On 04/19/2016 03:35 PM, Mitchell, Stuart wrote:
> Hello,
> 
> We are having issues with the web interface on our free-ipa servers. When we 
> try and login to the GUI it reports that the session has timed out. We have 
> checked the date and time is synced with NTP. We have restarted the IPA 
> services and same issues occur. We have 4 Free-IPA servers all configured as 
> masters, all 4 show the same web gui login issues.  3 of the servers 
> replicate the database from the primary Free-IPA server which connects to the 
> AD domain using winsync. We cannot upgrade to a newer version of Free-IPA and 
> looking at previous mailing list entries version 4 has the same issues crop 
> up. I have followed the steps that were suggested for version 4 and nothing 
> is resolving the login issues to the WebGUI. We can administer the users and 
> hosts from the command line without issues.
> 
> We also are seeing issues on one of the IPA servers that will not sync with 
> the primary master server. When we try to force a sync we get an error 
> "Update Failed! Status : [ -1 . LDAP server is not contactable", when we 
> expect to see "Update Successful". 
> This appears after multiple "Update in progress" messages are shown (the 
> command we are using is "ipa-replica-manage re-initialize --from <primary 
> master>"). When we have the services running on the failing server it stops 
> users being able to login into clients that authenticate from that failing 
> Free-IPA server. Once we stop the IPA services on the failing server the 
> issues clear up.
> If we use the "ipa user-status <username>" command we can see failed login 
> attempts on the server we cannot re-initialize.
> 
> These servers have been running for at least 6 months without any issues, so 
> network ports between them are all open.
> 
> 
> Regards
> 
> Stuart
> 

"session has timed out." usually means that there is an issue with
authentication. In recent (Fedora, upstream) IPA versions the message
was improved so that it distinguishes reasons better.

I would try to login to ipa with a new "private"/"incognito" window of a
browser to try to login without any existing cookies.

If login attempt succeeds then it might indicate a bug which was fixed
upstream recently.

If it doesn't help, then enable debug level on a server
https://www.freeipa.org/page/Troubleshooting#Administration_Framework
and examine/send sanitized snippet of /var/log/httpd/error_log which is
relevant to the authentication attempt.
-- 
Petr Vobornik
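
Added example, not part of the original message and not FreeIPA project code: one way to sanitize an excerpt of /var/log/httpd/error_log before posting it to a public list, replacing client IPs, Kerberos principals, site hostnames and `ipa_session` cookie values with stable placeholders so related lines can still be correlated. The sample lines, the domain `corp.example.test` and the function name `sanitize` are constructed for illustration.

```python
import re

# Values that identify a site or carry a live credential in httpd error_log lines.
COOKIE_RE = re.compile(r"(?<=ipa_session=)[^;\s\"']+")
PRINCIPAL_RE = re.compile(r"\b[\w.\-/]+@[A-Za-z0-9.\-]*[A-Za-z0-9]")
IP_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")

# Constructed sample lines in Apache error_log shape (not real FreeIPA output).
SAMPLE = [
    "[Tue Apr 19 15:40:01 2016] [error] [client 192.0.2.15] ipa: DEBUG: "
    "login request from admin@CORP.EXAMPLE.TEST",
    "[Tue Apr 19 15:40:01 2016] [error] [client 192.0.2.15] ipa: DEBUG: "
    "Cookie: ipa_session=9f2c4e7a1b; path=/ipa",
    "[Tue Apr 19 15:40:02 2016] [error] [client 192.0.2.15] ipa: DEBUG: "
    "service HTTP/ipa1.corp.example.test@CORP.EXAMPLE.TEST on ipa1.corp.example.test",
]


def sanitize(lines, domain):
    """Return lines with sensitive values replaced by stable placeholders."""
    # Hostnames are matched by the site's own DNS domain (assumed known to the poster).
    host_re = re.compile(r"\b(?:[a-z0-9-]+\.)*" + re.escape(domain) + r"\b", re.I)
    # Order matters: cookies and principals first, so hosts inside them are not split.
    rules = [("cookie", COOKIE_RE), ("principal", PRINCIPAL_RE),
             ("ip", IP_RE), ("host", host_re)]
    seen = {}  # (kind, original value) -> placeholder, shared across all lines

    def replacer(kind):
        def _sub(match):
            key = (kind, match.group(0).lower())
            if key not in seen:
                count = sum(1 for k in seen if k[0] == kind) + 1
                seen[key] = f"<{kind}-{count}>"
            return seen[key]
        return _sub

    out = []
    for line in lines:
        for kind, pattern in rules:
            line = pattern.sub(replacer(kind), line)
        out.append(line)
    return out


if __name__ == "__main__":
    for line in sanitize(SAMPLE, "corp.example.test"):
        print(line)
```

Review the output by eye before sending it; usernames or hostnames that appear in free text outside these patterns are not caught.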
