Bug 687975

Summary: mod_auth_kerb using krb5passwd and keepalive and credential delegation loses delegation after first request on connection
Product: [Fedora] Fedora Reporter: Benjamin Kahn <bkahn>
Component: mod_auth_kerbAssignee: Joe Orton <jorton>
Status: CLOSED ERRATA QA Contact: Fedora Extras Quality Assurance <extras-qa>
Severity: unspecified Docs Contact:
Priority: unspecified    
Version: 14CC: jorton
Target Milestone: ---   
Target Release: ---   
Hardware: Unspecified   
OS: Unspecified   
Whiteboard:
Fixed In Version: mod_auth_kerb-5.4-13.fc17 Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
: 688210 (view as bug list) Environment:
Last Closed: 2012-05-04 23:06:27 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On:    
Bug Blocks: 688210    
Attachments:
Description Flags
Move credential cache destruction to the destruction of the CONNECTION not the REQUEST
none
Updated patch by mgbowman to solve resource leak none

Description Benjamin Kahn 2011-03-15 21:35:33 UTC 
Created attachment 485608 [details]
Move credential cache destruction to the destruction of the CONNECTION not the REQUEST

Description of problem:
mod_auth_kerb using krb5passwd and keepalive and credential delegation loses delegation after first request on connection

Version-Release number of selected component (if applicable):
mod_auth_kerb-5.4-5.1.fc14

How reproducible:
Tricky to reproduce since it requires multiple connections to a Kerberos password protected space using a compatible web browser with keep-alive enabled

Steps to Reproduce:
1. Set up Kerberos authentication:

<Location /private>
  SSLRequireSSL
  AuthType Kerberos
  AuthName "Kerberos Login"
  KrbMethodNegotiate Off
  KrbMethodK5Passwd On
  KrbSaveCredentials On
  KrbAuthRealms EXAMPLE.COM
  Krb5KeyTab /etc/krb5-apache.keytab
  require valid-user
</Location>

2. Set up your web browser to support Keberos Auth with delegation

http://www.grolmsnet.de/kerbtut/firefox.html
(Note that the link doesn't include setting up delegation; set network.negotiate-auth.delegation-uris to be the same as trusted-uris)

3. Create a CGI script which checks $KRB5CCNAME and $REMOTE_USER

http://modauthkerb.sourceforge.net/credential-cache-example.script

4. Turn on keep-alive
  
5. Start the web server

6. Reload a lot

Actual results:
Requests on the kept-alive connection, after the first one, will not have a valid $KRB5CCNAME environment variable

Expected results:
Every request should have correct credentials

Additional info:
See attached patch for fix.
Comment 1 Benjamin Kahn 2011-09-09 14:55:09 UTC 
Created attachment 522350 [details]
Updated patch by mgbowman to solve resource leak

Updated patch by mgbowman to solve resource leak
Comment 2 Joe Orton 2012-05-01 15:08:58 UTC 
Commit: http://pkgs.fedoraproject.org/gitweb/?p=mod_auth_kerb.git;a=commitdiff;h=79c52de66cd5351b31e06f29cb883934c7ea57f0
Package: mod_auth_kerb-5.4-13.fc18
Build: https://koji.fedoraproject.org/koji/buildinfo?buildID=316630
Comment 3 Fedora Update System 2012-05-01 15:12:14 UTC 
mod_auth_kerb-5.4-13.fc17 has been submitted as an update for Fedora 17.
https://admin.fedoraproject.org/updates/mod_auth_kerb-5.4-13.fc17
Comment 4 Fedora Update System 2012-05-01 21:32:15 UTC 
Package mod_auth_kerb-5.4-13.fc17:
* should fix your issue,
* was pushed to the Fedora 17 testing repository,
* should be available at your local mirror within two days.
Update it with:
# su -c 'yum update --enablerepo=updates-testing mod_auth_kerb-5.4-13.fc17'
as soon as you are able to.
Please go to the following url:
https://admin.fedoraproject.org/updates/FEDORA-2012-7030/mod_auth_kerb-5.4-13.fc17
then log in and leave karma (feedback).
Comment 5 Fedora Update System 2012-05-04 23:06:27 UTC 
mod_auth_kerb-5.4-13.fc17 has been pushed to the Fedora 17 stable repository.  If problems still persist, please make note of it in this bug report.