Bug 1324536

Summary: Installing mod_auth_mellon causes working Kerberos authentication to start failing
Product: Red Hat Enterprise Linux 7
Reporter: Jan Pazdziora (Red Hat) <jpazdziora>
Component: mod_auth_mellon
Assignee: John Dennis <jdennis>
Status: CLOSED ERRATA
QA Contact: Kaleem <ksiddiqu>
Severity: unspecified
Priority: unspecified
Version: 7.3
CC: arubin, jdennis, jpazdziora, ksiddiqu, nkinder, nsoman, spoore
Target Milestone: rc
Hardware: Unspecified
OS: Unspecified
Fixed In Version: mod_auth_mellon-0.11.0-2.el7
Doc Type: Bug Fix
Clone Of: 1317019
Last Closed: 2016-11-04 06:46:51 UTC
Type: Bug
Bug Depends On: 1317019

Description Jan Pazdziora (Red Hat) 2016-04-06 14:47:05 UTC
+++ This bug was initially created as a clone of Bug #1317019 +++

Description of problem:

When mod_auth_mellon package is installed to a working Apache HTTP Server with Kerberos authentication, the Kerberos authentication stops working even if mod_auth_mellon was not configured in any way.

Version-Release number of selected component (if applicable):

mod_auth_mellon-0.8.0-4.el6.x86_64

How reproducible:

Deterministic.

Steps to Reproduce:
1. Have Apache HTTP Server configured with mod_auth_kerb.
2. Verify that kinit as some user and curl -Lksi --negotiate -u : returns 401 and then 200, something like

# curl -Lksi --negotiate -u : https://$(hostname)/application/login
HTTP/1.1 401 Authorization Required
Date: Fri, 11 Mar 2016 17:23:37 GMT
Server: Apache/2.2.15 (Red Hat)
WWW-Authenticate: Negotiate
Content-Length: 127
Connection: close
Content-Type: text/html; charset=iso-8859-1

HTTP/1.1 200 OK
Date: Fri, 11 Mar 2016 17:23:37 GMT
Server: Apache/2.2.15 (Red Hat)
Pragma: no-cache
Refresh: 3; URL=/application
Set-Cookie: the-test-cookie=ok:Robert Chase (bob23557: bob23557); path=/application
Connection: close
Transfer-Encoding: chunked
Content-Type: text/html; charset=UTF-8

3. Run yum install -y mod_auth_mellon
4. Run service httpd restart
5. Rerun that curl --negotiate -u : command.

Actual results:

# curl -Lksi --negotiate -u : https://$(hostname)/application/login
HTTP/1.1 401 Authorization Required
Date: Fri, 11 Mar 2016 17:23:57 GMT
Server: Apache/2.2.15 (Red Hat)
Content-Length: 127
Connection: close
Content-Type: text/html; charset=iso-8859-1

<html><meta http-equiv="refresh" content="0; URL=/application/login2"><body>Kerberos authentication did not pass.</body></html>

Expected results:

As before mod_auth_mellon was installed -- 401 with WWW-Authenticate: Negotiate and then 200.

Additional info:

--- Additional comment from Jan Pazdziora on 2016-03-11 18:36:48 CET ---

My estimate is that the problem is caused by mod_auth_mellon's am_check_uid function. It does not check at all whether MellonEnable is enabled on that location.

Normally it does not matter because ap_run_check_user_id in httpd-2.2's ap_process_request_internal is not run unless

   if (ap_some_auth_required(r)) {

is true. Which normally is not but on locations where Kerberos (or Basic) HTTP Auth is enabled, this condition is met even if we did not configure/enable mod_auth_mellon in any way.

--- Additional comment from Jan Pazdziora on 2016-03-11 18:38:49 CET ---

RFC 2616 says

  10.4.2 401 Unauthorized

  The request requires user authentication. The response MUST include
  a WWW-Authenticate header field (section 14.47) containing a challenge
  applicable to the requested resource.

mod_auth_mellon's use of HTTP_UNAUTHORIZED is a violation of the RFC all by itself because it does not implement HTTP Auth.

--- Additional comment from Jan Pazdziora on 2016-03-11 18:41:01 CET ---

The problem is present on RHEL 7 as well. On RHEL 6 it's just a little bit more obvious because of the naming of the configuration files -- mod_auth_mellon is loaded before mod_auth_kerb on RHEL 6, triggering the issue more easily.

--- Additional comment from Simo Sorce on 2016-03-14 15:00:02 CET ---

John,
do you think you have b/w to look at this ?
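
The check from the reproduction steps and the RFC 2616 comment above, written as a reusable shell function. This is an added example, not part of the original report or of mod_auth_mellon; the function name check_401_challenge and the abridged sample responses are constructed for illustration.

```shell
# Reads `curl -si` output (one or more responses) on stdin and reports every 401.
# Exit status: 0 = each 401 carried a challenge, 1 = a 401 had none, 2 = no 401 seen.
# check_401_challenge is a name made up for this example.
check_401_challenge() {
    awk '
        function finish() {
            if (status + 0 != 401) return
            seen++
            if (challenge == "") { bad++; print "401 WITHOUT WWW-Authenticate" }
            else print "401 with challenge: " challenge
        }
        { sub(/\r$/, "") }                        # HTTP header lines end in CRLF
        /^HTTP\/[0-9.]+ [0-9][0-9][0-9]/ {        # a status line starts a new response
            finish(); status = $2; challenge = ""; in_headers = 1; next
        }
        in_headers && $0 == "" { in_headers = 0; next }    # blank line ends the headers
        in_headers && tolower($0) ~ /^www-authenticate:/ {
            sub(/^[^:]*:[ \t]*/, ""); challenge = $1       # keep only the auth scheme
        }
        END { finish(); if (bad) exit 1; if (!seen) exit 2 }
    '
}

# Constructed samples, abridged from the two curl transcripts in the report.
sample_broken() {
    cat <<'EOF'
HTTP/1.1 401 Authorization Required
Server: Apache/2.2.15 (Red Hat)
Content-Length: 127

<html><body>Kerberos authentication did not pass.</body></html>
EOF
}

sample_working() {
    cat <<'EOF'
HTTP/1.1 401 Authorization Required
Server: Apache/2.2.15 (Red Hat)
WWW-Authenticate: Negotiate
Content-Length: 127

HTTP/1.1 200 OK
Server: Apache/2.2.15 (Red Hat)
EOF
}

sample_working | check_401_challenge
sample_broken | check_401_challenge || echo "regression: 401 carries no challenge"
```

Against a live server, pipe the report's own command into it: curl -Lksi --negotiate -u : https://$(hostname)/application/login | check_401_challenge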

Comment 1 Jan Pazdziora (Red Hat) 2016-04-06 14:48:30 UTC
On RHEL 7, merely installing the package will not break things because the order of the modules is captured in conf.modules.d. But the fact that mod_auth_mellon uses 401 where it shouldn't is still there.

Comment 3 John Dennis 2016-04-08 15:17:37 UTC
Please see bug #1317019, from which this bug was cloned, for a discussion of the separate issue of the return code.

Comment 5 Scott Poore 2016-09-19 17:46:49 UTC
Verified.

Version ::

mod_auth_mellon-0.11.0-2.el7.x86_64

Results ::

# Because of module install order, I had to tweak the location of mod_auth_mellon include for apache to reproduce the problem

# Reproduced here:

[root@vm3 conf.modules.d]# rpm -q mod_auth_mellon
mod_auth_mellon-0.11.0-1.el7.x86_64


[root@vm3 conf.modules.d]# klist
Ticket cache: KEYRING:persistent:0:0
Default principal: bob123

Valid starting       Expires              Service principal
09/19/2016 12:30:44  09/20/2016 12:30:36  HTTP/vm3.example.com
09/19/2016 12:30:36  09/20/2016 12:30:36  krbtgt/EXAMPLE.COM

[root@vm3 conf.modules.d]# ln -s /etc/httpd/conf.modules.d/10-auth_mellon.conf /etc/httpd/conf.modules.d/09-auth_mellon.conf

[root@vm3 conf.modules.d]# curl -Lksi --negotiate -u : https://$( hostname ):8443/application/login --cacert /etc/httpd/alias/ca.crt
HTTP/1.1 401 Unauthorized
Date: Mon, 19 Sep 2016 17:42:28 GMT
Server: Apache/2.4.6 (Red Hat Enterprise Linux) mod_auth_kerb/5.4 mod_nss/1.0.14 NSS/3.21 Basic ECC
Content-Length: 127
Content-Type: text/html; charset=iso-8859-1

<html><meta http-equiv="refresh" content="0; URL=/application/login2"><body>Kerberos authentication did not pass.</body></html>[root@vm3 conf.modules.d]# 


# confirmed fixed:

[root@vm3 conf.modules.d]# yum update mod_auth_mellon
Loaded plugins: product-id, search-disabled-repos, subscription-manager
This system is not registered to Red Hat Subscription Management. You can use subscription-manager to register.
Resolving Dependencies
--> Running transaction check
---> Package mod_auth_mellon.x86_64 0:0.11.0-1.el7 will be updated
---> Package mod_auth_mellon.x86_64 0:0.11.0-2.el7 will be an update
--> Finished Dependency Resolution

Dependencies Resolved

=======================================================================================================
 Package                   Arch             Version                 Repository                    Size
=======================================================================================================
Updating:
 mod_auth_mellon           x86_64           0.11.0-2.el7            rhel-7.3-candidate            74 k

Transaction Summary
=======================================================================================================
Upgrade  1 Package

Total download size: 74 k
Is this ok [y/d/N]: y
Downloading packages:
Delta RPMs disabled because /usr/bin/applydeltarpm not installed.
mod_auth_mellon-0.11.0-2.el7.x86_64.rpm                                         |  74 kB  00:00:00     
Running transaction check
Running transaction test
Transaction test succeeded
Running transaction
  Updating   : mod_auth_mellon-0.11.0-2.el7.x86_64                                                 1/2 
  Cleanup    : mod_auth_mellon-0.11.0-1.el7.x86_64                                                 2/2 
  Verifying  : mod_auth_mellon-0.11.0-2.el7.x86_64                                                 1/2 
  Verifying  : mod_auth_mellon-0.11.0-1.el7.x86_64                                                 2/2 

Updated:
  mod_auth_mellon.x86_64 0:0.11.0-2.el7                                                                

Complete!

[root@vm3 conf.modules.d]# systemctl restart httpd

[root@vm3 conf.modules.d]# curl -Lksi --negotiate -u : https://$( hostname ):8443/application/login --cacert /etc/httpd/alias/ca.crt
HTTP/1.1 401 Unauthorized
Date: Mon, 19 Sep 2016 17:45:35 GMT
Server: Apache/2.4.6 (Red Hat Enterprise Linux) mod_auth_kerb/5.4 mod_nss/1.0.14 NSS/3.21 Basic ECC
WWW-Authenticate: Negotiate
Content-Length: 127
Content-Type: text/html; charset=iso-8859-1

HTTP/1.1 200 OK
Date: Mon, 19 Sep 2016 17:45:35 GMT
Server: Apache/2.4.6 (Red Hat Enterprise Linux) mod_auth_kerb/5.4 mod_nss/1.0.14 NSS/3.21 Basic ECC
WWW-Authenticate: Negotiate YIGZBgkqhkiG9xIBAgICAG+BiTCBhqADAgEFoQMCAQ+iejB4oAMCARKicQRvo1d3R6yDrIFaFZdLhpsCWZ4Pch+1FbDeN2qjctGmquNZ3dbpa3gqEs9J4fbyQDqr7y8PIhmW8KL2CuuNWQj0dDr9Jywui1cgse/s/kA58DLBnTyqvVzB5ej+2CE0Vl5xN+0OaRrz0JQP3SwbKRaR
Pragma: no-cache
Content-Length: 2167
Content-Type: text/html; charset=UTF-8

<html>
  <head>
    <title>Log in to application</title>
  </head>
  <body>
    <h1>Log in to application</h1>
    <p>	
	<form method="POST">
	  <dl>
	    <dt>Login:</dt>
	      <dd><input type="text" name="login" value="" />
	    <dt>Password:</dt>
	      <dd><input type="password" name="password" />
	    <dt><input type="submit" name="go" value="Log in" /></dt>
	  </dl>
	</form>
</p>
    <hr/>
    <p><a href="/application">Back to application</a></p>
    <!--
    <hr/>
    <pre>AUTH_TYPE=Negotiate
CONTEXT_DOCUMENT_ROOT=/var/www/app.cgi
CONTEXT_PREFIX=/application
DOCUMENT_ROOT=/var/www/html
GATEWAY_INTERFACE=CGI/1.1
HTTPS=on
HTTP_ACCEPT=*/*
HTTP_HOST=vm3.example.com:8443
HTTP_USER_AGENT=curl/7.29.0
PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin
PATH_INFO=/login
PATH_TRANSLATED=/var/www/html/login
QUERY_STRING=
REMOTE_ADDR=192.168.122.153
REMOTE_PORT=51892
REMOTE_USER=bob123
REQUEST_METHOD=GET
REQUEST_SCHEME=https
REQUEST_URI=/application/login
SCRIPT_FILENAME=/var/www/app.cgi
SCRIPT_NAME=/application
SERVER_ADDR=192.168.122.153
SERVER_ADMIN=root@localhost
SERVER_NAME=vm3.example.com
SERVER_PORT=8443
SERVER_PROTOCOL=HTTP/1.1
SERVER_SIGNATURE=
SERVER_SOFTWARE=Apache/2.4.6 (Red Hat Enterprise Linux) mod_auth_kerb/5.4 mod_nss/1.0.14 NSS/3.21 Basic ECC
SSL_CIPHER=AES-256
SSL_CIPHER_ALGKEYSIZE=256
SSL_CIPHER_EXPORT=false
SSL_CIPHER_NAME=TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA
SSL_CIPHER_USEKEYSIZE=256
SSL_CLIENT_VERIFY=NONE
SSL_PROTOCOL=TLSv1.2
SSL_SECURE_RENEG=false
SSL_SERVER_A_KEY=ECDHE_RSA
SSL_SERVER_A_SIG=SHA1-RSA
SSL_SERVER_I_DN=CN=Certificate Authority,O=EXAMPLE.COM
SSL_SERVER_I_DN_CN=Certificate Authority
SSL_SERVER_I_DN_O=EXAMPLE.COM
SSL_SERVER_M_SERIAL=12
SSL_SERVER_M_VERSION=3
SSL_SERVER_S_DN=CN=vm3.example.com,O=EXAMPLE.COM
SSL_SERVER_S_DN_CN=vm3.example.com
SSL_SERVER_S_DN_O=EXAMPLE.COM
SSL_SERVER_V_END=Sep 20 17:27:31 2018 GMT
SSL_SERVER_V_START=Sep 19 17:27:31 2016 GMT
SSL_SESSION_ID=CMiGlmXoekOOZ+SrHTy9S5xq/IQd2ToHfiD0/YTs6nU=
SSL_TLS_SNI=vm3.example.com
SSL_VERSION_INTERFACE=mod_nss/1.0.14
SSL_VERSION_LIBRARY=NSS/3.21 Basic ECC
UNIQUE_ID=V@AkP3U-ZSUCLS1ga-ng0QAAAAQ
    </pre>
    -->
  </body>
</html>

[root@vm3 conf.modules.d]#

Comment 7 errata-xmlrpc 2016-11-04 06:46:51 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://rhn.redhat.com/errata/RHBA-2016-2461.html