[Freeipa-users] Web UI Authentication errors - revisited

Dmitri Pal dpal at redhat.com
Fri Mar 6 00:44:31 UTC 2015


On 03/05/2015 07:36 PM, Dan Mossor wrote:
> On Thu, Mar 5, 2015 at 5:17 PM, Dan Mossor <danofsatx at gmail.com> wrote:
>
>
>
>     On Thu, Mar 5, 2015 at 4:55 PM, Dmitri Pal <dpal at redhat.com> wrote:
>
>         On 03/05/2015 05:51 PM, Dan Mossor wrote:
>>         As an additional test, I created a new user on my workstation
>>         and switched to it. The first thing I did was kinit as admin,
>>         then started Firefox, went through the browser configuration
>>         provided by the IPA server, and attempted to log in. I
>>         received the same error[1].
>>
>>         [1]http://i.imgur.com/mhX86Ng.png
>>
>>
>         Have you checked times and time zones on the client and on the
>         server?
>
>         -- 
>         Thank you,
>         Dmitri Pal
>
>         Sr. Engineering Manager IdM portfolio
>         Red Hat, Inc.
>
>
>     The server is set for GMT time, whereas the client is set for
>     local time, US Central Standard Time. Except for that difference,
>     they are within 1 second of each other.
>
>     Dan
>
> As an experiment after this email exchange, I switched the server to 
> Central Standard Time using timedatectl. I then ran kinit again, and 
> attempted to log into the GUI. There was no change - I still cannot 
> access the GUI. Here is the krb5kdc.log from the period:
>
> Mar 06 00:28:54 vader.rez.lcl krb5kdc[1073](info): AS_REQ (6 etypes {18 17 16 23 25 26}) 10.1.1.15: NEEDED_PREAUTH: host/dmfedora.rez.lcl at REZ.LCL for krbtgt/REZ.LCL at REZ.LCL, Additional pre-authentication required
> Mar 06 00:28:54 vader.rez.lcl krb5kdc[1073](info): AS_REQ (6 etypes {18 17 16 23 25 26}) 10.1.1.15: ISSUE: authtime 1425601734, etypes {rep=18 tkt=18 ses=18}, host/dmfedora.rez.lcl at REZ.LCL for krbtgt/REZ.LCL at REZ.LCL
> Mar 06 00:28:54 vader.rez.lcl krb5kdc[1073](info): TGS_REQ (6 etypes {18 17 16 23 25 26}) 10.1.1.15: ISSUE: authtime 1425601734, etypes {rep=18 tkt=18 ses=18}, host/dmfedora.rez.lcl at REZ.LCL for ldap/vader.rez.lcl at REZ.LCL
> Mar 05 18:29:20 vader.rez.lcl krb5kdc[1073](info): AS_REQ (6 etypes {18 17 16 23 25 26}) 10.1.1.15: NEEDED_PREAUTH: admin at REZ.LCL for krbtgt/REZ.LCL at REZ.LCL, Additional pre-authentication required
> Mar 05 18:29:25 vader.rez.lcl krb5kdc[1073](info): AS_REQ (6 etypes {18 17 16 23 25 26}) 10.1.1.15: ISSUE: authtime 1425601765, etypes {rep=18 tkt=18 ses=18}, admin at REZ.LCL for krbtgt/REZ.LCL at REZ.LCL
> Mar 05 18:29:26 vader.rez.lcl krb5kdc[1073](info): DISPATCH: repeated (retransmitted?) request from 10.1.1.15, resending previous response
> Mar 05 18:29:26 vader.rez.lcl krb5kdc[1073](info): closing down fd 12
> Mar 05 18:29:44 vader.rez.lcl krb5kdc[1073](info): AS_REQ (6 etypes {18 17 16 23 25 26}) 10.1.0.1: NEEDED_PREAUTH: HTTP/vader.rez.lcl at REZ.LCL for krbtgt/REZ.LCL at REZ.LCL, Additional pre-authentication required
> Mar 05 18:29:44 vader.rez.lcl krb5kdc[1073](info): AS_REQ (6 etypes {18 17 16 23 25 26}) 10.1.0.1: ISSUE: authtime 1425601784, etypes {rep=18 tkt=18 ses=18}, HTTP/vader.rez.lcl at REZ.LCL for krbtgt/REZ.LCL at REZ.LCL
> Mar 05 18:29:44 vader.rez.lcl krb5kdc[1073](info): AS_REQ (6 etypes {18 17 16 23 25 26}) 10.1.0.1: NEEDED_PREAUTH: admin at REZ.LCL for krbtgt/REZ.LCL at REZ.LCL, Additional pre-authentication required
> Mar 05 18:29:44 vader.rez.lcl krb5kdc[1073](info): AS_REQ (6 etypes {18 17 16 23 25 26}) 10.1.0.1: ISSUE: authtime 1425601784, etypes {rep=18 tkt=18 ses=18}, admin at REZ.LCL for krbtgt/REZ.LCL at REZ.LCL
> Mar 05 18:29:44 vader.rez.lcl krb5kdc[1073](info): TGS_REQ (6 etypes {18 17 16 23 25 26}) 10.1.1.15: ISSUE: authtime 1425601765, etypes {rep=18 tkt=18 ses=18}, admin at REZ.LCL for HTTP/vader.rez.lcl at REZ.LCL
>
>
> One thing I did determine is the authtime in the krb5kdc log is epoch 
> time. I checked it, and it translates directly to the standard time.
>
> Dan

Hm. OK.

I do not think it was ever mentioned which version of the server and 
client you are running, but based on the UI it seems like the latest.
Also, you are trying to log in after using kinit. Can you log in using 
forms-based authentication, or does that not work either?


-- 
Thank you,
Dmitri Pal

Sr. Engineering Manager IdM portfolio
Red Hat, Inc.
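
Added example, not part of the original messages: a small parser for the krb5kdc ISSUE entries quoted above that reads authtime as UTC epoch seconds and compares it with the zone-less log stamp, which separates a time-zone change on the server from real clock skew. The function names, the year argument, and the assumption that an AS_REQ ticket is logged in the same second it is issued are mine.

```python
import re
from datetime import datetime, timezone

# Constructed sample: four entries from the log quoted above, with wrapped
# lines rejoined and the archive's " at " assumed to stand for "@".
PFX = " vader.rez.lcl krb5kdc[1073](info): "
ETY = " (6 etypes {18 17 16 23 25 26}) 10.1.1.15: "
ISS = "ISSUE: authtime {}, etypes {{rep=18 tkt=18 ses=18}}, "
SAMPLE = [
    "Mar 06 00:28:54" + PFX + "AS_REQ" + ETY + ISS.format(1425601734)
    + "host/dmfedora.rez.lcl@REZ.LCL for krbtgt/REZ.LCL@REZ.LCL",
    "Mar 05 18:29:20" + PFX + "AS_REQ" + ETY + "NEEDED_PREAUTH: admin@REZ.LCL"
    " for krbtgt/REZ.LCL@REZ.LCL, Additional pre-authentication required",
    "Mar 05 18:29:25" + PFX + "AS_REQ" + ETY + ISS.format(1425601765)
    + "admin@REZ.LCL for krbtgt/REZ.LCL@REZ.LCL",
    "Mar 05 18:29:44" + PFX + "TGS_REQ" + ETY + ISS.format(1425601765)
    + "admin@REZ.LCL for HTTP/vader.rez.lcl@REZ.LCL",
]

LINE_RE = re.compile(
    r"^(?P<stamp>\w{3} \d{2} \d{2}:\d{2}:\d{2}) \S+ krb5kdc\[\d+\]\(info\): "
    r"(?P<req>AS_REQ|TGS_REQ) .*? (?P<ip>[\d.]+): ISSUE: "
    r"authtime (?P<authtime>\d+), .*?, (?P<client>\S+) for (?P<service>\S+)$")

def parse_issue(line, year):
    """Return the fields of an ISSUE entry, or None for any other entry.
    The log stamp carries no year or zone, so the caller supplies the year."""
    m = LINE_RE.match(line)
    if m is None:
        return None
    logged = datetime.strptime(f"{year} {m['stamp']}", "%Y %b %d %H:%M:%S")
    auth = datetime.fromtimestamp(int(m["authtime"]), tz=timezone.utc)
    return {"req": m["req"], "ip": m["ip"], "client": m["client"],
            "service": m["service"], "auth_utc": auth,
            # wall-clock log stamp minus authtime read as UTC, in seconds
            "delta": int((logged - auth.replace(tzinfo=None)).total_seconds())}

def summarize(lines, year=2015):
    """Yield (client, service, log-stamp UTC offset in hours, TGT age in s).
    AS_REQ delta is taken as the zone offset of the log stamp (assumption);
    TGS_REQ delta minus the latest such offset is the age of the TGT used."""
    out, offset = [], None
    for e in filter(None, (parse_issue(l, year) for l in lines)):
        if e["req"] == "AS_REQ":
            offset = e["delta"]
            out.append((e["client"], e["service"], offset // 3600, 0))
        elif offset is not None:
            out.append((e["client"], e["service"], offset // 3600, e["delta"] - offset))
    return out
```

On the sample, the offset moves from 0 to -6 hours when the server's zone is switched, while authtime stays consistent with the log stamp once the offset is removed.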
