[Freeipa-users] ui login error and questions about replication

Rob Crittenden rcritten at redhat.com
Tue Nov 5 20:09:41 UTC 2013


Tamas Papp wrote:
>
> On 11/05/2013 03:58 PM, Rich Megginson wrote:
>> On 11/05/2013 07:53 AM, Tamas Papp wrote:
>>> On 11/05/2013 03:17 PM, Rich Megginson wrote:
>>>> https://fedorahosted.org/389/ticket/47516
>>>>
>>>> This has been fixed upstream and in some releases - to allow
>>>> replication to proceed despite excessive clock skew - what is your
>>>> 389-ds-base version and platform?
>>> What is the clock skewed? The date and time is the same on both
>>> machines.
>>
>> VMs are notorious for having the clocks get out of sync - even
>> temporarily.
>
> What do you mean by this?
> I definitely see the same time on the machines.
> Also I can see in the log that the replication is resumed. There are no
> messages about the broken replication after the resume message.

You see the same time NOW. The logs were reflecting a difference at that 
time.

>>>
>>> freeipa-admintools-3.3.2-1.fc19.x86_64
>>> freeipa-client-3.3.2-1.fc19.x86_64
>>> freeipa-python-3.3.2-1.fc19.x86_64
>>> freeipa-server-3.3.2-1.fc19.x86_64
>>> libipa_hbac-1.11.1-4.fc19.x86_64
>>> libipa_hbac-python-1.11.1-4.fc19.x86_64
>>> sssd-ipa-1.11.1-4.fc19.x86_64
>>> 389-ds-base-libs-1.3.1.12-1.fc19.x86_64
>>> 389-ds-base-1.3.1.12-1.fc19.x86_64
>>>
>>> Linux ipa31.bph.cxn 3.11.6-201.fc19.x86_64 #1 SMP Sat Nov 2 14:09:09 UTC
>>> 2013 x86_64 x86_64 x86_64 GNU/Linux
>>> Fedora 19.
>>>
>>>
>>> How can I fix it?
>>
>> ldapmodify -x -D "cn=directory manager" -W <<EOF
>> dn: cn=config
>> changetype: modify
>> replace: nsslapd-ignore-time-skew
>> nsslapd-ignore-time-skew: on
>> EOF
>>
>> Do this on all of your servers.
>
> I tried this, but no joy. Still not good:/
>
> What I really don't understand is why I cannot log in to the UI (or to an
> installed client machine) if the replication doesn't work.
> Is it a normal behaviour?

These issues are probably not related, unless perhaps the time skew is 
also throwing off the Kerberos tickets and/or session cache in the IPA 
framework.

You didn't say how you were trying to log into the UI. Are you using 
Kerberos or the form-based authentication?

rob



