Re: [Freeipa-users] unable to logout of IPA
Hi,

I'm not sure if this is relevant, but Firefox preserves session cookies across browser restarts. This was discussed on the Security Now! podcast recently:

http://www.grc.com/sn/sn-360.htm

Search for 'sessionstore' and read a little before and after.

Are session cookies relevant for Kerberos authentication? Maybe you could try a different browser to see if logging out works.

Thanks,

Dan

On Thu, Jul 26, 2012 at 9:39 PM, Steven Jones steven.jo...@vuw.ac.nz wrote:
> So if I just click on logout, I should just logout as if I kdestroy'd?
>
> If so, when I do that why doesn't that cleanup occur?
>
> regards
>
> Steven Jones
> Technical Specialist - Linux RHCE
> Victoria University, Wellington, NZ
> 0064 4 463 6272
>
> From: Simo Sorce [s...@redhat.com]
> Sent: Friday, 27 July 2012 4:01 p.m.
> To: Steven Jones
> Cc: freeipa-users@redhat.com
> Subject: Re: [Freeipa-users] unable to logout of IPA
>
> On Fri, 2012-07-27 at 03:14 +, Steven Jones wrote:
> > When in IPA, when I click on the logout I expect to logout so I can login as another user,
> >
> > === Logged In As: steven jones | Logout ===
> >
> > Clicking on logout, and clearing history in Firefox and even closing all instances of Firefox and restarting sees me logged back in as my adm account...
> >
> > So what do I need to do to flush? reboot my workstation?
>
> logout or manually run kdestroy
>
> Simo.
>
> --
> Simo Sorce * Red Hat, Inc * New York

___
Freeipa-users mailing list
Freeipa-users@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-users
Re: [Freeipa-users] unable to logout of IPA
On 07/27/2012 02:06 AM, Dan Scott wrote:
> Hi,
>
> I'm not sure if this is relevant, but Firefox preserves session cookies across browser restarts. This was discussed on the Security Now! podcast recently:
>
> http://www.grc.com/sn/sn-360.htm
>
> Search for 'sessionstore' and read a little before and after.
>
> Are session cookies relevant for Kerberos authentication?

It's only tangentially relevant. IPA does use session cookies. IPA logout destroys the session on the server, making the session cookie stored in the browser invalid. However, SSO (Single Sign-On) continues to work as it's supposed to. As long as you have valid credentials in your Kerberos cache you'll be automatically logged in (albeit with a brand new session and session cookie).

All this is by design. You can log out of IPA, which destroys your session, but unless you also destroy your credentials the automatic SSO process will be applied the next time you visit the web UI.

--
John Dennis jden...@redhat.com

Looking to carve out IT costs?
www.redhat.com/carveoutcosts/
Re: [Freeipa-users] unable to logout of IPA
On 07/27/2012 03:28 PM, John Dennis wrote:
> On 07/27/2012 02:06 AM, Dan Scott wrote:
> > Hi,
> >
> > I'm not sure if this is relevant, but Firefox preserves session cookies across browser restarts. This was discussed on the Security Now! podcast recently:
> >
> > http://www.grc.com/sn/sn-360.htm
> >
> > Search for 'sessionstore' and read a little before and after.
> >
> > Are session cookies relevant for Kerberos authentication?
>
> It's only tangentially relevant. IPA does use session cookies. IPA logout destroys the session on the server, making the session cookie stored in the browser invalid. However, SSO (Single Sign-On) continues to work as it's supposed to. As long as you have valid credentials in your Kerberos cache you'll be automatically logged in (albeit with a brand new session and session cookie).
>
> All this is by design. You can log out of IPA, which destroys your session, but unless you also destroy your credentials the automatic SSO process will be applied the next time you visit the web UI.

Would it be possible to add "login as another user" functionality? I mean: destroy session, ignore any Kerberos tickets, start form-based auth?

IMHO it could be handy, at least for demonstration purposes.

Petr^2 Spacek
Re: [Freeipa-users] IPA Error 4205 attribute idnsAllowTransfer not allowed
On Thu, 2012-07-26 at 09:47 +0200, Robert Bowell wrote:
> Hi,
>
> I'm encountering a strange problem. Upon trying to add a new DNS zone, the following message is being displayed:
>
> attribute idnsAllowTransfer not allowed
>
> and the DNS entry is not created.
>
> Has anyone ever encountered such a problem? If so, what needs to be done to resolve it?
>
> IPA server version 2.1.3. API version 2.13

Was this server upgraded from a 2.0.x one?

Simo.

--
Simo Sorce * Red Hat, Inc * New York