Bug 1941997

Summary: [External Authentication] External auth login using Kerberos SSO is failing for AD on Satellite 6.9
Product: Red Hat Satellite
Reporter: Omkar Khatavkar <okhatavk>
Component: Authentication
Assignee: Ondřej Ezr <oezr>
Status: CLOSED ERRATA
QA Contact: Omkar Khatavkar <okhatavk>
Severity: low
Docs Contact:
Priority: unspecified
Version: 6.9.0
CC: ahumbe, bbuckingham, ehelms, jonathan.liedy, mhulan, oezr, tbrisker, thadzhie, vijsingh
Target Milestone: 6.10.0
Keywords: Regression, Triaged
Target Release: Unused
Hardware: All
OS: All
Whiteboard:
Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2021-11-16 14:10:29 UTC
Type: Bug
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---
Target Upstream Version:
Embargoed:

Description Omkar Khatavkar 2021-03-23 11:38:48 UTC
Description of problem:
[Authentication] External auth login using Kerberos SSO is failing for AD on Satellite

Version-Release number of selected component (if applicable):
Satellite 6.9 Snap 18

How reproducible:
Always

Steps to Reproduce:
1. Configure the External Auth to Satellite as mentioned at the link

https://access.redhat.com/documentation/en-us/red_hat_satellite/6.8/html/administering_red_hat_satellite/chap-red_hat_satellite-administering_red_hat_satellite-configuring_external_authentication#sect-Red_Hat_Satellite-Administering_Red_Hat_Satellite-Configuring_External_Authentication-Using_Active_Directory

2. Get the Kerberos ticket

3. Try curl -k -u : --negotiate https://satellite.example.com/users/extlogin/


Actual results:

The user is redirected to the login page again and Satellite is not able to validate the ticket details, e.g.

>>> curl -k -u : --negotiate https://satellite.example.com/users/extlogin/

<<< stdout
<html><meta http-equiv="refresh" content="0; URL=/users/login"><body>Kerberos authentication did not pass.</body>



Expected results:

The user should be redirected to the profile page, e.g.

>>> curl -k -u : --negotiate https://satellite.example.com/users/extlogin/

<<< stdout
<html><body>You are being <a href="https://satellite.example.com/users/8-foobar/edit">redirected</a>.</body></html> 

Additional info:

This was working when last verified for Bugzilla
https://bugzilla.redhat.com/show_bug.cgi?id=1905400

Comment 8 Ondřej Ezr 2021-03-25 13:36:37 UTC
Hi,

The issue is that you are using

>>> curl -k -u : --negotiate https://satellite.example.com/users/extlogin/

Instead, you need to leave out the trailing slash

>>> curl -k -u : --negotiate https://satellite.example.com/users/extlogin


This is simply an issue of our exact match in Apache and the trailing backslash.
We are using this for the Kerberos endpoint configuration:

```
<LocationMatch ^/users/(ext)?login$>
```

And that is not matched with the trailing slash.
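
An added example, not part of the comment above or of Satellite's code: a Python check that extracts `<LocationMatch>` patterns from an Apache fragment and lists request paths that miss the Kerberos block only because of a trailing slash. Everything in the fragment except the `LocationMatch` line, the path list, and the tolerant `/?` pattern are constructed assumptions; the `/?` variant is not the change shipped in the erratum.

```python
import re

# Constructed fragment; only the LocationMatch line comes from the bug comment.
APACHE_CONF = """
<LocationMatch ^/users/(ext)?login$>
  # Kerberos auth directives would sit here (not shown on the page)
</LocationMatch>
"""

# Hypothetical tolerant variant that also accepts one trailing slash.
TOLERANT_CONF = APACHE_CONF.replace("login$>", "login/?$>")

# Constructed request paths. Assumption: the application routes a path with a
# trailing slash to the same action, as the response body in the report suggests.
PATHS = ["/users/extlogin", "/users/extlogin/", "/users/login", "/users/login/"]


def location_patterns(conf):
    """Return the regex of every <LocationMatch ...> opening tag in conf."""
    tag = re.compile(r'^\s*<LocationMatch\s+"?(.+?)"?>\s*$', re.M)
    return [m.group(1) for m in tag.finditer(conf)]


def covered(path, patterns):
    """True if any auth block applies to the path.

    re.search stands in for Apache's PCRE match on the URL path, which
    behaves the same for patterns as simple as these.
    """
    return any(re.search(p, path) for p in patterns)


def uncovered_variants(conf, paths):
    """Paths that miss every block although their slash-stripped form hits one."""
    pats = location_patterns(conf)
    return [p for p in paths
            if not covered(p, pats) and covered(p.rstrip("/"), pats)]


if __name__ == "__main__":
    for name, conf in (("reported", APACHE_CONF), ("tolerant", TOLERANT_CONF)):
        print(name, location_patterns(conf), "->", uncovered_variants(conf, PATHS))
```

Requests listed by `uncovered_variants` reach the application without the Kerberos module having run, which is why the reporter saw "Kerberos authentication did not pass" despite holding a valid ticket.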

Comment 11 Bryan Kearney 2021-03-25 16:01:34 UTC
Upstream bug assigned to oezr

Comment 12 Bryan Kearney 2021-03-25 16:01:36 UTC
Upstream bug assigned to oezr

Comment 13 Omkar Khatavkar 2021-03-30 12:31:30 UTC
Brad, the same issue exists in the Satellite 6.8.5 latest snap.

Comment 14 Jonathan Liedy 2021-04-21 18:29:37 UTC
Can confirm this is an issue in 6.8.6 regardless of the trailing slash on the URL.

```
[redacted]# curl -k -u : --negotiate https://redacted/users/extlogin/
<html><body>You are being <a href="https://redacted/users/login">redirected</a>.</body></html>
[redacted]# curl -k -u : --negotiate https://redacted/users/extlogin
<html><body>You are being <a href="https://redacted/users/login">redirected</a>.</body></html>
```

Comment 15 Ondřej Ezr 2021-05-04 18:25:45 UTC
Jonathan, this can even mean Kerberos did work.
If it didn't, we would need more details about your setup to figure out where your issue is.
The cause of the reported issue in this BZ was strictly the use of the trailing slash; apart from that, Kerberos worked on the setup.

Comment 19 errata-xmlrpc 2021-11-16 14:10:29 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory (Moderate: Satellite 6.10 Release), and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHSA-2021:4702