Re: [Freeipa-users] Web login problems
On 7/10/15 21:57, Simo Sorce wrote:
> On 07/10/15 13:36, Pat Gunn wrote:
>> Hi, I'm trying to build a cluster of 3 IPA (staging at this point, but eventually later I'll make a prod version) systems (that will reside in AWS) that will manage select systems in our infrastructure (mostly but not entirely in AWS). The systems will be fronted (like most of our infrastructure) with a load-balancer that manages pooling and SSL termination; we'd like freeipa-staging.corp.$ORGNAME.com to be the access point, and the LB will then route that to a specific one of the three servers based on pool settings.
>
> Please read this before you proceed with your LB plan:
> http://ssimo.org/blog/id_019.html
>
> HTH,
> Simo.

Hi, I spoke imprecisely. In our hoped-for design, our LB will front access to the web interface for FreeIPA (to manage accounts when needed), but the systems that will use FreeIPA for auth will be contacting the servers directly (we care much more about the LDAP functionality and the GUI than anything else, FWIW).

I think I at least identified the initial problem we're having: when the auth is first posted, it succeeds, and the server sends a Set-Cookie for ipa_session that unfortunately includes "Domain=" equivalent to the hostname. This seems unaffected by the Tomcat convention for specifying a proxy as well as setting the host in Apache. I could tell our LB to rewrite that cookie as it comes out of the pool, but I'm hoping to figure out how to get FreeIPA's WebUI to not set the Domain for that cookie or to set it to a specified value, and to do that for only the WebUI.

I'm hoping our desired use case and existing infrastructure style isn't incompatible with what FreeIPA is designed for. Any thoughts on that or advice on getting that cookie sent as we like?

-- 
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project
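The cookie behaviour Pat describes, worked through as an added example (this is not code from the thread or from FreeIPA): it applies the RFC 6265 storage and matching rules to a Set-Cookie header of the shape he reports (Domain= set to the backend hostname) and shows what the LB-side rewrite he mentions would change. Both hostnames, the Path=/ipa attribute and the Secure/HttpOnly flags are constructed assumptions; the session id is the one from the debug log in the original post.

```python
"""Why the backend's ipa_session cookie never comes back through the LB.

Added example, not code from the thread or from FreeIPA.  CONSTRUCTED/ASSUMED:
both hostnames, Path=/ipa, Secure and HttpOnly; the session id is the one
from the debug log in the original post.
"""
import ipaddress
from http.cookies import SimpleCookie

BACKEND_HOST = "freeipa-staging-1.vpc3.internalname.cc"  # assumed pool member
PUBLIC_HOST = "freeipa-staging.corp.orgname.com"          # assumed LB front name

# Constructed: what one pool member sends after a successful password login.
BACKEND_SET_COOKIE = (
    "ipa_session=738fef28e7a985fe8f01e0fc2a1c8e7d; "
    f"Domain={BACKEND_HOST}; Path=/ipa; Secure; HttpOnly"
)


def _parse(set_cookie):
    """Return the single Morsel from a Set-Cookie value."""
    jar = SimpleCookie()
    jar.load(set_cookie)
    return next(iter(jar.values()))


def _is_ip(host):
    try:
        ipaddress.ip_address(host)
    except ValueError:
        return False
    return True


def domain_matches(request_host, cookie_domain):
    """RFC 6265 s5.1.3: equal, or host is a subdomain of cookie_domain (and not an IP)."""
    host = request_host.lower().rstrip(".")
    dom = cookie_domain.lower().strip(".")
    return host == dom or (host.endswith("." + dom) and not _is_ip(host))


def path_matches(request_path, cookie_path):
    """RFC 6265 s5.1.4 path-match."""
    if request_path == cookie_path:
        return True
    if not request_path.startswith(cookie_path):
        return False
    return cookie_path.endswith("/") or request_path[len(cookie_path)] == "/"


def browser_stores(set_cookie, response_host):
    """RFC 6265 s5.3 step 6: returns (stored, effective_domain, host_only).

    A Domain attribute that the responding host does not domain-match makes the
    browser discard the whole cookie: it is never stored, let alone sent back.
    """
    domain = _parse(set_cookie)["domain"]
    if domain:
        if not domain_matches(response_host, domain):
            return False, None, None
        return True, domain.lower().strip("."), False
    return True, response_host.lower(), True


def browser_sends(set_cookie, response_host, request_host, request_path="/ipa/session/json"):
    """Would a browser that got set_cookie from response_host attach it to request_host?"""
    stored, domain, host_only = browser_stores(set_cookie, response_host)
    if not stored:
        return False
    if not path_matches(request_path, _parse(set_cookie)["path"] or "/"):
        return False
    if host_only:
        return request_host.lower() == domain
    return domain_matches(request_host, domain)


def lb_rewrite(set_cookie, public_host=""):
    """The rewrite the LB could apply to Set-Cookie on the way out.

    public_host="" strips Domain= (host-only cookie, bound to the name the
    browser actually used); a non-empty value pins Domain= to that name.
    """
    morsel = _parse(set_cookie)
    morsel["domain"] = public_host  # "" makes OutputString() omit the attribute
    return morsel.OutputString()


if __name__ == "__main__":
    print("stored when received via LB name:", browser_stores(BACKEND_SET_COOKIE, PUBLIC_HOST)[0])
    print("sent when talking to the node directly:", browser_sends(BACKEND_SET_COOKIE, BACKEND_HOST, BACKEND_HOST))
    print("after LB rewrite:", lb_rewrite(BACKEND_SET_COOKIE))
    print("sent via LB name after rewrite:", browser_sends(lb_rewrite(BACKEND_SET_COOKIE), PUBLIC_HOST, PUBLIC_HOST))
```

The point the check makes precise: the browser is talking to freeipa-staging.corp.$ORGNAME.com, so a cookie carrying Domain=freeipa-staging-1.vpc3.$INTERNALNAME.cc fails the domain-match at storage time and is discarded outright, which is why the next request arrives with "no session cookie found" in the debug log and the UI reports an expired session. Of the two rewrites, stripping Domain= is the narrower fix: a host-only cookie is returned only to the exact name the browser used, whereas pinning Domain= to the public name also sends the session cookie to every subdomain of it. Either rewrite only addresses the password-login path; the HTTP/ service principal in the log is per host (HTTP/freeipa-staging-1...), so Kerberos/Negotiate login against the LB name is a separate problem that a cookie rewrite does not solve.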
Re: [Freeipa-users] Web login problems
On 07/10/15 13:36, Pat Gunn wrote:
> Hi, I'm trying to build a cluster of 3 IPA (staging at this point, but eventually later I'll make a prod version) systems (that will reside in AWS) that will manage select systems in our infrastructure (mostly but not entirely in AWS). The systems will be fronted (like most of our infrastructure) with a load-balancer that manages pooling and SSL termination; we'd like freeipa-staging.corp.$ORGNAME.com to be the access point, and the LB will then route that to a specific one of the three servers based on pool settings.

Please read this before you proceed with your LB plan:
http://ssimo.org/blog/id_019.html

HTH,
Simo.

> The systems are running CentOS 7 and have the RPM-bundled version of FreeIPA (4.1.0). Our three IPA servers are named freeipa-staging-[123].vpc3.$INTERNALNAME.cc; the servers that will be managed by this will have a variety of names and locations (and $INTERNALNAME differs from $ORGNAME, but both are valid DNS names).
>
> After running ipa-server-install on the first box (no integrated DNS enabled, realm name is IPA-STAGING.$ORGNAME.ORG), I modified the ipa-rewrite.conf to trim it down to this:
>
>     RewriteEngine on
>     RewriteRule ^/$ /ipa/ui [L,NC,R=301]
>     RewriteRule ^/ipa/ui/js/freeipa/plugins.js$ /ipa/wsgi/plugins.py [PT]
>
> After the stack starts, I can kinit and run commands. Everything looks good. The WebUI isn't working for me though: when I enter admin and the password, I get "Your session has expired. Please re-login". By contrast, when I give the wrong password, it tells me it's wrong.
[Freeipa-users] Web login problems
Hi, I'm trying to build a cluster of 3 IPA (staging at this point, but eventually later I'll make a prod version) systems (that will reside in AWS) that will manage select systems in our infrastructure (mostly but not entirely in AWS). The systems will be fronted (like most of our infrastructure) with a load-balancer that manages pooling and SSL termination; we'd like freeipa-staging.corp.$ORGNAME.com to be the access point, and the LB will then route that to a specific one of the three servers based on pool settings.

The systems are running CentOS 7 and have the RPM-bundled version of FreeIPA (4.1.0). Our three IPA servers are named freeipa-staging-[123].vpc3.$INTERNALNAME.cc; the servers that will be managed by this will have a variety of names and locations (and $INTERNALNAME differs from $ORGNAME, but both are valid DNS names).

After running ipa-server-install on the first box (no integrated DNS enabled, realm name is IPA-STAGING.$ORGNAME.ORG), I modified the ipa-rewrite.conf to trim it down to this:

    RewriteEngine on
    RewriteRule ^/$ /ipa/ui [L,NC,R=301]
    RewriteRule ^/ipa/ui/js/freeipa/plugins.js$ /ipa/wsgi/plugins.py [PT]

After the stack starts, I can kinit and run commands. Everything looks good. The WebUI isn't working for me though: when I enter admin and the password, I get "Your session has expired. Please re-login". By contrast, when I give the wrong password, it tells me it's wrong.
After enabling debugging in ipa.conf, this is what I get from the httpd error log:

    [Wed Oct 07 17:29:50.370982 2015] [:error] [pid 3000] ipa: DEBUG: WSGI wsgi_dispatch.__call__:
    [Wed Oct 07 17:29:50.371088 2015] [:error] [pid 3000] ipa: DEBUG: WSGI login_password.__call__:
    [Wed Oct 07 17:29:50.371438 2015] [:error] [pid 3000] ipa: DEBUG: Obtaining armor ccache: principal=HTTP/freeipa-staging-1.vpc3.internalname...@ipa-staging.orgname.org keytab=/etc/httpd/conf/ipa.keytab ccache=/var/run/ipa_memcached/krbcc_A_admin
    [Wed Oct 07 17:29:50.371534 2015] [:error] [pid 3000] ipa: DEBUG: Starting external process
    [Wed Oct 07 17:29:50.371596 2015] [:error] [pid 3000] ipa: DEBUG: args='/usr/bin/kinit' '-kt' '/etc/httpd/conf/ipa.keytab' 'HTTP/freeipa-staging-1.vpc3.internalname...@ipa-staging.orgname.org'
    [Wed Oct 07 17:29:50.415134 2015] [:error] [pid 3000] ipa: DEBUG: Process finished, return code=0
    [Wed Oct 07 17:29:50.415223 2015] [:error] [pid 3000] ipa: DEBUG: stdout=
    [Wed Oct 07 17:29:50.415276 2015] [:error] [pid 3000] ipa: DEBUG: stderr=
    [Wed Oct 07 17:29:50.415395 2015] [:error] [pid 3000] ipa: DEBUG: Starting external process
    [Wed Oct 07 17:29:50.415458 2015] [:error] [pid 3000] ipa: DEBUG: args='/usr/bin/kinit' 'ad...@ipa-staging.orgname.org' '-T' '/var/run/ipa_memcached/krbcc_A_admin'
    [Wed Oct 07 17:29:50.486981 2015] [:error] [pid 3000] ipa: DEBUG: Process finished, return code=0
    [Wed Oct 07 17:29:50.487072 2015] [:error] [pid 3000] ipa: DEBUG: stdout=Password for ad...@ipa-staging.orgname.org:
    [Wed Oct 07 17:29:50.487079 2015] [:error] [pid 3000]
    [Wed Oct 07 17:29:50.487129 2015] [:error] [pid 3000] ipa: DEBUG: stderr=
    [Wed Oct 07 17:29:50.487228 2015] [:error] [pid 3000] ipa: DEBUG: kinit: principal=ad...@ipa-staging.orgname.org returncode=0, stderr=""
    [Wed Oct 07 17:29:50.487281 2015] [:error] [pid 3000] ipa: DEBUG: Cleanup the armor ccache
    [Wed Oct 07 17:29:50.487356 2015] [:error] [pid 3000] ipa: DEBUG: Starting external process
    [Wed Oct 07 17:29:50.487406 2015] [:error] [pid 3000] ipa: DEBUG: args='/usr/bin/kdestroy' '-A' '-c' '/var/run/ipa_memcached/krbcc_A_admin'
    [Wed Oct 07 17:29:50.500419 2015] [:error] [pid 3000] ipa: DEBUG: Process finished, return code=0
    [Wed Oct 07 17:29:50.500496 2015] [:error] [pid 3000] ipa: DEBUG: stdout=
    [Wed Oct 07 17:29:50.500547 2015] [:error] [pid 3000] ipa: DEBUG: stderr=
    [Wed Oct 07 17:29:50.501180 2015] [:error] [pid 3000] ipa: DEBUG: no session cookie found
    [Wed Oct 07 17:29:50.501501 2015] [:error] [pid 3000] ipa: DEBUG: no session id in request, generating empty session data with id=738fef28e7a985fe8f01e0fc2a1c8e7d
    [Wed Oct 07 17:29:50.501607 2015] [:error] [pid 3000] ipa: DEBUG: store session: session_id=738fef28e7a985fe8f01e0fc2a1c8e7d start_timestamp=2015-10-07T17:29:50 access_timestamp=2015-10-07T17:29:50 expiration_timestamp=1970-01-01T00:00:00
    [Wed Oct 07 17:29:50.501908 2015] [:error] [pid 3000] ipa: DEBUG: finalize_kerberos_acquisition: login_password ccache_name="FILE:/var/run/ipa_memcached/krbcc_3000" session_id="738fef28e7a985fe8f01e0fc2a1c8e7d"
    [Wed Oct 07 17:29:50.501978 2015] [:error] [pid 3000] ipa: DEBUG: reading ccache data from file "/var/run/ipa_memcached/krbcc_3000"
    [Wed Oct 07 17:29:50.502358 2015] [:error] [pid 3000] ipa: DEBUG: get_credential_times: principal=krbtgt/ipa-staging.orgname@ipa-staging.orgname.org, authtime=10/07/15 17:29:50, starttime=10/07/15 17:29:50, endtime=10/08/15 17:29:50, renew_till=01/01/70 00:00:00
    [Wed Oct 07 17:29:50.502436 2015] [:error] [pid 3000] ipa: DEBUG: KRB5_CCache FILE:/var/run/ipa_memcached/krbcc_30