Re: [Freeipa-users] sessions failing when using different hostname

2016-06-08 Thread Anthony Clark
I think I introduced a red herring by accident, I'm deeply embarrassed to
say.

Our new FreeIPA instance lives in ns01.dev.example.net.  The alternative
hostname is password.example.net

I think that the different domain there was causing some of the problems.
I removed mention of the different domain by accident as part of a search
and replace to remove the company name.

However, by following Jan's directions I've been able to get this to work
using an Apache proxy that rewrites the cookie and referer hostnames.

On Wed, Jun 8, 2016 at 3:29 AM, Martin Kosek  wrote:

> On 06/01/2016 07:48 PM, Anthony Clark wrote:
> > Hello All,
> >
> > I've been asked to allow access to our FreeIPA web UI from a more user
> > friendly url than I'm currently using.  So I've set up a CNAME
> > password.example.com for ns01.example.com <http://ns01.example.com>
> >
> > At the moment, if I go to the real hostname of the FreeIPA server
> > (ns01.example.com), everything works.
> >
> > If I go to the new "friendly" url (password.example.com) then upon login
> > I get a "your session has expired please re-login" message.
> >
> > Setting debug to true in /etc/ipa/server.conf shows me that the server
> > keeps using new session IDs.  (Host and user names changed to protect the
> > innocent)
> >
> > - /var/log/httpd/error_log -
> > [Wed Jun 01 17:11:06.237363 2016] [:error] [pid 31491] ipa: DEBUG: WSGI wsgi_dispatch.__call__:
> > [Wed Jun 01 17:11:06.237533 2016] [:error] [pid 31491] ipa: DEBUG: WSGI jsonserver_session.__call__:
> > [Wed Jun 01 17:11:06.237944 2016] [:error] [pid 31491] ipa: DEBUG: no session cookie found
> > [Wed Jun 01 17:11:06.239009 2016] [:error] [pid 31491] ipa: DEBUG: no session id in request, generating empty session data with id=d5bc1c4cab8d3bfaee63b84805147995
> > [Wed Jun 01 17:11:06.239466 2016] [:error] [pid 31491] ipa: DEBUG: store session: session_id=d5bc1c4cab8d3bfaee63b84805147995 start_timestamp=2016-06-01T17:11:06 access_timestamp=2016-06-01T17:11:06 expiration_timestamp=1970-01-01T00:00:00
> > [Wed Jun 01 17:11:06.241052 2016] [:error] [pid 31491] ipa: DEBUG: jsonserver_session.__call__: session_id=d5bc1c4cab8d3bfaee63b84805147995 start_timestamp=2016-06-01T17:11:06 access_timestamp=2016-06-01T17:11:06 expiration_timestamp=1970-01-01T00:00:00
> > [Wed Jun 01 17:11:06.241186 2016] [:error] [pid 31491] ipa: DEBUG: no ccache, need login
> > [Wed Jun 01 17:11:06.241294 2016] [:error] [pid 31491] ipa: DEBUG: jsonserver_session: 401 Unauthorized need login
> > [Wed Jun 01 17:11:24.956791 2016] [:error] [pid 31492] ipa: DEBUG: WSGI wsgi_dispatch.__call__:
> > [Wed Jun 01 17:11:24.956992 2016] [:error] [pid 31492] ipa: DEBUG: WSGI login_password.__call__:
> > [Wed Jun 01 17:11:24.957381 2016] [:error] [pid 31492] ipa: DEBUG: Obtaining armor ccache: principal=HTTP/ns01.example@example.com keytab=/etc/httpd/conf/ipa.keytab ccache=/var/run/ipa_memcached/krbcc_A_aclark
> > [Wed Jun 01 17:11:24.957519 2016] [:error] [pid 31492] ipa: DEBUG: Initializing principal HTTP/ns01.example@example.com using keytab /etc/httpd/conf/ipa.keytab
> > [Wed Jun 01 17:11:24.957633 2016] [:error] [pid 31492] ipa: DEBUG: using ccache /var/run/ipa_memcached/krbcc_A_aclark
> > [Wed Jun 01 17:11:24.998328 2016] [:error] [pid 31492] ipa: DEBUG: Attempt 1/1: success
> > [Wed Jun 01 17:11:24.998531 2016] [:error] [pid 31492] ipa: DEBUG: Initializing principal acl...@example.com using password
> > [Wed Jun 01 17:11:24.998684 2016] [:error] [pid 31492] ipa: DEBUG: Using armor ccache /var/run/ipa_memcached/krbcc_A_aclark for FAST webauth
> > [Wed Jun 01 17:11:24.998865 2016] [:error] [pid 31492] ipa: DEBUG: Starting external process
> > [Wed Jun 01 17:11:24.998984 2016] [:error] [pid 31492] ipa: DEBUG: args='/usr/bin/kinit' 'acl...@example.com' '-c' 'FILE:/var/run/ipa_memcached/krbcc_31492' '-T' '/var/run/ipa_memcached/krbcc_A_aclark'
> > [Wed Jun 01 17:11:26.079200 2016] [:error] [pid 31492] ipa: DEBUG: Process finished, return code=0
> > [Wed Jun 01 17:11:26.079384 2016] [:error] [pid 31492] ipa: DEBUG: stdout=Password for acl...@example.com :
> > [Wed Jun 01 17:11:26.079399 2016] [:error] [pid 31492]
> > [Wed Jun 01 17:11:26.079483 2016] [:error] [pid 31492] ipa: DEBUG: stderr=
> > [Wed Jun 01 17:11:26.079680 2016] [:error] [pid 31492] ipa: DEBUG: Cleanup the armor ccache
> > [Wed Jun 01 17:11:26.079871 2016] [:error] [pid 31492] ipa: DEBUG: Starting external process
> > [Wed Jun 01 17:11:26.079983 2016] [:error] [pid 31492] ipa: DEBUG: args='/usr/bin/kdestroy' '-A' '-c'
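The proxy Anthony describes, rewriting the cookie and Referer hostnames, as an added example configuration for Apache httpd (it is neither the thread's own configuration nor the one in Jan's article). It assumes a separate proxy host that terminates TLS for password.example.net and forwards to ns01.dev.example.net; the certificate paths are placeholders.

```apache
# Added example, not configuration from this thread: httpd reverse proxy that
# serves the friendly name password.example.net in front of the real FreeIPA
# server ns01.dev.example.net. Requires mod_ssl, mod_proxy, mod_proxy_http
# and mod_headers. All certificate and key paths below are placeholders.
<VirtualHost *:443>
    ServerName password.example.net

    SSLEngine on
    SSLCertificateFile    /etc/pki/tls/certs/password.example.net.crt
    SSLCertificateKeyFile /etc/pki/tls/private/password.example.net.key

    # Speak TLS to the backend and verify its certificate against the IPA CA;
    # an identity server should never be proxied over plaintext.
    SSLProxyEngine on
    SSLProxyVerify require
    SSLProxyCACertificateFile /etc/pki/tls/certs/ipa-ca.crt

    # Leave ProxyPreserveHost off (the default) so the backend sees its own
    # name in the Host header, the name its Referer check is written against.
    ProxyPreserveHost Off
    ProxyRequests Off

    # FreeIPA's JSON-RPC endpoint rejects requests whose Referer does not name
    # the IPA server itself, so translate the browser's Referer on the way in.
    RequestHeader edit Referer ^https://password\.example\.net/ https://ns01.dev.example.net/

    ProxyPass        / https://ns01.dev.example.net/
    # Rewrite Location and Content-Location headers on the way back ...
    ProxyPassReverse / https://ns01.dev.example.net/
    # ... and the Domain attribute of Set-Cookie, so the browser returns the
    # IPA session cookie to password.example.net instead of discarding it.
    # A cookie scoped to the backend's name is the likely source of the
    # repeated "no session cookie found" lines in the log quoted above.
    ProxyPassReverseCookieDomain ns01.dev.example.net password.example.net
</VirtualHost>
```

This covers the password form login that the quoted log shows (login_password); Kerberos single sign-on through the proxy name would additionally require the HTTP service to be known under password.example.net, which this snippet does not set up.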

Re: [Freeipa-users] sessions failing when using different hostname

2016-06-08 Thread Martin Kosek
On 06/08/2016 09:42 AM, Jan Pazdziora wrote:
> On Wed, Jun 08, 2016 at 09:29:09AM +0200, Martin Kosek wrote:
>> On 06/01/2016 07:48 PM, Anthony Clark wrote:
>>>
>>> I'm somewhat at a loss to debug this further.  I was wondering if the
>>> session storage is somehow bound to the original host name.  Is there a
>>> way to check and/or configure this?
>>>
>>> Alternatively is there a guide out there for enabling additional host
>>> names for the web UI in FreeIPA?
>>
>> Good question. I see there was no reply for this thread (note that most of
>> the developers are finishing FreeIPA 4.4 release) yet, CCing Petr to advise.
> 
> Karl F. asked similar question a day later and I've provided description
> for this requirement at
> 
>   https://www.adelton.com/freeipa/freeipa-behind-proxy-with-different-name
> 
> The setup does not work all that well for Anthony as mentioned in the
> other thread but we will debug it from here.

Great, thanks! Added the links to
http://www.freeipa.org/page/HowTos#Web_Infrastructure

Martin

-- 
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project


Re: [Freeipa-users] sessions failing when using different hostname

2016-06-08 Thread Jan Pazdziora
On Wed, Jun 08, 2016 at 09:29:09AM +0200, Martin Kosek wrote:
> On 06/01/2016 07:48 PM, Anthony Clark wrote:
> > 
> > I'm somewhat at a loss to debug this further.  I was wondering if the
> > session storage is somehow bound to the original host name.  Is there a
> > way to check and/or configure this?
> > 
> > Alternatively is there a guide out there for enabling additional host
> > names for the web UI in FreeIPA?
> 
> Good question. I see there was no reply for this thread (note that most of
> the developers are finishing FreeIPA 4.4 release) yet, CCing Petr to advise.

Karl F. asked similar question a day later and I've provided description
for this requirement at

https://www.adelton.com/freeipa/freeipa-behind-proxy-with-different-name

The setup does not work all that well for Anthony as mentioned in the
other thread but we will debug it from here.

-- 
Jan Pazdziora
Senior Principal Software Engineer, Identity Management Engineering, Red Hat



Re: [Freeipa-users] sessions failing when using different hostname

2016-06-08 Thread Martin Kosek
On 06/01/2016 07:48 PM, Anthony Clark wrote:
> Hello All,
> 
> I've been asked to allow access to our FreeIPA web UI from a more user
> friendly url than I'm currently using.  So I've set up a CNAME
> password.example.com for ns01.example.com
> 
> At the moment, if I go to the real hostname of the FreeIPA server
> (ns01.example.com), everything works.
> 
> If I go to the new "friendly" url (password.example.com) then upon login I
> get a "your session has expired please re-login" message.
> 
> Setting debug to true in /etc/ipa/server.conf shows me that the server keeps
> using new session IDs.  (Host and user names changed to protect the innocent)
> 
> - /var/log/httpd/error_log -
> [Wed Jun 01 17:11:06.237363 2016] [:error] [pid 31491] ipa: DEBUG: WSGI wsgi_dispatch.__call__:
> [Wed Jun 01 17:11:06.237533 2016] [:error] [pid 31491] ipa: DEBUG: WSGI jsonserver_session.__call__:
> [Wed Jun 01 17:11:06.237944 2016] [:error] [pid 31491] ipa: DEBUG: no session cookie found
> [Wed Jun 01 17:11:06.239009 2016] [:error] [pid 31491] ipa: DEBUG: no session id in request, generating empty session data with id=d5bc1c4cab8d3bfaee63b84805147995
> [Wed Jun 01 17:11:06.239466 2016] [:error] [pid 31491] ipa: DEBUG: store session: session_id=d5bc1c4cab8d3bfaee63b84805147995 start_timestamp=2016-06-01T17:11:06 access_timestamp=2016-06-01T17:11:06 expiration_timestamp=1970-01-01T00:00:00
> [Wed Jun 01 17:11:06.241052 2016] [:error] [pid 31491] ipa: DEBUG: jsonserver_session.__call__: session_id=d5bc1c4cab8d3bfaee63b84805147995 start_timestamp=2016-06-01T17:11:06 access_timestamp=2016-06-01T17:11:06 expiration_timestamp=1970-01-01T00:00:00
> [Wed Jun 01 17:11:06.241186 2016] [:error] [pid 31491] ipa: DEBUG: no ccache, need login
> [Wed Jun 01 17:11:06.241294 2016] [:error] [pid 31491] ipa: DEBUG: jsonserver_session: 401 Unauthorized need login
> [Wed Jun 01 17:11:24.956791 2016] [:error] [pid 31492] ipa: DEBUG: WSGI wsgi_dispatch.__call__:
> [Wed Jun 01 17:11:24.956992 2016] [:error] [pid 31492] ipa: DEBUG: WSGI login_password.__call__:
> [Wed Jun 01 17:11:24.957381 2016] [:error] [pid 31492] ipa: DEBUG: Obtaining armor ccache: principal=HTTP/ns01.example@example.com keytab=/etc/httpd/conf/ipa.keytab ccache=/var/run/ipa_memcached/krbcc_A_aclark
> [Wed Jun 01 17:11:24.957519 2016] [:error] [pid 31492] ipa: DEBUG: Initializing principal HTTP/ns01.example@example.com using keytab /etc/httpd/conf/ipa.keytab
> [Wed Jun 01 17:11:24.957633 2016] [:error] [pid 31492] ipa: DEBUG: using ccache /var/run/ipa_memcached/krbcc_A_aclark
> [Wed Jun 01 17:11:24.998328 2016] [:error] [pid 31492] ipa: DEBUG: Attempt 1/1: success
> [Wed Jun 01 17:11:24.998531 2016] [:error] [pid 31492] ipa: DEBUG: Initializing principal acl...@example.com using password
> [Wed Jun 01 17:11:24.998684 2016] [:error] [pid 31492] ipa: DEBUG: Using armor ccache /var/run/ipa_memcached/krbcc_A_aclark for FAST webauth
> [Wed Jun 01 17:11:24.998865 2016] [:error] [pid 31492] ipa: DEBUG: Starting external process
> [Wed Jun 01 17:11:24.998984 2016] [:error] [pid 31492] ipa: DEBUG: args='/usr/bin/kinit' 'acl...@example.com' '-c' 'FILE:/var/run/ipa_memcached/krbcc_31492' '-T' '/var/run/ipa_memcached/krbcc_A_aclark'
> [Wed Jun 01 17:11:26.079200 2016] [:error] [pid 31492] ipa: DEBUG: Process finished, return code=0
> [Wed Jun 01 17:11:26.079384 2016] [:error] [pid 31492] ipa: DEBUG: stdout=Password for acl...@example.com :
> [Wed Jun 01 17:11:26.079399 2016] [:error] [pid 31492]
> [Wed Jun 01 17:11:26.079483 2016] [:error] [pid 31492] ipa: DEBUG: stderr=
> [Wed Jun 01 17:11:26.079680 2016] [:error] [pid 31492] ipa: DEBUG: Cleanup the armor ccache
> [Wed Jun 01 17:11:26.079871 2016] [:error] [pid 31492] ipa: DEBUG: Starting external process
> [Wed Jun 01 17:11:26.079983 2016] [:error] [pid 31492] ipa: DEBUG: args='/usr/bin/kdestroy' '-A' '-c' '/var/run/ipa_memcached/krbcc_A_aclark'
> [Wed Jun 01 17:11:26.093954 2016] [:error] [pid 31492] ipa: DEBUG: Process finished, return code=0
> [Wed Jun 01 17:11:26.094113 2016] [:error] [pid 31492] ipa: DEBUG: stdout=
> [Wed Jun 01 17:11:26.094210 2016] [:error] [pid 31492] ipa: DEBUG: stderr=
> [Wed Jun 01 17:11:26.094809 2016] [:error] [pid 31492] ipa: DEBUG: no session cookie found
> [Wed Jun 01 17:11:26.095877 2016] [:error] [pid 31492] ipa: DEBUG: no session id in request, generating empty session data with id=7ab08ba17d30883cff480af9e923cf82
> [Wed Jun 01 17:11:26.096132 2016] [:error] [pid 31492] ipa: DEBUG: store session: session_id=7ab08ba17d30883cff480af9e923cf82 
>