Older clients are also affected by #6718. I noticed the problem when I was testing the vault with FreeIPA 4.4 client and FreeIPA 4.5 server. https://github.com/freeipa/freeipa/pull/532 needs to be backported.
ipa: ERROR: unable to parse cookie header 'ipa_session=MagBearerToken=MiIjMRJWMAl1%2bazkGlIRns2iysA7wxc%2bpSenQtZEMKXSsRAXEcnw2wHEyzOyh8RHgIm5K7YvX1k1tPotRM2ztegX4ODAmOe26%2fP4FLu68AupejDBNmNIENfasrNhUiPowugkkRXBOD%2b%2bsGFFMUZ%2bP7AYPHoW3bE3uN4ftRQwftE11EFTti4a9fVwB4SLKiuU&expiry=1489670819868611;Max-Age=1800;path=/ipa;httponly;secure;': unsupported operand type(s) for +: 'NoneType' and 'datetime.timedelta'
Metadata Update from @stlaz: - Issue assigned to stlaz
ipa-4-4:
ipa-4-3:
Metadata Update from @tkrizek: - Issue close_status updated to: fixed - Issue set to the milestone: FreeIPA 4.4.4 - Issue status updated to: Closed (was: Open)
ipa-4-5:
master:
Metadata Update from @tkrizek: - Issue set to the milestone: FreeIPA 4.5.1 (was: FreeIPA 4.4.4)
Ticket is in wrong milestone, moving to 4.3.3
Metadata Update from @mbasti: - Issue set to the milestone: FreeIPA 4.3.3 (was: FreeIPA 4.5.1)
Metadata Update from @pvoborni: - Custom field rhbz adjusted to https://bugzilla.redhat.com/show_bug.cgi?id=1434845
Issue linked to bug 1434845
I think the only way to handle this in the short term is to remove the sessionmaxage setting. I have also a patch to allow concerned admins to reduce the lifetime of tickets when they use password based login by changing a setting in /etc/ipa/default.conf
Login to comment on this ticket.