Hi,
I'm trying to build a cluster of 3 IPA (staging at this point, but
eventually later I'll make a prod version)
systems (that will reside in AWS) that will manage select systems in our
infrastructure (mostly but not entirely in AWS).
The systems will be fronted (like most of our infrastructure) with a
load-balancer that manages pooling and SSL termination; we'd like
freeipa-staging.corp.$ORGNAME.com to be the access point, and the LB will
then route that to a specific one of the three servers based on pool
settings).

The systems are running CentOS7 and have the RPM-bundled version of FreeIPA
(4.1.0). Our three IPA servers are named
freeipa-staging-[123].vpc3.$INTERNALNAME.cc - the servers that will be
managed by this will have a variety of names and locations (and
$INTERNALNAME differs from $ORGNAME but both are valid DNSnames)

After running ipa-server-install on the first box (no integrated DNS
enabled, realmname is IPA-STAGING.$ORGNAME.ORG), I modified the
ipa-rewrite.conf to trim it down to this:
RewriteEngine on
RewriteRule ^/$ /ipa/ui [L,NC,R=301]
RewriteRule ^/ipa/ui/js/freeipa/plugins.js$    /ipa/wsgi/plugins.py [PT]


After the stack starts, I can kinit and run commands. Everything looks
good. The WebUI isn't working for me though - when I enter admin and the
password, I get "Your session has expired. Please re-login". By contrast,
when I give the wrong password, it tells me it's wrong.

After enabling debugging in ipa.conf, this is what I get from the httpd
error log:

