<div dir="ltr"><div>Hi</div><div> </div><div>So there's nothing I can see in the access logs.</div><div> </div><div>However, I get the following message in the KDC log:</div><div> </div><div>Feb 15 14:05:49 ipa.example.com krb5kdc[1749](info): AS_REQ (12 etypes {18 17 16 23 1 3 2 11 10 15 12 13}) 192.168.0.1: ISSUE: authtime 1360951549, etypes {rep=18 tkt=18 ses=18}, user@EXAMPLE.COM for krbtgt/EXAMPLE.COM@EXAMPLE.COM</div>

<div> </div><div>and when I get a "kinit(v5): Cannot read password while getting initial credentials" error I see this error:</div><div> </div><div>Feb 15 14:39:35 ipa.example.com krb5kdc[1749](info): AS_REQ (12 etypes {18 17 16 23 1 3 2 11 10 15 12 13}) 192.168.0.1: NEEDED_PREAUTH: user@EXAMPLE.COM for kadmin/changepw@EXAMPLE.COM, Additional pre-authentication required</div>

<div> </div><div>Interestingly enough, when I try a 5.6 server running ipa-client-2.0.14.el5_7.2 and xmlrpc-c-client-1.16.24-1206.1840.el5 it works, but rolling ipa-client, certmonger, xmlrpc-c and xmlrpc-c-client back to their 5.6 versions on the 5.8 server makes no difference. I guess, looking at times it has worked, I should be getting a TGS_REQ message in the logs immediately after the AS_REQ.</div>

<div> </div><div>Any ideas or anything else I can check?</div><div> </div><div>Thanks</div><div>Charlie</div></div><div class="gmail_extra"><br><br><div class="gmail_quote">On Wed, Feb 13, 2013 at 10:27 PM, Dmitri Pal <span dir="ltr"><<a href="mailto:dpal@redhat.com" target="_blank">dpal@redhat.com</a>></span> wrote:<br>

<blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
  
    
  
  <div text="#000000" bgcolor="#FFFFFF"><div><div class="h5">
    On 02/13/2013 04:57 PM, Charlie Derwent wrote:
    <blockquote type="cite">
      <div dir="ltr">
        <div class="gmail_extra"><br>
          <br>
        </div>
        <div class="gmail_quote">On Sun, Feb 10, 2013 at 1:48 AM, Rob
          Crittenden <span dir="ltr"><<a href="mailto:rcritten@redhat.com" target="_blank">rcritten@redhat.com</a>></span>
          wrote:<br>
          <blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;padding-left:1ex;border-left-color:rgb(204,204,204);border-left-width:1px;border-left-style:solid">Charlie Derwent wrote:<br>
            <blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;padding-left:1ex;border-left-color:rgb(204,204,204);border-left-width:1px;border-left-style:solid">
              <div>
                Hi<br>
                Whenever I attempt an unattended installation with a
                principal and<br>
                password, the installation fails.<br>
                I'm using the following syntax for my command<br>
              </div>
              ipa-client-install --domain=example.com
              --server=ipa.example.com --realm=EXAMPLE.COM
              --principal=user --password=pass -U
              --ntp-server=123.123.123.123 --mkhomedir --hostname=server1.example.com
              <div><br>
                The error I get varies between (in order of frequency)<br>
                Joining realm failed: /usr/sbin/ipa-join: symbol lookup
                error:<br>
                /usr/sbin/ipa-join: undefined symbol:
                xmlrpc_server_info_set_user<br>
                and<br>
              </div>
            </blockquote>
            <br>
            This is the sort of thing that if you saw once, you should
            see every time. What version of xmlrpc-c-client is
            installed?
            <div><br>
               </div>
          </blockquote>
          <div>
            <div>I agree I should be seeing it all the time; it's very
              odd that I'm not. The package
              is xmlrpc-c-client-1.16.24-1206.1840.4.el5.x86_64.rpm</div>
          </div>
          <blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;padding-left:1ex;border-left-color:rgb(204,204,204);border-left-width:1px;border-left-style:solid">
            <div>
              <br>
              <blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;padding-left:1ex;border-left-color:rgb(204,204,204);border-left-width:1px;border-left-style:solid">
                kinit(v5): Password incorrect while getting initial
                credentials<br>
                and<br>
                Password expired. you must change it now.<br>
                kinit(v5): Cannot read password while getting initial
                credentials<br>
                The password is 100% right as I can kinit on other
                servers and access<br>
                the webgui with the same details.<br>
                OTP's work flawlessly.<br>
              </blockquote>
              <br>
            </div>
            <p>
              The KDC log might have more information.</p>
          </blockquote>
          <div>I'm not in the office right now so I can't check the logs
            but I assume the KDC log is actually on the IPA server?</div>
        </div>
      </div>
    </blockquote>
    <br></div></div>
    yes<br>
    and the DS access logs too<br>
    <blockquote type="cite">
      <div dir="ltr">
        <div class="gmail_quote">
          <div> </div>
          <div class="gmail_extra">
            Thanks</div>
          <div class="gmail_extra">Charlie</div>
        </div>
        <div class="gmail_extra"><br>
           </div>
      </div><div class="im">
      <br>
      <fieldset></fieldset>
      <br>
      <pre>_______________________________________________
Freeipa-users mailing list
<a href="mailto:Freeipa-users@redhat.com" target="_blank">Freeipa-users@redhat.com</a>
<a href="https://www.redhat.com/mailman/listinfo/freeipa-users" target="_blank">https://www.redhat.com/mailman/listinfo/freeipa-users</a></pre>
    </div></blockquote><div class="im">
    <br>
    <br>
    <pre cols="72">-- 
Thank you,
Dmitri Pal

Sr. Engineering Manager for IdM portfolio
Red Hat Inc.


</pre>
  </div></div>

</blockquote></div><br></div>
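<div>Added example (not part of the original thread, and not FreeIPA code): a small Python parser for the two krb5kdc lines quoted above. It separates a TGT request from a request for kadmin/changepw, the password-change service, and reports whether a TGS_REQ from the same client follows an issued TGT. The function names and note strings are made up for this illustration.</div>

```python
import re

# Shape of the krb5kdc request lines quoted in the message above.
KDC_LINE = re.compile(
    r"krb5kdc\[\d+\]\(info\): (?P<req>AS_REQ|TGS_REQ) "
    r"\(\d+ etypes \{(?P<etypes>[\d ]+)\}\) (?P<addr>\S+): "
    r"(?P<status>[A-Z_]+): (?:authtime \d+, etypes \{[^}]*\}, )?"
    r"(?P<client>\S+) for (?P<service>[^\s,]+)"
)

def parse(line):
    """Return the fields of one KDC request line, or None for any other line."""
    m = KDC_LINE.search(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["etypes"] = [int(e) for e in rec["etypes"].split()]
    return rec

def triage(lines):
    """Label each parsed request; returns (client, service, status, note) tuples."""
    recs = [r for r in map(parse, lines) if r]
    out = []
    for i, r in enumerate(recs):
        note = ""
        if r["service"].startswith("kadmin/changepw"):
            # A ticket for the password-change service, not a TGT.
            note = "password-change request"
        elif (r["req"] == "AS_REQ" and r["status"] == "ISSUE"
              and r["service"].startswith("krbtgt/")):
            # Was the TGT ever presented for a service ticket afterwards?
            used = any(n["req"] == "TGS_REQ" and n["client"] == r["client"]
                       for n in recs[i + 1:])
            note = "TGT issued, used" if used else "TGT issued, no TGS_REQ after it"
        out.append((r["client"], r["service"], r["status"], note))
    return out

# The two lines quoted in the message, with the mail client's link markup stripped.
SAMPLE = [
    "Feb 15 14:05:49 ipa.example.com krb5kdc[1749](info): AS_REQ (12 etypes {18 17 16 23 1 3 2 11 10 15 12 13}) 192.168.0.1: ISSUE: authtime 1360951549, etypes {rep=18 tkt=18 ses=18}, user@EXAMPLE.COM for krbtgt/EXAMPLE.COM@EXAMPLE.COM",
    "Feb 15 14:39:35 ipa.example.com krb5kdc[1749](info): AS_REQ (12 etypes {18 17 16 23 1 3 2 11 10 15 12 13}) 192.168.0.1: NEEDED_PREAUTH: user@EXAMPLE.COM for kadmin/changepw@EXAMPLE.COM, Additional pre-authentication required",
]

if __name__ == "__main__":
    for row in triage(SAMPLE):
        print(row)
```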