[Freeipa-users] Web Interface issues on Free-IPA 3.0.0-47/ LDAP Sync issues

Mitchell, Stuart mitchell at hpe.com
Tue Apr 19 14:56:21 UTC 2016



> -----Original Message-----
> From: Petr Vobornik [mailto:pvoborni at redhat.com]
> Sent: 19 April 2016 15:26
> To: Mitchell, Stuart <mitchell at hpe.com>; freeipa-users at redhat.com
> Subject: Re: [Freeipa-users] Web Interface issues on Free-IPA 3.0.0-47/ LDAP
> Sync issues
> 
> On 04/19/2016 03:35 PM, Mitchell, Stuart wrote:
> > Hello,
> >
> > We are having issues with the web interface on our free-ipa servers. When
> > we try to log in to the GUI it reports that the session has timed out. We
> > have checked the date and time is synced with NTP. We have restarted the
> > IPA services and the same issues occur. We have 4 Free-IPA servers all
> > configured as masters, all 4 show the same web GUI login issues. 3 of the
> > servers replicate the database from the primary Free-IPA server which
> > connects to the AD domain using winsync. We cannot upgrade to a newer
> > version of Free-IPA and looking at previous mailing list entries version 4
> > has the same issues crop up. I have followed the steps that were suggested
> > for version 4 and nothing is resolving the login issues to the WebGUI. We
> > can administer the users and hosts from the command line without issues.
> >
> > We also are seeing issues on one of the IPA servers that will not sync with
> > the primary master server. When we try to force a sync we get an error
> > "Update Failed! Status : [ -1 . LDAP server is not contactable", when we
> > expect to see "Update Successful".
> > This appears after multiple "Update in progress" messages are shown (the
> > command we are using is
> > "ipa-replica-manage re-initialize --from <primary master>"). When we have
> > the services running on the failing server it stops users being able to
> > log in to clients that authenticate from that failing Free-IPA server.
> > Once we stop the IPA services on the failing server the issues clear up.
> > If we use the "ipa user-status <username>" command we can see failed
> > login attempts on the server we cannot re-initialize.
> >
> > These servers have been running for at least 6 months without any issues,
> > so network ports between them are all open.
> >
> >
> > Regards
> >
> > Stuart
> >
> 
> "session has timed out." usually means that there is an issue with
> authentication. In recent (Fedora, upstream) IPA versions the message was
> improved so that it distinguishes reasons better.
> 
> I would try to login to ipa with a new "private"/"incognito" window of a
> browser to try to login without any existing cookies.
> 
> If login attempt succeeds then it might indicate a bug which was fixed
> upstream recently.
> 
> If it doesn't help, then enable debug level on a server
> https://www.freeipa.org/page/Troubleshooting#Administration_Framework
> and examine/send sanitized snippet of /var/log/httpd/error_log which is
> relevant to the authentication attempt.
> --
> Petr Vobornik

Thanks Petr,

Going incognito has resolved the session errors with logging into the webgui.

Regards

Stuart



