Hi Petr

Thanks, we solved this issue and reported that back on this thread. The
troubleshooting guide has even been updated as a result.

https://www.redhat.com/archives/freeipa-users/2015-April/msg00605.html

Your suggestion has however hit the nail on the head - the problem was
clock skew between the Server hosting freeIPA and the workstations.

Ironically, before installing freeIPA server we had no clock skew - clients
and workstation clocks were within seconds. Post freeIPA install, the server
was suddenly 2 hours in the future.

This seems to be because freeIPA had replaced the ntpd server entries in
the ntp.conf file. After reverting to our standard ntp.conf for a vm and
restarting ntpd the clock-skew vanished, as did the "Your session has been
expired" error on the Web UI.

The 2 hours time difference was probably a result of the difference between
UTC and European Summer Time. It will likely be familiar to anybody who has
configured FIX interfaces in Europe.

Chris

b.t.w, the above applies to our new 4.1.0 installation. We get the same
"session has expired" error from our 3.0.0 freeIPA installation that we
will decommission shortly. On that machine the cause is not clock-skew.
From:   Petr Vobornik <pvobo...@redhat.com>
To:     Christopher Lamb/Switzerland/IBM@IBMCH,
            freeipa-users@redhat.com
Date:   30.04.2015 12:52
Subject:        Re: [Freeipa-users] Web ui error “Your session has expired.
            Please re-login.” from a browser on a remote client.
On 04/25/2015 02:58 AM, Christopher Lamb wrote:
>
> Hi All
>
> I too am suffering from the infamous Web ui error “Your session has
> expired. Please re-login.” from browser(s) on remote client(s),
> similar to the existing tickets:
>
> https://www.redhat.com/archives/freeipa-users/2015-March/msg00211.html
> https://www.redhat.com/archives/freeipa-users/2015-February/msg00315.html
> https://www.redhat.com/archives/freeipa-users/2015-April/msg00047.html
>
> We have 2 FreeIPA installations:
> An “Old”, soon to be decommissioned v3.0.0, on OEL 6.5
> The “new” instance, v4.1.0, on a fresh install of OEL 7.0
>
> The error occurs on both instances.
>
> I get the error from OSX and Windows clients (Firefox, Chrome, Safari, IE
> etc)
> Very sporadically one of the above browsers will “let me in” - If I cycle
> through all the browsers on various workstations / laptops on my desk
> sometimes I get lucky and one will work.
>
> kinit in a ssh session works.
>
> SELinux is disabled.
>
> All IPA Services are running.
>
> I can find no error(s) in /var/log/httpd/error_log
>
> In /var/log/krb5kdc.log I get entries like:
> Apr 25 02:17:44 ldap2.xxx-xx.xx.xx.com krb5kdc[1933](info): TGS_REQ (6 etypes {18 17 16 23 25 26}) 9.159.8.200: ISSUE: authtime 1429921064, etypes {rep=18 tkt=18 ses=18}, y...@xxx-xx.xx.xx.com for HTTP/bsc-ldap2.xxx-xx.xx.xxx....@xxx-xx.xx.xxx.com
> Apr 25 02:17:44 ldap2.xxx-xx.xx.xxx.com krb5kdc[1933](info): closing down fd 12
>
> If I enter a wrong password, I correctly get “The password or username you
> entered is incorrect.“, + errors in /var/log/httpd/error_log
>
> None of the browsers have a krb5 ticket installed.
>
> I get the error with both my user, and the default admin user.
>
> From the same browsers I can successfully access the Web UI of the public
> demo on https://ipa.demo1.freeipa.org/ipa/ui/
>

Do the machines with browsers have synchronized time with IPA servers?

If a client machine with a browser is 20 min+ in the future compared to the IPA
server, the browser will treat the ipa_session cookie as expired because its
validity is auth_time + 20 min.

Could you enable server debug logging [1] and send me entries from
httpd/error_log and krb5kdc.log which were added upon Web UI forms-based
auth with correct username and password?

[1]
https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/html/Linux_Domain_Identity_Authentication_and_Policy_Guide/server-config.html#server-debug

--
Petr Vobornik
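Petr's point above, that the browser judges the ipa_session cookie against its own clock, can be checked with a small simulation. The Python below is an added example and is not code from this thread or from FreeIPA. It models only the client-side Expires check he describes: the 20-minute lifetime comes from his message, while the Set-Cookie shape, the token value, the timestamps and the skew_from_date_header helper are constructed assumptions. The helper estimates local clock skew from the HTTP Date header a server returns, which is a quick way to confirm the kind of skew Chris found before touching ntp.conf.

```python
from datetime import datetime, timedelta, timezone
from email.utils import format_datetime, parsedate_to_datetime
from typing import Dict, Optional

# The thread states that the ipa_session cookie is valid for auth_time + 20 min.
SESSION_LIFETIME = timedelta(minutes=20)


def build_set_cookie(auth_time: datetime, token: str = "constructed-token") -> str:
    """Build a Set-Cookie header of the shape a server sends for a 20-minute
    session. The cookie name ipa_session comes from the thread; the token,
    Path and other attributes are constructed for this example."""
    expires = auth_time + SESSION_LIFETIME
    return (f"ipa_session={token}; Path=/ipa; "
            f"Expires={format_datetime(expires, usegmt=True)}; Secure; HttpOnly")


def parse_expires(set_cookie: str) -> Optional[datetime]:
    """Return the cookie's Expires attribute as an aware datetime, or None."""
    for attribute in set_cookie.split(";")[1:]:
        name, _, value = attribute.strip().partition("=")
        if name.lower() == "expires":
            return parsedate_to_datetime(value)
    return None


def cookie_expired_on_client(set_cookie: str, client_now: datetime) -> bool:
    """A browser compares Expires against its own clock, never the server's."""
    expires = parse_expires(set_cookie)
    return expires is not None and client_now >= expires


def session_outcome(server_now: datetime, client_skew: timedelta) -> str:
    """Simulate a forms-based login issued at server_now, as seen by a client
    whose clock is off by client_skew (positive = client ahead of the server)."""
    cookie = build_set_cookie(server_now)
    client_now = server_now + client_skew
    return "expired" if cookie_expired_on_client(cookie, client_now) else "valid"


def skew_from_date_header(date_header: str, local_now: datetime) -> timedelta:
    """Estimate local clock skew from the HTTP Date header a server returns
    (positive means the local clock is ahead of the server's)."""
    return local_now - parsedate_to_datetime(date_header)


def demo_outcomes() -> Dict[str, str]:
    """Constructed scenarios: a login at 10:52 UTC seen with several client skews."""
    server_now = datetime(2015, 4, 30, 10, 52, tzinfo=timezone.utc)
    return {
        "in sync": session_outcome(server_now, timedelta(0)),
        "client 25 min ahead": session_outcome(server_now, timedelta(minutes=25)),
        "client 2 h ahead": session_outcome(server_now, timedelta(hours=2)),
        "client 2 h behind": session_outcome(server_now, timedelta(hours=-2)),
    }


def demo_skew_minutes() -> float:
    """Constructed check: the server says 10:52 GMT while the local clock reads
    12:52, i.e. a CEST wall-clock time that was taken to be UTC."""
    date_header = "Thu, 30 Apr 2015 10:52:00 GMT"
    local_now = datetime(2015, 4, 30, 12, 52, tzinfo=timezone.utc)
    return skew_from_date_header(date_header, local_now).total_seconds() / 60


if __name__ == "__main__":
    for label, outcome in demo_outcomes().items():
        print(f"{label:20s} -> ipa_session {outcome}")
    print(f"local clock is {demo_skew_minutes():.0f} min ahead of the server")
```

The skew only bites in one direction for this check: a client running ahead of the server sees the cookie as already expired, while a client running behind sees it as valid for longer than intended. To measure a real machine, feed skew_from_date_header the Date header from any response of the IPA web server together with the local time at which it was received.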



-- 
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project