[Freeipa-users] Web UI Authentication errors - revisited

Dan Mossor danofsatx at gmail.com
Fri Mar 6 00:36:35 UTC 2015


On Thu, Mar 5, 2015 at 5:17 PM, Dan Mossor <danofsatx at gmail.com> wrote:

>
>
> On Thu, Mar 5, 2015 at 4:55 PM, Dmitri Pal <dpal at redhat.com> wrote:
>
>>  On 03/05/2015 05:51 PM, Dan Mossor wrote:
>>
>>  As an additional test, I created a new user on my workstation and
>> switched to it. The first thing I did was kinit as admin, then started
>> Firefox, went through the browser configuration provided by the IPA server,
>> and attempted to log in. I received the same error[1].
>>
>> [1]http://i.imgur.com/mhX86Ng.png
>>
>>
>>  Have you checked times and time zones on the client and on the server?
>>
>> --
>> Thank you,
>> Dmitri Pal
>>
>> Sr. Engineering Manager IdM portfolio
>> Red Hat, Inc.
>>
>>
> The server is set for GMT time, whereas the client is set for local time,
> US Central Standard Time. Except for that difference, they are within 1
> second of each other.
>
> Dan
>
As an experiment after this email exchange, I switched the server to
Central Standard Time using timedatectl. I then ran kinit again, and
attempted to log into the GUI. There was no change - I still cannot access
the GUI. Here is the krb5kdc.log from the period:

Mar 06 00:28:54 vader.rez.lcl krb5kdc[1073](info): AS_REQ (6 etypes {18 17 16 23 25 26}) 10.1.1.15: NEEDED_PREAUTH: host/dmfedora.rez.lcl@REZ.LCL for krbtgt/REZ.LCL@REZ.LCL, Additional pre-authentication required
Mar 06 00:28:54 vader.rez.lcl krb5kdc[1073](info): AS_REQ (6 etypes {18 17 16 23 25 26}) 10.1.1.15: ISSUE: authtime 1425601734, etypes {rep=18 tkt=18 ses=18}, host/dmfedora.rez.lcl@REZ.LCL for krbtgt/REZ.LCL@REZ.LCL
Mar 06 00:28:54 vader.rez.lcl krb5kdc[1073](info): TGS_REQ (6 etypes {18 17 16 23 25 26}) 10.1.1.15: ISSUE: authtime 1425601734, etypes {rep=18 tkt=18 ses=18}, host/dmfedora.rez.lcl@REZ.LCL for ldap/vader.rez.lcl@REZ.LCL
Mar 05 18:29:20 vader.rez.lcl krb5kdc[1073](info): AS_REQ (6 etypes {18 17 16 23 25 26}) 10.1.1.15: NEEDED_PREAUTH: admin@REZ.LCL for krbtgt/REZ.LCL@REZ.LCL, Additional pre-authentication required
Mar 05 18:29:25 vader.rez.lcl krb5kdc[1073](info): AS_REQ (6 etypes {18 17 16 23 25 26}) 10.1.1.15: ISSUE: authtime 1425601765, etypes {rep=18 tkt=18 ses=18}, admin@REZ.LCL for krbtgt/REZ.LCL@REZ.LCL
Mar 05 18:29:26 vader.rez.lcl krb5kdc[1073](info): DISPATCH: repeated (retransmitted?) request from 10.1.1.15, resending previous response
Mar 05 18:29:26 vader.rez.lcl krb5kdc[1073](info): closing down fd 12
Mar 05 18:29:44 vader.rez.lcl krb5kdc[1073](info): AS_REQ (6 etypes {18 17 16 23 25 26}) 10.1.0.1: NEEDED_PREAUTH: HTTP/vader.rez.lcl@REZ.LCL for krbtgt/REZ.LCL@REZ.LCL, Additional pre-authentication required
Mar 05 18:29:44 vader.rez.lcl krb5kdc[1073](info): AS_REQ (6 etypes {18 17 16 23 25 26}) 10.1.0.1: ISSUE: authtime 1425601784, etypes {rep=18 tkt=18 ses=18}, HTTP/vader.rez.lcl@REZ.LCL for krbtgt/REZ.LCL@REZ.LCL
Mar 05 18:29:44 vader.rez.lcl krb5kdc[1073](info): AS_REQ (6 etypes {18 17 16 23 25 26}) 10.1.0.1: NEEDED_PREAUTH: admin@REZ.LCL for krbtgt/REZ.LCL@REZ.LCL, Additional pre-authentication required
Mar 05 18:29:44 vader.rez.lcl krb5kdc[1073](info): AS_REQ (6 etypes {18 17 16 23 25 26}) 10.1.0.1: ISSUE: authtime 1425601784, etypes {rep=18 tkt=18 ses=18}, admin@REZ.LCL for krbtgt/REZ.LCL@REZ.LCL
Mar 05 18:29:44 vader.rez.lcl krb5kdc[1073](info): TGS_REQ (6 etypes {18 17 16 23 25 26}) 10.1.1.15: ISSUE: authtime 1425601765, etypes {rep=18 tkt=18 ses=18}, admin@REZ.LCL for HTTP/vader.rez.lcl@REZ.LCL


One thing I did determine is the authtime in the krb5kdc log is epoch time.
I checked it, and it translates directly to the standard time.

Dan
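
Added example, not part of the original message or of FreeIPA: a Python check of the authtime observation against the log excerpt above. It converts each ISSUE line's authtime to UTC, compares it with the zone-less log prefix to recover the logger's UTC offset on AS_REQ lines, and reports the age of the ticket-granting ticket on TGS_REQ lines. The names parse_issue and summarize are hypothetical, the sample is three entries from the log written one per line with "@" in the principals, and the year is taken from authtime as an assumption.

```python
import re
from datetime import datetime, timedelta, timezone

# Constructed sample: ISSUE entries from the log above, each on one line.
SAMPLE = """\
Mar 06 00:28:54 vader.rez.lcl krb5kdc[1073](info): AS_REQ (6 etypes {18 17 16 23 25 26}) 10.1.1.15: ISSUE: authtime 1425601734, etypes {rep=18 tkt=18 ses=18}, host/dmfedora.rez.lcl@REZ.LCL for krbtgt/REZ.LCL@REZ.LCL
Mar 05 18:29:25 vader.rez.lcl krb5kdc[1073](info): AS_REQ (6 etypes {18 17 16 23 25 26}) 10.1.1.15: ISSUE: authtime 1425601765, etypes {rep=18 tkt=18 ses=18}, admin@REZ.LCL for krbtgt/REZ.LCL@REZ.LCL
Mar 05 18:29:44 vader.rez.lcl krb5kdc[1073](info): TGS_REQ (6 etypes {18 17 16 23 25 26}) 10.1.1.15: ISSUE: authtime 1425601765, etypes {rep=18 tkt=18 ses=18}, admin@REZ.LCL for HTTP/vader.rez.lcl@REZ.LCL
"""

ISSUE_RE = re.compile(
    r"^(?P<stamp>\w{3} +\d+ \d\d:\d\d:\d\d) \S+ krb5kdc\[\d+\]\(info\): "
    r"(?P<req>AS_REQ|TGS_REQ) \(.*?\) (?P<addr>[0-9.]+): ISSUE: "
    r"authtime (?P<auth>\d+), etypes \{.*?\}, (?P<client>\S+) for (?P<service>\S+)$"
)

def parse_issue(line):
    """Return a dict for a krb5kdc ISSUE line, or None for any other line."""
    m = ISSUE_RE.match(line.strip())
    if not m:
        return None
    auth = datetime.fromtimestamp(int(m["auth"]), tz=timezone.utc)
    # The log prefix carries no year or zone; borrow the year from authtime (assumption).
    wall = datetime.strptime(f"{auth.year} {m['stamp']}", "%Y %b %d %H:%M:%S")
    return {"req": m["req"], "client": m["client"], "service": m["service"],
            "authtime_utc": auth, "delta": wall - auth.replace(tzinfo=None)}

def summarize(lines):
    """Per ISSUE line: logger UTC offset in hours (AS_REQ) or TGT age in seconds (TGS_REQ)."""
    out, offset = [], timedelta(0)
    for e in filter(None, map(parse_issue, lines)):
        if e["req"] == "AS_REQ":
            # authtime is the moment of issue, so delta is the logger's UTC offset
            # (rounded to 15 minutes to absorb any logging delay).
            offset = timedelta(seconds=round(e["delta"].total_seconds() / 900) * 900)
            out.append((e["client"], "utc_offset_h", offset.total_seconds() / 3600))
        else:
            # authtime is when the TGT was first issued, not when this request arrived.
            out.append((e["client"], "tgt_age_s", (e["delta"] - offset).total_seconds()))
    return out

if __name__ == "__main__":
    for e in filter(None, map(parse_issue, SAMPLE.splitlines())):
        print(e["req"], e["client"], "authtime", e["authtime_utc"].isoformat())
    for row in summarize(SAMPLE.splitlines()):
        print(row)
```

On the sample, the first entry gives a logger offset of 0 hours and the second gives -6 hours, which matches the server being moved from GMT to Central Standard Time between the two requests; the TGS_REQ for HTTP/vader.rez.lcl reuses a TGT that is 19 seconds old.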