Bug 799161

Field | Value
---|---
Summary | Firefox not working with S4U2Proxy
Product | Red Hat Enterprise Linux 6
Component | krb5
Version | 6.3
Status | CLOSED ERRATA
Reporter | Rob Crittenden <rcritten>
Assignee | Nalin Dahyabhai <nalin>
QA Contact | Jenny Severance <jgalipea>
CC | dpal, jgalipea, jplans, ksrot, mkosek, prc, ssorce, yzhang
Severity | unspecified
Priority | unspecified
Target Milestone | rc
Target Release | ---
Hardware | Unspecified
OS | Unspecified
Fixed In Version | krb5-1.9-29.el6
Doc Type | Bug Fix
Last Closed | 2012-06-20 14:27:31 UTC
Description
Rob Crittenden
2012-03-01 22:49:37 UTC
Created attachment 566961 [details]
upstream Kerberos patch
More sensical mech selection for gss_acquire_cred/accept_sec_context
If a caller passes an empty mech set to gss_acquire_cred, get a cred for all mechs instead of just the krb5 mech, as we don't know what mechanism the cred is going to be used with (particularly in the acceptor case). As a related fix, if a caller passes a credential to gss_accept_sec_context and it does not contain a mech-specific cred for the token's mech, error out instead of using the default cred with the token's mechanism.
Comment

On which versions is this known to work without backporting? Is it expected to work if the client's ticket isn't forwardable (i.e., obtained using a TGT which was obtained by running 'kinit -F', or with [libdefaults] not set up to default to requesting forwardable tickets)?

Comment

Is it sufficient to just remove the defined delegation uri configuration in about:config ... and make sure you can access the IPA Administration Web UI to verify this bug?

Comment #5

Nalin: versions of what, Firefox or krb5-server? S4U2Proxy needs a forwardable ticket to work (it just doesn't require the full TGT). From a client perspective we just set the flags GSS_C_MUTUAL_FLAG and GSS_C_SEQUENCE_FLAG, not GSS_C_DELEG_FLAG.

Jenny: It depends. If you start out with a fresh install and have never authenticated then yes. Or you can run ipactl restart to be sure that we haven't cached a TGT from a previous request. You can also look in /var/log/krb5kdc.log and look for CONSTRAINED DELEGATION lines. These mean that your user was properly authenticated without sending a TGT.

Comment #6

(In reply to comment #5)
> Nalin: versions of what, Firefox or krb5-server? S4U2Proxy needs a forwardable
> ticket to work (it just doesn't require the full TGT). From a client
> perspective we just set the flags GSS_C_MUTUAL_FLAG and GSS_C_SEQUENCE_FLAG,
> not GSS_C_DELEG_FLAG.

Firefox and mod_auth_kerb, mainly, as we're not patching the KDC as part of fixing this bug. If mod_auth_kerb doesn't get a suitable ticket from the client, shouldn't it be attempting to get one by using S4U2Self?

Comment

I don't understand. It looks like this patch is applied in krb5-1.9-29, which should address this bug. AFAIK no additional changes to mod_auth_kerb or Firefox are required (though a version of mod_auth_kerb that supports and is configured for S4U2Proxy is required).

Comment #8

(In reply to comment #6)
> (In reply to comment #5)
> > Nalin: versions of what, Firefox or krb5-server? S4U2Proxy needs a forwardable
> > ticket to work (it just doesn't require the full TGT). From a client
> > perspective we just set the flags GSS_C_MUTUAL_FLAG and GSS_C_SEQUENCE_FLAG,
> > not GSS_C_DELEG_FLAG.
>
> Firefox and mod_auth_kerb, mainly, as we're not patching the KDC as part of
> fixing this bug. If mod_auth_kerb doesn't get a suitable ticket from the
> client, shouldn't it be attempting to get one by using S4U2Self?

Firefox needs no fixes at all. mod_auth_kerb needs to be the right version that supports s4u2proxy; s4u2self is not allowed. libkrb5 needs to be patched. If patches are not backported from 1.10 it will never work, as Firefox forces SPNEGO as a mechanism and libgssapi_krb5 has bugs dealing with delegated credentials when SPNEGO is used.

Comment #9

(In reply to comment #8)
> (In reply to comment #6)
> > (In reply to comment #5)
> > > Nalin: versions of what, Firefox or krb5-server? S4U2Proxy needs a forwardable
> > > ticket to work (it just doesn't require the full TGT). From a client
> > > perspective we just set the flags GSS_C_MUTUAL_FLAG and GSS_C_SEQUENCE_FLAG,
> > > not GSS_C_DELEG_FLAG.
> >
> > Firefox and mod_auth_kerb, mainly, as we're not patching the KDC as part of
> > fixing this bug. If mod_auth_kerb doesn't get a suitable ticket from the
> > client, shouldn't it be attempting to get one by using S4U2Self?
>
> Firefox needs no fixes at all.

That's good to hear. Which version are you using when you're testing this?

