Hi Martin,
Good points
Web UI
Cannot authenticate to Web UI
Make sure that the user can authenticate in CLI, e.g. with kinit $USER
--> yes the user can ssh to FreeIPA hosts, and can call kinit without
error.
Make sure that httpd, dirsrv and ipa_memcached services on the affected
FreeIPA server are running. --> httpd, slapd and memcached all running
(proved by pgrep -l)
Make sure there are no related SELinux AVCs -- SELinux is disabled
Make sure that cookies are enabled on the client browser --> enabled
Make sure that the time on the FreeIPA server is up to date and there is
no (significant) clock skew (freeipa-users thread) --> no clock skew
Search for any related errors in /var/log/httpd/error_log --> no errors
today
Chris
From: Martin Kosek <mko...@redhat.com>
To: Christopher Lamb/Switzerland/IBM@IBMCH,
freeipa-users@redhat.com
Cc: Alexander Bokovoy <aboko...@redhat.com>
Date: 02.02.2016 09:53
Subject: Re: [Freeipa-users] Fw: [Centos7.2 Freeipa 4.2] browser : your
session has expired
On 02/02/2016 09:49 AM, Christopher Lamb wrote:
>
>
> Sorry, Notes is playing up, and sent the last before I could type any
text!
>
> The POST /ipa/session/login_password is successful.
>
> but the POST /ipa/session/json and GET /ipa/session/login_kerberos both
> give 401 unathorized
>
> Chris
Just to make sure we have covered all possible pit holes we have already
gathered on our Troubleshooting page, did check all the advise in this list
http://www.freeipa.org/page/Troubleshooting#Cannot_authenticate_to_Web_UI
?
--
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project
