Re: [Freeipa-users] [Centos7.2 Freeipa 4.2] browser : your session has expired

2016-02-02 Thread Alexander Bokovoy 

On Tue, 02 Feb 2016, Christopher Lamb wrote:


Hi Petr

I get exactly the same behaviour ever so often. We are running IPA server
4.2.0 15.0.1.el7_2.3, (though we got the same problem with earlier releases
too).

In my case the laptop running Firefox / FreeIPA WebUI, and the OEL Server
running the IPA server have time within seconds / milliseconds of one
another. The server uses NTPD (and has full missile lock on the NTP pool
servers), and the laptop uses whatever OSX uses to keep time accurate.

As I only need to use the FreeIPA WebUI rarely (every few months or so) the
exact behaviour is difficult to pin down. It seems to work like this:

a) I will sometimes have access without the "your session has expired"
error. Typically this is when I have not used FreeIPA for a long time
(months).

b) then some days later, when I revisit the WebUI, the "your session has
expired" error will crop up.

c) as I have access to several workstations, each with several browsers
installed (IE, FF, Chrome, Safari etc.), I may get luck and find one that
does not give the error (while the others do).

Just like the OP, the workstations are not FreeIPA hosts (or servers), and
we use login /pw for the WebUI.

Can you hit ctrl+shift+I in Firefox (open development console), select
'Network' tab there, hit reload, and explore the requests/responses
there when the error is manifested. Unfortunately, there is no way to
copy out the whole traffic but you can at least make screenshots.

This approach allows you to see what's happening inside the
communication without need to decode SSL traffic in Wireshark.
--
/ Alexander Bokovoy

--
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project

Re: [Freeipa-users] [Centos7.2 Freeipa 4.2] browser : your session has expired

2016-02-02 Thread Christopher Lamb 







From:   Alexander Bokovoy <aboko...@redhat.com>
To: Christopher Lamb/Switzerland/IBM@IBMCH
Cc: Petr Vobornik <pvobo...@redhat.com>, freeipa-users@redhat.com,
wodel youchi <wodel.you...@gmail.com>
Date:   02.02.2016 09:32
Subject:    Re: [Freeipa-users] [Centos7.2 Freeipa 4.2] browser : your
        session has expired



On Tue, 02 Feb 2016, Christopher Lamb wrote:
>
>Hi Petr
>
>I get exactly the same behaviour ever so often. We are running IPA server
>4.2.0 15.0.1.el7_2.3, (though we got the same problem with earlier
releases
>too).
>
>In my case the laptop running Firefox / FreeIPA WebUI, and the OEL Server
>running the IPA server have time within seconds / milliseconds of one
>another. The server uses NTPD (and has full missile lock on the NTP pool
>servers), and the laptop uses whatever OSX uses to keep time accurate.
>
>As I only need to use the FreeIPA WebUI rarely (every few months or so)
the
>exact behaviour is difficult to pin down. It seems to work like this:
>
>a) I will sometimes have access without the "your session has expired"
>error. Typically this is when I have not used FreeIPA for a long time
>(months).
>
>b) then some days later, when I revisit the WebUI, the "your session has
>expired" error will crop up.
>
>c) as I have access to several workstations, each with several browsers
>installed (IE, FF, Chrome, Safari etc.), I may get luck and find one that
>does not give the error (while the others do).
>
>Just like the OP, the workstations are not FreeIPA hosts (or servers), and
>we use login /pw for the WebUI.
Can you hit ctrl+shift+I in Firefox (open development console), select
'Network' tab there, hit reload, and explore the requests/responses
there when the error is manifested. Unfortunately, there is no way to
copy out the whole traffic but you can at least make screenshots.

This approach allows you to see what's happening inside the
communication without need to decode SSL traffic in Wireshark.
--
/ Alexander Bokovoy



-- 
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project

Re: [Freeipa-users] [Centos7.2 Freeipa 4.2] browser : your session has expired

2016-02-02 Thread Petr Vobornik 
The 401 after successful 200 is an issue with session which to browser 
looks as expired session.


Please examine cookie headers of both the 'login_password' and the 
subsequent 'json' request (as written in the other mail).


On 02/02/2016 09:40 AM, Christopher Lamb wrote:


From:   Alexander Bokovoy <aboko...@redhat.com>
To: Christopher Lamb/Switzerland/IBM@IBMCH
Cc: Petr Vobornik <pvobo...@redhat.com>, freeipa-users@redhat.com,
 wodel youchi <wodel.you...@gmail.com>
Date:   02.02.2016 09:32
Subject:    Re: [Freeipa-users] [Centos7.2 Freeipa 4.2] browser : your
         session has expired



On Tue, 02 Feb 2016, Christopher Lamb wrote:


Hi Petr

I get exactly the same behaviour ever so often. We are running IPA server
4.2.0 15.0.1.el7_2.3, (though we got the same problem with earlier

releases

too).

In my case the laptop running Firefox / FreeIPA WebUI, and the OEL Server
running the IPA server have time within seconds / milliseconds of one
another. The server uses NTPD (and has full missile lock on the NTP pool
servers), and the laptop uses whatever OSX uses to keep time accurate.

