#9624 A missing ccache prevents Kerberos SSO
Closed: fixed 5 months ago by frenaud. Opened 6 months ago by rcritten.

Issue

As seen in https://lists.fedoraproject.org/archives/list/freeipa-users@lists.fedorahosted.org/thread/R5YP7TIBCLQ3OOF3BFQPOPRYUGVZW4JL/

If you have a valid Kerberos SSO session to the UI and remove the ccaches, then subsequent Kerberos logins will fail and the user will be dumped to the username/password screen.

Steps to Reproduce

  1. kinit as a user
  2. launch a browser and go to /ipa/ui
  3. in another window as root: rm -rf /run/ipa/ccaches/*
  4. F5 in the browser

Actual behavior

It'll dump you to the login screen

Expected behavior

User should get a new session.

Additional info:

A workaround is to remove the IPA server cookies in the browser. Then SSO will work again.

The fix will be to invalidate any ipa_session token. The question is do we always do this or only in certain cases when calling need_login()?
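
A simplified model of the behaviour discussed above, added here as an illustration; it is not code from this ticket or from FreeIPA. The function names, the 401/Negotiate response, the `/ipa` cookie path and the idea that the session token doubles as the ccache file name are assumptions made for the example; only the `ipa_session` cookie name and the ccache directory come from the ticket.

```python
import os
import tempfile
from http.cookies import SimpleCookie

COOKIE = "ipa_session"  # cookie name taken from the ticket


def expire_cookie(name):
    """Build a Set-Cookie value that makes the browser drop `name`."""
    c = SimpleCookie()
    c[name] = ""
    c[name]["path"] = "/ipa"  # assumed cookie path
    c[name]["max-age"] = 0
    c[name]["secure"] = True
    c[name]["httponly"] = True
    return c[name].OutputString()


def check_session(cookie_header, ccache_dir, force_logout=True):
    """Return (status, headers) for a request carrying `cookie_header`.

    Assumption: the session token is also the ccache file name.
    """
    jar = SimpleCookie(cookie_header or "")
    token = jar[COOKIE].value if COOKIE in jar else None
    if token is None:
        # No session yet: the browser is free to negotiate Kerberos SSO.
        return 401, [("WWW-Authenticate", "Negotiate")]
    # basename() keeps a crafted token from pointing outside ccache_dir.
    ccache = os.path.join(ccache_dir, os.path.basename(token))
    if os.path.isfile(ccache):
        return 200, []
    # Token present but its ccache is gone: a login is needed.
    headers = [("WWW-Authenticate", "Negotiate")]
    if force_logout:
        # Invalidate the stale token so it is not replayed on the next request.
        headers.append(("Set-Cookie", expire_cookie(COOKIE)))
    return 401, headers


def demo():
    with tempfile.TemporaryDirectory() as d:  # stands in for /run/ipa/ccaches
        open(os.path.join(d, "tok123"), "w").close()  # constructed sample token
        ok = check_session("ipa_session=tok123", d)
        os.remove(os.path.join(d, "tok123"))  # step 3 of the reproducer
        stale = check_session("ipa_session=tok123", d, force_logout=False)
        fixed = check_session("ipa_session=tok123", d)
    return ok, stale, fixed
```

With `force_logout=False` the response leaves the stale cookie in place, which matches the manual workaround of clearing the IPA cookies in the browser; with the default, the server expires it itself.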


Metadata Update from @rcritten:
- Issue assigned to rcritten

6 months ago

master:

  • 6493757 Force a logout in KerberosSession if a login is needed

ipa-4-12:

  • ffba696 Force a logout in KerberosSession if a login is needed

Metadata Update from @frenaud:
- Issue close_status updated to: fixed
- Issue status updated to: Closed (was: Open)

5 months ago

Metadata Update from @frenaud:
- Custom field on_review adjusted to https://github.com/freeipa/freeipa/pull/7434

5 months ago
