Bug 1351142 - CLI is not using session cookies for communication with IPA API
Summary: CLI is not using session cookies for communication with IPA API
Alias: None
Product: Red Hat Enterprise Linux 7
Classification: Red Hat
Component: ipa
Version: 7.3
Hardware: Unspecified
OS: Unspecified
Target Milestone: rc
: ---
Assignee: IPA Maintainers
QA Contact: Kaleem
Depends On:
TreeView+ depends on / blocked
Reported: 2016-06-29 10:50 UTC by Petr Vobornik
Modified: 2016-11-04 05:55 UTC (History)
6 users (show)

Fixed In Version: ipa-4.4.0-4.el7
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Last Closed: 2016-11-04 05:55:47 UTC
Target Upstream Version:

Attachments (Terms of Use)

System ID Private Priority Status Summary Last Updated
Red Hat Product Errata RHBA-2016:2404 0 normal SHIPPED_LIVE ipa bug fix and enhancement update 2016-11-03 13:56:18 UTC

Description Petr Vobornik 2016-06-29 10:50:39 UTC
This bug is created as a clone of upstream ticket:

Every time I run IPA CLI in debug mode it displays `ipa: DEBUG: failed to find session_cookie in persistent storage for principal 'admin@DOM-058-082.ABC.IDM.LAB.ENG.BRQ.REDHAT.COM`.

It does not depend on how many times I run a ipa command during one session.

I'm going to attach logs.

Comment 1 Kaleem 2016-07-21 08:21:32 UTC
Please provide steps to verify this.

Comment 4 Petr Spacek 2016-08-08 11:25:27 UTC
(In reply to Petr Vobornik from comment #0)
> Every time I run IPA CLI in debug mode it displays `ipa: DEBUG: failed to
> find session_cookie in persistent storage for principal

Kaleem, just run ipa command with -vvv option and check that the message is not present anymore.

Comment 5 Xiyang Dong 2016-09-18 13:07:48 UTC
Verified on ipa-server-4.4.0-9.el7:

