On 06/01/2016 07:48 PM, Anthony Clark wrote:
> Hello All,
>
> I've been asked to allow access to our FreeIPA web UI from a more user
> friendly url than I'm currently using. So I've set up a CNAME
> password.example.com for ns01.example.com
>
> At the moment, if I go to the real hostname of the FreeIPA server
> (ns01.example.com), everything works.
>
> If I go to the new "friendly" url (password.example.com) then upon login I
> get a "your session has expired please re-login" message.
>
> Setting debug to true in /etc/ipa/server.conf shows me that the server keeps
> using new session IDs. (Host and user names changed to protect the innocent)
>
> ----- /var/log/httpd/error_log -----
> [Wed Jun 01 17:11:06.237363 2016] [:error] [pid 31491] ipa: DEBUG: WSGI wsgi_dispatch.__call__:
> [Wed Jun 01 17:11:06.237533 2016] [:error] [pid 31491] ipa: DEBUG: WSGI jsonserver_session.__call__:
> [Wed Jun 01 17:11:06.237944 2016] [:error] [pid 31491] ipa: DEBUG: no session cookie found
> [Wed Jun 01 17:11:06.239009 2016] [:error] [pid 31491] ipa: DEBUG: no session id in request, generating empty session data with id=d5bc1c4cab8d3bfaee63b84805147995
> [Wed Jun 01 17:11:06.239466 2016] [:error] [pid 31491] ipa: DEBUG: store session: session_id=d5bc1c4cab8d3bfaee63b84805147995 start_timestamp=2016-06-01T17:11:06 access_timestamp=2016-06-01T17:11:06 expiration_timestamp=1970-01-01T00:00:00
> [Wed Jun 01 17:11:06.241052 2016] [:error] [pid 31491] ipa: DEBUG: jsonserver_session.__call__: session_id=d5bc1c4cab8d3bfaee63b84805147995 start_timestamp=2016-06-01T17:11:06 access_timestamp=2016-06-01T17:11:06 expiration_timestamp=1970-01-01T00:00:00
> [Wed Jun 01 17:11:06.241186 2016] [:error] [pid 31491] ipa: DEBUG: no ccache, need login
> [Wed Jun 01 17:11:06.241294 2016] [:error] [pid 31491] ipa: DEBUG: jsonserver_session: 401 Unauthorized need login
> [Wed Jun 01 17:11:24.956791 2016] [:error] [pid 31492] ipa: DEBUG: WSGI wsgi_dispatch.__call__:
> [Wed Jun 01 17:11:24.956992 2016] [:error] [pid 31492] ipa: DEBUG: WSGI login_password.__call__:
> [Wed Jun 01 17:11:24.957381 2016] [:error] [pid 31492] ipa: DEBUG: Obtaining armor ccache: principal=HTTP/[email protected] keytab=/etc/httpd/conf/ipa.keytab ccache=/var/run/ipa_memcached/krbcc_A_aclark
> [Wed Jun 01 17:11:24.957519 2016] [:error] [pid 31492] ipa: DEBUG: Initializing principal HTTP/[email protected] using keytab /etc/httpd/conf/ipa.keytab
> [Wed Jun 01 17:11:24.957633 2016] [:error] [pid 31492] ipa: DEBUG: using ccache /var/run/ipa_memcached/krbcc_A_aclark
> [Wed Jun 01 17:11:24.998328 2016] [:error] [pid 31492] ipa: DEBUG: Attempt 1/1: success
> [Wed Jun 01 17:11:24.998531 2016] [:error] [pid 31492] ipa: DEBUG: Initializing principal [email protected] using password
> [Wed Jun 01 17:11:24.998684 2016] [:error] [pid 31492] ipa: DEBUG: Using armor ccache /var/run/ipa_memcached/krbcc_A_aclark for FAST webauth
> [Wed Jun 01 17:11:24.998865 2016] [:error] [pid 31492] ipa: DEBUG: Starting external process
> [Wed Jun 01 17:11:24.998984 2016] [:error] [pid 31492] ipa: DEBUG: args='/usr/bin/kinit' '[email protected]' '-c' 'FILE:/var/run/ipa_memcached/krbcc_31492' '-T' '/var/run/ipa_memcached/krbcc_A_aclark'
> [Wed Jun 01 17:11:26.079200 2016] [:error] [pid 31492] ipa: DEBUG: Process finished, return code=0
> [Wed Jun 01 17:11:26.079384 2016] [:error] [pid 31492] ipa: DEBUG: stdout=Password for [email protected]:
> [Wed Jun 01 17:11:26.079399 2016] [:error] [pid 31492]
> [Wed Jun 01 17:11:26.079483 2016] [:error] [pid 31492] ipa: DEBUG: stderr=
> [Wed Jun 01 17:11:26.079680 2016] [:error] [pid 31492] ipa: DEBUG: Cleanup the armor ccache
> [Wed Jun 01 17:11:26.079871 2016] [:error] [pid 31492] ipa: DEBUG: Starting external process
> [Wed Jun 01 17:11:26.079983 2016] [:error] [pid 31492] ipa: DEBUG: args='/usr/bin/kdestroy' '-A' '-c' '/var/run/ipa_memcached/krbcc_A_aclark'
> [Wed Jun 01 17:11:26.093954 2016] [:error] [pid 31492] ipa: DEBUG: Process finished, return code=0
> [Wed Jun 01 17:11:26.094113 2016] [:error] [pid 31492] ipa: DEBUG: stdout=
> [Wed Jun 01 17:11:26.094210 2016] [:error] [pid 31492] ipa: DEBUG: stderr=
> [Wed Jun 01 17:11:26.094809 2016] [:error] [pid 31492] ipa: DEBUG: no session cookie found
> [Wed Jun 01 17:11:26.095877 2016] [:error] [pid 31492] ipa: DEBUG: no session id in request, generating empty session data with id=7ab08ba17d30883cff480af9e923cf82
> [Wed Jun 01 17:11:26.096132 2016] [:error] [pid 31492] ipa: DEBUG: store session: session_id=7ab08ba17d30883cff480af9e923cf82 start_timestamp=2016-06-01T17:11:26 access_timestamp=2016-06-01T17:11:26 expiration_timestamp=1970-01-01T00:00:00
> [Wed Jun 01 17:11:26.096596 2016] [:error] [pid 31492] ipa: DEBUG: finalize_kerberos_acquisition: login_password ccache_name="FILE:/var/run/ipa_memcached/krbcc_31492" session_id="7ab08ba17d30883cff480af9e923cf82"
> [Wed Jun 01 17:11:26.096774 2016] [:error] [pid 31492] ipa: DEBUG: reading ccache data from file "/var/run/ipa_memcached/krbcc_31492"
> [Wed Jun 01 17:11:26.097937 2016] [:error] [pid 31492] ipa: DEBUG: get_credential_times: principal=krbtgt/[email protected], authtime=06/01/16 17:11:26, starttime=06/01/16 17:11:26, endtime=06/02/16 17:11:26, renew_till=01/01/70 00:00:00
> [Wed Jun 01 17:11:26.098111 2016] [:error] [pid 31492] ipa: DEBUG: KRB5_CCache FILE:/var/run/ipa_memcached/krbcc_31492 endtime=1464887486 (06/02/16 17:11:26)
> [Wed Jun 01 17:11:26.098361 2016] [:error] [pid 31492] ipa: DEBUG: set_session_expiration_time: duration_type=inactivity_timeout duration=3600 max_age=1464887186 expiration=1464804686.1 (2016-06-01T18:11:26)
> [Wed Jun 01 17:11:26.098526 2016] [:error] [pid 31492] ipa: DEBUG: store session: session_id=7ab08ba17d30883cff480af9e923cf82 start_timestamp=2016-06-01T17:11:26 access_timestamp=2016-06-01T17:11:26 expiration_timestamp=2016-06-01T18:11:26
> [Wed Jun 01 17:11:26.099871 2016] [:error] [pid 31492] ipa: ERROR: release_ipa_ccache: ccache_name (FILE:/var/run/ipa_memcached/krbcc_31492) != KRB5CCNAME environment variable (/var/run/httpd/ipa/krbcache/krb5ccache)
> [Wed Jun 01 17:11:26.163524 2016] [:error] [pid 31491] ipa: DEBUG: WSGI wsgi_dispatch.__call__:
> [Wed Jun 01 17:11:26.163708 2016] [:error] [pid 31491] ipa: DEBUG: WSGI jsonserver_session.__call__:
> [Wed Jun 01 17:11:26.163974 2016] [:error] [pid 31491] ipa: DEBUG: no session cookie found
> [Wed Jun 01 17:11:26.164464 2016] [:error] [pid 31491] ipa: DEBUG: no session id in request, generating empty session data with id=433125db49c7ca9eb286c3ecf605d55d
> [Wed Jun 01 17:11:26.164713 2016] [:error] [pid 31491] ipa: DEBUG: store session: session_id=433125db49c7ca9eb286c3ecf605d55d start_timestamp=2016-06-01T17:11:26 access_timestamp=2016-06-01T17:11:26 expiration_timestamp=1970-01-01T00:00:00
> [Wed Jun 01 17:11:26.165181 2016] [:error] [pid 31491] ipa: DEBUG: jsonserver_session.__call__: session_id=433125db49c7ca9eb286c3ecf605d55d start_timestamp=2016-06-01T17:11:26 access_timestamp=2016-06-01T17:11:26 expiration_timestamp=1970-01-01T00:00:00
> [Wed Jun 01 17:11:26.165301 2016] [:error] [pid 31491] ipa: DEBUG: no ccache, need login
> [Wed Jun 01 17:11:26.165401 2016] [:error] [pid 31491] ipa: DEBUG: jsonserver_session: 401 Unauthorized need login
> ----- /var/log/httpd/error_log -----
>
> I'm somewhat at a loss to debug this further. I was wondering if the session
> storage is somehow bound to the original host name. Is there a way to check
> and/or configure this?
>
> Alternatively is there a guide out there for enabling additional host names
> for the web UI in FreeIPA?

Good question. I see there was no reply for this thread (note that most of the
developers are finishing FreeIPA 4.4 release) yet, CCing Petr to advise.

Martin
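
The symptom reported in the question can be confirmed mechanically from the debug log. The following is an added example, not part of the thread and not FreeIPA code: it parses the `ipa:` debug messages shown in the quoted log and reports any request that arrives without a session cookie after a login has already stored a session with a real expiry. The message patterns are copied from that log; the function and variable names are assumptions.

```python
import re

# Abridged from the error_log quoted in the thread above (one entry per line).
SAMPLE = """\
[Wed Jun 01 17:11:06.237533 2016] [:error] [pid 31491] ipa: DEBUG: WSGI jsonserver_session.__call__:
[Wed Jun 01 17:11:06.237944 2016] [:error] [pid 31491] ipa: DEBUG: no session cookie found
[Wed Jun 01 17:11:06.239009 2016] [:error] [pid 31491] ipa: DEBUG: no session id in request, generating empty session data with id=d5bc1c4cab8d3bfaee63b84805147995
[Wed Jun 01 17:11:24.956992 2016] [:error] [pid 31492] ipa: DEBUG: WSGI login_password.__call__:
[Wed Jun 01 17:11:26.095877 2016] [:error] [pid 31492] ipa: DEBUG: no session id in request, generating empty session data with id=7ab08ba17d30883cff480af9e923cf82
[Wed Jun 01 17:11:26.098526 2016] [:error] [pid 31492] ipa: DEBUG: store session: session_id=7ab08ba17d30883cff480af9e923cf82 start_timestamp=2016-06-01T17:11:26 access_timestamp=2016-06-01T17:11:26 expiration_timestamp=2016-06-01T18:11:26
[Wed Jun 01 17:11:26.163708 2016] [:error] [pid 31491] ipa: DEBUG: WSGI jsonserver_session.__call__:
[Wed Jun 01 17:11:26.163974 2016] [:error] [pid 31491] ipa: DEBUG: no session cookie found
[Wed Jun 01 17:11:26.164464 2016] [:error] [pid 31491] ipa: DEBUG: no session id in request, generating empty session data with id=433125db49c7ca9eb286c3ecf605d55d
"""

ENTRY = re.compile(r"\[(?P<ts>[^\]]+)\] \[:error\] \[pid (?P<pid>\d+)\] ipa: \w+: (?P<msg>.*)")
NEW_ID = re.compile(r"generating empty session data with id=(\w+)")
STORE = re.compile(r"store session: session_id=(\w+) .*expiration_timestamp=(\S+)")
UNAUTH = "1970-01-01T00:00:00"  # expiration the log shows before a login completes


def analyse(log_text):
    """Summarise session handling seen in the debug lines (hypothetical helper)."""
    generated, authenticated, cookieless = [], [], []
    for line in log_text.splitlines():
        m = ENTRY.match(line.strip())
        if not m:
            continue
        msg = m["msg"]
        if new := NEW_ID.search(msg):
            generated.append(new[1])
        elif (stored := STORE.search(msg)) and stored[2] != UNAUTH:
            if stored[1] not in authenticated:
                authenticated.append(stored[1])
        elif msg.startswith("no session cookie found") and authenticated:
            # A login already produced a live session, yet this request has no cookie.
            cookieless.append((m["ts"], m["pid"]))
    return {"generated": generated, "authenticated": authenticated,
            "cookieless_after_login": cookieless}


if __name__ == "__main__":
    report = analyse(SAMPLE)
    print(len(report["generated"]), "session ids generated")
    print("authenticated:", report["authenticated"])
    print("requests without cookie after login:", report["cookieless_after_login"])
```

A non-empty `cookieless_after_login` list shows that the session created at login was never presented again, which points the investigation at the `Set-Cookie` header of the login response as the browser sees it under the alias name.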
