Bug 1324536

Summary: Installing mod_auth_mellon causes working Kerberos authentication to start failing
Product: Red Hat Enterprise Linux 7 Reporter: Jan Pazdziora <jpazdziora>
Component: mod_auth_mellonAssignee: John Dennis <jdennis>
Status: CLOSED ERRATA QA Contact: Kaleem <ksiddiqu>
Severity: unspecified Docs Contact:
Priority: unspecified    
Version: 7.3CC: arubin, jdennis, jpazdziora, ksiddiqu, nkinder, nsoman, spoore
Target Milestone: rc   
Target Release: ---   
Hardware: Unspecified   
OS: Unspecified   
Whiteboard:
Fixed In Version: mod_auth_mellon-0.11.0-2.el7 Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of: 1317019 Environment:
Last Closed: 2016-11-04 06:46:51 UTC Type: Bug
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Bug Depends On: 1317019    
Bug Blocks:    

Description Jan Pazdziora 2016-04-06 14:47:05 UTC 
+++ This bug was initially created as a clone of Bug #1317019 +++

Description of problem:

When mod_auth_mellon package is installed to a working Apache HTTP Server with Kerberos authentication, the Kerberos authentication stops working even if mod_auth_mellon was not configured in any way.

Version-Release number of selected component (if applicable):

mod_auth_mellon-0.8.0-4.el6.x86_64

How reproducible:

Deterministic.

Steps to Reproduce:
1. Have Apache HTTP Server configured with mod_auth_kerb.
2. Verify that kinit as some user and curl -Lksi --negotiate -u : returns 401 and then 200, something like

# curl -Lksi --negotiate -u : https://$(hostname)/application/login
HTTP/1.1 401 Authorization Required
Date: Fri, 11 Mar 2016 17:23:37 GMT
Server: Apache/2.2.15 (Red Hat)
WWW-Authenticate: Negotiate
Content-Length: 127
Connection: close
Content-Type: text/html; charset=iso-8859-1

HTTP/1.1 200 OK
Date: Fri, 11 Mar 2016 17:23:37 GMT
Server: Apache/2.2.15 (Red Hat)
Pragma: no-cache
Refresh: 3; URL=/application
Set-Cookie: the-test-cookie=ok:Robert Chase (bob23557: bob23557); path=/application
Connection: close
Transfer-Encoding: chunked
Content-Type: text/html; charset=UTF-8

3. Run yum install -y mod_auth_mellon
4. Run service httpd restart
5. Rerun that curl --negotiate -u : command.

Actual results:

# curl -Lksi --negotiate -u : https://$(hostname)/application/login
HTTP/1.1 401 Authorization Required
Date: Fri, 11 Mar 2016 17:23:57 GMT
Server: Apache/2.2.15 (Red Hat)
Content-Length: 127
Connection: close
Content-Type: text/html; charset=iso-8859-1

<html><meta http-equiv="refresh" content="0; URL=/application/login2"><body>Kerberos authentication did not pass.</body></html>

Expected results:

As before mod_auth_mellon was installed -- 401 with WWW-Authenticate: Negotiate and then 200.

Additional info:

--- Additional comment from Jan Pazdziora on 2016-03-11 18:36:48 CET ---

My estimate is that the problem is caused by mod_auth_mellon's am_check_uid function. It does not check at all whether MellonEnable is enabled on that location.

Normally it does not matter because ap_run_check_user_id in httpd-2.2's ap_process_request_internal is not run unless

   if (ap_some_auth_required(r)) {

is true. Which normally is not but on locations where Kerberos (or Basic) HTTP Auth is enabled, this condition is met even if we did not configure/enable mod_auth_mellon in any way.

--- Additional comment from Jan Pazdziora on 2016-03-11 18:38:49 CET ---

RFC 2616 says

  10.4.2 401 Unauthorized

  The request requires user authentication. The response MUST include
  a WWW-Authenticate header field (section 14.47) containing a challenge
  applicable to the requested resource.

mod_auth_mellon's use of HTTP_UNAUTHORIZED is a violation of the RFC all by itself because it does not implement HTTP Auth.

--- Additional comment from Jan Pazdziora on 2016-03-11 18:41:01 CET ---

The problem is present on RHEL 7 as well. On RHEL 6 it's just a little bit more obvious because of the naming of the configuration files -- mod_auth_mellon is loaded before mod_auth_kerb on RHEL 6, triggering the issue more easily.

