Re: [Freeipa-users] Fw: Web ui error “Your session has expired. Please re-login.” from a browser on a remote client.

2015-04-28 Thread Christopher Lamb
Hi Martin

That is great. However you may wish to qualify what significant is.

In the case of the original clock-skew problems (between the IPA LDAP
Server and sssd clients on other servers), a skew in the order of 5 minutes
was enough to prevent us sshing into our servers with an ldap user.

You might also want to repeat the hint that if the FreeIPA Server is
running in a VM, it must NEVER be a NTPD server for other servers, as VMs
are notorious for bad time keeping.

Cheers

Chris



From:    Martin Kosek mko...@redhat.com
To:      Christopher Lamb/Switzerland/IBM@IBMCH, freeipa-users@redhat.com
Date:    28.04.2015 14:13
Subject: Re: [Freeipa-users] Fw: Web ui error “Your session has expired. Please re-login.” from a browser on a remote client.

On 04/27/2015 06:09 PM, Christopher Lamb wrote:

> Hi All
>
> I may have found a possible cause of our instance of the “Your session has
> expired” Web UI error on our new FreeIPA 4.1.0 Server
>
> By chance I checked the date on the server hosting FreeIPA 4.1.0. To my
> surprise, despite running ntpd it was 2 hours in the future!
>
> Some moons ago we were suffering from clock-skew problems, and had spent a lot
> of time understanding ntp, and setting up an optimal ntp
> architecture /config. We were able to completely eliminate clock-skew
> across all our servers.
>
> Digging into the /etc/ntp.conf file I saw that FreeIPA had replaced our 4
> NTPD servers with 4 RedHat NTPD servers.
>
> Therefore I returned the /etc/ntp.conf file to our default, restarted ntpd,
> and time was correct again.
>
> Subsequent to this (at least at various points today) I have been able to
> successfully log into the Web UI from Firefox and Safari on OSX, and
> Firefox on Windows. On both platforms Chrome (not supported) does not work.
>
> I confess I have not had the time to return to the FreeIPA ntp config to
> see if the 2 hour offset + Web UI session problem can be reproduced, so at
> the moment this remains a credible, but not proven hypothesis.
>
> However I guess that 2 hour offset probably comes from the 2 hour
> difference between UTC and European Summertime.
>
> I think it would be great if the changes made by FreeIPA setup to ntp.conf
> were optional - we care strongly about the content of that file!
>
> Cheers
>
> Chris

Good to know. I updated the Troubleshooting page with this tip:
https://www.freeipa.org/page/Troubleshooting#Cannot_authenticate_to_Web_UI

Thanks!
Martin



-- 
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project
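
The clock-skew check discussed in this thread, as an added example that is not part of the original posts or of FreeIPA: it compares the Date header of an HTTPS response from the IPA server with a trusted reference time and flags a skew beyond the 5 minutes mentioned above (300 seconds is also the MIT Kerberos default clockskew, stated here as an assumption). The function names, the reference time and the sample headers are constructed for illustration.

```python
from datetime import datetime, timezone
from email.utils import parsedate_to_datetime

# Assumption: 300 s, the MIT Kerberos default "clockskew" tolerance,
# which matches the ~5 minutes reported in the thread.
KRB5_CLOCKSKEW_S = 300


def skew_seconds(date_header: str, reference: datetime) -> float:
    """Server clock minus reference clock (positive = server is ahead)."""
    server = parsedate_to_datetime(date_header)
    if server.tzinfo is None:  # a "-0000" zone parses as naive UTC
        server = server.replace(tzinfo=timezone.utc)
    return (server - reference).total_seconds()


def classify(skew_s: float, tolerance_s: int = KRB5_CLOCKSKEW_S) -> str:
    """Return "ok", "skewed", or "whole-hour-offset" (timezone-like error)."""
    magnitude = abs(skew_s)
    if magnitude <= tolerance_s:
        return "ok"
    # A skew close to a whole number of hours points at a UTC/local-time
    # mix-up (like the 2 hour offset in the thread) rather than clock drift.
    hours = round(magnitude / 3600)
    if hours >= 1 and abs(magnitude - hours * 3600) <= tolerance_s:
        return "whole-hour-offset"
    return "skewed"


def check(date_header: str, reference: datetime) -> tuple:
    """Return (skew in seconds, verdict) for one Date header."""
    skew = skew_seconds(date_header, reference)
    return skew, classify(skew)


# Constructed sample data: a reference time and three Date headers.
REFERENCE = datetime(2015, 4, 27, 14, 9, 0, tzinfo=timezone.utc)
SAMPLES = {
    "in sync": "Mon, 27 Apr 2015 14:09:02 GMT",
    "two hours ahead": "Mon, 27 Apr 2015 16:09:05 GMT",
    "six minutes behind": "Mon, 27 Apr 2015 14:03:00 GMT",
}

if __name__ == "__main__":
    for label, header in SAMPLES.items():
        skew, verdict = check(header, REFERENCE)
        print(f"{label:20s} skew={skew:+8.0f}s  {verdict}")
```

The reference time must come from a clock that is known to be correct, not from the host being checked.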

Re: [Freeipa-users] Fw: Web ui error “Your session has expired. Please re-login.” from a browser on a remote client.

2015-04-28 Thread Martin Kosek
On 04/27/2015 06:09 PM, Christopher Lamb wrote:

> Hi All
>
> I may have found a possible cause of our instance of the “Your session has
> expired” Web UI error on our new FreeIPA 4.1.0 Server
>
> By chance I checked the date on the server hosting FreeIPA 4.1.0. To my
> surprise, despite running ntpd it was 2 hours in the future!
>
> Some moons ago we were suffering from clock-skew problems, and had spent a lot
> of time understanding ntp, and setting up an optimal ntp
> architecture /config. We were able to completely eliminate clock-skew
> across all our servers.
>
> Digging into the /etc/ntp.conf file I saw that FreeIPA had replaced our 4
> NTPD servers with 4 RedHat NTPD servers.
>
> Therefore I returned the /etc/ntp.conf file to our default, restarted ntpd,
> and time was correct again.
>
> Subsequent to this (at least at various points today) I have been able to
> successfully log into the Web UI from Firefox and Safari on OSX, and
> Firefox on Windows. On both platforms Chrome (not supported) does not work.
>
> I confess I have not had the time to return to the FreeIPA ntp config to
> see if the 2 hour offset + Web UI session problem can be reproduced, so at
> the moment this remains a credible, but not proven hypothesis.
>
> However I guess that 2 hour offset probably comes from the 2 hour
> difference between UTC and European Summertime.
>
> I think it would be great if the changes made by FreeIPA setup to ntp.conf
> were optional - we care strongly about the content of that file!
>
> Cheers
>
> Chris

Good to know. I updated the Troubleshooting page with this tip:
https://www.freeipa.org/page/Troubleshooting#Cannot_authenticate_to_Web_UI

Thanks!
Martin



Re: [Freeipa-users] Fw: Web ui error “Your session has expired. Please re-login.” from a browser on a remote client.

2015-04-27 Thread Martin Basti

Hello, comments inline

Martin

On 27/04/15 18:09, Christopher Lamb wrote:

> Hi All
>
> I may have found a possible cause of our instance of the “Your session has
> expired” Web UI error on our new FreeIPA 4.1.0 Server
>
> By chance I checked the date on the server hosting FreeIPA 4.1.0. To my
> surprise, despite running ntpd it was 2 hours in the future!

Yes, time is important for successful kerberos login.

> Some moons ago we were suffering from clock-skew problems, and had spent a lot
> of time understanding ntp, and setting up an optimal ntp
> architecture /config. We were able to completely eliminate clock-skew
> across all our servers.
>
> Digging into the /etc/ntp.conf file I saw that FreeIPA had replaced our 4
> NTPD servers with 4 RedHat NTPD servers.

We plan to fix this in a new version

> Therefore I returned the /etc/ntp.conf file to our default, restarted ntpd,
> and time was correct again.
>
> Subsequent to this (at least at various points today) I have been able to
> successfully log into the Web UI from Firefox and Safari on OSX, and
> Firefox on Windows. On both platforms Chrome (not supported) does not work.
>
> I confess I have not had the time to return to the FreeIPA ntp config to
> see if the 2 hour offset + Web UI session problem can be reproduced, so at
> the moment this remains a credible, but not proven hypothesis.
>
> However I guess that 2 hour offset probably comes from the 2 hour
> difference between UTC and European Summertime.
>
> I think it would be great if the changes made by FreeIPA setup to ntp.conf
> were optional - we care strongly about the content of that file!

ipa-server-install

-N, --no-ntp    do not configure ntp

> Cheers
>
> Chris
>
>
> ----- Forwarded by Christopher Lamb/Switzerland/IBM on 27.04.2015 15:36 -----
>
> From:    Christopher Lamb/Switzerland/IBM@IBMCH
> To:      freeipa-users@redhat.com
> Date:    26.04.2015 01:29
> Subject: [Freeipa-users] Web ui error “Your session has expired. Please re-login.” from a browser on a remote client.
> Sent by: freeipa-users-boun...@redhat.com
>
>
> Hi All
>
> I too am suffering from the infamous Web ui error “Your session has
> expired. Please re-login.” using browser(s) on remote client(s),
> similar to the existing tickets:
>
> https://www.redhat.com/archives/freeipa-users/2015-March/msg00211.html
> https://www.redhat.com/archives/freeipa-users/2015-February/msg00315.html
> https://www.redhat.com/archives/freeipa-users/2015-April/msg00047.html
>
> We have 2 FreeIPA installations:
> An “Old”, soon to be decommissioned v3.0.0, on OEL 6.5
> The “new” instance, v4.1.0, on a fresh install of OEL 7.0
>
> The error occurs on both instances.
>
> I get the error from OSX and Windows clients (Firefox, Chrome, Safari, IE
> etc)
> Very sporadically one of the above browsers will “let me in” - If I cycle
> through all the browsers on various workstations / laptops on my desk
> sometimes I get lucky and one will work.
>
> kinit in a ssh session works.
>
> SELinux is disabled.
>
> All IPA Services are running.
>
> I can find no error(s) in /var/log/httpd/error_log
>
> In /var/log/krb5kdc.log I get entries like:
> Apr 25 02:17:44 ldap2.xxx-xx.xx.xx.com krb5kdc[1933](info): TGS_REQ (6
> etypes {18 17 16 23 25 26}) 9.159.8.200: ISSUE: authtime 1429921064, etypes
> {rep=18 tkt=18 ses=18}, y...@xxx-xx.xx.xx.com for
> HTTP/bsc-ldap2.xxx-xx.xx.xxx@xxx-xx.xx.xxx.com
> Apr 25 02:17:44 ldap2.xxx-xx.xx.xxx.com krb5kdc[1933](info): closing down
> fd 12
>
> If I enter a wrong password, I correctly get “The password or username you
> entered is incorrect.”, + errors in /var/log/httpd/error_log
>
> None of the browsers have a krb5 ticket installed.
>
> I get the error with both my user, and the default admin user.
>
> From the same browsers I can successfully access the Web UI of the public
> demo on https://ipa.demo1.freeipa.org/ipa/ui/

--
Martin Basti


[Freeipa-users] Fw: Web ui error “Your session has expired. Please re-login.” from a browser on a remote client.

2015-04-27 Thread Christopher Lamb

Hi All

I may have found a possible cause of our instance of the “Your session has
expired” Web UI error on our new FreeIPA 4.1.0 Server

By chance I checked the date on the server hosting FreeIPA 4.1.0. To my
surprise, despite running ntpd it was 2 hours in the future!

Some moons ago we were suffering from clock-skew problems, and had spent a lot
of time understanding ntp, and setting up an optimal ntp
architecture /config. We were able to completely eliminate clock-skew
across all our servers.

Digging into the /etc/ntp.conf file I saw that FreeIPA had replaced our 4
NTPD servers with 4 RedHat NTPD servers.

Therefore I returned the /etc/ntp.conf file to our default, restarted ntpd,
and time was correct again.

Subsequent to this (at least at various points today) I have been able to
successfully log into the Web UI from Firefox and Safari on OSX, and
Firefox on Windows. On both platforms Chrome (not supported) does not work.

I confess I have not had the time to return to the FreeIPA ntp config to
see if the 2 hour offset + Web UI session problem can be reproduced, so at
the moment this remains a credible, but not proven hypothesis.

However I guess that  2 hour offset probably comes from the 2 hour
difference between UTC and European Summertime.

I think it would be great if the changes made by FreeIPA setup to ntp.conf
were optional - we care strongly about the content of that file!

Cheers

Chris


----- Forwarded by Christopher Lamb/Switzerland/IBM on 27.04.2015 15:36 -----

From:    Christopher Lamb/Switzerland/IBM@IBMCH
To:      freeipa-users@redhat.com
Date:    26.04.2015 01:29
Subject: [Freeipa-users] Web ui error “Your session has expired. Please re-login.” from a browser on a remote client.
Sent by: freeipa-users-boun...@redhat.com




Hi All

I too am suffering from the infamous Web ui error “Your session has
expired. Please re-login.” using browser(s) on remote client(s),
similar to the existing tickets:

https://www.redhat.com/archives/freeipa-users/2015-March/msg00211.html
https://www.redhat.com/archives/freeipa-users/2015-February/msg00315.html
https://www.redhat.com/archives/freeipa-users/2015-April/msg00047.html

We have 2 FreeIPA installations:
An “Old”, soon to be decommissioned v3.0.0, on OEL 6.5
The “new” instance, v4.1.0, on a fresh install of OEL 7.0

The error occurs on both instances.

I get the error from OSX and Windows clients (Firefox, Chrome, Safari, IE
etc)
Very sporadically one of the above browsers will “let me in” - If I cycle
through all the browsers on various workstations / laptops on my desk
sometimes I get lucky and one will work.

kinit in a ssh session works.

SELinux is disabled.

All IPA Services are running.

I can find no error(s) in /var/log/httpd/error_log

In /var/log/krb5kdc.log I get entries like:
Apr 25 02:17:44 ldap2.xxx-xx.xx.xx.com krb5kdc[1933](info): TGS_REQ (6
etypes {18 17 16 23 25 26}) 9.159.8.200: ISSUE: authtime 1429921064, etypes
{rep=18 tkt=18 ses=18}, y...@xxx-xx.xx.xx.com for
HTTP/bsc-ldap2.xxx-xx.xx.xxx@xxx-xx.xx.xxx.com
Apr 25 02:17:44 ldap2.xxx-xx.xx.xxx.com krb5kdc[1933](info): closing down
fd 12

If I enter a wrong password, I correctly get “The password or username you
entered is incorrect.”, + errors in /var/log/httpd/error_log

None of the browsers have a krb5 ticket installed.

I get the error with both my user, and the default admin user.

From the same browsers I can successfully access the Web UI of the public
demo on https://ipa.demo1.freeipa.org/ipa/ui/