[root@auto-hv-01-guest02 ~]# ipa -vvv user-find admin 
ipa: INFO: trying https://auto-hv-01-guest02.testrelm.test/ipa/json
ipa: INFO: Forwarding 'user_find/1' to json server 'https://auto-hv-01-guest02.testrelm.test/ipa/json'
ipa: INFO: Request: {
    "id": 0, 
    "method": "user_find/1", 
    "params": [
            "version": "2.212"
send: u'POST /ipa/json HTTP/1.1\r\nHost: auto-hv-01-guest02.testrelm.test\r\nAccept-Encoding: gzip\r\nAccept-Language: en-us\r\nReferer: https://auto-hv-01-guest02.testrelm.test/ipa/xml\r\nAuthorization: negotiate YIICbgYJKoZIhvcSAQICAQBuggJdMIICWaADAgEFoQMCAQ6iBwMFACAAAACjggFuYYIBajCCAWagAwIBBaEPGw1URVNUUkVMTS5URVNUojMwMaADAgEDoSowKBsESFRUUBsgYXV0by1odi0wMS1ndWVzdDAyLnRlc3RyZWxtLnRlc3SjggEXMIIBE6ADAgESoQMCAQKiggEFBIIBAV8aLLfjz/gJb2hj6Rvd10gxSDT7DgMqHbYv/k3pmDJF4w9X6s1knWwb6rYSf0LNGQJf3FkfvmkyMbqOQlbqSDcbsTJDGTEV9aioNE0lopQ+LZ0Fj0F5siRPkoN8167AavNP0b90pCC8eUd3dWfO7zZ44X9Xb4Sgyvog0kbVX/Rj4w+9hBappGUjwQWtDrki2mYgw96yvxYL/9lBmffwuOeclKkSRSaK6e9ExlATMUtXm3tGxZvwPpuDGP0n1tVPIbgJed8nhzTDPb5/Qe7iydD/su8d1hrhKGD40UKE/GWTOS5XRDxdG2lXVYwmr1AwTiID/q2/cjYvQ0wgWWJ3JMP6pIHRMIHOoAMCARKigcYEgcOEJHbidW4xHOMnkFDOSV7mWMEW1mfahCo8ZZ1Q/W8w7aXpH5PNiyLinHwXBLzcxwFnOVr39vCEViGmgsU9n5h1TmoUwyAR/5+7Us6hbAzVhWR4UwVf+PfId2ttnn43hsGGRrpiPLKJcSUdJk1R7SbPiHwVZKD7+a6uaplfYwPiPfVuuSk1IaeYHptGtP90HyvgHPwgO+1/WZYDNZHJlX1YLJLGyElr8Nfl8ovrVuYNbvZCc4bOXO2wWQmTqqla8Phcz2M=\r\nUser-Agent: xmlrpclib.py/1.0.1 (by www.pythonware.com)\r\nContent-Type: application/json\r\nContent-Length: 79\r\n\r\n{"params": [["admin"], {"version": "2.212"}], "method": "user_find/1", "id": 0}'
reply: 'HTTP/1.1 200 Success\r\n'
header: Date: Sun, 18 Sep 2016 13:05:03 GMT
header: Server: Apache/2.4.6 (Red Hat Enterprise Linux) mod_auth_gssapi/1.4.0 mod_nss/1.0.14 NSS/3.21 Basic ECC mod_wsgi/3.4 Python/2.7.5
header: Set-Cookie: ipa_session=c5bb38fe6dcd3d5538b90e30c8f970ff; Domain=auto-hv-01-guest02.testrelm.test; Path=/ipa; Expires=Sun, 18 Sep 2016 13:25:03 GMT; Secure; HttpOnly
header: WWW-Authenticate: Negotiate YIGZBgkqhkiG9xIBAgICAG+BiTCBhqADAgEFoQMCAQ+iejB4oAMCARKicQRvI16cbGmMuC0sQOhZ96LSMxXmJMEb04/SQrMPMraDzSAD+JhBnSyCO2knCECAWssWbASkU9R5+nmp/2cyRxIPtRr7HfORWJ2h0HiH6iegIyaEieGnN6nn06VcLy7EcLnNK7gD0RgT1fRv3YroLVRB
header: X-Frame-Options: DENY
header: Content-Security-Policy: frame-ancestors 'none'
header: Vary: Accept-Encoding
header: Content-Encoding: gzip
header: Content-Length: 329
header: Content-Type: application/json; charset=utf-8
body: '{\n    "error": null, \n    "id": 0, \n    "principal": "tuser2@TESTRELM.TEST", \n    "result": {\n        "count": 1, \n        "result": [\n            {\n                "dn": "uid=admin,cn=users,cn=accounts,dc=testrelm,dc=test", \n                "gidnumber": [\n                    "1224200000"\n                ], \n                "homedirectory": [\n                    "/home/admin"\n                ], \n                "krbprincipalname": [\n                    "admin@TESTRELM.TEST"\n                ], \n                "loginshell": [\n                    "/bin/bash"\n                ], \n                "nsaccountlock": false, \n                "sn": [\n                    "Administrator"\n                ], \n                "uid": [\n                    "admin"\n                ], \n                "uidnumber": [\n                    "1224200000"\n                ]\n            }\n        ], \n        "summary": "1 user matched", \n        "truncated": false\n    }, \n    "version": "4.4.0"\n}'
ipa: INFO: Response: {
    "error": null, 
    "id": 0, 
    "principal": "tuser2@TESTRELM.TEST", 
    "result": {
        "count": 1, 
        "result": [
                "dn": "uid=admin,cn=users,cn=accounts,dc=testrelm,dc=test", 
                "gidnumber": [
                "homedirectory": [
                "krbprincipalname": [
                "loginshell": [
                "nsaccountlock": false, 
                "sn": [
                "uid": [
                "uidnumber": [
        "summary": "1 user matched", 
        "truncated": false
    "version": "4.4.0"
1 user matched
  User login: admin
  Last name: Administrator
  Home directory: /home/admin
  Login shell: /bin/bash
  Principal alias: admin@TESTRELM.TEST
  UID: 1224200000
  GID: 1224200000
  Account disabled: False
Number of entries returned 1

Comment 7 errata-xmlrpc 2016-11-04 05:55:47 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.


Note You need to log in before you can comment on or make changes to this bug.