On Sun, 09 May 2021, Harry G. Coin via FreeIPA-users wrote:
> On f34, freeipa-server 4.9.3-2: Upon choosing any action using a
> logged-in UI that has been left idle for some hours, browsers lock a
> display 'internal server error' (at least on firefox) instead of a
> log-in page, or the desired page. No actions on the server side will
> clear it. The only work-around is to delete the browser cookies and
> cached data, and after navigating to the UI the login page appears normally.
It looks like the cache entry for user authentication which is stored
encrypted on the server side cannot be decrypted anymore. This might
happen when you have rebooted a server between authenticating the user
and its session's expiration. There are two keys here:
- mod_auth_gssapi uses ipasession.key (in /etc/httpd/alias in Fedora)
for encrypting the cookie session
- GSS-Proxy uses its own service keytab or an in-memory key to encrypt
Kerberos credentials in a ccache generated and stored on the server,
which corresponds to the content stored in the cookie session
If you restart GSS-Proxy or reboot the system, the ccache generated
and stored on the server side by GSS-Proxy could not be decrypted
anymore in case an ephemeral in-memory key was used.
Can you enable IPA server-side debugging in case this happens to see if
we can handle an error from mod_auth_gssapi better?
--
/ Alexander Bokovoy
Sr. Principal Software Engineer
Security / Identity Management Engineering
Red Hat Limited, Finland
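The two-key failure mode described in the reply, as an added illustrative model that is not FreeIPA's, mod_auth_gssapi's or GSS-Proxy's code: a persistent key seals the cookie while an ephemeral key seals the server-side ccache, so a GSS-Proxy restart leaves a valid cookie pointing at credentials that no longer decrypt. The `graceful` path shows the alternative the reply asks about (treat it as a logged-out session rather than a server error). The class and method names, the toy cipher and the session layout are assumptions made for the model.

```python
import hashlib, hmac, secrets

# Toy authenticated encryption (hash-based keystream + HMAC tag), a stand-in
# for the real ciphers; it only needs to fail cleanly under the wrong key.
def _stream(key, nonce, n):
    out, ctr = b"", 0
    while len(out) < n:
        out += hashlib.sha256(key + nonce + ctr.to_bytes(4, "big")).digest()
        ctr += 1
    return out[:n]

def seal(key, data):
    nonce = secrets.token_bytes(16)
    ct = bytes(a ^ b for a, b in zip(data, _stream(key, nonce, len(data))))
    return nonce + ct + hmac.new(key, nonce + ct, hashlib.sha256).digest()

def unseal(key, blob):
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(tag, hmac.new(key, nonce + ct, hashlib.sha256).digest()):
        raise ValueError("cannot decrypt")
    return bytes(a ^ b for a, b in zip(ct, _stream(key, nonce, len(ct))))

class Server:
    """Model of the two key holders named in the reply (hypothetical names)."""
    def __init__(self):
        self.session_key = secrets.token_bytes(32)  # ipasession.key: on disk, survives reboot
        self.proxy_key = secrets.token_bytes(32)    # GSS-Proxy ephemeral in-memory key
        self.ccaches = {}                           # server-side ccaches, keyed by session id

    def login(self, user):
        sid = secrets.token_hex(8)
        self.ccaches[sid] = seal(self.proxy_key, f"krbtgt/{user}".encode())
        return seal(self.session_key, sid.encode())  # the session cookie handed to the browser

    def restart_gssproxy(self):
        self.proxy_key = secrets.token_bytes(32)   # stored ccaches outlive the key that sealed them

    def request(self, cookie, graceful=False):
        """Return an HTTP status for a request carrying `cookie`."""
        try:
            sid = unseal(self.session_key, cookie).decode()
        except ValueError:
            return 401                             # bad or foreign cookie: show the login page
        blob = self.ccaches.get(sid)
        if blob is not None:
            try:
                unseal(self.proxy_key, blob)
                return 200
            except ValueError:
                if not graceful:
                    return 500                     # the reported 'internal server error'
                del self.ccaches[sid]              # treat as expired: drop the stale ccache
        return 401                                 # and fall through to re-login
```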