URL: https://github.com/freeipa/freeipa/pull/649
Title: #649: Session cookie storage and handling fixes

abbra commented:
"""
I tested the whole patchset. It worked for me the first time I got an expired cookie. However, it broke about 10 minutes afterwards -- apparently, the keyring ccache was empty, according to `klist`. After a few more minutes I was able to list the TGT from the same ccache and the `ipa` CLI worked again.

I suspect we created something that the MIT Kerberos library does not really understand.

```text
[10609] 1490339971.189122: Storing config in KEYRING:persistent:0:krb_ccache_uA6VDOR for ad...@xs.ipa.cool: X-IPA-Session-Cookie: ipa_session=MagBearerToken=NtVuqNjq7jKtuDiw9lDSxHI%2frs5vd4UZ9o1sSZjDAemTImufljlG66i3l6MgA%2fmxtC0kPQgUqUEVcFJ04GWKOzK%2bYeTTEeAXrs59sNUq4VZzmRDTbLW%2by9ccodzlUdoeIiDVKdJsGHlBKyKTtcm1UW0a0LY%2bQLJscOQImQOlNpJ%2bxFs3szGU5w1rFbjQPwp6\x00
[10609] 1490339971.189156: Storing ad...@xs.ipa.cool -> krb5_ccache_conf_data/X-IPA-Session-Cookie/admin\@XS.IPA.COOL@X-CACHECONF: in KEYRING:persistent:0:krb_ccache_uA6VDOR
```

... some time later, in a different execution of `ipa user-show` ...

```text
ipa: DEBUG: New HTTP connection (nyx.xs.ipa.cool)
ipa: DEBUG: HTTP connection destroyed (nyx.xs.ipa.cool)
Traceback (most recent call last):
  File "/usr/lib/python2.7/site-packages/ipalib/rpc.py", line 676, in single_request
    self.get_auth_info()
  File "/usr/lib/python2.7/site-packages/ipalib/rpc.py", line 628, in get_auth_info
    self._handle_exception(e, service=service)
  File "/usr/lib/python2.7/site-packages/ipalib/rpc.py", line 585, in _handle_exception
    raise errors.CCacheError()
CCacheError: did not receive Kerberos credentials
ipa: DEBUG: Destroyed connection context.rpcclient_140537682029648
ipa: ERROR: did not receive Kerberos credentials
[root@nyx ~]# klist
Ticket cache: KEYRING:persistent:0:krb_ccache_uA6VDOR
Default principal: ad...@xs.ipa.cool

Valid starting Expires Service principal
klist: No credentials cache found while retrieving a ticket
```

.... some time afterwards, without running `kinit` ....

```text
[root@nyx ~]# klist
Ticket cache: KEYRING:persistent:0:krb_ccache_uA6VDOR
Default principal: ad...@xs.ipa.cool

Valid starting Expires Service principal
03/24/2017 08:07:02 03/25/2017 08:06:56 krbtgt/xs.ipa.c...@xs.ipa.cool
```

.... and running `ipa user-show` now succeeds in retrieving the old cookie, invalidating it, negotiating a new one, and storing it ....

```text
[10747] 1490340689.131026: Storing config in KEYRING:persistent:0:krb_ccache_uA6VDOR for ad...@xs.ipa.cool: X-IPA-Session-Cookie: ipa_session=MagBearerToken=J9aCtYUAsRFpJJhrMu4x4E2gwA2ojJOPdYT7iN7GtTyec7%2fj9lW1LyzgpLhjawaCa9MsK%2btOPDF6mKTsCSJqey3vhgY35ezg8Cwzbln6yGr0kPfDCWoxSQGYWx%2fSSIRVltu8akoXu1NvzP1%2bF0NEFrdzGi2%2bZDZXRFvUC5UpLg%2b3JMg5ZNExYlr%2bLHHQpAJh\x00
[10747] 1490340689.131071: Storing ad...@xs.ipa.cool -> krb5_ccache_conf_data/X-IPA-Session-Cookie/admin\@XS.IPA.COOL@X-CACHECONF: in KEYRING:persistent:0:krb_ccache_uA6VDOR
```
"""

See the full comment at https://github.com/freeipa/freeipa/pull/649#issuecomment-288954010