.com</a>></span> wrote:<br><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex">
<div bgcolor="#FFFFFF" text="#000000"><div><div class="h5">
<div>On 03/05/2015 07:36 PM, Dan Mossor
wrote:<br>
</div>
<blockquote type="cite">
<div dir="ltr">
<div class="gmail_extra">
<div class="gmail_quote">On Thu, Mar 5, 2015 at 5:17 PM, Dan
Mossor <span dir="ltr"><<a href="mailto:danofsatx@gmail.com" target="_blank">danofsatx@gmail.com</a>></span>
wrote:<br>
<blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex">
<div dir="ltr"><br>
<div class="gmail_extra"><br>
<div class="gmail_quote"><span>On Thu, Mar 5,
2015 at 4:55 PM, Dmitri Pal <span dir="ltr"><<a href="mailto:dpal@redhat.com" target="_blank">dpal@redhat.com</a>></span>
wrote:<br>
</span>
<blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex">
<div bgcolor="#FFFFFF" text="#000000">
<div>
<div><span>
<div>On 03/05/2015 05:51 PM, Dan Mossor
wrote:<br>
</div>
</span><span>
<blockquote type="cite">
<div dir="ltr">
<div class="gmail_extra"><font face="monospace,monospace">As an
additional test, I created a new
user on my workstation and
switched to it. The first thing I
did was kinit as admin, then
started Firefox, went through the
browser configuration provided by
the IPA server, and attempted to
log in. I received the same
error[1].<br>
<br>
[1]<a href="http://i.imgur.com/mhX86Ng.png" target="_blank">http://i.imgur.com/mhX86Ng.png</a><br>
</font></div>
</div>
<br>
<br>
</blockquote>
</span></div>
</div>
<span> Have you checked times and time
zones on the client and on the server?<span><br>
<br>
<pre cols="72">--
Thank you,
Dmitri Pal
Sr. Engineering Manager IdM portfolio
Red Hat, Inc.</pre>
</span></span></div>
<br>
</blockquote>
</div>
<font face="monospace,monospace"><font>The server is
set for GMT time, whereas the client is set for
local time, US Central Standard Time. Except for
that difference, they are within 1 second of each
other.</font></font><span><font color="#888888"><br>
<br>
</font></span></div>
<div class="gmail_extra"><span><font color="#888888"><font face="monospace,monospace">Dan</font></font></span><br>
</div>
</div>
</blockquote>
</div>
<font face="monospace,monospace">As an experiment after this
email exchange, I switched the server to Central Standard
Time using timedatectl. I then ran kinit again, and attempted
to log into the GUI. There was no change - I still cannot
access the GUI. Here is the krb5</font>kdc.log from the
period:<br>
<br>
<font face="monospace,monospace">Mar 06 00:28:54 vader.rez.lcl
krb5kdc[1073](info): AS_REQ (6 etypes {18 17 16 23 25 26}) <a href="http://10.1.1.15" target="_blank">10.1.1.15</a>:
NEEDED_PREAUTH: <a href="mailto:host/dmfedora.rez.lcl@REZ.LCL" target="_blank">host/dmfedora.rez.lcl@REZ.LCL</a> for
<a href="mailto:krbtgt/REZ.LCL@REZ.LCL" target="_blank">krbtgt/REZ.LCL@REZ.LCL</a>, Additional pre-authentication
required<br>
Mar 06 00:28:54 vader.rez.lcl krb5kdc[1073](info): AS_REQ (6
etypes {18 17 16 23 25 26}) <a href="http://10.1.1.15" target="_blank">10.1.1.15</a>: ISSUE: authtime
1425601734, etypes {rep=18 tkt=18 ses=18},
<a href="mailto:host/dmfedora.rez.lcl@REZ.LCL" target="_blank">host/dmfedora.rez.lcl@REZ.LCL</a> for <a href="mailto:krbtgt/REZ.LCL@REZ.LCL" target="_blank">krbtgt/REZ.LCL@REZ.LCL</a><br>
Mar 06 00:28:54 vader.rez.lcl krb5kdc[1073](info): TGS_REQ
(6 etypes {18 17 16 23 25 26}) <a href="http://10.1.1.15" target="_blank">10.1.1.15</a>: ISSUE: authtime
1425601734, etypes {rep=18 tkt=18 ses=18},
<a href="mailto:host/dmfedora.rez.lcl@REZ.LCL" target="_blank">host/dmfedora.rez.lcl@REZ.LCL</a> for <a href="mailto:ldap/vader.rez.lcl@REZ.LCL" target="_blank">ldap/vader.rez.lcl@REZ.LCL</a><br>
Mar 05 18:29:20 vader.rez.lcl krb5kdc[1073](info): AS_REQ (6
etypes {18 17 16 23 25 26}) <a href="http://10.1.1.15" target="_blank">10.1.1.15</a>: NEEDED_PREAUTH:
<a href="mailto:admin@REZ.LCL" target="_blank">admin@REZ.LCL</a> for <a href="mailto:krbtgt/REZ.LCL@REZ.LCL" target="_blank">krbtgt/REZ.LCL@REZ.LCL</a>, Additional
pre-authentication required<br>
Mar 05 18:29:25 vader.rez.lcl krb5kdc[1073](info): AS_REQ (6
etypes {18 17 16 23 25 26}) <a href="http://10.1.1.15" target="_blank">10.1.1.15</a>: ISSUE: authtime
1425601765, etypes {rep=18 tkt=18 ses=18}, <a href="mailto:admin@REZ.LCL" target="_blank">admin@REZ.LCL</a> for
<a href="mailto:krbtgt/REZ.LCL@REZ.LCL" target="_blank">krbtgt/REZ.LCL@REZ.LCL</a><br>
Mar 05 18:29:26 vader.rez.lcl krb5kdc[1073](info): DISPATCH:
repeated (retransmitted?) request from 10.1.1.15, resending
previous response<br>
Mar 05 18:29:26 vader.rez.lcl krb5kdc[1073](info): closing
down fd 12<br>
Mar 05 18:29:44 vader.rez.lcl krb5kdc[1073](info): AS_REQ (6
etypes {18 17 16 23 25 26}) <a href="http://10.1.0.1" target="_blank">10.1.0.1</a>: NEEDED_PREAUTH:
<a href="mailto:HTTP/vader.rez.lcl@REZ.LCL" target="_blank">HTTP/vader.rez.lcl@REZ.LCL</a> for <a href="mailto:krbtgt/REZ.LCL@REZ.LCL" target="_blank">krbtgt/REZ.LCL@REZ.LCL</a>,
Additional pre-authentication required<br>
Mar 05 18:29:44 vader.rez.lcl krb5kdc[1073](info): AS_REQ (6
etypes {18 17 16 23 25 26}) <a href="http://10.1.0.1" target="_blank">10.1.0.1</a>: ISSUE: authtime
1425601784, etypes {rep=18 tkt=18 ses=18},
<a href="mailto:HTTP/vader.rez.lcl@REZ.LCL" target="_blank">HTTP/vader.rez.lcl@REZ.LCL</a> for <a href="mailto:krbtgt/REZ.LCL@REZ.LCL" target="_blank">krbtgt/REZ.LCL@REZ.LCL</a><br>
Mar 05 18:29:44 vader.rez.lcl krb5kdc[1073](info): AS_REQ (6
etypes {18 17 16 23 25 26}) <a href="http://10.1.0.1" target="_blank">10.1.0.1</a>: NEEDED_PREAUTH:
<a href="mailto:admin@REZ.LCL" target="_blank">admin@REZ.LCL</a> for <a href="mailto:krbtgt/REZ.LCL@REZ.LCL" target="_blank">krbtgt/REZ.LCL@REZ.LCL</a>, Additional
pre-authentication required<br>
Mar 05 18:29:44 vader.rez.lcl krb5kdc[1073](info): AS_REQ (6
etypes {18 17 16 23 25 26}) <a href="http://10.1.0.1" target="_blank">10.1.0.1</a>: ISSUE: authtime
1425601784, etypes {rep=18 tkt=18 ses=18}, <a href="mailto:admin@REZ.LCL" target="_blank">admin@REZ.LCL</a> for
<a href="mailto:krbtgt/REZ.LCL@REZ.LCL" target="_blank">krbtgt/REZ.LCL@REZ.LCL</a><br>
Mar 05 18:29:44 vader.rez.lcl krb5kdc[1073](info): TGS_REQ
(6 etypes {18 17 16 23 25 26}) <a href="http://10.1.1.15" target="_blank">10.1.1.15</a>: ISSUE: authtime
1425601765, etypes {rep=18 tkt=18 ses=18}, <a href="mailto:admin@REZ.LCL" target="_blank">admin@REZ.LCL</a> for
<a href="mailto:HTTP/vader.rez.lcl@REZ.LCL" target="_blank">HTTP/vader.rez.lcl@REZ.LCL</a></font><br>
<br>
<br>
</div>
<div class="gmail_extra"><font face="monospace,monospace">One
thing I did determine is the authtime in the krb5kdc log is
epoch time. I checked it, and it translates directly to the
standard time.<br>
<br>
</font></div>
<div class="gmail_extra"><font face="monospace,monospace">Dan<br>
</font></div>
</div>
</blockquote>
<br></div></div>
Hm. OK.<br>
<br>
I do not think it was ever mentioned which version of the server
and client you are running, but based on the UI it seems like the
latest.<br>
Also, you are trying to log in after using kinit. Can you log in using
forms-based authentication, or does that not work either?<span class=""><br>
<br>
<br>
<pre cols="72">--
Thank you,
Dmitri Pal
Sr. Engineering Manager IdM portfolio
Red Hat, Inc.</pre><span style="font-family:monospace,monospace">
</span></span></div><span style="font-family:monospace,monospace">
</span></blockquote></div><span style="font-family:monospace,monospace">I can't seem to locate the form based authentication for 4.1.2-1 - I was going to try that in order to add the information to this thread, but I can find no reference as to where it is and I can't find it manually on the file system. Can you give me the default URL for it?<br><br>freeipa-server-4.1.2-1.fc21.x86_64<br>freeipa-client-4.1.2-1.fc21.x86_64<br><br></span></div><div class="gmail_extra"><span style="font-family:monospace,monospace">Dan<br></span></div></div>
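Added example, not part of the original thread: a Python sketch that repeats the authtime check described above by parsing krb5kdc `ISSUE` lines and comparing each syslog timestamp with the epoch `authtime`. The three sample lines are copied from the log excerpt in the message (HTML stripped). The year 2015 is an assumption taken from the mail date, and the function names are illustrative.

```python
import re
from datetime import datetime, timezone

# Copied from the krb5kdc.log excerpt quoted in the thread (HTML links stripped).
SAMPLE_LOG = """\
Mar 06 00:28:54 vader.rez.lcl krb5kdc[1073](info): AS_REQ (6 etypes {18 17 16 23 25 26}) 10.1.1.15: ISSUE: authtime 1425601734, etypes {rep=18 tkt=18 ses=18}, host/dmfedora.rez.lcl@REZ.LCL for krbtgt/REZ.LCL@REZ.LCL
Mar 05 18:29:25 vader.rez.lcl krb5kdc[1073](info): AS_REQ (6 etypes {18 17 16 23 25 26}) 10.1.1.15: ISSUE: authtime 1425601765, etypes {rep=18 tkt=18 ses=18}, admin@REZ.LCL for krbtgt/REZ.LCL@REZ.LCL
Mar 05 18:29:44 vader.rez.lcl krb5kdc[1073](info): TGS_REQ (6 etypes {18 17 16 23 25 26}) 10.1.1.15: ISSUE: authtime 1425601765, etypes {rep=18 tkt=18 ses=18}, admin@REZ.LCL for HTTP/vader.rez.lcl@REZ.LCL
"""

LINE_RE = re.compile(
    r"^(?P<stamp>\w{3} \d{2} \d{2}:\d{2}:\d{2}) \S+ krb5kdc\[\d+\]\(info\): "
    r"(?P<req>AS_REQ|TGS_REQ) .*? ISSUE: authtime (?P<authtime>\d+), .*?, "
    r"(?P<client>\S+) for (?P<service>\S+)$"
)

def parse_issue_lines(log_text, year=2015):
    """Return one dict per ISSUE line. Syslog stamps omit the year, so it is assumed."""
    rows = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        # Read the wall-clock stamp as if it were UTC: the difference against
        # authtime then exposes the UTC offset the logger was running with.
        wall = datetime.strptime(f"{year} {m['stamp']}", "%Y %b %d %H:%M:%S")
        wall = wall.replace(tzinfo=timezone.utc)
        auth = datetime.fromtimestamp(int(m["authtime"]), tz=timezone.utc)
        rows.append({
            "req": m["req"], "client": m["client"], "service": m["service"],
            "authtime_utc": auth.isoformat(),
            "delta_s": int((wall - auth).total_seconds()),
        })
    return rows

def logger_utc_offsets(rows):
    """UTC offset in hours of the log clock, from AS_REQ lines only.
    TGS_REQ lines carry the authtime of the TGT they were issued from, so
    their delta also contains the TGT's age (19 s in the sample) and must
    not be read as clock skew."""
    return [r["delta_s"] / 3600 for r in rows if r["req"] == "AS_REQ"]

if __name__ == "__main__":
    for row in parse_issue_lines(SAMPLE_LOG):
        print(row)
    print("logger UTC offsets (h):", logger_utc_offsets(parse_issue_lines(SAMPLE_LOG)))
```

The offsets come out as 0 and -6 hours with no residual seconds: the server clock itself did not move, only the time zone used for the log stamp changed after the `timedatectl` switch.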