[Freeipa-users] sessions failing when using different hostname

Martin Kosek mkosek at redhat.com
Wed Jun 8 07:29:09 UTC 2016


On 06/01/2016 07:48 PM, Anthony Clark wrote:
> Hello All,
> 
> I've been asked to allow access to our FreeIPA web UI from a more user friendly 
> url than I'm currently using.  So I've set up a CNAME password.example.com 
> for ns01.example.com.
> 
> At the moment, if I go to the real hostname of the FreeIPA server 
> (ns01.example.com), everything works.
> 
> If I go to the new "friendly" url (password.example.com) then upon login I get 
> a "your session has expired please re-login" message.
> 
> Setting debug to true in /etc/ipa/server.conf shows me that the server keeps 
> using new session IDs.  (Host and user names changed to protect the innocent)
> 
> ----- /var/log/httpd/error_log -----
> [Wed Jun 01 17:11:06.237363 2016] [:error] [pid 31491] ipa: DEBUG: WSGI 
> wsgi_dispatch.__call__:
> [Wed Jun 01 17:11:06.237533 2016] [:error] [pid 31491] ipa: DEBUG: WSGI 
> jsonserver_session.__call__:
> [Wed Jun 01 17:11:06.237944 2016] [:error] [pid 31491] ipa: DEBUG: no session 
> cookie found
> [Wed Jun 01 17:11:06.239009 2016] [:error] [pid 31491] ipa: DEBUG: no session id 
> in request, generating empty session data with id=d5bc1c4cab8d3bfaee63b84805147995
> [Wed Jun 01 17:11:06.239466 2016] [:error] [pid 31491] ipa: DEBUG: store 
> session: session_id=d5bc1c4cab8d3bfaee63b84805147995 
> start_timestamp=2016-06-01T17:11:06 access_timestamp=2016-06-01T17:11:06 
> expiration_timestamp=1970-01-01T00:00:00
> [Wed Jun 01 17:11:06.241052 2016] [:error] [pid 31491] ipa: DEBUG: 
> jsonserver_session.__call__: session_id=d5bc1c4cab8d3bfaee63b84805147995 
> start_timestamp=2016-06-01T17:11:06 access_timestamp=2016-06-01T17:11:06 
> expiration_timestamp=1970-01-01T00:00:00
> [Wed Jun 01 17:11:06.241186 2016] [:error] [pid 31491] ipa: DEBUG: no ccache, 
> need login
> [Wed Jun 01 17:11:06.241294 2016] [:error] [pid 31491] ipa: DEBUG: 
> jsonserver_session: 401 Unauthorized need login
> [Wed Jun 01 17:11:24.956791 2016] [:error] [pid 31492] ipa: DEBUG: WSGI 
> wsgi_dispatch.__call__:
> [Wed Jun 01 17:11:24.956992 2016] [:error] [pid 31492] ipa: DEBUG: WSGI 
> login_password.__call__:
> [Wed Jun 01 17:11:24.957381 2016] [:error] [pid 31492] ipa: DEBUG: Obtaining 
> armor ccache: principal=HTTP/ns01.example.com@EXAMPLE.COM 
> keytab=/etc/httpd/conf/ipa.keytab 
> ccache=/var/run/ipa_memcached/krbcc_A_aclark
> [Wed Jun 01 17:11:24.957519 2016] [:error] [pid 31492] ipa: DEBUG: Initializing 
> principal HTTP/ns01.example.com@EXAMPLE.COM using keytab 
> /etc/httpd/conf/ipa.keytab
> [Wed Jun 01 17:11:24.957633 2016] [:error] [pid 31492] ipa: DEBUG: using ccache 
> /var/run/ipa_memcached/krbcc_A_aclark
> [Wed Jun 01 17:11:24.998328 2016] [:error] [pid 31492] ipa: DEBUG: Attempt 1/1: 
> success
> [Wed Jun 01 17:11:24.998531 2016] [:error] [pid 31492] ipa: DEBUG: Initializing 
> principal aclark@EXAMPLE.COM using password
> [Wed Jun 01 17:11:24.998684 2016] [:error] [pid 31492] ipa: DEBUG: Using armor 
> ccache /var/run/ipa_memcached/krbcc_A_aclark for FAST webauth
> [Wed Jun 01 17:11:24.998865 2016] [:error] [pid 31492] ipa: DEBUG: Starting 
> external process
> [Wed Jun 01 17:11:24.998984 2016] [:error] [pid 31492] ipa: DEBUG: 
> args='/usr/bin/kinit' 'aclark@EXAMPLE.COM' '-c' 
> 'FILE:/var/run/ipa_memcached/krbcc_31492' '-T' 
> '/var/run/ipa_memcached/krbcc_A_aclark'
> [Wed Jun 01 17:11:26.079200 2016] [:error] [pid 31492] ipa: DEBUG: Process 
> finished, return code=0
> [Wed Jun 01 17:11:26.079384 2016] [:error] [pid 31492] ipa: DEBUG: 
> stdout=Password for aclark@EXAMPLE.COM:
> [Wed Jun 01 17:11:26.079399 2016] [:error] [pid 31492]
> [Wed Jun 01 17:11:26.079483 2016] [:error] [pid 31492] ipa: DEBUG: stderr=
> [Wed Jun 01 17:11:26.079680 2016] [:error] [pid 31492] ipa: DEBUG: Cleanup the 
> armor ccache
> [Wed Jun 01 17:11:26.079871 2016] [:error] [pid 31492] ipa: DEBUG: Starting 
> external process
> [Wed Jun 01 17:11:26.079983 2016] [:error] [pid 31492] ipa: DEBUG: 
> args='/usr/bin/kdestroy' '-A' '-c' '/var/run/ipa_memcached/krbcc_A_aclark'
> [Wed Jun 01 17:11:26.093954 2016] [:error] [pid 31492] ipa: DEBUG: Process 
> finished, return code=0
> [Wed Jun 01 17:11:26.094113 2016] [:error] [pid 31492] ipa: DEBUG: stdout=
> [Wed Jun 01 17:11:26.094210 2016] [:error] [pid 31492] ipa: DEBUG: stderr=
> [Wed Jun 01 17:11:26.094809 2016] [:error] [pid 31492] ipa: DEBUG: no session 
> cookie found
> [Wed Jun 01 17:11:26.095877 2016] [:error] [pid 31492] ipa: DEBUG: no session id 
> in request, generating empty session data with id=7ab08ba17d30883cff480af9e923cf82
> [Wed Jun 01 17:11:26.096132 2016] [:error] [pid 31492] ipa: DEBUG: store 
> session: session_id=7ab08ba17d30883cff480af9e923cf82 
> start_timestamp=2016-06-01T17:11:26 access_timestamp=2016-06-01T17:11:26 
> expiration_timestamp=1970-01-01T00:00:00
> [Wed Jun 01 17:11:26.096596 2016] [:error] [pid 31492] ipa: DEBUG: 
> finalize_kerberos_acquisition: login_password 
> ccache_name="FILE:/var/run/ipa_memcached/krbcc_31492" 
> session_id="7ab08ba17d30883cff480af9e923cf82"
> [Wed Jun 01 17:11:26.096774 2016] [:error] [pid 31492] ipa: DEBUG: reading 
> ccache data from file "/var/run/ipa_memcached/krbcc_31492"
> [Wed Jun 01 17:11:26.097937 2016] [:error] [pid 31492] ipa: DEBUG: 
> get_credential_times: principal=krbtgt/EXAMPLE.COM@EXAMPLE.COM, 
> authtime=06/01/16 17:11:26, starttime=06/01/16 
> 17:11:26, endtime=06/02/16 17:11:26, renew_till=01/01/70 00:00:00
> [Wed Jun 01 17:11:26.098111 2016] [:error] [pid 31492] ipa: DEBUG: KRB5_CCache 
> FILE:/var/run/ipa_memcached/krbcc_31492 endtime=1464887486 (06/02/16 17:11:26)
> [Wed Jun 01 17:11:26.098361 2016] [:error] [pid 31492] ipa: DEBUG: 
> set_session_expiration_time: duration_type=inactivity_timeout duration=3600 
> max_age=1464887186 expiration=1464804686.1 (2016-06-01T18:11:26)
> [Wed Jun 01 17:11:26.098526 2016] [:error] [pid 31492] ipa: DEBUG: store 
> session: session_id=7ab08ba17d30883cff480af9e923cf82 
> start_timestamp=2016-06-01T17:11:26 access_timestamp=2016-06-01T17:11:26 
> expiration_timestamp=2016-06-01T18:11:26
> [Wed Jun 01 17:11:26.099871 2016] [:error] [pid 31492] ipa: ERROR: 
> release_ipa_ccache: ccache_name (FILE:/var/run/ipa_memcached/krbcc_31492) != 
> KRB5CCNAME environment variable (/var/run/httpd/ipa/krbcache/krb5ccache)
> [Wed Jun 01 17:11:26.163524 2016] [:error] [pid 31491] ipa: DEBUG: WSGI 
> wsgi_dispatch.__call__:
> [Wed Jun 01 17:11:26.163708 2016] [:error] [pid 31491] ipa: DEBUG: WSGI 
> jsonserver_session.__call__:
> [Wed Jun 01 17:11:26.163974 2016] [:error] [pid 31491] ipa: DEBUG: no session 
> cookie found
> [Wed Jun 01 17:11:26.164464 2016] [:error] [pid 31491] ipa: DEBUG: no session id 
> in request, generating empty session data with id=433125db49c7ca9eb286c3ecf605d55d
> [Wed Jun 01 17:11:26.164713 2016] [:error] [pid 31491] ipa: DEBUG: store 
> session: session_id=433125db49c7ca9eb286c3ecf605d55d 
> start_timestamp=2016-06-01T17:11:26 access_timestamp=2016-06-01T17:11:26 
> expiration_timestamp=1970-01-01T00:00:00
> [Wed Jun 01 17:11:26.165181 2016] [:error] [pid 31491] ipa: DEBUG: 
> jsonserver_session.__call__: session_id=433125db49c7ca9eb286c3ecf605d55d 
> start_timestamp=2016-06-01T17:11:26 access_timestamp=2016-06-01T17:11:26 
> expiration_timestamp=1970-01-01T00:00:00
> [Wed Jun 01 17:11:26.165301 2016] [:error] [pid 31491] ipa: DEBUG: no ccache, 
> need login
> [Wed Jun 01 17:11:26.165401 2016] [:error] [pid 31491] ipa: DEBUG: 
> jsonserver_session: 401 Unauthorized need login
> ----- /var/log/httpd/error_log -----
> 
> I'm somewhat at a loss to debug this further.  I was wondering if the session 
> storage is somehow bound to the original host name.  Is there a way to check 
> and/or configure this?
> 
> Alternatively is there a guide out there for enabling additional host names for 
> the web UI in FreeIPA?

Good question. I see there has been no reply to this thread yet (note that most
of the developers are finishing the FreeIPA 4.4 release), so I am CCing Petr to
advise.

Martin
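
Added example (not part of the original thread, and not FreeIPA code): a small Python check that reads debug output in the error_log format quoted above and reports each point where a session was stored with a real expiry but a later request was issued a fresh session id. The names `unwrap` and `find_dropped_sessions` and the sample lines are constructed for illustration; treating an expiry other than 1970-01-01T00:00:00 as "session established" is an assumption drawn from the quoted log.

```python
import re

# Constructed sample in the quoted error_log format (mail-wrapped, ids shortened).
SAMPLE = """\
> [Wed Jun 01 17:11:26.096132 2016] [:error] [pid 31492] ipa: DEBUG: store
> session: session_id=bbbb2222 start_timestamp=2016-06-01T17:11:26
> expiration_timestamp=1970-01-01T00:00:00
> [Wed Jun 01 17:11:26.098526 2016] [:error] [pid 31492] ipa: DEBUG: store
> session: session_id=bbbb2222 start_timestamp=2016-06-01T17:11:26
> expiration_timestamp=2016-06-01T18:11:26
> [Wed Jun 01 17:11:26.163974 2016] [:error] [pid 31491] ipa: DEBUG: no session
> cookie found
> [Wed Jun 01 17:11:26.164464 2016] [:error] [pid 31491] ipa: DEBUG: no session id
> in request, generating empty session data with id=cccc3333
"""

ENTRY = re.compile(r"^\[[^\]]+\] \[:error\] \[pid (\d+)\] ipa: \w+: (.*)$")
STORE = re.compile(r"store session: session_id=(\w+) .*expiration_timestamp=(\S+)")
NEW_ID = re.compile(r"generating empty session data with id=(\w+)")
EPOCH = "1970-01-01T00:00:00"  # expiry the log shows for freshly generated, empty sessions

def unwrap(text):
    """Strip '> ' quoting and rejoin wrapped lines: one string per log entry."""
    entries = []
    for raw in text.splitlines():
        line = re.sub(r"^>\s?", "", raw).strip()
        if not line or line.startswith("-----"):
            continue
        if line.startswith("[") or not entries:
            entries.append(line)
        else:
            entries[-1] += " " + line
    return entries

def find_dropped_sessions(text):
    """Pairs (established_id, fresh_id): a session stored with a real expiry,
    then a later request that carried no session id and was issued a new one."""
    established, dropped = None, []
    for entry in unwrap(text):
        m = ENTRY.match(entry)
        if not m:
            continue
        stored, fresh = STORE.search(m.group(2)), NEW_ID.search(m.group(2))
        if stored and stored.group(2) != EPOCH:
            established = stored.group(1)
        elif fresh and established and fresh.group(1) != established:
            dropped.append((established, fresh.group(1)))
            established = None
    return dropped
```

Calling `find_dropped_sessions()` on the contents of /var/log/httpd/error_log (with debug enabled) lists each session id that was established and then not presented by the next request.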