As I only need to use the FreeIPA WebUI rarely (every few months or so)

the

exact behaviour is difficult to pin down. It seems to work like this:

a) I will sometimes have access without the "your session has expired"
error. Typically this is when I have not used FreeIPA for a long time
(months).

b) then some days later, when I revisit the WebUI, the "your session has
expired" error will crop up.

c) as I have access to several workstations, each with several browsers
installed (IE, FF, Chrome, Safari etc.), I may get luck and find one that
does not give the error (while the others do).

Just like the OP, the workstations are not FreeIPA hosts (or servers), and
we use login /pw for the WebUI.

Can you hit ctrl+shift+I in Firefox (open development console), select
'Network' tab there, hit reload, and explore the requests/responses
there when the error is manifested. Unfortunately, there is no way to
copy out the whole traffic but you can at least make screenshots.

This approach allows you to see what's happening inside the
communication without need to decode SSL traffic in Wireshark.
--
/ Alexander Bokovoy


--
Petr Vobornik

--
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project

Re: [Freeipa-users] [Centos7.2 Freeipa 4.2] browser : your session has expired

2016-02-02 Thread Christopher Lamb 

Hi Petr

I get exactly the same behaviour ever so often. We are running IPA server
4.2.0 15.0.1.el7_2.3, (though we got the same problem with earlier releases
too).

In my case the laptop running Firefox / FreeIPA WebUI, and the OEL Server
running the IPA server have time within seconds / milliseconds of one
another. The server uses NTPD (and has full missile lock on the NTP pool
servers), and the laptop uses whatever OSX uses to keep time accurate.

As I only need to use the FreeIPA WebUI rarely (every few months or so) the
exact behaviour is difficult to pin down. It seems to work like this:

a) I will sometimes have access without the "your session has expired"
error. Typically this is when I have not used FreeIPA for a long time
(months).

b) then some days later, when I revisit the WebUI, the "your session has
expired" error will crop up.

c) as I have access to several workstations, each with several browsers
installed (IE, FF, Chrome, Safari etc.), I may get luck and find one that
does not give the error (while the others do).

Just like the OP, the workstations are not FreeIPA hosts (or servers), and
we use login /pw for the WebUI.

Chris



From:   Petr Vobornik <pvobo...@redhat.com>
To: wodel youchi <wodel.you...@gmail.com>, Alexander Bokovoy
<aboko...@redhat.com>
Cc: freeipa-users@redhat.com
Date:   02.02.2016 08:48
Subject:    Re: [Freeipa-users] [Centos7.2 Freeipa 4.2] browser : your
session has expired
Sent by:freeipa-users-boun...@redhat.com



On 01/31/2016 09:49 AM, wodel youchi wrote:
> Hi,
>
> I miss explained myself apparently, here it is:
>
> I open a session with login/password, I do some work, I left it for a
> while, the session disconnects which is normal.
> I come back, I try to authenticate with login/password it keeps telling
me
> : your session has expired.
>
> Regards.

Is there a time difference between a machine with browser and an IPA
server?

>
> 2016-01-30 17:54 GMT+01:00 Alexander Bokovoy <aboko...@redhat.com>:
>
>>
>>
>> - Original Message -
>>> Hi,
>>>
>>> When accessing the webui of Freeipa from the browser using login
>> password, I
>>> get your session has expired.
>>>
>>>
>>> As a workaround I have to either :
>>> - Delete the https certificate of the ipa server from the browser and
>> delete
>>> history then relogin again.
>>> - Restart ipa services : ipactl restart
>> - delete cookies in the browser corresponding to IPA server.
>>
>>> PS: The machine I am using to connect to the webui of freeipa is not
>> enrolled
>>> in it, I am using login/pass to connect not kerberos.
>> Web UI session is set to 30 minutes or so.
>>
>> --
>> / Alexander Bokovoy
>>
>
>
>


--
Petr Vobornik

--
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project



-- 
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project

Re: [Freeipa-users] [Centos7.2 Freeipa 4.2] browser : your session has expired

2016-02-02 Thread Petr Vobornik 

On 02/02/2016 09:14 AM, Christopher Lamb wrote:


Hi Petr

I get exactly the same behaviour ever so often. We are running IPA server
4.2.0 15.0.1.el7_2.3, (though we got the same problem with earlier releases
too).

In my case the laptop running Firefox / FreeIPA WebUI, and the OEL Server
running the IPA server have time within seconds / milliseconds of one
another. The server uses NTPD (and has full missile lock on the NTP pool
servers), and the laptop uses whatever OSX uses to keep time accurate.

As I only need to use the FreeIPA WebUI rarely (every few months or so) the
exact behaviour is difficult to pin down. It seems to work like this:

a) I will sometimes have access without the "your session has expired"
error. Typically this is when I have not used FreeIPA for a long time
(months).

b) then some days later, when I revisit the WebUI, the "your session has
expired" error will crop up.

c) as I have access to several workstations, each with several browsers
installed (IE, FF, Chrome, Safari etc.), I may get luck and find one that
does not give the error (while the others do).