--- Additional comment from Simo Sorce on 2016-03-14 15:00:02 CET ---

John,
do you think you have b/w to look at this ?
Comment 1 Jan Pazdziora 2016-04-06 14:48:30 UTC 
On RHEL 7, merely installing the package will not break things because the order of the modules is captured in conf.modules.d. But the fact that mod_auth_mellon uses 401 where it shouldn't is still there.
Comment 3 John Dennis 2016-04-08 15:17:37 UTC 
Please see bug #1317019 from which this bug was cloned for a discussion of separate issue of the return code.
Comment 5 Scott Poore 2016-09-19 17:46:49 UTC 
Verified.

Version ::

mod_auth_mellon-0.11.0-2.el7.x86_64

Results ::

# Because of module install order, I had to tweak the location of mod_auth_mellon include for apache to reproduce the problem

# Reproduced here:

[root@vm3 conf.modules.d]# rpm -q mod_auth_mellon
mod_auth_mellon-0.11.0-1.el7.x86_64


[root@vm3 conf.modules.d]# klist
Ticket cache: KEYRING:persistent:0:0
Default principal: bob123

Valid starting       Expires              Service principal
09/19/2016 12:30:44  09/20/2016 12:30:36  HTTP/vm3.example.com
09/19/2016 12:30:36  09/20/2016 12:30:36  krbtgt/EXAMPLE.COM

[root@vm3 conf.modules.d]# ln -s /etc/httpd/conf.modules.d/10-auth_mellon.conf /etc/httpd/conf.modules.d/09-auth_mellon.conf

[root@vm3 conf.modules.d]# curl -Lksi --negotiate -u : https://$( hostname ):8443/application/login --cacert /etc/httpd/alias/ca.crt
HTTP/1.1 401 Unauthorized
Date: Mon, 19 Sep 2016 17:42:28 GMT
Server: Apache/2.4.6 (Red Hat Enterprise Linux) mod_auth_kerb/5.4 mod_nss/1.0.14 NSS/3.21 Basic ECC
Content-Length: 127
Content-Type: text/html; charset=iso-8859-1

<html><meta http-equiv="refresh" content="0; URL=/application/login2"><body>Kerberos authentication did not pass.</body></html>[root@vm3 conf.modules.d]# 


# confirmed fixed:

[root@vm3 conf.modules.d]# yum update mod_auth_mellon
Loaded plugins: product-id, search-disabled-repos, subscription-manager
This system is not registered to Red Hat Subscription Management. You can use subscription-manager to register.
Resolving Dependencies
--> Running transaction check
---> Package mod_auth_mellon.x86_64 0:0.11.0-1.el7 will be updated
---> Package mod_auth_mellon.x86_64 0:0.11.0-2.el7 will be an update
--> Finished Dependency Resolution

Dependencies Resolved

=======================================================================================================
 Package                   Arch             Version                 Repository                    Size
=======================================================================================================
Updating:
 mod_auth_mellon           x86_64           0.11.0-2.el7            rhel-7.3-candidate            74 k

Transaction Summary
=======================================================================================================
Upgrade  1 Package

Total download size: 74 k
Is this ok [y/d/N]: y
Downloading packages:
Delta RPMs disabled because /usr/bin/applydeltarpm not installed.
mod_auth_mellon-0.11.0-2.el7.x86_64.rpm                                         |  74 kB  00:00:00     
Running transaction check
Running transaction test
Transaction test succeeded
Running transaction
  Updating   : mod_auth_mellon-0.11.0-2.el7.x86_64                                                 1/2 
  Cleanup    : mod_auth_mellon-0.11.0-1.el7.x86_64                                                 2/2 
  Verifying  : mod_auth_mellon-0.11.0-2.el7.x86_64                                                 1/2 
  Verifying  : mod_auth_mellon-0.11.0-1.el7.x86_64                                                 2/2 

Updated:
  mod_auth_mellon.x86_64 0:0.11.0-2.el7                                                                

Complete!

[root@vm3 conf.modules.d]# systemctl restart httpd

[root@vm3 conf.modules.d]# curl -Lksi --negotiate -u : https://$( hostname ):8443/application/login --cacert /etc/httpd/alias/ca.crt
HTTP/1.1 401 Unauthorized
Date: Mon, 19 Sep 2016 17:45:35 GMT
Server: Apache/2.4.6 (Red Hat Enterprise Linux) mod_auth_kerb/5.4 mod_nss/1.0.14 NSS/3.21 Basic ECC
WWW-Authenticate: Negotiate
Content-Length: 127
Content-Type: text/html; charset=iso-8859-1

