Hi Martin That is great. However you may wish to qualify what "significant" is.
In the case of the original clock-skew problems (between the IPA LDAP Server and sssd clients on other servers), a skew in the order of 5 minutes was enough to prevent us sshing into our servers with an ldap user. You might also want to repeat the hint that if the FreeIPA Server is running in a VM, it must NEVER be a NTPD server for other servers, as VMs are notorious for bad time keeping. Cheers Chris From: Martin Kosek <mko...@redhat.com> To: Christopher Lamb/Switzerland/IBM@IBMCH, email@example.com Date: 28.04.2015 14:13 Subject: Re: [Freeipa-users] Fw: Web ui error “Your session has expired. Please re-login.” from a browser on a remote client. On 04/27/2015 06:09 PM, Christopher Lamb wrote: > > Hi All > > I may have found a possible cause of our instance of the "Your session has > expired" Web UI error on our new FreeIPA 4.1.0 Server > > By chance I checked the date on the server hosting FreeIPA 4.1.0. To my > surprise, despite running ntpd it was 2 hours in the future! > > Some moons ago we suffering from clock-skew problems, and had spent a lot > of time understanding ntp, and setting up an optimal ntp > architecture /config. We were able to completely eliminate clock-skew > across all our servers. > > Digging into the /etc/ntp.conf file I saw that FreeIPA had replaced our 4 > NTPD servers with 4 RedHat NTPD servers. > > Therefore I returned the /etc/ntp.conf file to our default, restarted ntpd, > and time was correct again. > > Subsequent to this (at least at various points today) I have been able to > successfully log into the Web UI from Firefox and Safari on OSX, and > Firefox on Windows. On both platforms Chrome (not supported) does not work. > > I confess I have not had the time to return to the FreeIPA ntp config to > see if the 2 hour offset + Web UI session problem can be reproduced, so at > the moment this remains a credible, but not proven hypothesis. > > However I guess that 2 hour offset probably comes from the 2 hour > difference between UTC and European Summertime. > > I think it would be great if the changes made by FreeIPA setup to ntp.conf > were optional - we care strongly about the content of that file! > > Cheers > > Chris Good to know. I updated the Troubleshooting page with this tip: https://www.freeipa.org/page/Troubleshooting#Cannot_authenticate_to_Web_UI Thanks! Martin -- Manage your subscription for the Freeipa-users mailing list: https://www.redhat.com/mailman/listinfo/freeipa-users Go to http://freeipa.org for more info on the project