[Freeipa-users] sessions failing when using different hostname

Anthony Clark anthonyclarka2 at gmail.com
Wed Jun 1 17:48:34 UTC 2016


Hello All,

I've been asked to allow access to our FreeIPA web UI from a more
user-friendly URL than I'm currently using.  So I've set up a CNAME
password.example.com for ns01.example.com.

At the moment, if I go to the real hostname of the FreeIPA server (
ns01.example.com), everything works.

If I go to the new "friendly" URL (password.example.com) then upon login I
get a "your session has expired please re-login" message.

Setting debug to true in /etc/ipa/server.conf shows me that the server
keeps using new session IDs.  (Host and user names changed to protect the
innocent)

----- /var/log/httpd/error_log -----
[Wed Jun 01 17:11:06.237363 2016] [:error] [pid 31491] ipa: DEBUG: WSGI
wsgi_dispatch.__call__:
[Wed Jun 01 17:11:06.237533 2016] [:error] [pid 31491] ipa: DEBUG: WSGI
jsonserver_session.__call__:
[Wed Jun 01 17:11:06.237944 2016] [:error] [pid 31491] ipa: DEBUG: no
session cookie found
[Wed Jun 01 17:11:06.239009 2016] [:error] [pid 31491] ipa: DEBUG: no
session id in request, generating empty session data with
id=d5bc1c4cab8d3bfaee63b84805147995
[Wed Jun 01 17:11:06.239466 2016] [:error] [pid 31491] ipa: DEBUG: store
session: session_id=d5bc1c4cab8d3bfaee63b84805147995
start_timestamp=2016-06-01T17:11:06 access_timestamp=2016-06-01T17:11:06
expiration_timestamp=1970-01-01T00:00:00
[Wed Jun 01 17:11:06.241052 2016] [:error] [pid 31491] ipa: DEBUG:
jsonserver_session.__call__: session_id=d5bc1c4cab8d3bfaee63b84805147995
start_timestamp=2016-06-01T17:11:06 access_timestamp=2016-06-01T17:11:06
expiration_timestamp=1970-01-01T00:00:00
[Wed Jun 01 17:11:06.241186 2016] [:error] [pid 31491] ipa: DEBUG: no
ccache, need login
[Wed Jun 01 17:11:06.241294 2016] [:error] [pid 31491] ipa: DEBUG:
jsonserver_session: 401 Unauthorized need login
[Wed Jun 01 17:11:24.956791 2016] [:error] [pid 31492] ipa: DEBUG: WSGI
wsgi_dispatch.__call__:
[Wed Jun 01 17:11:24.956992 2016] [:error] [pid 31492] ipa: DEBUG: WSGI
login_password.__call__:
[Wed Jun 01 17:11:24.957381 2016] [:error] [pid 31492] ipa: DEBUG:
Obtaining armor ccache: principal=HTTP/ns01.example.com@EXAMPLE.COM
keytab=/etc/httpd/conf/ipa.keytab
ccache=/var/run/ipa_memcached/krbcc_A_aclark
[Wed Jun 01 17:11:24.957519 2016] [:error] [pid 31492] ipa: DEBUG:
Initializing principal HTTP/ns01.example.com@EXAMPLE.COM using keytab
/etc/httpd/conf/ipa.keytab
[Wed Jun 01 17:11:24.957633 2016] [:error] [pid 31492] ipa: DEBUG: using
ccache /var/run/ipa_memcached/krbcc_A_aclark
[Wed Jun 01 17:11:24.998328 2016] [:error] [pid 31492] ipa: DEBUG: Attempt
1/1: success
[Wed Jun 01 17:11:24.998531 2016] [:error] [pid 31492] ipa: DEBUG:
Initializing principal aclark@EXAMPLE.COM using password
[Wed Jun 01 17:11:24.998684 2016] [:error] [pid 31492] ipa: DEBUG: Using
armor ccache /var/run/ipa_memcached/krbcc_A_aclark for FAST webauth
[Wed Jun 01 17:11:24.998865 2016] [:error] [pid 31492] ipa: DEBUG: Starting
external process
[Wed Jun 01 17:11:24.998984 2016] [:error] [pid 31492] ipa: DEBUG:
args='/usr/bin/kinit' 'aclark@EXAMPLE.COM' '-c'
'FILE:/var/run/ipa_memcached/krbcc_31492' '-T'
'/var/run/ipa_memcached/krbcc_A_aclark'
[Wed Jun 01 17:11:26.079200 2016] [:error] [pid 31492] ipa: DEBUG: Process
finished, return code=0
[Wed Jun 01 17:11:26.079384 2016] [:error] [pid 31492] ipa: DEBUG:
stdout=Password for aclark@EXAMPLE.COM:
[Wed Jun 01 17:11:26.079399 2016] [:error] [pid 31492]
[Wed Jun 01 17:11:26.079483 2016] [:error] [pid 31492] ipa: DEBUG: stderr=
[Wed Jun 01 17:11:26.079680 2016] [:error] [pid 31492] ipa: DEBUG: Cleanup
the armor ccache
[Wed Jun 01 17:11:26.079871 2016] [:error] [pid 31492] ipa: DEBUG: Starting
external process
[Wed Jun 01 17:11:26.079983 2016] [:error] [pid 31492] ipa: DEBUG:
args='/usr/bin/kdestroy' '-A' '-c' '/var/run/ipa_memcached/krbcc_A_aclark'
[Wed Jun 01 17:11:26.093954 2016] [:error] [pid 31492] ipa: DEBUG: Process
finished, return code=0
[Wed Jun 01 17:11:26.094113 2016] [:error] [pid 31492] ipa: DEBUG: stdout=
[Wed Jun 01 17:11:26.094210 2016] [:error] [pid 31492] ipa: DEBUG: stderr=
[Wed Jun 01 17:11:26.094809 2016] [:error] [pid 31492] ipa: DEBUG: no
session cookie found
[Wed Jun 01 17:11:26.095877 2016] [:error] [pid 31492] ipa: DEBUG: no
session id in request, generating empty session data with
id=7ab08ba17d30883cff480af9e923cf82
[Wed Jun 01 17:11:26.096132 2016] [:error] [pid 31492] ipa: DEBUG: store
session: session_id=7ab08ba17d30883cff480af9e923cf82
start_timestamp=2016-06-01T17:11:26 access_timestamp=2016-06-01T17:11:26
expiration_timestamp=1970-01-01T00:00:00
[Wed Jun 01 17:11:26.096596 2016] [:error] [pid 31492] ipa: DEBUG:
finalize_kerberos_acquisition: login_password
ccache_name="FILE:/var/run/ipa_memcached/krbcc_31492"
session_id="7ab08ba17d30883cff480af9e923cf82"
[Wed Jun 01 17:11:26.096774 2016] [:error] [pid 31492] ipa: DEBUG: reading
ccache data from file "/var/run/ipa_memcached/krbcc_31492"
[Wed Jun 01 17:11:26.097937 2016] [:error] [pid 31492] ipa: DEBUG:
get_credential_times: principal=krbtgt/EXAMPLE.COM@EXAMPLE.COM,
authtime=06/01/16 17:11:26, starttime=06/01/16 17:11:26, endtime=06/02/16
17:11:26, renew_till=01/01/70 00:00:00
[Wed Jun 01 17:11:26.098111 2016] [:error] [pid 31492] ipa: DEBUG:
KRB5_CCache FILE:/var/run/ipa_memcached/krbcc_31492 endtime=1464887486
(06/02/16 17:11:26)
[Wed Jun 01 17:11:26.098361 2016] [:error] [pid 31492] ipa: DEBUG:
set_session_expiration_time: duration_type=inactivity_timeout duration=3600
max_age=1464887186 expiration=1464804686.1 (2016-06-01T18:11:26)
[Wed Jun 01 17:11:26.098526 2016] [:error] [pid 31492] ipa: DEBUG: store
session: session_id=7ab08ba17d30883cff480af9e923cf82
start_timestamp=2016-06-01T17:11:26 access_timestamp=2016-06-01T17:11:26
expiration_timestamp=2016-06-01T18:11:26
[Wed Jun 01 17:11:26.099871 2016] [:error] [pid 31492] ipa: ERROR:
release_ipa_ccache: ccache_name (FILE:/var/run/ipa_memcached/krbcc_31492)
!= KRB5CCNAME environment variable (/var/run/httpd/ipa/krbcache/krb5ccache)
[Wed Jun 01 17:11:26.163524 2016] [:error] [pid 31491] ipa: DEBUG: WSGI
wsgi_dispatch.__call__:
[Wed Jun 01 17:11:26.163708 2016] [:error] [pid 31491] ipa: DEBUG: WSGI
jsonserver_session.__call__:
[Wed Jun 01 17:11:26.163974 2016] [:error] [pid 31491] ipa: DEBUG: no
session cookie found
[Wed Jun 01 17:11:26.164464 2016] [:error] [pid 31491] ipa: DEBUG: no
session id in request, generating empty session data with
id=433125db49c7ca9eb286c3ecf605d55d
[Wed Jun 01 17:11:26.164713 2016] [:error] [pid 31491] ipa: DEBUG: store
session: session_id=433125db49c7ca9eb286c3ecf605d55d
start_timestamp=2016-06-01T17:11:26 access_timestamp=2016-06-01T17:11:26
expiration_timestamp=1970-01-01T00:00:00
[Wed Jun 01 17:11:26.165181 2016] [:error] [pid 31491] ipa: DEBUG:
jsonserver_session.__call__: session_id=433125db49c7ca9eb286c3ecf605d55d
start_timestamp=2016-06-01T17:11:26 access_timestamp=2016-06-01T17:11:26
expiration_timestamp=1970-01-01T00:00:00
[Wed Jun 01 17:11:26.165301 2016] [:error] [pid 31491] ipa: DEBUG: no
ccache, need login
[Wed Jun 01 17:11:26.165401 2016] [:error] [pid 31491] ipa: DEBUG:
jsonserver_session: 401 Unauthorized need login
----- /var/log/httpd/error_log -----

I'm somewhat at a loss to debug this further.  I was wondering if the
session storage is somehow bound to the original host name.  Is there a way
to check and/or configure this?

Alternatively is there a guide out there for enabling additional host names
for the web UI in FreeIPA?

Thanks,

Anthony Clark
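
The pattern in the error_log above can be picked out mechanically: login_password issues a session ID, and the next jsonserver_session request arrives without a session cookie and is given a fresh ID. The Python below is an added example, not part of the original post or of FreeIPA; the function names are hypothetical and the sample is a constructed, shortened excerpt of the log lines quoted in the post.

```python
import re

# Constructed sample: shortened excerpt of the error_log quoted in the post;
# the last "no session id" record is left mail-wrapped on purpose.
SAMPLE = """\
[Wed Jun 01 17:11:06.237533 2016] [:error] [pid 31491] ipa: DEBUG: WSGI jsonserver_session.__call__:
[Wed Jun 01 17:11:06.239009 2016] [:error] [pid 31491] ipa: DEBUG: no session id in request, generating empty session data with id=d5bc1c4cab8d3bfaee63b84805147995
[Wed Jun 01 17:11:24.956992 2016] [:error] [pid 31492] ipa: DEBUG: WSGI login_password.__call__:
[Wed Jun 01 17:11:26.095877 2016] [:error] [pid 31492] ipa: DEBUG: no session id in request, generating empty session data with id=7ab08ba17d30883cff480af9e923cf82
[Wed Jun 01 17:11:26.096596 2016] [:error] [pid 31492] ipa: DEBUG: finalize_kerberos_acquisition: login_password ccache_name="FILE:/var/run/ipa_memcached/krbcc_31492" session_id="7ab08ba17d30883cff480af9e923cf82"
[Wed Jun 01 17:11:26.163708 2016] [:error] [pid 31491] ipa: DEBUG: WSGI jsonserver_session.__call__:
[Wed Jun 01 17:11:26.164464 2016] [:error] [pid 31491] ipa: DEBUG: no
session id in request, generating empty session data with
id=433125db49c7ca9eb286c3ecf605d55d
[Wed Jun 01 17:11:26.165401 2016] [:error] [pid 31491] ipa: DEBUG: jsonserver_session: 401 Unauthorized need login
"""

REC = re.compile(r"^\[(?P<ts>[^\]]+)\] \[[^\]]*\] \[pid (?P<pid>\d+)\] (?:ipa: \w+: )?(?P<msg>.*)$")
HANDLER = re.compile(r"WSGI (\w+)\.__call__")
LOGIN = re.compile(r'finalize_kerberos_acquisition: .*session_id="([0-9a-f]+)"')
NEW = re.compile(r"generating empty session data with id=([0-9a-f]+)")

def records(text):
    """Rejoin wrapped lines; a new record starts with '[Day Mon DD'."""
    out = []
    for line in text.splitlines():
        if re.match(r"\[\w{3} \w{3} \d", line) or not out:
            out.append(line.strip())
        else:
            out[-1] += " " + line.strip()
    return out

def dropped_sessions(text):
    """Find login sessions that the next jsonserver_session request did not present."""
    handler, pending, findings = {}, None, []
    for rec in records(text):
        m = REC.match(rec)
        if not m:
            continue
        pid, msg = m["pid"], m["msg"]
        if (h := HANDLER.search(msg)) and h[1] != "wsgi_dispatch":
            handler[pid] = h[1]          # which WSGI app this worker is serving
        elif l := LOGIN.search(msg):
            pending = l[1]               # session ID issued by login_password
        elif (n := NEW.search(msg)) and pending and handler.get(pid) == "jsonserver_session":
            findings.append({"time": m["ts"], "login_session": pending, "replaced_by": n[1]})
            pending = None
    return findings
```

A non-empty result means the request following login carried no session cookie, so the login session was never looked up; comparing the login response's Set-Cookie header against the hostname in the browser is the next check.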