> -----Original Message----- > From: Petr Vobornik [mailto:[email protected]] > Sent: 19 April 2016 15:26 > To: Mitchell, Stuart <[email protected]>; [email protected] > Subject: Re: [Freeipa-users] Web Interface issues on Free-IPA 3.0.0-47/ LDAP > Sync issues > > On 04/19/2016 03:35 PM, Mitchell, Stuart wrote: > > Hello, > > > > We are having issues with the web interface on our free-ipa servers. When > we try and login to the GUI is reports that the session has timed out. We > have checked the date and time is synced with NTP. We have restarted the > IPA services and same issues occur. We have 4 Free-IPA servers all > configured as masters, all 4 show the same web gui login issues. 3 of the > servers replicate the database from the primary Free-IPA server which > connects to the AD domain using winsync. We cannot upgrade to a newer > version of Free-IPA and looking at previous mailing list entries version 4 has > the same issues crop up. I have followed the steps that were suggested for > version 4 and nothing is resolving the login issues to the WebGUI. We can > administer the users and hosts from the command line without issues. > > > > We also are seeing issues on one of the IPA servers that will not sync with > the primary master server. When we try to force a sync we get an error > "Update Failed! Status : [ -1 . LDAP server is not contactable", when we see > expect to see "Update Successful". > > This appears after multiple "Update in progress" messages are shown ( > the command we are using is "ipa-replica-manage re-initialize -from <primary > master>" ). When we have the services running on the failing server it stops > users being able to login into clients that authenticate from that failing > Free- > IPA server. Once we stop the IPA services on the failing server the issues > clear up. > > If we use the "ipa user-status <username>" command we can see failed > login attempts on the server we cannot re-initialize. > > > > These servers have been running for at least 6 months without any issues, > so network ports between them are all open. > > > > > > Regards > > > > Stuart > > > > "session has timed out." usually means that there is an issue with > authentications. In recent(fedora, upstream) IPA versions the message was > improved so that it distinguishes reasons better. > > I would try to login to ipa with a new "private"/"incognito" window of a > browser to try to login without any existing cookies. > > If login attempt succeeds then it might indicate a bug which was fixed > upstream recently. > > If it doesn't help, then enable debug level on a server > https://www.freeipa.org/page/Troubleshooting#Administration_Framewor > k > and examine/send sanitized snippet of /var/log/httpd/error_log which is > relevant to the authentication attempt. > -- > Petr Vobornik
Thanks Petr, Going incognito has resolved the session errors with logging into the webgui. Regards Stuart -- Manage your subscription for the Freeipa-users mailing list: https://www.redhat.com/mailman/listinfo/freeipa-users Go to http://freeipa.org for more info on the project
