Bug 1200883

Summary: [RFE] Switch apache to use mod_auth_gssapi
Product: Red Hat Enterprise Linux 7 Reporter: Martin Kosek <mkosek>
Component: ipaAssignee: IPA Maintainers <ipa-maint>
Status: CLOSED ERRATA QA Contact: Namita Soman <nsoman>
Severity: unspecified Docs Contact: Aneta Šteflová Petrová <apetrova>
Priority: medium    
Version: 7.0CC: brian, jcholast, ksiddiqu, mkosek, mnavrati, rcritten, ssorce
Target Milestone: rcKeywords: FutureFeature
Target Release: ---   
Hardware: Unspecified   
OS: Unspecified   
Whiteboard:
Fixed In Version: ipa-4.2.0-0.1.alpha1.el7 Doc Type: Release Note
Doc Text:
Negotiate authentication streamlined with *mod_auth_gssapi* Identity Management now uses the *mod_auth_gssapi* module, which uses GSSAPI calls instead of direct Kerberos calls used by the previously used *mod_auth_kerb* module.
 Story Points: ---
Clone Of: Environment:
Last Closed: 2015-11-19 12:02:05 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On:    
Bug Blocks: 1181710    

Description Martin Kosek 2015-03-11 15:04:19 UTC 
This bug is created as a clone of upstream ticket:
https://fedorahosted.org/freeipa/ticket/4190

mod_auth_gssapi is a new module I am working on to make Negotiate authentication more streamlined.

The main feature for FreeIPA is that it will allow the use of GSS-Proxy for all functionality as it does not use direct libkrb5 calls unlike mod_auth_kerb

It is a precondition for implementing #4189
Comment 1 Jan Cholasta 2015-03-30 13:07:35 UTC 
Fixed upstream
master:
https://fedorahosted.org/freeipa/changeset/8c72e2efad4e375af55b5a167153f2d1447624d4
https://fedorahosted.org/freeipa/changeset/5a03462bfc94d09192c935b2a158958481d1df01
https://fedorahosted.org/freeipa/changeset/b9657975b790252c952499c1cd40dc6a666d452f
Comment 6 Brian J. Murrell 2015-08-21 11:24:08 UTC 
When is this likely to hit RHEL 7?  This will close bug 1255703, but if this hitting RHEL 7 is still a long way out, I'd like to see bug 1255703 fixed in the meanwhile.
Comment 8 Namita Soman 2015-09-17 17:10:34 UTC 
incorrectly paste above. 

# cat /etc/redhat-release 
Red Hat Enterprise Linux Server release 7.2 Beta (Maipo)

# rpm -qi mod_auth_gssapi
Name        : mod_auth_gssapi
Version     : 1.3.1
Release     : 1.el7
Architecture: x86_64
Install Date: Wed 16 Sep 2015 02:07:45 PM EDT
Group       : System Environment/Daemons
Size        : 124842
License     : MIT
Signature   : RSA/SHA256, Wed 09 Sep 2015 11:59:48 AM EDT, Key ID 938a80caf21541eb
Source RPM  : mod_auth_gssapi-1.3.1-1.el7.src.rpm
Build Date  : Thu 03 Sep 2015 03:01:58 PM EDT
Build Host  : x86-036.build.eng.bos.redhat.com
Relocations : (not relocatable)
Packager    : Red Hat, Inc. <http://bugzilla.redhat.com/bugzilla>
Vendor      : Red Hat, Inc.
URL         : https://github.com/modauthgssapi/mod_auth_gssapi
Summary     : A GSSAPI Authentication module for Apache
Description :
The mod_auth_gssapi module is an authentication service that implements the
SPNEGO based HTTP Authentication protocol defined in RFC4559.
Comment 9 errata-xmlrpc 2015-11-19 12:02:05 UTC 
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://rhn.redhat.com/errata/RHBA-2015-2362.html