[Freeipa-users] Fw: Web ui error “Your session has expired. Please re-login.” from a browser on a remote client.

Martin Basti mbasti at redhat.com
Mon Apr 27 16:23:47 UTC 2015


Hello, comments inline

Martin

On 27/04/15 18:09, Christopher Lamb wrote:
> Hi All
>
> I may have found a possible cause of our instance of the "Your session has
> expired" Web UI error on our new FreeIPA 4.1.0 Server
>
> By chance I checked the date on the server hosting FreeIPA 4.1.0. To my
> surprise, despite running ntpd it was 2 hours in the future!
Yes, time is important for successful Kerberos login.
>
> Some moons ago we were suffering from clock-skew problems, and had spent a lot
> of time understanding ntp, and setting up an optimal ntp
> architecture/config. We were able to completely eliminate clock-skew
> across all our servers.
>
> Digging into the /etc/ntp.conf file I saw that FreeIPA had replaced our 4
> NTPD servers with 4 RedHat NTPD servers.
We plan to fix this in a new version.
>
> Therefore I returned the /etc/ntp.conf file to our default, restarted ntpd,
> and time was correct again.
>
> Subsequent to this (at least at various points today) I have been able to
> successfully log into the Web UI from Firefox and Safari on OSX, and
> Firefox on Windows. On both platforms Chrome (not supported) does not work.
>
> I confess I have not had the time to return to the FreeIPA ntp config to
> see if the 2 hour offset + Web UI session problem can be reproduced, so at
> the moment this remains a credible, but not proven hypothesis.
>
> However I guess that 2 hour offset probably comes from the 2 hour
> difference between UTC and European Summertime.
>
> I think it would be great if the changes made by FreeIPA setup to ntp.conf
> were optional - we care strongly about the content of that file!

ipa-server-install

-N, --no-ntp        do not configure ntp
>
> Cheers
>
> Chris
>
>
> ----- Forwarded by Christopher Lamb/Switzerland/IBM on 27.04.2015 15:36
> -----
>
> From:	Christopher Lamb/Switzerland/IBM at IBMCH
> To:	freeipa-users at redhat.com
> Date:	26.04.2015 01:29
> Subject:	[Freeipa-users] Web ui error “Your session has expired. Please
>              re-login.” from a browser on a remote client.
> Sent by:	freeipa-users-bounces at redhat.com
>
>
>
>
> Hi All
>
> I too am suffering from the infamous Web ui error “Your session has
> expired. Please re-login.” from browser(s) on remote client(s),
> similar to the existing tickets:
>
> https://www.redhat.com/archives/freeipa-users/2015-March/msg00211.html
> https://www.redhat.com/archives/freeipa-users/2015-February/msg00315.html
> https://www.redhat.com/archives/freeipa-users/2015-April/msg00047.html
>
> We have 2 FreeIPA installations:
> An “Old”, soon to be decommissioned v3.0.0, on OEL 6.5
> The “new” instance, v4.1.0, on a fresh install of OEL 7.0
>
> The error occurs on both instances.
>
> I get the error from OSX and Windows clients (Firefox, Chrome, Safari, IE
> etc)
> Very sporadically one of the above browsers will “let me in” - If I cycle
> through all the browsers on various workstations / laptops on my desk
> sometimes I get lucky and one will work.
>
> kinit in a ssh session works.
>
> SELinux is disabled.
>
> All IPA Services are running.
>
> I can find no error(s) in /var/log/httpd/error_log
>
> In /var/log/krb5kdc.log I get entries like:
> Apr 25 02:17:44 ldap2.xxx-xx.xx.xx.com krb5kdc[1933](info): TGS_REQ (6
> etypes {18 17 16 23 25 26}) 9.159.8.200: ISSUE: authtime 1429921064, etypes
> {rep=18 tkt=18 ses=18}, yyy at XXX-XX.XX.XX.COM for
> HTTP/bsc-ldap2.xxx-xx.xx.xxx.com at XXX-XX.XX.XXX.COM
> Apr 25 02:17:44 ldap2.xxx-xx.xx.xxx.com krb5kdc[1933](info): closing down
> fd 12
>
> If I enter a wrong password, I correctly get “The password or username you
> entered is incorrect.”, + errors in /var/log/httpd/error_log
>
> None of the browsers have a krb5 ticket installed.
>
> I get the error with both my user, and the default admin user.
>
> From the same browsers I can successfully access the Web UI of the public
> demo on https://ipa.demo1.freeipa.org/ipa/ui/
>


-- 
Martin Basti
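
The thread above describes an installer replacing the site's time servers in /etc/ntp.conf, followed by a 2 hour clock offset. As an added example (not part of either message and not FreeIPA code), the following check compares the time sources in ntp.conf content against a site baseline so that such a replacement is noticed. All hostnames and the sample file content are constructed for illustration.

```python
"""Added example: report when ntp.conf time sources differ from a site baseline."""

# ntp.conf directives that name a time source.
SOURCE_DIRECTIVES = {"server", "pool", "peer"}

# Constructed baseline: the four servers a site expects to be configured.
SITE_BASELINE = ["ntp1.corp.example", "ntp2.corp.example",
                 "ntp3.corp.example", "ntp4.corp.example"]

# Constructed sample of an ntp.conf after an installer rewrote the server lines.
REPLACED_CONF = """\
# site servers, commented out in this constructed sample
#server ntp1.corp.example iburst
server 0.vendor-pool.example iburst
server 1.vendor-pool.example iburst
server -4 2.vendor-pool.example iburst
server 3.vendor-pool.example
server 127.127.1.0
fudge 127.127.1.0 stratum 10
"""


def ntp_sources(conf_text):
    """Return the set of remote time-source hosts named in ntp.conf content."""
    sources = set()
    for raw in conf_text.splitlines():
        fields = raw.split("#", 1)[0].split()      # drop comments, tokenize
        if len(fields) < 2 or fields[0] not in SOURCE_DIRECTIVES:
            continue
        # Skip leading address-family options such as -4 / -6.
        args = [f for f in fields[1:] if not f.startswith("-")]
        if not args:
            continue
        host = args[0].lower()
        # 127.127.x.y are ntpd reference-clock drivers, not remote servers.
        if not host.startswith("127.127."):
            sources.add(host)
    return sources


def drift(conf_text, baseline):
    """Return sources that are configured but unexpected, and expected but missing."""
    found = ntp_sources(conf_text)
    expected = {h.lower() for h in baseline}
    return {"unexpected": sorted(found - expected),
            "missing": sorted(expected - found)}


if __name__ == "__main__":
    with open("/etc/ntp.conf") as fh:
        print(drift(fh.read(), SITE_BASELINE))
```

Run after installation or from configuration management; a non-empty "unexpected" or "missing" list means the time sources are no longer the ones the site chose.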



