On 04/19/2016 03:35 PM, Mitchell, Stuart wrote:
> We are having issues with the web interface on our free-ipa servers. When we
> try and login to the GUI is reports that the session has timed out. We have
> checked the date and time is synced with NTP. We have restarted the IPA
> services and same issues occur. We have 4 Free-IPA servers all configured as
> masters, all 4 show the same web gui login issues. 3 of the servers
> replicate the database from the primary Free-IPA server which connects to the
> AD domain using winsync. We cannot upgrade to a newer version of Free-IPA and
> looking at previous mailing list entries version 4 has the same issues crop
> up. I have followed the steps that were suggested for version 4 and nothing
> is resolving the login issues to the WebGUI. We can administer the users and
> hosts from the command line without issues.
> We also are seeing issues on one of the IPA servers that will not sync with
> the primary master server. When we try to force a sync we get an error
> "Update Failed! Status : [ -1 . LDAP server is not contactable", when we see
> expect to see "Update Successful".
> This appears after multiple "Update in progress" messages are shown ( the
> command we are using is "ipa-replica-manage re-initialize -from <primary
> master>" ). When we have the services running on the failing server it stops
> users being able to login into clients that authenticate from that failing
> Free-IPA server. Once we stop the IPA services on the failing server the
> issues clear up.
> If we use the "ipa user-status <username>" command we can see failed login
> attempts on the server we cannot re-initialize.
> These servers have been running for at least 6 months without any issues, so
> network ports between them are all open.
"session has timed out." usually means that there is an issue with
authentications. In recent(fedora, upstream) IPA versions the message
was improved so that it distinguishes reasons better.
I would try to login to ipa with a new "private"/"incognito" window of a
browser to try to login without any existing cookies.
If login attempt succeeds then it might indicate a bug which was fixed
If it doesn't help, then enable debug level on a server
and examine/send sanitized snippet of /var/log/httpd/error_log which is
relevant to the authentication attempt.
Manage your subscription for the Freeipa-users mailing list:
Go to http://freeipa.org for more info on the project