I think I introduced a red herring by accident, I'm deeply embarrassed to
say.

Our new FreeIPA instance lives in ns01.dev.example.net.  The alternative
hostname is password.example.net.

I think that the different domain there was causing some of the problems.
I removed mention of the different domain by accident as part of a search
and replace to remove the company name.

However, by following Jan's directions I've been able to get this to work
using an Apache proxy that rewrites the cookie and referer hostnames.

On Wed, Jun 8, 2016 at 3:29 AM, Martin Kosek <mko...@redhat.com> wrote:

> On 06/01/2016 07:48 PM, Anthony Clark wrote:
> > Hello All,
> >
> > I've been asked to allow access to our FreeIPA web UI from a more
> > user-friendly url than I'm currently using.  So I've set up a CNAME
> > password.example.com for ns01.example.com
> >
> > At the moment, if I go to the real hostname of the FreeIPA server
> > (ns01.example.com), everything works.
> >
> > If I go to the new "friendly" url (password.example.com) then upon login
> > I get a "your session has expired please re-login" message.
> >
> > Setting debug to true in /etc/ipa/server.conf shows me that the server
> > keeps using new session IDs.  (Host and user names changed to protect the
> > innocent)
> >
> > ----- /var/log/httpd/error_log -----
> > [Wed Jun 01 17:11:06.237363 2016] [:error] [pid 31491] ipa: DEBUG: WSGI wsgi_dispatch.__call__:
> > [Wed Jun 01 17:11:06.237533 2016] [:error] [pid 31491] ipa: DEBUG: WSGI jsonserver_session.__call__:
> > [Wed Jun 01 17:11:06.237944 2016] [:error] [pid 31491] ipa: DEBUG: no session cookie found
> > [Wed Jun 01 17:11:06.239009 2016] [:error] [pid 31491] ipa: DEBUG: no session id in request, generating empty session data with id=d5bc1c4cab8d3bfaee63b84805147995
> > [Wed Jun 01 17:11:06.239466 2016] [:error] [pid 31491] ipa: DEBUG: store session: session_id=d5bc1c4cab8d3bfaee63b84805147995 start_timestamp=2016-06-01T17:11:06 access_timestamp=2016-06-01T17:11:06 expiration_timestamp=1970-01-01T00:00:00
> > [Wed Jun 01 17:11:06.241052 2016] [:error] [pid 31491] ipa: DEBUG: jsonserver_session.__call__: session_id=d5bc1c4cab8d3bfaee63b84805147995 start_timestamp=2016-06-01T17:11:06 access_timestamp=2016-06-01T17:11:06 expiration_timestamp=1970-01-01T00:00:00
> > [Wed Jun 01 17:11:06.241186 2016] [:error] [pid 31491] ipa: DEBUG: no ccache, need login
> > [Wed Jun 01 17:11:06.241294 2016] [:error] [pid 31491] ipa: DEBUG: jsonserver_session: 401 Unauthorized need login
> > [Wed Jun 01 17:11:24.956791 2016] [:error] [pid 31492] ipa: DEBUG: WSGI wsgi_dispatch.__call__:
> > [Wed Jun 01 17:11:24.956992 2016] [:error] [pid 31492] ipa: DEBUG: WSGI login_password.__call__:
> > [Wed Jun 01 17:11:24.957381 2016] [:error] [pid 31492] ipa: DEBUG: Obtaining armor ccache: principal=HTTP/ns01.example....@example.com keytab=/etc/httpd/conf/ipa.keytab ccache=/var/run/ipa_memcached/krbcc_A_aclark
> > [Wed Jun 01 17:11:24.957519 2016] [:error] [pid 31492] ipa: DEBUG: Initializing principal HTTP/ns01.example....@example.com using keytab /etc/httpd/conf/ipa.keytab
> > [Wed Jun 01 17:11:24.957633 2016] [:error] [pid 31492] ipa: DEBUG: using ccache /var/run/ipa_memcached/krbcc_A_aclark
> > [Wed Jun 01 17:11:24.998328 2016] [:error] [pid 31492] ipa: DEBUG: Attempt 1/1: success
> > [Wed Jun 01 17:11:24.998531 2016] [:error] [pid 31492] ipa: DEBUG: Initializing principal acl...@example.com using password
> > [Wed Jun 01 17:11:24.998684 2016] [:error] [pid 31492] ipa: DEBUG: Using armor ccache /var/run/ipa_memcached/krbcc_A_aclark for FAST webauth
> > [Wed Jun 01 17:11:24.998865 2016] [:error] [pid 31492] ipa: DEBUG: Starting external process
> > [Wed Jun 01 17:11:24.998984 2016] [:error] [pid 31492] ipa: DEBUG: args='/usr/bin/kinit' 'acl...@example.com' '-c' 'FILE:/var/run/ipa_memcached/krbcc_31492' '-T' '/var/run/ipa_memcached/krbcc_A_aclark'
> > [Wed Jun 01 17:11:26.079200 2016] [:error] [pid 31492] ipa: DEBUG: Process finished, return code=0
> > [Wed Jun 01 17:11:26.079384 2016] [:error] [pid 31492] ipa: DEBUG: stdout=Password for acl...@example.com:
> > [Wed Jun 01 17:11:26.079399 2016] [:error] [pid 31492]
> > [Wed Jun 01 17:11:26.079483 2016] [:error] [pid 31492] ipa: DEBUG: stderr=
> > [Wed Jun 01 17:11:26.079680 2016] [:error] [pid 31492] ipa: DEBUG: Cleanup the armor ccache
> > [Wed Jun 01 17:11:26.079871 2016] [:error] [pid 31492] ipa: DEBUG: Starting external process
> > [Wed Jun 01 17:11:26.079983 2016] [:error] [pid 31492] ipa: DEBUG: args='/usr/bin/kdestroy' '-A' '-c' '/var/run/ipa_memcached/krbcc_A_aclark'
> > [Wed Jun 01 17:11:26.093954 2016] [:error] [pid 31492] ipa: DEBUG: Process finished, return code=0
> > [Wed Jun 01 17:11:26.094113 2016] [:error] [pid 31492] ipa: DEBUG: stdout=
> > [Wed Jun 01 17:11:26.094210 2016] [:error] [pid 31492] ipa: DEBUG: stderr=
> > [Wed Jun 01 17:11:26.094809 2016] [:error] [pid 31492] ipa: DEBUG: no session cookie found
> > [Wed Jun 01 17:11:26.095877 2016] [:error] [pid 31492] ipa: DEBUG: no session id in request, generating empty session data with id=7ab08ba17d30883cff480af9e923cf82
> > [Wed Jun 01 17:11:26.096132 2016] [:error] [pid 31492] ipa: DEBUG: store session: session_id=7ab08ba17d30883cff480af9e923cf82 start_timestamp=2016-06-01T17:11:26 access_timestamp=2016-06-01T17:11:26 expiration_timestamp=1970-01-01T00:00:00
> > [Wed Jun 01 17:11:26.096596 2016] [:error] [pid 31492] ipa: DEBUG: finalize_kerberos_acquisition: login_password ccache_name="FILE:/var/run/ipa_memcached/krbcc_31492" session_id="7ab08ba17d30883cff480af9e923cf82"
> > [Wed Jun 01 17:11:26.096774 2016] [:error] [pid 31492] ipa: DEBUG: reading ccache data from file "/var/run/ipa_memcached/krbcc_31492"
> > [Wed Jun 01 17:11:26.097937 2016] [:error] [pid 31492] ipa: DEBUG: get_credential_times: principal=krbtgt/example....@example.com, authtime=06/01/16 17:11:26, starttime=06/01/16 17:11:26, endtime=06/02/16 17:11:26, renew_till=01/01/70 00:00:00
> > [Wed Jun 01 17:11:26.098111 2016] [:error] [pid 31492] ipa: DEBUG: KRB5_CCache FILE:/var/run/ipa_memcached/krbcc_31492 endtime=1464887486 (06/02/16 17:11:26)
> > [Wed Jun 01 17:11:26.098361 2016] [:error] [pid 31492] ipa: DEBUG: set_session_expiration_time: duration_type=inactivity_timeout duration=3600 max_age=1464887186 expiration=1464804686.1 (2016-06-01T18:11:26)
> > [Wed Jun 01 17:11:26.098526 2016] [:error] [pid 31492] ipa: DEBUG: store session: session_id=7ab08ba17d30883cff480af9e923cf82 start_timestamp=2016-06-01T17:11:26 access_timestamp=2016-06-01T17:11:26 expiration_timestamp=2016-06-01T18:11:26
> > [Wed Jun 01 17:11:26.099871 2016] [:error] [pid 31492] ipa: ERROR: release_ipa_ccache: ccache_name (FILE:/var/run/ipa_memcached/krbcc_31492) != KRB5CCNAME environment variable (/var/run/httpd/ipa/krbcache/krb5ccache)
> > [Wed Jun 01 17:11:26.163524 2016] [:error] [pid 31491] ipa: DEBUG: WSGI wsgi_dispatch.__call__:
> > [Wed Jun 01 17:11:26.163708 2016] [:error] [pid 31491] ipa: DEBUG: WSGI jsonserver_session.__call__:
> > [Wed Jun 01 17:11:26.163974 2016] [:error] [pid 31491] ipa: DEBUG: no session cookie found
> > [Wed Jun 01 17:11:26.164464 2016] [:error] [pid 31491] ipa: DEBUG: no session id in request, generating empty session data with id=433125db49c7ca9eb286c3ecf605d55d
> > [Wed Jun 01 17:11:26.164713 2016] [:error] [pid 31491] ipa: DEBUG: store session: session_id=433125db49c7ca9eb286c3ecf605d55d start_timestamp=2016-06-01T17:11:26 access_timestamp=2016-06-01T17:11:26 expiration_timestamp=1970-01-01T00:00:00
> > [Wed Jun 01 17:11:26.165181 2016] [:error] [pid 31491] ipa: DEBUG: jsonserver_session.__call__: session_id=433125db49c7ca9eb286c3ecf605d55d start_timestamp=2016-06-01T17:11:26 access_timestamp=2016-06-01T17:11:26 expiration_timestamp=1970-01-01T00:00:00
> > [Wed Jun 01 17:11:26.165301 2016] [:error] [pid 31491] ipa: DEBUG: no ccache, need login
> > [Wed Jun 01 17:11:26.165401 2016] [:error] [pid 31491] ipa: DEBUG: jsonserver_session: 401 Unauthorized need login
> > ----- /var/log/httpd/error_log -----
> >
> > I'm somewhat at a loss to debug this further.  I was wondering if the
> session
> > storage is somehow bound to the original host name.  Is there a way to
> check
> > and/or configure this?
> >
> > Alternatively is there a guide out there for enabling additional host
> names for
> > the web UI in FreeIPA?
>
> Good question. I see there was no reply for this thread (note that most of
> the
> developers are finishing FreeIPA 4.4 release) yet, CCing Petr to advise.
>
> Martin
>
-- 
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project

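Added illustration for this thread (not FreeIPA code, and not the Apache configuration the poster used, which is not shown above): a small Python model of what the debug log records and of what a cookie- and Referer-rewriting proxy changes. It assumes, consistently with the fix the poster reports, that the server scopes its session cookie to its real FQDN with a Domain attribute and that it only accepts a JSON-RPC request whose Referer begins with https://<real FQDN>/ipa. The hostnames and the Set-Cookie line are constructed; `proxy_rewrite_set_cookie` and `proxy_rewrite_referer` stand in for Apache's `ProxyPassReverseCookieDomain` and `RequestHeader edit Referer` directives.

```python
"""Model of the session-cookie failure in the log above, and of the proxy fix.

Constructed example for this thread, not FreeIPA's code and not the poster's
Apache configuration.  Assumptions (labelled again inline): the server scopes
its session cookie to its real FQDN with a Domain attribute, and accepts a
JSON-RPC request only when the Referer starts with https://<real FQDN>/ipa.
"""
import re
from http.cookies import SimpleCookie
from urllib.parse import urlparse

REAL_HOST = "ns01.dev.example.net"     # hostname the server knows itself by
ALIAS_HOST = "password.example.net"    # the "friendly" CNAME

# Constructed Set-Cookie header in the shape the server is assumed to emit;
# the session id is the one minted by the login_password request in the log.
SET_COOKIE = ("ipa_session=7ab08ba17d30883cff480af9e923cf82; "
              f"Domain={REAL_HOST}; Path=/ipa; Secure; HttpOnly")


def domain_matches(request_host: str, cookie_domain: str) -> bool:
    """RFC 6265 section 5.1.3 domain-match: equal to, or a subdomain of."""
    cookie_domain = cookie_domain.lstrip(".").lower()
    request_host = request_host.lower()
    return request_host == cookie_domain or request_host.endswith("." + cookie_domain)


def path_matches(request_path: str, cookie_path: str) -> bool:
    """RFC 6265 section 5.1.4 path-match."""
    if request_path == cookie_path:
        return True
    if not request_path.startswith(cookie_path):
        return False
    return cookie_path.endswith("/") or request_path[len(cookie_path)] == "/"


def browser_sends_cookie(set_cookie: str, request_url: str) -> bool:
    """Would a browser that stored `set_cookie` attach it to `request_url`?
    When this is False the server sees no cookie, logs 'no session cookie
    found' and mints a fresh session: the pattern repeated in the log above."""
    jar = SimpleCookie()
    jar.load(set_cookie)
    morsel = jar["ipa_session"]
    url = urlparse(request_url)
    if morsel["secure"] and url.scheme != "https":
        return False
    return (domain_matches(url.hostname, morsel["domain"])
            and path_matches(url.path, morsel["path"] or "/"))


def server_accepts_referer(referer: str) -> bool:
    """Assumed server-side CSRF check: the Referer must name the real host."""
    return referer.startswith(f"https://{REAL_HOST}/ipa")


def proxy_rewrite_set_cookie(set_cookie: str) -> str:
    """Response side of the proxy (what ProxyPassReverseCookieDomain does):
    re-scope the cookie from the real FQDN to the alias the browser is using."""
    return re.sub(r"(?i)(;\s*Domain=)" + re.escape(REAL_HOST),
                  r"\g<1>" + ALIAS_HOST, set_cookie)


def proxy_rewrite_referer(referer: str) -> str:
    """Request side of the proxy (what `RequestHeader edit Referer` does).
    Only a Referer from the alias origin is mapped to the real origin, so a
    request whose Referer points anywhere else still fails the server check."""
    return re.sub(r"^https://" + re.escape(ALIAS_HOST) + "/",
                  f"https://{REAL_HOST}/", referer)


def login_round_trip(through_proxy: bool) -> dict:
    """The login page at the alias sets the cookie; the UI then calls
    /ipa/session/json.  Report whether the cookie comes back and whether the
    Referer the server sees passes its check."""
    set_cookie, referer = SET_COOKIE, f"https://{ALIAS_HOST}/ipa/ui/"
    if through_proxy:
        set_cookie = proxy_rewrite_set_cookie(set_cookie)
        referer = proxy_rewrite_referer(referer)
    next_call = f"https://{ALIAS_HOST}/ipa/session/json"
    return {"cookie_sent": browser_sends_cookie(set_cookie, next_call),
            "referer_ok": server_accepts_referer(referer)}


if __name__ == "__main__":
    direct = browser_sends_cookie(SET_COOKIE, f"https://{REAL_HOST}/ipa/session/json")
    print("direct to real host:", direct)
    print("alias, no proxy    :", login_round_trip(False))
    print("alias, via proxy   :", login_round_trip(True))
```

Two checks worth making before relying on such a proxy: the certificate the proxy presents must carry the alias name in its SubjectAltName, or browsers will refuse the connection before any cookie is involved; and the Referer rewrite should be written, as above, to map only the alias origin to the real one, so that the server's Referer check keeps rejecting requests from any other origin.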