On Thu, Mar 5, 2015 at 5:17 PM, Dan Mossor <[email protected]> wrote:
>
> On Thu, Mar 5, 2015 at 4:55 PM, Dmitri Pal <[email protected]> wrote:
>
>> On 03/05/2015 05:51 PM, Dan Mossor wrote:
>>
>> As an additional test, I created a new user on my workstation and
>> switched to it. The first thing I did was kinit as admin, then started
>> Firefox, went through the browser configuration provided by the IPA server,
>> and attempted to log in. I received the same error[1].
>>
>> [1]http://i.imgur.com/mhX86Ng.png
>>
>>
>> Have you checked times and time zones on the client and on the server?
>>
>> --
>> Thank you,
>> Dmitri Pal
>>
>> Sr. Engineering Manager IdM portfolio
>> Red Hat, Inc.
>>
>>
> The server is set for GMT time, whereas the client is set for local time,
> US Central Standard Time. Except for that difference, they are within 1
> second of each other.
>
> Dan
>

As an experiment after this email exchange, I switched the server to Central Standard Time using timedatectl. I then ran kinit again, and attempted to log into the GUI. There was no change - I still cannot access the GUI.

Here is the krb5kdc.log from the period:

Mar 06 00:28:54 vader.rez.lcl krb5kdc[1073](info): AS_REQ (6 etypes {18 17 16 23 25 26}) 10.1.1.15: NEEDED_PREAUTH: host/[email protected] for krbtgt/[email protected], Additional pre-authentication required
Mar 06 00:28:54 vader.rez.lcl krb5kdc[1073](info): AS_REQ (6 etypes {18 17 16 23 25 26}) 10.1.1.15: ISSUE: authtime 1425601734, etypes {rep=18 tkt=18 ses=18}, host/[email protected] for krbtgt/[email protected]
Mar 06 00:28:54 vader.rez.lcl krb5kdc[1073](info): TGS_REQ (6 etypes {18 17 16 23 25 26}) 10.1.1.15: ISSUE: authtime 1425601734, etypes {rep=18 tkt=18 ses=18}, host/[email protected] for ldap/[email protected]
Mar 05 18:29:20 vader.rez.lcl krb5kdc[1073](info): AS_REQ (6 etypes {18 17 16 23 25 26}) 10.1.1.15: NEEDED_PREAUTH: [email protected] for krbtgt/[email protected], Additional pre-authentication required
Mar 05 18:29:25 vader.rez.lcl krb5kdc[1073](info): AS_REQ (6 etypes {18 17 16 23 25 26}) 10.1.1.15: ISSUE: authtime 1425601765, etypes {rep=18 tkt=18 ses=18}, [email protected] for krbtgt/[email protected]
Mar 05 18:29:26 vader.rez.lcl krb5kdc[1073](info): DISPATCH: repeated (retransmitted?) request from 10.1.1.15, resending previous response
Mar 05 18:29:26 vader.rez.lcl krb5kdc[1073](info): closing down fd 12
Mar 05 18:29:44 vader.rez.lcl krb5kdc[1073](info): AS_REQ (6 etypes {18 17 16 23 25 26}) 10.1.0.1: NEEDED_PREAUTH: HTTP/[email protected] for krbtgt/[email protected], Additional pre-authentication required
Mar 05 18:29:44 vader.rez.lcl krb5kdc[1073](info): AS_REQ (6 etypes {18 17 16 23 25 26}) 10.1.0.1: ISSUE: authtime 1425601784, etypes {rep=18 tkt=18 ses=18}, HTTP/[email protected] for krbtgt/[email protected]
Mar 05 18:29:44 vader.rez.lcl krb5kdc[1073](info): AS_REQ (6 etypes {18 17 16 23 25 26}) 10.1.0.1: NEEDED_PREAUTH: [email protected] for krbtgt/[email protected], Additional pre-authentication required
Mar 05 18:29:44 vader.rez.lcl krb5kdc[1073](info): AS_REQ (6 etypes {18 17 16 23 25 26}) 10.1.0.1: ISSUE: authtime 1425601784, etypes {rep=18 tkt=18 ses=18}, [email protected] for krbtgt/[email protected]
Mar 05 18:29:44 vader.rez.lcl krb5kdc[1073](info): TGS_REQ (6 etypes {18 17 16 23 25 26}) 10.1.1.15: ISSUE: authtime 1425601765, etypes {rep=18 tkt=18 ses=18}, [email protected] for HTTP/[email protected]

One thing I did determine is the authtime in the krb5kdc log is epoch time. I checked it, and it translates directly to the standard time.

Dan
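
The epoch check described in the message above, as an added example that is not part of the original post: it compares each krb5kdc ISSUE line's syslog stamp with its authtime to recover the UTC offset the log clock was using and any leftover skew. The host, realm and principal names in the sample are constructed placeholders, the function name is hypothetical, and a TGS_REQ line is assumed to follow an AS_REQ line logged in the same time zone.

```python
import re
from datetime import datetime, timezone

# Constructed lines in the krb5kdc.log layout quoted above. Host, realm and
# principals are placeholders; stamps and authtime values follow the thread.
SAMPLE = "\n".join([
    "Mar 06 00:28:54 kdc.example.test krb5kdc[1073](info): AS_REQ (6 etypes {18 17 16 23 25 26}) 10.1.1.15: "
    "ISSUE: authtime 1425601734, etypes {rep=18 tkt=18 ses=18}, host/c.example.test@EXAMPLE.TEST for krbtgt/EXAMPLE.TEST@EXAMPLE.TEST",
    "Mar 05 18:29:20 kdc.example.test krb5kdc[1073](info): AS_REQ (6 etypes {18 17 16 23 25 26}) 10.1.1.15: "
    "NEEDED_PREAUTH: admin@EXAMPLE.TEST for krbtgt/EXAMPLE.TEST@EXAMPLE.TEST, Additional pre-authentication required",
    "Mar 05 18:29:25 kdc.example.test krb5kdc[1073](info): AS_REQ (6 etypes {18 17 16 23 25 26}) 10.1.1.15: "
    "ISSUE: authtime 1425601765, etypes {rep=18 tkt=18 ses=18}, admin@EXAMPLE.TEST for krbtgt/EXAMPLE.TEST@EXAMPLE.TEST",
    "Mar 05 18:29:44 kdc.example.test krb5kdc[1073](info): TGS_REQ (6 etypes {18 17 16 23 25 26}) 10.1.1.15: "
    "ISSUE: authtime 1425601765, etypes {rep=18 tkt=18 ses=18}, admin@EXAMPLE.TEST for HTTP/kdc.example.test@EXAMPLE.TEST",
])

LINE = re.compile(r"^(\w{3} \d{2} \d{2}:\d{2}:\d{2}) \S+ krb5kdc\[\d+\]\(info\): "
                  r"(AS_REQ|TGS_REQ) .*ISSUE: authtime (\d+),")

def check_kdc_times(log_text, year):
    """Return (request, authtime as UTC, UTC offset of the log clock in hours, seconds).

    For AS_REQ the last field is leftover skew between the log stamp and authtime.
    For TGS_REQ authtime is copied from the TGT, so the field is the TGT's age.
    """
    rows, offset = [], 0
    for line in log_text.splitlines():
        m = LINE.match(line)
        if not m:
            continue  # NEEDED_PREAUTH, DISPATCH and similar lines carry no authtime
        stamp, request, authtime = m.groups()
        # Syslog-style stamps have no year or zone, so the caller supplies the year.
        wall = datetime.strptime(f"{year} {stamp}", "%Y %b %d %H:%M:%S")
        auth = datetime.fromtimestamp(int(authtime), timezone.utc).replace(tzinfo=None)
        delta = int((wall - auth).total_seconds())
        if request == "AS_REQ":
            # Zone offsets are multiples of 15 minutes; any remainder is real skew.
            offset = round(delta / 900) * 900
        rows.append((request, auth.isoformat(), offset / 3600, delta - offset))
    return rows

if __name__ == "__main__":
    for row in check_kdc_times(SAMPLE, 2015):
        print(row)
```

A zero in the last field of an AS_REQ row means the log stamp and authtime agree once the zone is accounted for, so the jump from "Mar 06 00:28" to "Mar 05 18:29" in the log reflects the zone change and not clock drift.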
