[Freeipa-users] Cannot obtain CA Certificate

Jan-Frode Myklebust janfrode at tanso.net
Fri Mar 1 08:00:22 UTC 2013


On Wed, Feb 27, 2013 at 11:52:42AM +0100, Petr Spacek wrote:
> On 27.2.2013 11:34, Jan-Frode Myklebust wrote:
> >
> >I have a similar problem getting a couple of RHEL 6.4 clients working
> >with a 6.3 server (ipa-server-2.2.0-17.el6_3.1.x86_64). When doing the
> >ipa-client-install I get:
> >
> >	* gss_init_sec_context() failed: : Request is a replay< WWW-Authenticate: Negotiate
> This is very suspicious. Could you double check time on all servers
> and the client?

The cause of this problem was that the router ACL was dropping the
Kerberos return traffic from the ipa server. We had an opening from client
to ipa-server port 88/udp, but not from ipa-server 88/udp to client high
port.



  -jf
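
The failure described in the message above, as an added example that is not part of the original post: a small model of a stateless router ACL, showing that the Kerberos request to 88/udp is permitted while the reply from source port 88/udp to the client's high port is dropped until a return rule exists. The subnets, addresses and rule layout are constructed assumptions, not the poster's actual configuration.

```python
# Added example: model of a stateless ACL (any matching permit wins, implicit deny).
# All addresses and rule sets below are constructed for illustration.
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

@dataclass(frozen=True)
class Rule:
    proto: str
    src: str
    sport: range
    dst: str
    dport: range

@dataclass(frozen=True)
class Packet:
    proto: str
    src: str
    sport: int
    dst: str
    dport: int

ANY_PORT = range(0, 65536)
HIGH_PORTS = range(1024, 65536)
KDC_PORT = range(88, 89)
CLIENTS = "10.0.1.0/24"   # constructed client subnet
IPA = "10.0.2.10/32"      # constructed IPA server address

def permitted(acl, pkt):
    """A stateless ACL keeps no flow state, so a reply is judged only
    against the rules, never against the request that caused it."""
    for r in acl:
        if (r.proto == pkt.proto
                and ip_address(pkt.src) in ip_network(r.src)
                and ip_address(pkt.dst) in ip_network(r.dst)
                and pkt.sport in r.sport and pkt.dport in r.dport):
            return True
    return False  # implicit deny

def kerberos_exchange_ok(acl, client, cport, server):
    """Return (request_permitted, reply_permitted) for one UDP KDC exchange."""
    request = Packet("udp", client, cport, server, 88)
    reply = Packet("udp", server, 88, client, cport)
    return permitted(acl, request), permitted(acl, reply)

# ACL as described in the post: only client -> server 88/udp is open.
ACL_BEFORE = [Rule("udp", CLIENTS, ANY_PORT, IPA, KDC_PORT)]
# Corrected ACL: also allow server source port 88/udp back to client high ports.
ACL_AFTER = ACL_BEFORE + [Rule("udp", IPA, KDC_PORT, CLIENTS, HIGH_PORTS)]

if __name__ == "__main__":
    print(kerberos_exchange_ok(ACL_BEFORE, "10.0.1.25", 51514, "10.0.2.10"))
    print(kerberos_exchange_ok(ACL_AFTER, "10.0.1.25", 51514, "10.0.2.10"))
```

A stateful firewall would permit the reply by tracking the request; a stateless ACL needs the explicit return rule.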



