Hello All,

I've been asked to allow access to our FreeIPA web UI from a more user friendly url than I'm currently using. So I've set up a CNAME password.example.com for ns01.example.com

At the moment, if I go to the real hostname of the FreeIPA server (ns01.example.com), everything works. If I go to the new "friendly" url (password.example.com) then upon login I get a "your session has expired please re-login" message.

Setting debug to true in /etc/ipa/server.conf shows me that the server keeps using new session IDs.

(Host and user names changed to protect the innocent)

----- /var/log/httpd/error_log -----
[Wed Jun 01 17:11:06.237363 2016] [:error] [pid 31491] ipa: DEBUG: WSGI wsgi_dispatch.__call__:
[Wed Jun 01 17:11:06.237533 2016] [:error] [pid 31491] ipa: DEBUG: WSGI jsonserver_session.__call__:
[Wed Jun 01 17:11:06.237944 2016] [:error] [pid 31491] ipa: DEBUG: no session cookie found
[Wed Jun 01 17:11:06.239009 2016] [:error] [pid 31491] ipa: DEBUG: no session id in request, generating empty session data with id=d5bc1c4cab8d3bfaee63b84805147995
[Wed Jun 01 17:11:06.239466 2016] [:error] [pid 31491] ipa: DEBUG: store session: session_id=d5bc1c4cab8d3bfaee63b84805147995 start_timestamp=2016-06-01T17:11:06 access_timestamp=2016-06-01T17:11:06 expiration_timestamp=1970-01-01T00:00:00
[Wed Jun 01 17:11:06.241052 2016] [:error] [pid 31491] ipa: DEBUG: jsonserver_session.__call__: session_id=d5bc1c4cab8d3bfaee63b84805147995 start_timestamp=2016-06-01T17:11:06 access_timestamp=2016-06-01T17:11:06 expiration_timestamp=1970-01-01T00:00:00
[Wed Jun 01 17:11:06.241186 2016] [:error] [pid 31491] ipa: DEBUG: no ccache, need login
[Wed Jun 01 17:11:06.241294 2016] [:error] [pid 31491] ipa: DEBUG: jsonserver_session: 401 Unauthorized need login
[Wed Jun 01 17:11:24.956791 2016] [:error] [pid 31492] ipa: DEBUG: WSGI wsgi_dispatch.__call__:
[Wed Jun 01 17:11:24.956992 2016] [:error] [pid 31492] ipa: DEBUG: WSGI login_password.__call__:
[Wed Jun 01 17:11:24.957381 2016] [:error] [pid 31492] ipa: DEBUG: Obtaining armor ccache: principal=HTTP/ns01.example....@example.com keytab=/etc/httpd/conf/ipa.keytab ccache=/var/run/ipa_memcached/krbcc_A_aclark
[Wed Jun 01 17:11:24.957519 2016] [:error] [pid 31492] ipa: DEBUG: Initializing principal HTTP/ns01.example....@example.com using keytab /etc/httpd/conf/ipa.keytab
[Wed Jun 01 17:11:24.957633 2016] [:error] [pid 31492] ipa: DEBUG: using ccache /var/run/ipa_memcached/krbcc_A_aclark
[Wed Jun 01 17:11:24.998328 2016] [:error] [pid 31492] ipa: DEBUG: Attempt 1/1: success
[Wed Jun 01 17:11:24.998531 2016] [:error] [pid 31492] ipa: DEBUG: Initializing principal acl...@example.com using password
[Wed Jun 01 17:11:24.998684 2016] [:error] [pid 31492] ipa: DEBUG: Using armor ccache /var/run/ipa_memcached/krbcc_A_aclark for FAST webauth
[Wed Jun 01 17:11:24.998865 2016] [:error] [pid 31492] ipa: DEBUG: Starting external process
[Wed Jun 01 17:11:24.998984 2016] [:error] [pid 31492] ipa: DEBUG: args='/usr/bin/kinit' 'acl...@example.com' '-c' 'FILE:/var/run/ipa_memcached/krbcc_31492' '-T' '/var/run/ipa_memcached/krbcc_A_aclark'
[Wed Jun 01 17:11:26.079200 2016] [:error] [pid 31492] ipa: DEBUG: Process finished, return code=0
[Wed Jun 01 17:11:26.079384 2016] [:error] [pid 31492] ipa: DEBUG: stdout=Password for acl...@example.com:
[Wed Jun 01 17:11:26.079399 2016] [:error] [pid 31492]
[Wed Jun 01 17:11:26.079483 2016] [:error] [pid 31492] ipa: DEBUG: stderr=
[Wed Jun 01 17:11:26.079680 2016] [:error] [pid 31492] ipa: DEBUG: Cleanup the armor ccache
[Wed Jun 01 17:11:26.079871 2016] [:error] [pid 31492] ipa: DEBUG: Starting external process
[Wed Jun 01 17:11:26.079983 2016] [:error] [pid 31492] ipa: DEBUG: args='/usr/bin/kdestroy' '-A' '-c' '/var/run/ipa_memcached/krbcc_A_aclark'
[Wed Jun 01 17:11:26.093954 2016] [:error] [pid 31492] ipa: DEBUG: Process finished, return code=0
[Wed Jun 01 17:11:26.094113 2016] [:error] [pid 31492] ipa: DEBUG: stdout=
[Wed Jun 01 17:11:26.094210 2016] [:error] [pid 31492] ipa: DEBUG: stderr=
[Wed Jun 01 17:11:26.094809 2016] [:error] [pid 31492] ipa: DEBUG: no session cookie found
[Wed Jun 01 17:11:26.095877 2016] [:error] [pid 31492] ipa: DEBUG: no session id in request, generating empty session data with id=7ab08ba17d30883cff480af9e923cf82
[Wed Jun 01 17:11:26.096132 2016] [:error] [pid 31492] ipa: DEBUG: store session: session_id=7ab08ba17d30883cff480af9e923cf82 start_timestamp=2016-06-01T17:11:26 access_timestamp=2016-06-01T17:11:26 expiration_timestamp=1970-01-01T00:00:00
[Wed Jun 01 17:11:26.096596 2016] [:error] [pid 31492] ipa: DEBUG: finalize_kerberos_acquisition: login_password ccache_name="FILE:/var/run/ipa_memcached/krbcc_31492" session_id="7ab08ba17d30883cff480af9e923cf82"
[Wed Jun 01 17:11:26.096774 2016] [:error] [pid 31492] ipa: DEBUG: reading ccache data from file "/var/run/ipa_memcached/krbcc_31492"
[Wed Jun 01 17:11:26.097937 2016] [:error] [pid 31492] ipa: DEBUG: get_credential_times: principal=krbtgt/example....@example.com, authtime=06/01/16 17:11:26, starttime=06/01/16 17:11:26, endtime=06/02/16 17:11:26, renew_till=01/01/70 00:00:00
[Wed Jun 01 17:11:26.098111 2016] [:error] [pid 31492] ipa: DEBUG: KRB5_CCache FILE:/var/run/ipa_memcached/krbcc_31492 endtime=1464887486 (06/02/16 17:11:26)
[Wed Jun 01 17:11:26.098361 2016] [:error] [pid 31492] ipa: DEBUG: set_session_expiration_time: duration_type=inactivity_timeout duration=3600 max_age=1464887186 expiration=1464804686.1 (2016-06-01T18:11:26)
[Wed Jun 01 17:11:26.098526 2016] [:error] [pid 31492] ipa: DEBUG: store session: session_id=7ab08ba17d30883cff480af9e923cf82 start_timestamp=2016-06-01T17:11:26 access_timestamp=2016-06-01T17:11:26 expiration_timestamp=2016-06-01T18:11:26
[Wed Jun 01 17:11:26.099871 2016] [:error] [pid 31492] ipa: ERROR: release_ipa_ccache: ccache_name (FILE:/var/run/ipa_memcached/krbcc_31492) != KRB5CCNAME environment variable (/var/run/httpd/ipa/krbcache/krb5ccache)
[Wed Jun 01 17:11:26.163524 2016] [:error] [pid 31491] ipa: DEBUG: WSGI wsgi_dispatch.__call__:
[Wed Jun 01 17:11:26.163708 2016] [:error] [pid 31491] ipa: DEBUG: WSGI jsonserver_session.__call__:
[Wed Jun 01 17:11:26.163974 2016] [:error] [pid 31491] ipa: DEBUG: no session cookie found
[Wed Jun 01 17:11:26.164464 2016] [:error] [pid 31491] ipa: DEBUG: no session id in request, generating empty session data with id=433125db49c7ca9eb286c3ecf605d55d
[Wed Jun 01 17:11:26.164713 2016] [:error] [pid 31491] ipa: DEBUG: store session: session_id=433125db49c7ca9eb286c3ecf605d55d start_timestamp=2016-06-01T17:11:26 access_timestamp=2016-06-01T17:11:26 expiration_timestamp=1970-01-01T00:00:00
[Wed Jun 01 17:11:26.165181 2016] [:error] [pid 31491] ipa: DEBUG: jsonserver_session.__call__: session_id=433125db49c7ca9eb286c3ecf605d55d start_timestamp=2016-06-01T17:11:26 access_timestamp=2016-06-01T17:11:26 expiration_timestamp=1970-01-01T00:00:00
[Wed Jun 01 17:11:26.165301 2016] [:error] [pid 31491] ipa: DEBUG: no ccache, need login
[Wed Jun 01 17:11:26.165401 2016] [:error] [pid 31491] ipa: DEBUG: jsonserver_session: 401 Unauthorized need login
----- /var/log/httpd/error_log -----

I'm somewhat at a loss to debug this further. I was wondering if the session storage is somehow bound to the original host name. Is there a way to check and/or configure this?

Alternatively is there a guide out there for enabling additional host names for the web UI in FreeIPA?

Thanks,
Anthony Clark
--
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project
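
A log check for the symptom described in the message above, added here as an example (it is not part of the original post and is not FreeIPA code): it groups the debug lines into requests and reports session ids created during login_password that the next jsonserver_session request did not send back. The sample lines and ids are constructed, and treating a request with no "no session cookie found" line as one that carried a cookie is an assumption.

```python
import re

# Constructed sample in the format of the error_log excerpt above (ids are made up).
SAMPLE = """\
[Wed Jun 01 17:11:24.956992 2016] [:error] [pid 31492] ipa: DEBUG: WSGI login_password.__call__:
[Wed Jun 01 17:11:26.094809 2016] [:error] [pid 31492] ipa: DEBUG: no session cookie found
[Wed Jun 01 17:11:26.095877 2016] [:error] [pid 31492] ipa: DEBUG: no session id in request, generating empty session data with id=aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa
[Wed Jun 01 17:11:26.163524 2016] [:error] [pid 31491] ipa: DEBUG: WSGI wsgi_dispatch.__call__:
[Wed Jun 01 17:11:26.163708 2016] [:error] [pid 31491] ipa: DEBUG: WSGI jsonserver_session.__call__:
[Wed Jun 01 17:11:26.163974 2016] [:error] [pid 31491] ipa: DEBUG: no session cookie found
[Wed Jun 01 17:11:26.164464 2016] [:error] [pid 31491] ipa: DEBUG: no session id in request, generating empty session data with id=bbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbb
"""

LINE = re.compile(r"\[pid (\d+)\] ipa: \w+: (.*)")
HANDLER = re.compile(r"WSGI (\w+)\.__call__:")
NEW_ID = re.compile(r"generating empty session data with id=([0-9a-f]+)")

def parse_requests(log_text):
    """Group debug lines into requests, keyed by the httpd worker pid."""
    requests, current = [], {}
    for raw in log_text.splitlines():
        m = LINE.search(raw)
        if not m:
            continue
        pid, msg = m.groups()
        h = HANDLER.match(msg)
        if h and h.group(1) != "wsgi_dispatch":
            # Assumption: a cookie was sent unless the log says otherwise.
            current[pid] = {"handler": h.group(1), "cookie": True, "session_id": None}
            requests.append(current[pid])
        elif pid in current:
            if msg.startswith("no session cookie found"):
                current[pid]["cookie"] = False
            n = NEW_ID.search(msg)
            if n:
                current[pid]["session_id"] = n.group(1)
    return requests

def dropped_sessions(requests):
    """Ids created at login that the following API request did not return."""
    dropped, issued = [], None
    for req in requests:
        if req["handler"] == "login_password":
            issued = req["session_id"]
        elif req["handler"] == "jsonserver_session" and issued:
            if not req["cookie"]:
                dropped.append(issued)
            issued = None
    return dropped
```

Run `dropped_sessions(parse_requests(open("/var/log/httpd/error_log").read()))` once for the real hostname and once for the alias; a non-empty result only for the alias confirms the browser is not returning the session cookie on that name.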