[Freeipa-users] Web login problems

Simo Sorce simo at redhat.com
Thu Oct 8 01:57:23 UTC 2015


On 07/10/15 13:36, Pat Gunn wrote:
> Hi,
> I'm trying to build a cluster of 3 IPA (staging at this point, but
> eventually later I'll make a prod version)
> systems (that will reside in AWS) that will manage select systems in our
> infrastructure (mostly but not entirely in AWS).
> The systems will be fronted (like most of our infrastructure) with a
> load-balancer that manages pooling and SSL termination; we'd like
> freeipa-staging.corp.$ORGNAME.com to be the access point, and the LB will
> then route that to a specific one of the three servers based on pool
> settings.

Please read this before you proceed with your LB plan:
http://ssimo.org/blog/id_019.html

HTH,
Simo.


> The systems are running CentOS7 and have the RPM-bundled version of FreeIPA
> (4.1.0). Our three IPA servers are named
> freeipa-staging-[123].vpc3.$INTERNALNAME.cc - the servers that will be
> managed by this will have a variety of names and locations (and
> $INTERNALNAME differs from $ORGNAME but both are valid DNS names).
>
> After running ipa-server-install on the first box (no integrated DNS
> enabled, realmname is IPA-STAGING.$ORGNAME.ORG), I modified the
> ipa-rewrite.conf to trim it down to this:
> RewriteEngine on
> RewriteRule ^/$ /ipa/ui [L,NC,R=301]
> RewriteRule ^/ipa/ui/js/freeipa/plugins.js$    /ipa/wsgi/plugins.py [PT]
>
>
> After the stack starts, I can kinit and run commands. Everything looks
> good. The WebUI isn't working for me though - when I enter admin and the
> password, I get "Your session has expired. Please re-login". By contrast,
> when I give the wrong password, it tells me it's wrong.
>
> After enabling debugging in ipa.conf, this is what I get from the httpd
> error log:
>
> [Wed Oct 07 17:29:50.370982 2015] [:error] [pid 3000] ipa: DEBUG: WSGI
> wsgi_dispatch.__call__:
> [Wed Oct 07 17:29:50.371088 2015] [:error] [pid 3000] ipa: DEBUG: WSGI
> login_password.__call__:
> [Wed Oct 07 17:29:50.371438 2015] [:error] [pid 3000] ipa: DEBUG: Obtaining
> armor ccache: principal=HTTP/
> freeipa-staging-1.vpc3.INTERNALNAME.cc at IPA-STAGING.ORGNAME.ORG
> keytab=/etc/httpd/conf/ipa.keytab
> ccache=/var/run/ipa_memcached/krbcc_A_admin
> [Wed Oct 07 17:29:50.371534 2015] [:error] [pid 3000] ipa: DEBUG: Starting
> external process
> [Wed Oct 07 17:29:50.371596 2015] [:error] [pid 3000] ipa: DEBUG:
> args='/usr/bin/kinit' '-kt' '/etc/httpd/conf/ipa.keytab' 'HTTP/
> freeipa-staging-1.vpc3.INTERNALNAME.cc at IPA-STAGING.ORGNAME.ORG'
> [Wed Oct 07 17:29:50.415134 2015] [:error] [pid 3000] ipa: DEBUG: Process
> finished, return code=0
> [Wed Oct 07 17:29:50.415223 2015] [:error] [pid 3000] ipa: DEBUG: stdout=
> [Wed Oct 07 17:29:50.415276 2015] [:error] [pid 3000] ipa: DEBUG: stderr=
> [Wed Oct 07 17:29:50.415395 2015] [:error] [pid 3000] ipa: DEBUG: Starting
> external process
> [Wed Oct 07 17:29:50.415458 2015] [:error] [pid 3000] ipa: DEBUG:
> args='/usr/bin/kinit' 'admin at IPA-STAGING.ORGNAME.ORG' '-T'
> '/var/run/ipa_memcached/krbcc_A_admin'
> [Wed Oct 07 17:29:50.486981 2015] [:error] [pid 3000] ipa: DEBUG: Process
> finished, return code=0
> [Wed Oct 07 17:29:50.487072 2015] [:error] [pid 3000] ipa: DEBUG:
> stdout=Password for admin at IPA-STAGING.ORGNAME.ORG:
> [Wed Oct 07 17:29:50.487079 2015] [:error] [pid 3000]
> [Wed Oct 07 17:29:50.487129 2015] [:error] [pid 3000] ipa: DEBUG: stderr=
> [Wed Oct 07 17:29:50.487228 2015] [:error] [pid 3000] ipa: DEBUG: kinit:
> principal=admin at IPA-STAGING.ORGNAME.ORG returncode=0, stderr=""
> [Wed Oct 07 17:29:50.487281 2015] [:error] [pid 3000] ipa: DEBUG: Cleanup
> the armor ccache
> [Wed Oct 07 17:29:50.487356 2015] [:error] [pid 3000] ipa: DEBUG: Starting
> external process
> [Wed Oct 07 17:29:50.487406 2015] [:error] [pid 3000] ipa: DEBUG:
> args='/usr/bin/kdestroy' '-A' '-c' '/var/run/ipa_memcached/krbcc_A_admin'
> [Wed Oct 07 17:29:50.500419 2015] [:error] [pid 3000] ipa: DEBUG: Process
> finished, return code=0
> [Wed Oct 07 17:29:50.500496 2015] [:error] [pid 3000] ipa: DEBUG: stdout=
> [Wed Oct 07 17:29:50.500547 2015] [:error] [pid 3000] ipa: DEBUG: stderr=
> [Wed Oct 07 17:29:50.501180 2015] [:error] [pid 3000] ipa: DEBUG: no
> session cookie found
> [Wed Oct 07 17:29:50.501501 2015] [:error] [pid 3000] ipa: DEBUG: no
> session id in request, generating empty session data with
> id=738fef28e7a985fe8f01e0fc2a1c8e7d
> [Wed Oct 07 17:29:50.501607 2015] [:error] [pid 3000] ipa: DEBUG: store
> session: session_id=738fef28e7a985fe8f01e0fc2a1c8e7d
> start_timestamp=2015-10-07T17:29:50 access_timestamp=2015-10-07T17:29:50
> expiration_timestamp=1970-01-01T00:00:00
> [Wed Oct 07 17:29:50.501908 2015] [:error] [pid 3000] ipa: DEBUG:
> finalize_kerberos_acquisition: login_password
> ccache_name="FILE:/var/run/ipa_memcached/krbcc_3000"
> session_id="738fef28e7a985fe8f01e0fc2a1c8e7d"
> [Wed Oct 07 17:29:50.501978 2015] [:error] [pid 3000] ipa: DEBUG: reading
> ccache data from file "/var/run/ipa_memcached/krbcc_3000"
> [Wed Oct 07 17:29:50.502358 2015] [:error] [pid 3000] ipa: DEBUG:
> get_credential_times: principal=krbtgt/
> IPA-STAGING.ORGNAME.ORG at IPA-STAGING.ORGNAME.ORG, authtime=10/07/15
> 17:29:50, starttime=10/07/15 17:29:50, endtime=10/08/15 17:29:50,
> renew_till=01/01/70 00:00:00
> [Wed Oct 07 17:29:50.502436 2015] [:error] [pid 3000] ipa: DEBUG:
> KRB5_CCache FILE:/var/run/ipa_memcached/krbcc_3000 endtime=1444325390
> (10/08/15 17:29:50)
> [Wed Oct 07 17:29:50.502532 2015] [:error] [pid 3000] ipa: DEBUG:
> set_session_expiration_time: duration_type=inactivity_timeout duration=1200
> max_age=1444325090 expiration=1444240190.5 (2015-10-07T17:49:50)
> [Wed Oct 07 17:29:50.502609 2015] [:error] [pid 3000] ipa: DEBUG: store
> session: session_id=738fef28e7a985fe8f01e0fc2a1c8e7d
> start_timestamp=2015-10-07T17:29:50 access_timestamp=2015-10-07T17:29:50
> expiration_timestamp=2015-10-07T17:49:50
> [Wed Oct 07 17:29:50.502971 2015] [:error] [pid 3000] ipa: DEBUG:
> release_ipa_ccache: KRB5CCNAME environment variable not set
> [Wed Oct 07 17:29:50.612016 2015] [:error] [pid 3001] ipa: DEBUG: WSGI
> wsgi_dispatch.__call__:
> [Wed Oct 07 17:29:50.612125 2015] [:error] [pid 3001] ipa: DEBUG: WSGI
> jsonserver_session.__call__:
> [Wed Oct 07 17:29:50.612684 2015] [:error] [pid 3001] ipa: DEBUG: no
> session cookie found
> [Wed Oct 07 17:29:50.613018 2015] [:error] [pid 3001] ipa: DEBUG: no
> session id in request, generating empty session data with
> id=f723f440100b47e72675fa0e3cd9e87f
> [Wed Oct 07 17:29:50.613118 2015] [:error] [pid 3001] ipa: DEBUG: store
> session: session_id=f723f440100b47e72675fa0e3cd9e87f
> start_timestamp=2015-10-07T17:29:50 access_timestamp=2015-10-07T17:29:50
> expiration_timestamp=1970-01-01T00:00:00
> [Wed Oct 07 17:29:50.613387 2015] [:error] [pid 3001] ipa: DEBUG:
> jsonserver_session.__call__: session_id=f723f440100b47e72675fa0e3cd9e87f
> start_timestamp=2015-10-07T17:29:50 access_timestamp=2015-10-07T17:29:50
> expiration_timestamp=1970-01-01T00:00:00
> [Wed Oct 07 17:29:50.613441 2015] [:error] [pid 3001] ipa: DEBUG: no
> ccache, need login
> [Wed Oct 07 17:29:50.613492 2015] [:error] [pid 3001] ipa: DEBUG:
> jsonserver_session: 401 Unauthorized need login
>
> Any ideas? The webUI will normally need to be used by people on systems
> that are not managed by FreeIPA (this is meant to manage our server
> infrastructure, not our workstations), but as far as I can tell
> username/password auth should work?
>
>
>


-- 
Simo Sorce * Red Hat, Inc * New York
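
In the debug log quoted above, login_password stores a session, and the next request (jsonserver_session, on another httpd worker) arrives with no session cookie and gets a 401. The following is an added example, not part of the original message and not FreeIPA code, that pulls that pattern out of an httpd error log; the function names are hypothetical and the sample entries are condensed from the quoted log.

```python
import re

# Added example (not FreeIPA code). Constructed sample: entries condensed from the
# debug log quoted above, one entry per line, timestamps shortened.
SAMPLE_LOG = """\
[17:29:50.371088] [pid 3000] ipa: DEBUG: WSGI login_password.__call__:
[17:29:50.501180] [pid 3000] ipa: DEBUG: no session cookie found
[17:29:50.501607] [pid 3000] ipa: DEBUG: store session: session_id=738fef28e7a985fe8f01e0fc2a1c8e7d
[17:29:50.612125] [pid 3001] ipa: DEBUG: WSGI jsonserver_session.__call__:
[17:29:50.612684] [pid 3001] ipa: DEBUG: no session cookie found
[17:29:50.613118] [pid 3001] ipa: DEBUG: store session: session_id=f723f440100b47e72675fa0e3cd9e87f
[17:29:50.613492] [pid 3001] ipa: DEBUG: jsonserver_session: 401 Unauthorized need login
"""

ENTRY = re.compile(r"\[pid (\d+)\] ipa: DEBUG: (.*)")
HANDLER = re.compile(r"WSGI (\w+)\.__call__")
SESSION = re.compile(r"session_id=([0-9a-f]{32})")


def requests_from_log(text):
    """Group debug entries into one record per request, tracked per httpd worker pid."""
    requests, current = [], {}
    for line in text.splitlines():
        entry = ENTRY.search(line)
        if not entry:
            continue
        pid, msg = entry.groups()
        handler = HANDLER.search(msg)
        if handler and handler.group(1) != "wsgi_dispatch":
            current[pid] = dict(handler=handler.group(1), cookie=True, session=None, unauthorized=False)
            requests.append(current[pid])
        elif pid in current:
            req = current[pid]
            if "no session cookie found" in msg:
                req["cookie"] = False
            if "401 Unauthorized" in msg:
                req["unauthorized"] = True
            sid = SESSION.search(msg)
            if sid:
                req["session"] = sid.group(1)
    return requests


def dropped_logins(requests):
    """Return (login session, replacement session) for logins whose next request had no cookie."""
    return [(a["session"], b["session"])
            for a, b in zip(requests, requests[1:])
            if a["handler"] == "login_password" and a["session"]
            and b["handler"] == "jsonserver_session" and not b["cookie"] and b["unauthorized"]]
```

It expects one log entry per line, as in the httpd error log itself; the entries in the message above were wrapped by the mail client.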



