On 04/19/2016 03:35 PM, Mitchell, Stuart wrote:
> Hello,
>
> We are having issues with the web interface on our free-ipa servers. When we
> try and login to the GUI it reports that the session has timed out. We have
> checked the date and time is synced with NTP. We have restarted the IPA
> services and same issues occur. We have 4 Free-IPA servers all configured as
> masters, all 4 show the same web gui login issues. 3 of the servers
> replicate the database from the primary Free-IPA server which connects to the
> AD domain using winsync. We cannot upgrade to a newer version of Free-IPA and
> looking at previous mailing list entries version 4 has the same issues crop
> up. I have followed the steps that were suggested for version 4 and nothing
> is resolving the login issues to the WebGUI. We can administer the users and
> hosts from the command line without issues.
>
> We also are seeing issues on one of the IPA servers that will not sync with
> the primary master server. When we try to force a sync we get an error
> "Update Failed! Status : [ -1 . LDAP server is not contactable", when we
> expect to see "Update Successful".
> This appears after multiple "Update in progress" messages are shown ( the
> command we are using is "ipa-replica-manage re-initialize -from <primary
> master>" ). When we have the services running on the failing server it stops
> users being able to login into clients that authenticate from that failing
> Free-IPA server. Once we stop the IPA services on the failing server the
> issues clear up.
> If we use the "ipa user-status <username>" command we can see failed login
> attempts on the server we cannot re-initialize.
>
> These servers have been running for at least 6 months without any issues, so
> network ports between them are all open.
>
>
> Regards
>
> Stuart
>

"session has timed out." usually means that there is an issue with
authentication. In recent (Fedora, upstream) IPA versions the message was
improved so that it distinguishes reasons better.

I would try to log in to IPA with a new "private"/"incognito" window of a
browser to try to log in without any existing cookies. If the login attempt
succeeds then it might indicate a bug which was fixed upstream recently.

If it doesn't help, then enable debug level on a server
https://www.freeipa.org/page/Troubleshooting#Administration_Framework
and examine/send a sanitized snippet of /var/log/httpd/error_log which is
relevant to the authentication attempt.

--
Petr Vobornik