Re: [Freeipa-users] Web Interface issues on Free-IPA 3.0.0-47/ LDAP Sync issues

2016-04-19 Thread Mitchell, Stuart


> -Original Message-
> From: Petr Vobornik [mailto:pvobo...@redhat.com]
> Sent: 19 April 2016 15:26
> To: Mitchell, Stuart <mitch...@hpe.com>; freeipa-users@redhat.com
> Subject: Re: [Freeipa-users] Web Interface issues on Free-IPA 3.0.0-47/ LDAP
> Sync issues
> 
> On 04/19/2016 03:35 PM, Mitchell, Stuart wrote:
> > Hello,
> >
> > We are having issues with the web interface on our free-ipa servers. When
> we try and login to the GUI it reports that the session has timed out. We
> have checked the date and time is synced with NTP. We have restarted the
> IPA services and same issues occur. We have 4 Free-IPA servers all
> configured as masters, all 4 show the same web gui login issues.  3 of the
> servers replicate the database from the primary Free-IPA server which
> connects to the AD domain using winsync. We cannot upgrade to a newer
> version of Free-IPA and looking at previous mailing list entries version 4 has
> the same issues crop up. I have followed the steps that were suggested for
> version 4 and nothing is resolving the login issues to the WebGUI. We can
> administer the users and hosts from the command line without issues.
> >
> > We also are seeing issues on one of the IPA servers that will not sync with
> the primary master server. When we try to force a sync we get an error
> "Update Failed! Status : [ -1 . LDAP server is not contactable", when we
> expect to see "Update Successful".
> > This appears after multiple  "Update in progress"  messages are shown   (
> the command we are using is "ipa-replica-manage re-initialize -from  master>" ). When we have the services running on the failing server it stops
> users being able to login into clients that authenticate from that failing
> Free-IPA server. Once we stop the IPA services on the failing server the issues
> clear up.
> > If we use the "ipa user-status " command we can see failed
> login attempts on the server we cannot re-initialize.
> >
> > These servers have been running for at least 6 months without any issues,
> so network ports between them are all open.
> >
> >
> > Regards
> >
> > Stuart
> >
> 
> "session has timed out." usually means that there is an issue with
> authentications. In recent (fedora, upstream) IPA versions the message was
> improved so that it distinguishes reasons better.
> 
> I would try to login to ipa with a new "private"/"incognito" window of a
> browser to try to login without any existing cookies.
> 
> If login attempt succeeds then it might indicate a bug which was fixed
> upstream recently.
> 
> If it doesn't help, then enable debug level on a server
> https://www.freeipa.org/page/Troubleshooting#Administration_Framework
> and examine/send sanitized snippet of /var/log/httpd/error_log which is
> relevant to the authentication attempt.
> --
> Petr Vobornik

Thanks Petr,

Going incognito has resolved the session errors with logging into the webgui.

Regards

Stuart

-- 
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project


Re: [Freeipa-users] Web Interface issues on Free-IPA 3.0.0-47/ LDAP Sync issues

2016-04-19 Thread Petr Vobornik
On 04/19/2016 03:35 PM, Mitchell, Stuart wrote:
> Hello,
> 
> We are having issues with the web interface on our free-ipa servers. When we 
> try and login to the GUI it reports that the session has timed out. We have 
> checked the date and time is synced with NTP. We have restarted the IPA 
> services and same issues occur. We have 4 Free-IPA servers all configured as 
> masters, all 4 show the same web gui login issues.  3 of the servers 
> replicate the database from the primary Free-IPA server which connects to the 
> AD domain using winsync. We cannot upgrade to a newer version of Free-IPA and 
> looking at previous mailing list entries version 4 has the same issues crop 
> up. I have followed the steps that were suggested for version 4 and nothing 
> is resolving the login issues to the WebGUI. We can administer the users and 
> hosts from the command line without issues.
> 
> We also are seeing issues on one of the IPA servers that will not sync with 
> the primary master server. When we try to force a sync we get an error 
> "Update Failed! Status : [ -1 . LDAP server is not contactable", when we 
> expect to see "Update Successful". 
> This appears after multiple  "Update in progress"  messages are shown   ( the 
> command we are using is "ipa-replica-manage re-initialize -from  master>" ). When we have the services running on the failing server it stops 
> users being able to login into clients that authenticate from  that failing 
> Free-IPA server. Once we stop the IPA services on the failing server the 
> issues clear up.
> If we use the "ipa user-status " command we can see failed login 
> attempts on the server we cannot re-initialize.
> 
> These servers have been running for at least 6 months without any issues, so 
> network ports between them are all open.
> 
> 
> Regards
> 
> Stuart
> 

"session has timed out." usually means that there is an issue with
authentications. In recent (fedora, upstream) IPA versions the message
was improved so that it distinguishes reasons better.

I would try to login to ipa with a new "private"/"incognito" window of a
browser to try to login without any existing cookies.

If login attempt succeeds then it might indicate a bug which was fixed
upstream recently.

If it doesn't help, then enable debug level on a server
https://www.freeipa.org/page/Troubleshooting#Administration_Framework
and examine/send sanitized snippet of /var/log/httpd/error_log which is
relevant to the authentication attempt.
-- 
Petr Vobornik
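
The reply above asks for a sanitized snippet of /var/log/httpd/error_log relevant to the authentication attempt. The following is an added example, not part of the thread or of FreeIPA: it keeps only the IPA lines and replaces client IPs, Kerberos principals and session ids with stable tokens so the lines can still be correlated. The sample log lines, the `ipa:` keyword filter and the token format are assumptions.

```python
import re

# Constructed sample lines in the style of an Apache error_log with IPA debug
# enabled; they are illustrative and not taken from the thread.
SAMPLE_LOG = """\
[Tue Apr 19 15:40:01 2016] [error] [client 10.1.2.3] ipa: DEBUG: WSGI login_password.__call__:
[Tue Apr 19 15:40:01 2016] [error] [client 10.1.2.3] ipa: DEBUG: found session cookie_id = 0123456789abcdef0123456789abcdef
[Tue Apr 19 15:40:02 2016] [error] [client 10.1.2.3] ipa: INFO: 401 Unauthorized: kinit failed for jdoe@CORP.EXAMPLE.COM
[Tue Apr 19 15:40:05 2016] [notice] caught SIGTERM, shutting down
[Tue Apr 19 15:41:10 2016] [error] [client 10.9.9.9] ipa: DEBUG: no session cookie found
"""

# Order matters: principals are replaced first so later patterns never see them.
PATTERNS = [
    ("PRINCIPAL", re.compile(r"[\w./-]+@[A-Z0-9.-]+\b")),
    ("IP", re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")),
    ("SESSION", re.compile(r"\b[0-9a-f]{32}\b")),
]


def sanitize(log_text, keyword="ipa:"):
    """Return the lines containing keyword, with identifiers pseudonymized."""
    seen = {}  # (kind, original value) -> replacement token

    def token_for(kind, value):
        key = (kind, value)
        if key not in seen:
            # Number tokens per kind, so the same value always maps to the same token.
            n = sum(1 for k in seen if k[0] == kind) + 1
            seen[key] = "<%s-%d>" % (kind, n)
        return seen[key]

    out = []
    for line in log_text.splitlines():
        if keyword not in line:
            continue  # drop lines unrelated to the IPA framework
        for kind, rx in PATTERNS:
            line = rx.sub(lambda m, k=kind: token_for(k, m.group(0)), line)
        out.append(line)
    return out


if __name__ == "__main__":
    print("\n".join(sanitize(SAMPLE_LOG)))
```

Review the output by eye before posting; hostnames and other site-specific strings are not covered by these three patterns.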



[Freeipa-users] Web Interface issues on Free-IPA 3.0.0-47/ LDAP Sync issues

2016-04-19 Thread Mitchell, Stuart
Hello,

We are having issues with the web interface on our free-ipa servers. When we 
try and login to the GUI it reports that the session has timed out. We have 
checked the date and time is synced with NTP. We have restarted the IPA 
services and same issues occur. We have 4 Free-IPA servers all configured as 
masters, all 4 show the same web gui login issues.  3 of the servers replicate 
the database from the primary Free-IPA server which connects to the AD domain 
using winsync. We cannot upgrade to a newer version of Free-IPA and looking at 
previous mailing list entries version 4 has the same issues crop up. I have 
followed the steps that were suggested for version 4 and nothing is resolving 
the login issues to the WebGUI. We can administer the users and hosts from the 
command line without issues.

We also are seeing issues on one of the IPA servers that will not sync with the 
primary master server. When we try to force a sync we get an error "Update 
Failed! Status : [ -1 . LDAP server is not contactable", when we expect to 
see "Update Successful". 
This appears after multiple  "Update in progress"  messages are shown   ( the 
command we are using is "ipa-replica-manage re-initialize -from " ). When we have the services running on the failing server it stops 
users being able to login into clients that authenticate from  that failing 
Free-IPA server. Once we stop the IPA services on the failing server the issues 
clear up.
If we use the "ipa user-status " command we can see failed login 
attempts on the server we cannot re-initialize.

These servers have been running for at least 6 months without any issues, so 
network ports between them are all open.


Regards

Stuart

