[Freeipa-users] Web UI Authentication errors - revisited

Dan Mossor danofsatx at gmail.com
Fri Mar 6 01:09:19 UTC 2015


On Thu, Mar 5, 2015 at 6:44 PM, Dmitri Pal <dpal at redhat.com> wrote:

>  On 03/05/2015 07:36 PM, Dan Mossor wrote:
>
>  On Thu, Mar 5, 2015 at 5:17 PM, Dan Mossor <danofsatx at gmail.com> wrote:
>
>>
>>
>> On Thu, Mar 5, 2015 at 4:55 PM, Dmitri Pal <dpal at redhat.com> wrote:
>>
>>>   On 03/05/2015 05:51 PM, Dan Mossor wrote:
>>>
>>>  As an additional test, I created a new user on my workstation and
>>> switched to it. The first thing I did was kinit as admin, then started
>>> Firefox, went through the browser configuration provided by the IPA server,
>>> and attempted to log in. I received the same error[1].
>>>
>>> [1]http://i.imgur.com/mhX86Ng.png
>>>
>>>
>>>   Have you checked times and time zones on the client and on the server?
>>>
>>> --
>>> Thank you,
>>> Dmitri Pal
>>>
>>> Sr. Engineering Manager IdM portfolio
>>> Red Hat, Inc.
>>>
>>>
>> The server is set for GMT time, whereas the client is set for local
>> time, US Central Standard Time. Except for that difference, they are within
>> 1 second of each other.
>>
>>  Dan
>>
>  As an experiment after this email exchange, I switched the server to
> Central Standard Time using timedatectl. I then ran kinit again, and
> attempted to log into the GUI. There was no change - I still cannot access
> the GUI. Here is the krb5kdc.log from the period:
>
> Mar 06 00:28:54 vader.rez.lcl krb5kdc[1073](info): AS_REQ (6 etypes {18 17
> 16 23 25 26}) 10.1.1.15: NEEDED_PREAUTH: host/dmfedora.rez.lcl at REZ.LCL
> for krbtgt/REZ.LCL at REZ.LCL, Additional pre-authentication required
> Mar 06 00:28:54 vader.rez.lcl krb5kdc[1073](info): AS_REQ (6 etypes {18 17
> 16 23 25 26}) 10.1.1.15: ISSUE: authtime 1425601734, etypes {rep=18
> tkt=18 ses=18}, host/dmfedora.rez.lcl at REZ.LCL for krbtgt/REZ.LCL at REZ.LCL
> Mar 06 00:28:54 vader.rez.lcl krb5kdc[1073](info): TGS_REQ (6 etypes {18
> 17 16 23 25 26}) 10.1.1.15: ISSUE: authtime 1425601734, etypes {rep=18
> tkt=18 ses=18}, host/dmfedora.rez.lcl at REZ.LCL for
> ldap/vader.rez.lcl at REZ.LCL
> Mar 05 18:29:20 vader.rez.lcl krb5kdc[1073](info): AS_REQ (6 etypes {18 17
> 16 23 25 26}) 10.1.1.15: NEEDED_PREAUTH: admin at REZ.LCL for
> krbtgt/REZ.LCL at REZ.LCL, Additional pre-authentication required
> Mar 05 18:29:25 vader.rez.lcl krb5kdc[1073](info): AS_REQ (6 etypes {18 17
> 16 23 25 26}) 10.1.1.15: ISSUE: authtime 1425601765, etypes {rep=18
> tkt=18 ses=18}, admin at REZ.LCL for krbtgt/REZ.LCL at REZ.LCL
> Mar 05 18:29:26 vader.rez.lcl krb5kdc[1073](info): DISPATCH: repeated
> (retransmitted?) request from 10.1.1.15, resending previous response
> Mar 05 18:29:26 vader.rez.lcl krb5kdc[1073](info): closing down fd 12
> Mar 05 18:29:44 vader.rez.lcl krb5kdc[1073](info): AS_REQ (6 etypes {18 17
> 16 23 25 26}) 10.1.0.1: NEEDED_PREAUTH: HTTP/vader.rez.lcl at REZ.LCL for
> krbtgt/REZ.LCL at REZ.LCL, Additional pre-authentication required
> Mar 05 18:29:44 vader.rez.lcl krb5kdc[1073](info): AS_REQ (6 etypes {18 17
> 16 23 25 26}) 10.1.0.1: ISSUE: authtime 1425601784, etypes {rep=18 tkt=18
> ses=18}, HTTP/vader.rez.lcl at REZ.LCL for krbtgt/REZ.LCL at REZ.LCL
> Mar 05 18:29:44 vader.rez.lcl krb5kdc[1073](info): AS_REQ (6 etypes {18 17
> 16 23 25 26}) 10.1.0.1: NEEDED_PREAUTH: admin at REZ.LCL for
> krbtgt/REZ.LCL at REZ.LCL, Additional pre-authentication required
> Mar 05 18:29:44 vader.rez.lcl krb5kdc[1073](info): AS_REQ (6 etypes {18 17
> 16 23 25 26}) 10.1.0.1: ISSUE: authtime 1425601784, etypes {rep=18 tkt=18
> ses=18}, admin at REZ.LCL for krbtgt/REZ.LCL at REZ.LCL
> Mar 05 18:29:44 vader.rez.lcl krb5kdc[1073](info): TGS_REQ (6 etypes {18
> 17 16 23 25 26}) 10.1.1.15: ISSUE: authtime 1425601765, etypes {rep=18
> tkt=18 ses=18}, admin at REZ.LCL for HTTP/vader.rez.lcl at REZ.LCL
>
>
>  One thing I did determine is the authtime in the krb5kdc log is epoch
> time. I checked it, and it translates directly to the standard time.
>
>  Dan
>
>
> Hm. OK.
>
> I do not think it was ever mentioned which version of the server and
> client you are running, but based on the UI it seems like the latest.
> Also, you are trying to log in after using kinit. Can you log in using
> forms-based authentication, or does that not work either?
>
>
> --
> Thank you,
> Dmitri Pal
>
> Sr. Engineering Manager IdM portfolio
> Red Hat, Inc.
>
I can't seem to locate the form-based authentication for 4.1.2-1 - I was
going to try that in order to add the information to this thread, but I can
find no reference as to where it is and I can't find it manually on the
file system. Can you give me the default URL for it?

freeipa-server-4.1.2-1.fc21.x86_64
freeipa-client-4.1.2-1.fc21.x86_64

Dan
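
Added example, not part of the original thread: a small parser for the ISSUE lines of the krb5kdc.log excerpt quoted above. It converts authtime from epoch seconds to UTC and compares it with the syslog stamp, so a timezone change on the server shows up as a shift in the log's local timestamps while authtime stays on one UTC timeline. The year, the function name and the record field names are assumptions made for this example.

```python
import re
from datetime import datetime, timezone

# Constructed sample: lines re-joined from the krb5kdc.log excerpt quoted in the
# thread, keeping the list archive's " at " obfuscation of "@".
SAMPLE = """\
Mar 06 00:28:54 vader.rez.lcl krb5kdc[1073](info): AS_REQ (6 etypes {18 17 16 23 25 26}) 10.1.1.15: ISSUE: authtime 1425601734, etypes {rep=18 tkt=18 ses=18}, host/dmfedora.rez.lcl at REZ.LCL for krbtgt/REZ.LCL at REZ.LCL
Mar 05 18:29:20 vader.rez.lcl krb5kdc[1073](info): AS_REQ (6 etypes {18 17 16 23 25 26}) 10.1.1.15: NEEDED_PREAUTH: admin at REZ.LCL for krbtgt/REZ.LCL at REZ.LCL, Additional pre-authentication required
Mar 05 18:29:25 vader.rez.lcl krb5kdc[1073](info): AS_REQ (6 etypes {18 17 16 23 25 26}) 10.1.1.15: ISSUE: authtime 1425601765, etypes {rep=18 tkt=18 ses=18}, admin at REZ.LCL for krbtgt/REZ.LCL at REZ.LCL
Mar 05 18:29:44 vader.rez.lcl krb5kdc[1073](info): TGS_REQ (6 etypes {18 17 16 23 25 26}) 10.1.1.15: ISSUE: authtime 1425601765, etypes {rep=18 tkt=18 ses=18}, admin at REZ.LCL for HTTP/vader.rez.lcl at REZ.LCL
"""

ISSUE_RE = re.compile(
    r"^(?P<stamp>\w{3} \d{2} \d{2}:\d{2}:\d{2}) \S+ krb5kdc\[\d+\]\(info\): "
    r"(?P<req>AS_REQ|TGS_REQ) \([^)]*\) (?P<ip>[\d.]+): ISSUE: "
    r"authtime (?P<authtime>\d+), etypes \{[^}]*\}, "
    r"(?P<client>.+?) for (?P<server>.+)$"
)


def parse_issues(text, year=2015):
    """Return one record per ISSUE line. The year is an assumption: syslog stamps omit it."""
    records, offset = [], None
    for line in text.splitlines():
        m = ISSUE_RE.match(line)
        if not m:
            continue  # NEEDED_PREAUTH, DISPATCH and other non-ISSUE lines
        auth = datetime.fromtimestamp(int(m["authtime"]), tz=timezone.utc)
        stamp = datetime.strptime(f"{year} {m['stamp']}", "%Y %b %d %H:%M:%S")
        delta = int((stamp - auth.replace(tzinfo=None)).total_seconds())
        if m["req"] == "AS_REQ":
            offset = delta  # authtime is set when the TGT is issued, so delta is the log's UTC offset
        records.append({
            "req": m["req"], "ip": m["ip"],
            "client": m["client"], "server": m["server"],
            "auth_utc": auth.strftime("%Y-%m-%d %H:%M:%S"),
            "utc_offset_h": None if offset is None else offset / 3600,
            # For TGS_REQ, authtime is the TGT's original authtime, so this is the TGT's age.
            "ticket_age_s": None if offset is None else delta - offset,
        })
    return records


if __name__ == "__main__":
    for rec in parse_issues(SAMPLE):
        print(rec)
```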