Ticket was cloned from Red Hat Bugzilla (product Red Hat Enterprise Linux 7): Bug 1186182
Description of problem: When a kerberos ticket with remaining lifetime of 5 minutes or less, freeIPA webUI authentication is unsuccessfull while no error message is printed. Version-Release number of selected component (if applicable): ipa-admintools-4.1.0-15.el7.x86_64 ipa-client-4.1.0-15.el7.x86_64 ipa-python-4.1.0-15.el7.x86_64 ipa-server-4.1.0-15.el7.x86_64 How reproducible: always Steps to Reproduce: 1. create a ticket with remaining lifetime of 5 minutes or less: kinit -l 5m admin 2. check the ticket is valid: klist 3. open freeIPA UI 4. click Login Actual results: An "Authenticating" sign flashes, then nothing happens (user is still on logging screen). No error message appears. Expected results: User should be automatically logged in freeIPA or an error message should be shown. Additional info: No kerberos ticket minimum lifetime found in ipa, logging with 5minute ticket should work. Kerberos log: Jan 27 10:10:45 localhost krb5kdc[1021](info): TGS_REQ (6 etypes {18 17 16 23 25 26}) 10.34.47.37: ISSUE: authtime 1422349845, etypes {rep=18 tkt=18 ses=18}, host/vm-037.idm.lab.eng.brq.redhat.com@IDM.LAB.ENG.BRQ.REDHAT.COM for ldap/vm-037.idm.lab.eng.brq.redhat.com@IDM.LAB.ENG.BRQ.REDHAT.COM Jan 27 10:10:45 localhost krb5kdc[1021](info): closing down fd 13
It works with 6 minutes.
For 5 minutes, login_kerberos call is successful and therefore UI consider the user as logged in -> no error or warning. The issue is with session expiration. Session expires right away and therefore all subsequent calls ends with 401 Unauthorized errors. Since the user is still on login page, it looks like that nothing happened.
login_kerberos
the 5mins threshold comes from ipaserver/rpcserver.py:574 where session expiration is set
# Account for clock skew and/or give us some time leeway krb_expiration = krb_endtime - krb_ticket_expiration_threshold
Metadata Update from @pvoborni: - Issue assigned to someone - Issue set to the milestone: FreeIPA 4.5 backlog
Thank you taking time to submit this request for FreeIPA. Unfortunately this bug was not given priority and the team lacks the capacity to work on it at this time.
Given that we are unable to fulfil this request I am closing the issue as wontfix. To request re-consideration of this decision please reopen this issue and provide additional technical details about its importance to you.
Metadata Update from @rcritten: - Issue close_status updated to: wontfix - Issue status updated to: Closed (was: Open)
Login to comment on this ticket.