On Mon, 2022-02-07 at 11:41 +0200, Alexander Bokovoy wrote:
>
> I think timer should be enabled during package upgrades.

Only upgrades? So on a machine's first installation of ipa-server, the timer is not enabled? Is that the desired behaviour? Doesn't seem like it should be.

> You could have just re-run
>
> systemd-tmpfiles --create /usr/lib/tmpfiles.d/ipa.conf

Indeed.

> This should have been run on a server restart as well.

Yes it should, and I will be paying close attention at next reboot to ensure that it does.

> This (Failed to unseal session data) means there is wrong key used by
> mod_auth_gssapi to encrypt the original session and to decrypt it
> now.

Where is this encrypted session stored?

> I
> can only assume you have been restarting server or its components and
> /etc/httpd/alias/ipasession.key got regenerated?

Actually not really. On the non-webUI-functioning server:

# ls -l /etc/httpd/alias/ipasession.key
-rw-------. 1 root root 32 Jan 31 18:28 /etc/httpd/alias/ipasession.key
# uptime
 07:08:31 up 1 day, 21:04, 2 users, load average: 0.12, 0.26, 0.31

So clearly that didn't get regenerated on the last reboot. Indeed, it looks like it has not been regenerated since the replica was created:

# ls -l /var/log/ipareplica-install.log
-rw-------. 1 root root 5786278 Jan 31 18:36 /var/log/ipareplica-install.log

Same situation on my working replica:

# ls -l /etc/httpd/alias/ipasession.key
-rw-------. 1 root root 32 Jan 17 14:30 /etc/httpd/alias/ipasession.key
# uptime
 07:02:12 up 13 days, 21:31, 4 users, load average: 0.17, 0.24, 0.16
# ls -l /var/log/ipareplica-install.log
-rw-------. 1 root root 5736458 Jan 17 14:36 /var/log/ipareplica-install.log

So indeed, this key has not been changed since the replica was originally created.

> When doing tests with reboot/removal, it is best to clear cookies on the
> client side as well.

Meaning cookies on the browser?

> on reboot gssproxy session key is regenerated,

But clearly given the above, on both my working and non-working replicas, this is not actually the case.

> so all files from
> /run/ipa/ccaches should be invalid.

Right.

> But since /run/ipa/ccaches is tmpfs,
> they'll be removed automatically.

Indeed.

Cheers,
b.
_______________________________________________
FreeIPA-users mailing list
