#4898 Unsuccessful UI authentication when kerberos ticket remaining lifetime is <= 5 minutes
Closed: wontfix 5 years ago Opened 9 years ago by pvoborni.

Ticket was cloned from Red Hat Bugzilla (product Red Hat Enterprise Linux 7): Bug 1186182

Description of problem:
When a kerberos ticket has a remaining lifetime of 5 minutes or less, freeIPA
webUI authentication is unsuccessful while no error message is printed.

Version-Release number of selected component (if applicable):
ipa-admintools-4.1.0-15.el7.x86_64
ipa-client-4.1.0-15.el7.x86_64
ipa-python-4.1.0-15.el7.x86_64
ipa-server-4.1.0-15.el7.x86_64

How reproducible:
always

Steps to Reproduce:
1. create a ticket with remaining lifetime of 5 minutes or less: kinit -l 5m admin
2. check the ticket is valid: klist
3. open freeIPA UI
4. click Login

Actual results:
An "Authenticating" sign flashes, then nothing happens (user is still on
logging screen). No error message appears.

Expected results:
User should be automatically logged in freeIPA or an error message should be
shown.

Additional info:
No kerberos ticket minimum lifetime found in ipa, logging in with a 5-minute ticket
should work.

Kerberos log:
Jan 27 10:10:45 localhost krb5kdc[1021](info): TGS_REQ (6 etypes {18 17 16 23 25 26}) 10.34.47.37: ISSUE: authtime 1422349845, etypes {rep=18 tkt=18 ses=18}, host/vm-037.idm.lab.eng.brq.redhat.com@IDM.LAB.ENG.BRQ.REDHAT.COM for ldap/vm-037.idm.lab.eng.brq.redhat.com@IDM.LAB.ENG.BRQ.REDHAT.COM
Jan 27 10:10:45 localhost krb5kdc[1021](info): closing down fd 13

It works with 6 minutes.

For 5 minutes, the login_kerberos call is successful and therefore the UI considers the user as logged in -> no error or warning. The issue is with session expiration. The session expires right away and therefore all subsequent calls end with 401 Unauthorized errors. Since the user is still on the login page, it looks like nothing happened.

The 5-minute threshold comes from ipaserver/rpcserver.py:574, where session expiration is set:

   # Account for clock skew and/or give us some time leeway
   krb_expiration = krb_endtime - krb_ticket_expiration_threshold
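
A minimal model of the behaviour described in the comment above, added here as an illustration and not taken from FreeIPA: it shows why a 5-minute ticket yields a session that is already expired while a 6-minute ticket works, next to a variant that reports the problem at login. All function names, the exception and the session dictionary are hypothetical; the 300-second threshold is assumed from the 5-minute figure in this ticket.

```python
# Added illustration, not FreeIPA source. All names here are hypothetical.
THRESHOLD = 5 * 60  # seconds; assumed from the 5-minute figure in the ticket


class TicketTooShortError(Exception):
    """Raised by the checked variant when the session would start expired."""


def session_expiration(krb_endtime, threshold=THRESHOLD):
    # Same arithmetic as the quoted line: ticket end time minus the leeway.
    return krb_endtime - threshold


def login_unchecked(now, krb_endtime):
    # Models the reported behaviour: login always "succeeds", even when the
    # computed expiration is not in the future.
    return {"created": now, "expires": session_expiration(krb_endtime)}


def login_checked(now, krb_endtime):
    # Hypothetical alternative: surface an error at login time instead of
    # handing out a session that is already expired.
    expires = session_expiration(krb_endtime)
    if expires <= now:
        raise TicketTooShortError(
            "ticket has %d s left; more than %d s is required"
            % (krb_endtime - now, THRESHOLD))
    return {"created": now, "expires": expires}


def request_status(session, now):
    # Any later API call against an expired session is rejected.
    return 200 if now < session["expires"] else 401


if __name__ == "__main__":
    now = 1_700_000_000  # constructed timestamp
    for minutes in (5, 6):
        s = login_unchecked(now, now + minutes * 60)
        print(minutes, "min ticket -> first call:", request_status(s, now + 1))
        try:
            login_checked(now, now + minutes * 60)
            print("  checked login: ok")
        except TicketTooShortError as exc:
            print("  checked login:", exc)
```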

Metadata Update from @pvoborni:
- Issue assigned to someone
- Issue set to the milestone: FreeIPA 4.5 backlog

7 years ago

Thank you for taking the time to submit this request for FreeIPA. Unfortunately this bug was not given priority and the team lacks the capacity to work on it at this time.

Given that we are unable to fulfil this request I am closing the issue as wontfix. To request re-consideration of this decision please reopen this issue and provide additional technical details about its importance to you.

Metadata Update from @rcritten:
- Issue close_status updated to: wontfix
- Issue status updated to: Closed (was: Open)

5 years ago
