Hello all,
I'm wondering if anyone could help shed light on why IPA CLI commands
fail for a trusted AD user, and why Web UI logins for the same user
fail with the message "Your session has expired. Please re-login.",
despite creating a view for the user via `ipa idoverrideuser-add
'Default Trust View' ad_user@ad_domain.com`. The symptoms appear
almost identical to the post [0], except that the CLI and Web UI were
never working previously.
I am able to login via SSH (on a host with an HBAC configured), and
able to `kinit` and obtain the appropriate tickets across the realms.
I've configured the system accordingly, per the URL:
https://www.freeipa.org/page/Active_Directory_trust_setup.
I am running FreeIPA version 4.6.4 with a successful AD Trust (one
way) using the range type "ipa-ad-trust-posix", with both nodes completely
re-provisioned (for the purposes of a fresh installation). SELinux is disabled,
and the configuration IPA-wise is untouched, with the exception of
enabling debugging and editing krb5.conf per the URL:
https://www.freeipa.org/page/Active_Directory_trust_setup#Edit_.2Fetc.2Fk...
I've attached Apache logs referencing the Web UI and from the console.
From what I have found online, it should be possible to allow an AD
user to login to Web UI and ipa CLI commands should function, too.
All IPA services are running and have been restarted, just in case
something was "stuck". The interesting entries within the logs:
(Failed to unseal session data!, GSSapiImpersonate not On) seem to be
red herrings.
Thanks for any assistance!
John DeSantis
[0] https://lists.fedorahosted.org/archives/list/freeipa-users@lists.fedoraho...
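The checks below are an added diagnostic for the situation described in the post; they are not code from the post, from the linked thread, or from the FreeIPA project. The script separates the two things that have to hold for an AD-trust user to use the Web UI or the ipa CLI: the user's ID override must exist in the trust view, and the user's credential cache must contain a cross-realm TGT for the IPA realm plus a service ticket for the IPA server's HTTP principal, which is what both the Web UI login and the ipa CLI obtain over GSSAPI. The realm, server name, view and user names (IPA.EXAMPLE.COM, ipa.example.com, ad_user@ad_domain.com) are assumptions for illustration, and the klist output used to exercise `check_tickets` is constructed, not captured from a real system.

```shell
#!/bin/sh
# Added example: diagnose an AD-trust user that can kinit/ssh but cannot use
# the Web UI or the ipa CLI. Not from the original post or from FreeIPA.
# All names below are assumptions; override them in the environment.
set -u
IPA_REALM="${IPA_REALM:-IPA.EXAMPLE.COM}"          # assumed IPA realm
IPA_SERVER="${IPA_SERVER:-ipa.example.com}"        # assumed IPA server FQDN
AD_USER="${AD_USER:-ad_user@ad_domain.com}"        # override name, as in the post
AD_PRINC="${AD_PRINC:-ad_user@AD_DOMAIN.COM}"      # Kerberos principal (realm upper-case)
VIEW="${VIEW:-Default Trust View}"

# check_tickets REALM SERVER < klist-output
# The Web UI (login_kerberos) and the ipa CLI both need a service ticket for
# HTTP/<server>@<IPA realm>. An AD user can only get one after the AD KDC has
# issued the cross-realm TGT krbtgt/<IPA realm>@<AD realm>. Report which of the
# two is missing; return 0 only when both are in the cache.
check_tickets() {
    realm="$1"
    server="$2"
    cache=$(cat)
    rc=0
    if printf '%s\n' "$cache" | grep -qF "krbtgt/$realm@"; then
        echo "ok: cross-realm TGT for $realm present"
    else
        echo "missing: cross-realm TGT krbtgt/$realm@<AD realm>"
        rc=1
    fi
    if printf '%s\n' "$cache" | grep -qF "HTTP/$server@$realm"; then
        echo "ok: HTTP/$server service ticket present"
    else
        echo "missing: HTTP/$server@$realm service ticket"
        rc=1
    fi
    return "$rc"
}

# Live checks: only run on an enrolled host with ipa, kinit, kvno, klist and
# curl installed, and an admin ticket for the first command.
run_live() {
    # 1. The override created in the post must be visible in the trust view.
    ipa idoverrideuser-show "$VIEW" "$AD_USER" || return 1
    # 2. Authenticate as the AD user and explicitly request the HTTP service
    #    ticket; kvno fails here if the cross-realm referral does not work.
    kinit "$AD_PRINC" || return 1
    kvno "HTTP/$IPA_SERVER@$IPA_REALM" || return 1
    klist | check_tickets "$IPA_REALM" "$IPA_SERVER" || return 1
    # 3. Hit the same Kerberos login endpoint the Web UI uses, outside the
    #    browser. A non-200 status means the server rejects the AD user itself,
    #    which rules out a browser-side session problem.
    curl -s -o /dev/null -w 'login_kerberos HTTP status: %{http_code}\n' \
        -H "referer: https://$IPA_SERVER/ipa" -c /tmp/ipa.cookie \
        --negotiate -u : -X POST "https://$IPA_SERVER/ipa/session/login_kerberos"
}

# Set RUN_LIVE=1 to execute the live checks; otherwise only the helper is defined.
if [ "${RUN_LIVE:-0}" = 1 ]; then
    run_live
fi
```

Run it as `RUN_LIVE=1 IPA_REALM=... IPA_SERVER=... AD_PRINC=... sh diag.sh` on the IPA client. If step 2 stops at `kvno`, the problem is in the cross-realm Kerberos path (krb5.conf capaths/realm mapping or the trust itself) rather than in the Web UI; if the tickets are all present and step 3 still returns a non-200 status, the server-side lookup of the override or the HTTP principal's keytab is where to look next.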