Bug 1053730

Summary: KrbLocalUserMapping does not work with Apache & GSS-Proxy
Product: Red Hat Enterprise Linux 7 Reporter: Dmitri Pal <dpal>
Component: gssproxyAssignee: Simo Sorce <ssorce>
Status: CLOSED ERRATA QA Contact: Namita Soman <nsoman>
Severity: high Docs Contact:
Priority: high    
Version: 7.0CC: dpal, eguan, jpazdziora, ksiddiqu, nalin, qcai
Target Milestone: rc   
Target Release: ---   
Hardware: Unspecified   
OS: Unspecified   
Whiteboard:
Fixed In Version: gssproxy-0.4.1-2.el7 Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2015-11-19 09:30:11 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Attachments:
Description Flags
console output with steps none

Description Dmitri Pal 2014-01-15 17:03:44 UTC 
This bug is created as a clone of upstream ticket:
https://fedorahosted.org/gss-proxy/ticket/101

When attempting to enable GSS-Proxy & [wiki:Apache], I find that the '''!KrbLocalUserMapping''' configuration option does not work.  This is an imporant part of the configuration options, as not all web applications properly support '''!username''' style usernames, so I need to be able to say '''Require user username''' instead of '''Require user !username''' in some cases. I'm using gssproxy-0.2.3-6.fc19.1.x86_64, httpd-2.4.6-2.fc19.x86_64 and mod_auth_kerb-5.4-24.fc19.x86_64.

{{{
<Location /redacted>
  SSLRequireSSL
  AuthType Kerberos
  AuthName "Login"
  KrbAuthoritative On
  KrbLocalUserMapping On
  KrbServiceName HTTP/example.com
  Require user username
</Location>
}}}

{{{
AH01631: user username\x02s: authorization failure for /redacted
AH01663: access to /redacted failed, reason: user 'username\x02' does not meet 'require'ments for user to be allowed access
AH01631: user username\x02: authorization failure for "/redacted": 
AH01663: access to /redacted failed, reason: user 'username\x02IN1' does not meet 'require'ments for user to be allowed access
AH01631: user username\x02IN1: authorization failure for "/redacted": 
AH01663: access to /redacted failed, reason: user 'username\x7f' does not meet 'require'ments for user to be allowed access
AH01631: user username\x7f: authorization failure for "/redacted": 
AH01663: access to /redacted failed, reason: user 'username\x02' does not meet 'require'ments for user to be allowed access
}}}
Comment 1 Dmitri Pal 2014-01-16 15:55:41 UTC 
I suggest we do SanityOnly testing on this one for RHEL 7.0. It will be tested indirectly by the solutions on top of RHEL7. The problem is that we can't even create these solutions since it is not working and preventing us to create repeatable setups and guidelines for the layered products to follow.
Comment 10 Roland Mainz 2015-07-10 01:03:20 UTC 
Fixed in gssproxy-0.4.1-2.el7 ...

... marking bug as MODIFIED.
Comment 12 Kaleem 2015-08-25 05:55:21 UTC 
Verified

gssproxy version:
=================
[root@dhcp207-24 ~]# rpm -q gssproxy ipa-client mod_auth_kerb
gssproxy-0.4.1-6.el7.x86_64
ipa-client-4.2.0-5.el7.x86_64
mod_auth_kerb-5.4-28.el7.x86_64
[root@dhcp207-24 ~]#

Please find the attached console output for verification steps.
Comment 13 Kaleem 2015-08-25 05:55:54 UTC 
Created attachment 1066735 [details]
console output with steps
Comment 16 errata-xmlrpc 2015-11-19 09:30:11 UTC 
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://rhn.redhat.com/errata/RHBA-2015-2298.html