Red Hat Bugzilla – Bug 786199
[RFE] CLI session support (Store session cookie in ccache for cli users)
Last modified: 2018-08-06 13:03:33 EDT
This bug is created as a clone of upstream ticket: https://fedorahosted.org/freeipa/ticket/2331
Once session support is complete (1204, 2095) support will need to be added so the CLI can take advantage of this as well. The plan is to store the cookie in the user's ccache.
*** Bug 805270 has been marked as a duplicate of this bug. ***
*** Bug 768159 has been marked as a duplicate of this bug. ***
Fixed upstream:
master: https://fedorahosted.org/freeipa/changeset/54135ecd9a96f59429cfd535f3add282b535d3e3
Testing info taken from the upstream ticket:
This should be invisible to the user.
Use the keyctl command to list your keys:
    $ keyctl list @s
    2 keys in keyring:
    353548226: --alswrv 1000 -1 keyring: _uid.1000
    941350591: --alswrv 1000 1000 user: ipa_session_cookie
To remove a key:
    $ keyctl unlink 941350591 @s
Some things to test:
1. Single IPA server
2. Multiple IPA servers w/SRV records
3. Multiple IPA servers w/SRV records, bring primary down
4. After creating a session restart ipa_memcached on server and ensure that a new session is eventually created
5. Use the -vv option to ipa to see the request conversation, e.g.
    ipa -vv user-show admin
You should see a request go to /ipa/session/xml, respond with a 401, then go to /ipa/xml. All subsequent requests should go to /ipa/session/xml and have the cookie accepted.
The xmlrpclib.py in Python 2.6 is different enough from 2.7 that this is going to require a patch.
Upstream ticket: https://fedorahosted.org/freeipa/ticket/3022
Another issue we noticed is that we are not sending a correct cookie back to the server; we're including extraneous cookie information from the browser-only Set-Cookie header. We should only be sending the cookie value (e.g. ipa_session=xxxxxxxxxxxxxxxx). You can see this when using a session:
    $ ipa -vv user-show admin
You'll see the Cookie header in the POST request output.
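The cookie handling described in the comment above, as an added example that is not FreeIPA's own code: it reduces a Set-Cookie response header to the bare name=value pair that belongs in the Cookie request header. It is written for Python 3; the function names and the sample header are constructed for illustration, and only the cookie name ipa_session comes from this report.

```python
import re

# cookie-octet from RFC 6265 section 4.1.1: no control characters, whitespace,
# double quote, comma, semicolon or backslash. Quoted values are rejected here.
_COOKIE_OCTETS = re.compile(r'[\x21\x23-\x2B\x2D-\x3A\x3C-\x5B\x5D-\x7E]*')

# Constructed sample of what a server might send; not captured from a real server.
SAMPLE_SET_COOKIE = (
    'ipa_session=0123456789abcdef0123456789abcdef; Domain=ipa.example.test; '
    'Path=/ipa; Expires=Mon, 01 Jan 2030 00:00:00 GMT; Secure; HttpOnly'
)


def parse_set_cookie(header):
    """Split one Set-Cookie header value into (name, value, attributes)."""
    pair, *attr_parts = [part.strip() for part in header.split(';')]
    name, sep, value = pair.partition('=')
    if not sep or not name.strip():
        raise ValueError('malformed Set-Cookie header')
    attrs = {}
    for part in attr_parts:
        if part:
            key, _, val = part.partition('=')
            attrs[key.strip().lower()] = val.strip()
    return name.strip(), value.strip(), attrs


def request_cookie(set_cookie_headers, wanted='ipa_session'):
    """Return the Cookie request header value for `wanted`, or None.

    Attributes such as Path, Expires, Secure and HttpOnly are instructions
    to the client and are never echoed back to the server.
    """
    for header in set_cookie_headers:
        try:
            name, value, _attrs = parse_set_cookie(header)
        except ValueError:
            continue  # skip headers that carry no name=value pair
        if name != wanted:
            continue
        # Refuse values that could smuggle extra header lines (CR/LF) or
        # otherwise fall outside the cookie-octet set.
        if not _COOKIE_OCTETS.fullmatch(value):
            raise ValueError('illegal characters in cookie value')
        return '%s=%s' % (name, value)
    return None
```

Whatever is stored for later requests (here, in the session keyring) should be the returned name=value string or the validated value, not the raw Set-Cookie header.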
Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory, and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report. http://rhn.redhat.com/errata/RHSA-2013-0528.html