Just like the OP, the workstations are not FreeIPA hosts (or servers), and
we use login /pw for the WebUI.


It does not matter if the workastation is FreeIPA host when login /pw is 
used.


When it happens, could you examine Set-Cookie response header of 
login_password request and its response in browser developer tools.


It would be good to find out if the response is successful(200) and what 
is the cookie expiration date. If it's not successful, then what is in 
response and in X-IPA-Rejection-Reason response header.


https://pvoborni.fedorapeople.org/images/ff-dev-tools-xhr.png



Chris



From:   Petr Vobornik <pvobo...@redhat.com>
To: wodel youchi <wodel.you...@gmail.com>, Alexander Bokovoy
 <aboko...@redhat.com>
Cc: freeipa-users@redhat.com
Date:   02.02.2016 08:48
Subject:    Re: [Freeipa-users] [Centos7.2 Freeipa 4.2] browser : your
 session has expired
Sent by:freeipa-users-boun...@redhat.com



On 01/31/2016 09:49 AM, wodel youchi wrote:

Hi,

I miss explained myself apparently, here it is:

I open a session with login/password, I do some work, I left it for a
while, the session disconnects which is normal.
I come back, I try to authenticate with login/password it keeps telling

me

: your session has expired.

Regards.


Is there a time difference between a machine with browser and an IPA
server?



2016-01-30 17:54 GMT+01:00 Alexander Bokovoy <aboko...@redhat.com>:




- Original Message -

Hi,

When accessing the webui of Freeipa from the browser using login

password, I

get your session has expired.


As a workaround I have to either :
- Delete the https certificate of the ipa server from the browser and

delete

history then relogin again.
- Restart ipa services : ipactl restart

- delete cookies in the browser corresponding to IPA server.


PS: The machine I am using to connect to the webui of freeipa is not

enrolled

in it, I am using login/pass to connect not kerberos.

Web UI session is set to 30 minutes or so.

--
/ Alexander Bokovoy








--
Petr Vobornik

--
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project




--
Petr Vobornik

--
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project

Re: [Freeipa-users] [Centos7.2 Freeipa 4.2] browser : your session has expired

2016-02-01 Thread Petr Vobornik 

On 01/31/2016 09:49 AM, wodel youchi wrote:

Hi,

I miss explained myself apparently, here it is:

I open a session with login/password, I do some work, I left it for a
while, the session disconnects which is normal.
I come back, I try to authenticate with login/password it keeps telling me
: your session has expired.

Regards.


Is there a time difference between a machine with browser and an IPA server?



2016-01-30 17:54 GMT+01:00 Alexander Bokovoy :




- Original Message -

Hi,

When accessing the webui of Freeipa from the browser using login

password, I

get your session has expired.


As a workaround I have to either :
- Delete the https certificate of the ipa server from the browser and

delete

history then relogin again.
- Restart ipa services : ipactl restart

- delete cookies in the browser corresponding to IPA server.


PS: The machine I am using to connect to the webui of freeipa is not

enrolled

in it, I am using login/pass to connect not kerberos.

Web UI session is set to 30 minutes or so.

--
/ Alexander Bokovoy








--
Petr Vobornik

--
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project

Re: [Freeipa-users] [Centos7.2 Freeipa 4.2] browser : your session has expired

2016-01-31 Thread wodel youchi 
Hi,

I miss explained myself apparently, here it is:

I open a session with login/password, I do some work, I left it for a
while, the session disconnects which is normal.
I come back, I try to authenticate with login/password it keeps telling me
: your session has expired.

Regards.

2016-01-30 17:54 GMT+01:00 Alexander Bokovoy :

>
>
> - Original Message -
> > Hi,
> >
> > When accessing the webui of Freeipa from the browser using login
> password, I
> > get your session has expired.
> >
> >
> > As a workaround I have to either :
> > - Delete the https certificate of the ipa server from the browser and
> delete
> > history then relogin again.
> > - Restart ipa services : ipactl restart
> - delete cookies in the browser corresponding to IPA server.
>
> > PS: The machine I am using to connect to the webui of freeipa is not
> enrolled
> > in it, I am using login/pass to connect not kerberos.
> Web UI session is set to 30 minutes or so.
>
> --
> / Alexander Bokovoy
>
-- 
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project

Re: [Freeipa-users] [Centos7.2 Freeipa 4.2] browser : your session has expired

2016-01-30 Thread Alexander Bokovoy 


- Original Message -
> Hi,
> 
> When accessing the webui of Freeipa from the browser using login password, I
> get your session has expired.
> 
> 
> As a workaround I have to either :
> - Delete the https certificate of the ipa server from the browser and delete
> history then relogin again.
> - Restart ipa services : ipactl restart
- delete cookies in the browser corresponding to IPA server.

> PS: The machine I am using to connect to the webui of freeipa is not enrolled
> in it, I am using login/pass to connect not kerberos.
Web UI session is set to 30 minutes or so.

-- 
/ Alexander Bokovoy

-- 
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project