Hi Martin

That is great. However, you may wish to qualify what "significant" is.

In the case of the original clock-skew problems (between the IPA LDAP
Server and sssd clients on other servers), a skew in the order of 5 minutes
was enough to prevent us sshing into our servers with an ldap user.

You might also want to repeat the hint that if the FreeIPA Server is
running in a VM, it must NEVER be an NTPD server for other servers, as VMs
are notorious for bad time keeping.

Cheers

Chris



From:   Martin Kosek <mko...@redhat.com>
To:     Christopher Lamb/Switzerland/IBM@IBMCH,
            freeipa-users@redhat.com
Date:   28.04.2015 14:13
Subject:        Re: [Freeipa-users] Fw:  Web ui error “Your session has
            expired. Please re-login.” from a browser on a remote client.



On 04/27/2015 06:09 PM, Christopher Lamb wrote:
>
> Hi All
>
> I may have found a possible cause of our instance of the "Your session has
> expired" Web UI error on our new FreeIPA 4.1.0 Server.
>
> By chance I checked the date on the server hosting FreeIPA 4.1.0. To my
> surprise, despite running ntpd it was 2 hours in the future!
>
> Some moons ago we were suffering from clock-skew problems, and had spent a
> lot of time understanding ntp, and setting up an optimal ntp
> architecture/config. We were able to completely eliminate clock-skew
> across all our servers.
>
> Digging into the /etc/ntp.conf file I saw that FreeIPA had replaced our 4
> NTPD servers with 4 RedHat NTPD servers.
>
> Therefore I returned the /etc/ntp.conf file to our default, restarted ntpd,
> and time was correct again.
>
> Subsequent to this (at least at various points today) I have been able to
> successfully log into the Web UI from Firefox and Safari on OSX, and
> Firefox on Windows. On both platforms Chrome (not supported) does not work.
>
> I confess I have not had the time to return to the FreeIPA ntp config to
> see if the 2 hour offset + Web UI session problem can be reproduced, so at
> the moment this remains a credible, but not proven hypothesis.
>
> However I guess that 2 hour offset probably comes from the 2 hour
> difference between UTC and European Summertime.
>
> I think it would be great if the changes made by FreeIPA setup to ntp.conf
> were optional - we care strongly about the content of that file!
>
> Cheers
>
> Chris

Good to know. I updated the Troubleshooting page with this tip:
https://www.freeipa.org/page/Troubleshooting#Cannot_authenticate_to_Web_UI

Thanks!
Martin
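
An added example, not part of the original thread and not FreeIPA code: a small audit that flags when the time sources in an ntp.conf no longer match a site baseline (the situation described above after setup rewrote the file) and when a measured offset exceeds a tolerance. The host names, the sample file, the baseline list and the function names are constructed for illustration; the 300-second default is an assumption based on the roughly 5 minutes mentioned in the thread.

```python
# Added example: audit ntp.conf time sources against a site baseline.
# All host names and the sample file are constructed for illustration.

SOURCE_DIRECTIVES = {"server", "pool", "peer"}

SAMPLE_NTP_CONF = """\
# constructed sample: file as found after an installer rewrote it
driftfile /var/lib/ntp/drift
server 0.vendor-pool.example iburst
server 1.vendor-pool.example iburst
server ntp1.corp.example iburst   # only one site server left
#server ntp2.corp.example iburst
"""

SITE_BASELINE = ["ntp1.corp.example", "ntp2.corp.example"]  # assumed site policy


def time_sources(conf_text):
    """Return hosts named by active server/pool/peer lines."""
    hosts = set()
    for raw in conf_text.splitlines():
        fields = raw.split("#", 1)[0].split()  # strip comments, tokenize
        if len(fields) >= 2 and fields[0].lower() in SOURCE_DIRECTIVES:
            hosts.add(fields[1].lower())
    return hosts


def audit_sources(conf_text, baseline):
    """Compare configured sources with the baseline."""
    found = time_sources(conf_text)
    expected = {h.lower() for h in baseline}
    return {"unexpected": sorted(found - expected),
            "missing": sorted(expected - found)}


def skew_exceeded(offset_seconds, tolerance_seconds=300):
    """True when the absolute offset exceeds the tolerance (300 s is an assumed default)."""
    return abs(offset_seconds) > tolerance_seconds


if __name__ == "__main__":
    print(audit_sources(SAMPLE_NTP_CONF, SITE_BASELINE))
    print(skew_exceeded(2 * 3600))  # the two-hour offset from the thread
```

Run it from configuration management or a cron job against the real /etc/ntp.conf so that a rewritten file is reported before logins start failing.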