[Wed Oct 07 17:29:50.370982 2015] [:error] [pid 3000] ipa: DEBUG: WSGI
wsgi_dispatch.__call__:
[Wed Oct 07 17:29:50.371088 2015] [:error] [pid 3000] ipa: DEBUG: WSGI
login_password.__call__:
[Wed Oct 07 17:29:50.371438 2015] [:error] [pid 3000] ipa: DEBUG: Obtaining
armor ccache: principal=HTTP/
freeipa-staging-1.vpc3.internalname...@ipa-staging.orgname.org
keytab=/etc/httpd/conf/ipa.keytab
ccache=/var/run/ipa_memcached/krbcc_A_admin
[Wed Oct 07 17:29:50.371534 2015] [:error] [pid 3000] ipa: DEBUG: Starting
external process
[Wed Oct 07 17:29:50.371596 2015] [:error] [pid 3000] ipa: DEBUG:
args='/usr/bin/kinit' '-kt' '/etc/httpd/conf/ipa.keytab' 'HTTP/
freeipa-staging-1.vpc3.internalname...@ipa-staging.orgname.org'
[Wed Oct 07 17:29:50.415134 2015] [:error] [pid 3000] ipa: DEBUG: Process
finished, return code=0
[Wed Oct 07 17:29:50.415223 2015] [:error] [pid 3000] ipa: DEBUG: stdout=
[Wed Oct 07 17:29:50.415276 2015] [:error] [pid 3000] ipa: DEBUG: stderr=
[Wed Oct 07 17:29:50.415395 2015] [:error] [pid 3000] ipa: DEBUG: Starting
external process
[Wed Oct 07 17:29:50.415458 2015] [:error] [pid 3000] ipa: DEBUG:
args='/usr/bin/kinit' 'ad...@ipa-staging.orgname.org' '-T'
'/var/run/ipa_memcached/krbcc_A_admin'
[Wed Oct 07 17:29:50.486981 2015] [:error] [pid 3000] ipa: DEBUG: Process
finished, return code=0
[Wed Oct 07 17:29:50.487072 2015] [:error] [pid 3000] ipa: DEBUG:
stdout=Password for ad...@ipa-staging.orgname.org:
[Wed Oct 07 17:29:50.487079 2015] [:error] [pid 3000]
[Wed Oct 07 17:29:50.487129 2015] [:error] [pid 3000] ipa: DEBUG: stderr=
[Wed Oct 07 17:29:50.487228 2015] [:error] [pid 3000] ipa: DEBUG: kinit:
principal=ad...@ipa-staging.orgname.org returncode=0, stderr=""
[Wed Oct 07 17:29:50.487281 2015] [:error] [pid 3000] ipa: DEBUG: Cleanup
the armor ccache
[Wed Oct 07 17:29:50.487356 2015] [:error] [pid 3000] ipa: DEBUG: Starting
external process
[Wed Oct 07 17:29:50.487406 2015] [:error] [pid 3000] ipa: DEBUG:
args='/usr/bin/kdestroy' '-A' '-c' '/var/run/ipa_memcached/krbcc_A_admin'
[Wed Oct 07 17:29:50.500419 2015] [:error] [pid 3000] ipa: DEBUG: Process
finished, return code=0
[Wed Oct 07 17:29:50.500496 2015] [:error] [pid 3000] ipa: DEBUG: stdout=
[Wed Oct 07 17:29:50.500547 2015] [:error] [pid 3000] ipa: DEBUG: stderr=
[Wed Oct 07 17:29:50.501180 2015] [:error] [pid 3000] ipa: DEBUG: no
session cookie found
[Wed Oct 07 17:29:50.501501 2015] [:error] [pid 3000] ipa: DEBUG: no
session id in request, generating empty session data with
id=738fef28e7a985fe8f01e0fc2a1c8e7d
[Wed Oct 07 17:29:50.501607 2015] [:error] [pid 3000] ipa: DEBUG: store
session: session_id=738fef28e7a985fe8f01e0fc2a1c8e7d
start_timestamp=2015-10-07T17:29:50 access_timestamp=2015-10-07T17:29:50
expiration_timestamp=1970-01-01T00:00:00
[Wed Oct 07 17:29:50.501908 2015] [:error] [pid 3000] ipa: DEBUG:
finalize_kerberos_acquisition: login_password
ccache_name="FILE:/var/run/ipa_memcached/krbcc_3000"
session_id="738fef28e7a985fe8f01e0fc2a1c8e7d"
[Wed Oct 07 17:29:50.501978 2015] [:error] [pid 3000] ipa: DEBUG: reading
ccache data from file "/var/run/ipa_memcached/krbcc_3000"
[Wed Oct 07 17:29:50.502358 2015] [:error] [pid 3000] ipa: DEBUG:
get_credential_times: principal=krbtgt/
ipa-staging.orgname....@ipa-staging.orgname.org, authtime=10/07/15
17:29:50, starttime=10/07/15 17:29:50, endtime=10/08/15 17:29:50,
renew_till=01/01/70 00:00:00
[Wed Oct 07 17:29:50.502436 2015] [:error] [pid 3000] ipa: DEBUG:
KRB5_CCache FILE:/var/run/ipa_memcached/krbcc_3000 endtime=1444325390
(10/08/15 17:29:50)
[Wed Oct 07 17:29:50.502532 2015] [:error] [pid 3000] ipa: DEBUG:
set_session_expiration_time: duration_type=inactivity_timeout duration=1200
max_age=1444325090 expiration=1444240190.5 (2015-10-07T17:49:50)
[Wed Oct 07 17:29:50.502609 2015] [:error] [pid 3000] ipa: DEBUG: store
session: session_id=738fef28e7a985fe8f01e0fc2a1c8e7d
start_timestamp=2015-10-07T17:29:50 access_timestamp=2015-10-07T17:29:50
expiration_timestamp=2015-10-07T17:49:50
[Wed Oct 07 17:29:50.502971 2015] [:error] [pid 3000] ipa: DEBUG:
release_ipa_ccache: KRB5CCNAME environment variable not set
[Wed Oct 07 17:29:50.612016 2015] [:error] [pid 3001] ipa: DEBUG: WSGI
wsgi_dispatch.__call__:
[Wed Oct 07 17:29:50.612125 2015] [:error] [pid 3001] ipa: DEBUG: WSGI
jsonserver_session.__call__:
[Wed Oct 07 17:29:50.612684 2015] [:error] [pid 3001] ipa: DEBUG: no
session cookie found
[Wed Oct 07 17:29:50.613018 2015] [:error] [pid 3001] ipa: DEBUG: no
session id in request, generating empty session data with
id=f723f440100b47e72675fa0e3cd9e87f
[Wed Oct 07 17:29:50.613118 2015] [:error] [pid 3001] ipa: DEBUG: store
session: session_id=f723f440100b47e72675fa0e3cd9e87f
start_timestamp=2015-10-07T17:29:50 access_timestamp=2015-10-07T17:29:50
expiration_timestamp=1970-01-01T00:00:00
[Wed Oct 07 17:29:50.613387 2015] [:error] [pid 3001] ipa: DEBUG:
jsonserver_session.__call__: session_id=f723f440100b47e72675fa0e3cd9e87f
start_timestamp=2015-10-07T17:29:50 access_timestamp=2015-10-07T17:29:50
expiration_timestamp=1970-01-01T00:00:00
[Wed Oct 07 17:29:50.613441 2015] [:error] [pid 3001] ipa: DEBUG: no
ccache, need login
[Wed Oct 07 17:29:50.613492 2015] [:error] [pid 3001] ipa: DEBUG:
jsonserver_session: 401 Unauthorized need login

Any ideas? The webUI will normally need to be used by people on systems
that are not managed by FreeIPA (this is meant to manage our server
infrastructure, not our workstations), but as far as I can tell
username/password auth should work?
-- 
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project

Reply via email to