HTTP/1.1 200 OK
Date: Mon, 19 Sep 2016 17:45:35 GMT
Server: Apache/2.4.6 (Red Hat Enterprise Linux) mod_auth_kerb/5.4 mod_nss/1.0.14 NSS/3.21 Basic ECC
WWW-Authenticate: Negotiate YIGZBgkqhkiG9xIBAgICAG+BiTCBhqADAgEFoQMCAQ+iejB4oAMCARKicQRvo1d3R6yDrIFaFZdLhpsCWZ4Pch+1FbDeN2qjctGmquNZ3dbpa3gqEs9J4fbyQDqr7y8PIhmW8KL2CuuNWQj0dDr9Jywui1cgse/s/kA58DLBnTyqvVzB5ej+2CE0Vl5xN+0OaRrz0JQP3SwbKRaR
Pragma: no-cache
Content-Length: 2167
Content-Type: text/html; charset=UTF-8

<html>
  <head>
    <title>Log in to application</title>
  </head>
  <body>
    <h1>Log in to application</h1>
    <p>	
	<form method="POST">
	  <dl>
	    <dt>Login:</dt>
	      <dd><input type="text" name="login" value="" />
	    <dt>Password:</dt>
	      <dd><input type="password" name="password" />
	    <dt><input type="submit" name="go" value="Log in" /></dt>
	  </dl>
	</form>
</p>
    <hr/>
    <p><a href="/application">Back to application</a></p>
    <!--
    <hr/>
    <pre>AUTH_TYPE=Negotiate
CONTEXT_DOCUMENT_ROOT=/var/www/app.cgi
CONTEXT_PREFIX=/application
DOCUMENT_ROOT=/var/www/html
GATEWAY_INTERFACE=CGI/1.1
HTTPS=on
HTTP_ACCEPT=*/*
HTTP_HOST=vm3.example.com:8443
HTTP_USER_AGENT=curl/7.29.0
PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin
PATH_INFO=/login
PATH_TRANSLATED=/var/www/html/login
QUERY_STRING=
REMOTE_ADDR=192.168.122.153
REMOTE_PORT=51892
REMOTE_USER=bob123
REQUEST_METHOD=GET
REQUEST_SCHEME=https
REQUEST_URI=/application/login
SCRIPT_FILENAME=/var/www/app.cgi
SCRIPT_NAME=/application
SERVER_ADDR=192.168.122.153
SERVER_ADMIN=root@localhost
SERVER_NAME=vm3.example.com
SERVER_PORT=8443
SERVER_PROTOCOL=HTTP/1.1
SERVER_SIGNATURE=
SERVER_SOFTWARE=Apache/2.4.6 (Red Hat Enterprise Linux) mod_auth_kerb/5.4 mod_nss/1.0.14 NSS/3.21 Basic ECC
SSL_CIPHER=AES-256
SSL_CIPHER_ALGKEYSIZE=256
SSL_CIPHER_EXPORT=false
SSL_CIPHER_NAME=TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA
SSL_CIPHER_USEKEYSIZE=256
SSL_CLIENT_VERIFY=NONE
SSL_PROTOCOL=TLSv1.2
SSL_SECURE_RENEG=false
SSL_SERVER_A_KEY=ECDHE_RSA
SSL_SERVER_A_SIG=SHA1-RSA
SSL_SERVER_I_DN=CN=Certificate Authority,O=EXAMPLE.COM
SSL_SERVER_I_DN_CN=Certificate Authority
SSL_SERVER_I_DN_O=EXAMPLE.COM
SSL_SERVER_M_SERIAL=12
SSL_SERVER_M_VERSION=3
SSL_SERVER_S_DN=CN=vm3.example.com,O=EXAMPLE.COM
SSL_SERVER_S_DN_CN=vm3.example.com
SSL_SERVER_S_DN_O=EXAMPLE.COM
SSL_SERVER_V_END=Sep 20 17:27:31 2018 GMT
SSL_SERVER_V_START=Sep 19 17:27:31 2016 GMT
SSL_SESSION_ID=CMiGlmXoekOOZ+SrHTy9S5xq/IQd2ToHfiD0/YTs6nU=
SSL_TLS_SNI=vm3.example.com
SSL_VERSION_INTERFACE=mod_nss/1.0.14
SSL_VERSION_LIBRARY=NSS/3.21 Basic ECC
UNIQUE_ID=V@AkP3U-ZSUCLS1ga-ng0QAAAAQ
    </pre>
    -->
  </body>
</html>

[root@vm3 conf.modules.d]#
Comment 7 errata-xmlrpc 2016-11-04 06:46:51 UTC 
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://rhn.redhat.com/errata/RHBA-2016-2461.html