Hi All

I may have found a possible cause of our instance of the "Your session has expired" Web UI error on our new FreeIPA 4.1.0 Server.

By chance I checked the date on the server hosting FreeIPA 4.1.0. To my surprise, despite running ntpd it was 2 hours in the future!

Some moons ago we were suffering from clock-skew problems, and had spent a lot of time understanding ntp, and setting up an optimal ntp architecture / config. We were able to completely eliminate clock-skew across all our servers.

Digging into the /etc/ntp.conf file I saw that FreeIPA had replaced our 4 NTPD servers with 4 RedHat NTPD servers.

Therefore I returned the /etc/ntp.conf file to our default, restarted ntpd, and time was correct again.

Subsequent to this (at least at various points today) I have been able to successfully log into the Web UI from Firefox and Safari on OSX, and Firefox on Windows. On both platforms Chrome (not supported) does not work.

I confess I have not had the time to return to the FreeIPA ntp config to see if the 2 hour offset + Web UI session problem can be reproduced, so at the moment this remains a credible, but not proven hypothesis.

However I guess that 2 hour offset probably comes from the 2 hour difference between UTC and European Summertime.

I think it would be great if the changes made by FreeIPA setup to ntp.conf were optional - we care strongly about the content of that file!

Cheers

Chris

----- Forwarded by Christopher Lamb/Switzerland/IBM on 27.04.2015 15:36 -----

From: Christopher Lamb/Switzerland/IBM@IBMCH
To: freeipa-users@redhat.com
Date: 26.04.2015 01:29
Subject: [Freeipa-users] Web ui error “Your session has expired. Please re-login.” from a browser on a remote client.
Sent by: freeipa-users-boun...@redhat.com

Hi All

I too am suffering from the infamous Web ui error “Your session has expired. Please re-login.” from browser(s) on remote client(s), similar to the existing tickets:

https://www.redhat.com/archives/freeipa-users/2015-March/msg00211.html
https://www.redhat.com/archives/freeipa-users/2015-February/msg00315.html
https://www.redhat.com/archives/freeipa-users/2015-April/msg00047.html

We have 2 FreeIPA installations:

An “Old”, soon to be decommissioned v3.0.0, on OEL 6.5
The “new” instance, v4.1.0, on a fresh install of OEL 7.0

The error occurs on both instances.

I get the error from OSX and Windows clients (Firefox, Chrome, Safari, IE etc.)

Very sporadically one of the above browsers will “let me in” - if I cycle through all the browsers on various workstations / laptops on my desk sometimes I get lucky and one will work.

kinit in a ssh session works.

SELinux is disabled.

All IPA Services are running.

I can find no error(s) in /var/log/httpd/error_log

In /var/log/krb5kdc.log I get entries like:

Apr 25 02:17:44 ldap2.xxx-xx.xx.xx.com krb5kdc[1933](info): TGS_REQ (6 etypes {18 17 16 23 25 26}) 9.159.8.200: ISSUE: authtime 1429921064, etypes {rep=18 tkt=18 ses=18}, y...@xxx-xx.xx.xx.com for HTTP/bsc-ldap2.xxx-xx.xx.xxx....@xxx-xx.xx.xxx.com
Apr 25 02:17:44 ldap2.xxx-xx.xx.xxx.com krb5kdc[1933](info): closing down fd 12

If I enter a wrong password, I correctly get “The password or username you entered is incorrect.”, + errors in /var/log/httpd/error_log

None of the browsers have a krb5 ticket installed.

I get the error with both my user, and the default admin user.

From the same browsers I can successfully access the Web UI of the public demo on https://ipa.demo1.freeipa.org/ipa/ui/

--
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project
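
A check for the two conditions the message above describes, rewritten ntp.conf server entries and a clock that is far off, as an added example that is not part of the original post or of FreeIPA. The approved hostnames, the 300-second tolerance (the MIT Kerberos default clockskew) and both sample inputs are assumptions constructed for illustration.

```python
# Added example: ntp.conf drift and clock-offset check (not FreeIPA code).
# Assumptions: hostnames, threshold and sample inputs below are constructed.
EXPECTED_SERVERS = {"ntp1.example.internal", "ntp2.example.internal",
                    "ntp3.example.internal", "ntp4.example.internal"}
MAX_OFFSET_MS = 300_000  # assumption: 5 min, the MIT Kerberos default clockskew

def configured_servers(ntp_conf_text):
    """Hosts named by server/pool/peer directives, comments ignored."""
    hosts = set()
    for line in ntp_conf_text.splitlines():
        fields = line.split("#", 1)[0].split()
        if len(fields) >= 2 and fields[0] in ("server", "pool", "peer"):
            hosts.add(fields[1].lower())
    return hosts

def selected_peer_offset_ms(ntpq_output):
    """Offset in ms of the peer marked '*' in `ntpq -pn` output, else None."""
    for line in ntpq_output.splitlines():
        fields = line.split()
        if line.startswith("*") and len(fields) >= 10:
            return float(fields[8])
    return None

def findings(ntp_conf_text, ntpq_output):
    """Return a list of human-readable problems; empty means the check passed."""
    found = configured_servers(ntp_conf_text)
    out = [f"unexpected time source: {h}" for h in sorted(found - EXPECTED_SERVERS)]
    out += [f"approved time source missing: {h}" for h in sorted(EXPECTED_SERVERS - found)]
    offset = selected_peer_offset_ms(ntpq_output)
    if offset is None:
        out.append("ntpd has no selected peer (clock not synchronised)")
    elif abs(offset) > MAX_OFFSET_MS:
        out.append(f"clock offset {offset / 1000:.0f}s exceeds tolerance")
    return out

# Constructed sample: an ntp.conf whose server lines were rewritten by an installer.
REWRITTEN_CONF = """\
driftfile /var/lib/ntp/drift
# server ntp1.example.internal iburst
server 0.vendor-pool.example iburst
server 1.vendor-pool.example iburst
"""
# Constructed sample of `ntpq -pn` output showing an offset of about 412 s.
NTPQ_SAMPLE = """\
     remote           refid      st t when poll reach   delay   offset  jitter
==============================================================================
*192.0.2.10      .GPS.            1 u   33   64  377    0.512  412345.678   0.038
"""

if __name__ == "__main__":
    print("\n".join(findings(REWRITTEN_CONF, NTPQ_SAMPLE)))
```

Run against the live host by passing the contents of /etc/ntp.conf and the output of `ntpq -pn` to `findings()`, for example after an installer or package update has touched the time configuration.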