On 04/25/2015 02:58 AM, Christopher Lamb wrote:
> Hi All
> I too am suffering from the infamous Web ui error “Your session has
> expired. Please re-login.” using from browser(s) on remote client(s),
> similar to the existing tickets:
> https://www.redhat.com/archives/freeipa-users/2015-March/msg00211.html
> https://www.redhat.com/archives/freeipa-users/2015-February/msg00315.html
> https://www.redhat.com/archives/freeipa-users/2015-April/msg00047.html
> We have 2 FreeIPA installations:
> An “Old”, soon to be decommissioned v3.0.0, on OEL 6.5
> The “new” instance, v4.1.0, on a fresh install of OEL 7.0
> The error occurs on both instances.
> I get the error from OSX and Windows clients (Firefox, Chrome, Safari, IE
> etc)
> Very sporadically one of the above browsers will “let me in” - If I cycle
> through all the browsers on various workstations / laptops on my desk
> sometimes I get lucky and one will work.
> kinit in a ssh session works.
> SELinux is disabled.
> All IPA Services are running.
> I can find no error(s) in /var/log/httpd/error_log
> In /var/log/krb5kdc.log I get entries like:
> Apr 25 02:17:44 ldap2.xxx-xx.xx.xx.com krb5kdc[1933](info): TGS_REQ (6
> etypes {18 17 16 23 25 26}) 9.159.8.200: ISSUE: authtime 1429921064, etypes
> {rep=18 tkt=18 ses=18}, [email protected] for
> HTTP/[email protected]
> Apr 25 02:17:44 ldap2.xxx-xx.xx.xxx.com krb5kdc[1933](info): closing down
> fd 12
> If I enter a wrong password, I correctly get “The password or username you
> entered is incorrect. “, + errors in /var/log/httpd/error_log
> None of the browsers have a krb5 ticket installed.
> I get the error with both my user, and the default admin user.
> From the same browsers I can successfully access the Web UI of the public
> demo on https://ipa.demo1.freeipa.org/ipa/ui/

Do the machines with browsers have synchronized time with IPA servers?
If a client machine with browser is 20min+ in the future compared to IPA
server, the browser will treat ipa_session cookie as expired because its
validity is auth_time + 20 min.
Could you enable server debug logging [1] and send me entries from
httpd/error_log and krb5kdc.log which were added upon Web UI forms-based
auth with correct username and password?
[1]
https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/html/Linux_Domain_Identity_Authentication_and_Policy_Guide/server-config.html#server-debug
--
Petr Vobornik
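
An added example, not part of the original thread and not FreeIPA code: a clock-skew check for the situation described in the reply, comparing the server's `Date` header with the client's clock and the `ipa_session` cookie's expiry. The header values are constructed, and the sketch assumes the cookie carries an absolute `Expires` attribute set 20 minutes after authentication.

```python
from datetime import datetime, timedelta, timezone
from email.utils import parsedate_to_datetime
from http.cookies import SimpleCookie

# Constructed sample response headers (not captured from a real server).
# The Date value corresponds to authtime 1429921064 from the KDC log above.
SAMPLE_DATE = "Sat, 25 Apr 2015 00:17:44 GMT"
SAMPLE_SET_COOKIE = ("ipa_session=constructed-value; Path=/ipa; "
                     "Expires=Sat, 25 Apr 2015 00:37:44 GMT; Secure; HttpOnly")
SERVER_TIME = datetime.fromtimestamp(1429921064, tz=timezone.utc)


def diagnose(date_header, set_cookie_header, client_now=None,
             cookie_name="ipa_session"):
    """Report client/server clock skew and whether the client's clock
    already places the session cookie past its expiry on arrival."""
    client_now = client_now or datetime.now(timezone.utc)
    server_now = parsedate_to_datetime(date_header)

    jar = SimpleCookie()
    jar.load(set_cookie_header)
    if cookie_name not in jar:
        raise ValueError(f"{cookie_name} missing from Set-Cookie header")
    expires_raw = jar[cookie_name]["expires"]
    if not expires_raw:
        raise ValueError("no Expires attribute; cookie lasts for the browser session")
    expires = parsedate_to_datetime(expires_raw)

    return {
        # Positive skew means the client clock runs ahead of the server.
        "skew_seconds": int((client_now - server_now).total_seconds()),
        # Lifetime as the server intended it.
        "lifetime_seconds": int((expires - server_now).total_seconds()),
        # What the browser concludes using its own clock.
        "client_sees_expired": client_now >= expires,
    }


if __name__ == "__main__":
    for label, offset in (("in sync", timedelta(seconds=5)),
                          ("25 min ahead", timedelta(minutes=25))):
        print(label, diagnose(SAMPLE_DATE, SAMPLE_SET_COOKIE, SERVER_TIME + offset))
```
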