On Sun, 09 May 2021, Harry G. Coin via FreeIPA-users wrote:
> On f34, freeipa-server 4.9.3-2: Upon choosing any action using a logged-in UI that has been left idle for some hours, browsers lock a display 'internal server error' (at least on firefox) instead of a log-in page, or the desired page. No actions on the server side will clear it. The only work-around is to delete the browser cookies and cached data, and after navigating to the UI the login page appears normally.

It looks like the cache entry for user authentication which is stored encrypted on the server side cannot be decrypted anymore. This might happen when you have rebooted a server between authenticating the user and its session's expiration.

There are two keys here:

 - mod_auth_gssapi uses ipasession.key (in /etc/httpd/alias in Fedora) for encrypting the cookie session

 - GSS-Proxy uses its own service keytab or an in-memory key to encrypt Kerberos credentials in a ccache generated and stored on the server which corresponds to the content stored in the cookie session

If you'd restart GSS-Proxy or reboot the system, the ccache generated and stored on the server side by GSS-Proxy would not be possible to decrypt in case an ephemeral in-memory key was used.

Can you enable IPA server-side debugging in case this happens to see if we can handle an error from mod_auth_gssapi better?

--
/ Alexander Bokovoy
Sr. Principal Software Engineer
Security / Identity Management Engineering
Red Hat Limited, Finland
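
Added example, not part of the original message and not FreeIPA, mod_auth_gssapi or GSS-Proxy code: a simplified Python model of the two-key arrangement described in the reply above, showing why a session cookie can stay valid across a restart while the server-side credential cache it points to becomes unreadable. The `Server` class, its methods, and the choice to answer a stale session with 401 are assumptions for illustration; an HMAC tag stands in for the real authenticated encryption.

```python
import hashlib
import hmac
import os

class SealError(Exception):
    """Token was not produced under the key used to open it."""

def seal(key, data):
    # Stand-in for authenticated encryption: 32-byte HMAC tag + payload.
    return hmac.new(key, data, hashlib.sha256).digest() + data

def unseal(key, token):
    tag, data = token[:32], token[32:]
    expected = hmac.new(key, data, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise SealError("key mismatch")
    return data

class Server:
    """Hypothetical model: session_key plays the role of ipasession.key,
    cred_key the key protecting the server-side ccache."""
    def __init__(self, session_key, cred_key=None, ccaches=None):
        self.session_key = session_key           # persisted on disk
        self.persistent = cred_key is not None
        # No cred_key given models an ephemeral in-memory key.
        self.cred_key = cred_key or os.urandom(32)
        self.ccaches = ccaches if ccaches is not None else {}

    def login(self, user):
        sid = os.urandom(8).hex()
        self.ccaches[sid] = seal(self.cred_key, user.encode())
        return seal(self.session_key, sid.encode())   # the session cookie

    def restarted(self):
        # Stored ccaches and the session key survive a restart;
        # an in-memory credential key is regenerated.
        key = self.cred_key if self.persistent else None
        return Server(self.session_key, key, self.ccaches)

    def request(self, cookie):
        try:
            sid = unseal(self.session_key, cookie).decode()
            user = unseal(self.cred_key, self.ccaches[sid]).decode()
        except (SealError, KeyError):
            # Assumed handling: treat the session as stale and ask for
            # a fresh login rather than surfacing a server error.
            return 401, None
        return 200, user
```

In this model the cookie itself always opens after a restart, because the session key is persistent; only the second layer fails when the credential key was ephemeral.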