> mod_auth_kerb needs to be the right version that supports s4u2proxy; s4u2self
> is not allowed.

Which version is that? Why is s4u2self not allowed, if things still don't work without it when the user-supplied ticket doesn't have the forwardable flag set in it?

> libkrb5 needs to be patched. If patches are not backported from 1.10 it will
> never work, as Firefox forces SPNEGO as a mechanism and libgssapi_krb5 has bugs
> dealing with delegated credentials when SPNEGO is used.

Yes, that's why this bug is here. I'm trying to establish a baseline against which I can compare the results of applying the patch from this bug. As the krb5 component is being patched here, the name-version-release information for the other parts which are involved would be useful.

Comment #10

(In reply to comment #9)
> (In reply to comment #8)
> > (In reply to comment #6)
> > > (In reply to comment #5)
> > > > Nalin: versions of what, Firefox or krb5-server? S4U2Proxy needs a forwardable
> > > > ticket to work (it just doesn't require the full TGT). From a client
> > > > perspective we just set the flags GSS_C_MUTUAL_FLAG and GSS_C_SEQUENCE_FLAG,
> > > > not GSS_C_DELEG_FLAG.
> > >
> > > Firefox and mod_auth_kerb, mainly, as we're not patching the KDC as part of
> > > fixing this bug. If mod_auth_kerb doesn't get a suitable ticket from the
> > > client, shouldn't it be attempting to get one by using S4U2Self?
> >
> > Firefox needs no fixes at all.
>
> That's good to hear. Which version are you using when you're testing this?

Any version is the same; that code hasn't changed in ages in Firefox. We used FF10.

> > mod_auth_kerb needs to be the right version that supports s4u2proxy; s4u2self
> > is not allowed.
>
> Which version is that?

I think mod_auth_kerb-5.4-9.fc16 has all needed code; I am not sure which RHEL version it corresponds to.

> Why is s4u2self not allowed, if things still don't work without it when the
> user-supplied ticket doesn't have the forwardable flag set in it?

s4u2self would give the proxy the ability to arbitrarily impersonate any user; we do not want that. The proxy needs an actual evidence ticket from a user to be able to use s4u2proxy. The user-supplied ticket must have the forwardable flag set.

Comment #11

(In reply to comment #10)
> (In reply to comment #9)
> > Why is s4u2self not allowed, if things still don't work without it when the
> > user-supplied ticket doesn't have the forwardable flag set in it?
>
> s4u2self would give the proxy the ability to arbitrarily impersonate any user;
> we do not want that. The proxy needs an actual evidence ticket from a user to be
> able to use s4u2proxy.

s4u2self, by itself, does not grant that ability. The KDC won't issue a forwardable ticket to the service via s4u2self if the ok-to-auth-as-delegate flag is not set for the service -- it will instead issue a non-forwardable ticket. A forwardable evidence ticket is required for making an s4u2proxy request, so a non-forwardable s4u2self ticket could not be used for s4u2proxy.

> The user-supplied ticket must have the forwardable flag set.

For IPA, for now. This doesn't automatically apply to all users of mod_auth_kerb.

Comment #12

(In reply to comment #11)
> (In reply to comment #10)
> > (In reply to comment #9)
> > > Why is s4u2self not allowed, if things still don't work without it when the
> > > user-supplied ticket doesn't have the forwardable flag set in it?
> >
> > s4u2self would give the proxy the ability to arbitrarily impersonate any user;
> > we do not want that. The proxy needs an actual evidence ticket from a user to be
> > able to use s4u2proxy.
>
> s4u2self, by itself, does not grant that ability. The KDC won't issue a
> forwardable ticket to the service via s4u2self if the ok-to-auth-as-delegate
> flag is not set for the service -- it will instead issue a non-forwardable
> ticket. A forwardable evidence ticket is required for making an s4u2proxy
> request, so a non-forwardable s4u2self ticket could not be used for s4u2proxy.

Sure, but in that case the s4u2self-obtained ticket would be useless to us. So it is not an interesting case to allow.

> > The user-supplied ticket must have the forwardable flag set.
>
> For IPA, for now. This doesn't automatically apply to all users of
> mod_auth_kerb.

In what case is s4u2self interesting for mod_auth_kerb?

Comment

(In reply to comment #12)
> In what case is s4u2self interesting for mod_auth_kerb?

I don't have an exhaustive list of the situations and applications where mod_auth_kerb is used, so I don't rule it out.

Comment #15

I do believe that forms based authentication would not work without s4u2proxy ... and testing of this should be sufficient for verification. Do you agree Nalin?

```
::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
:: [ LOG ] :: TEST PROTOCOL
::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
:: [ LOG ] :: Test run ID   : 5557773
:: [ LOG ] :: Package       : ipa-server
:: [ LOG ] :: Installed:    : ipa-server-2.2.0-11.el6.i686
:: [ LOG ] :: Test started  : 2012-04-30 12:18:59 EDT
:: [ LOG ] :: Test finished : 2012-04-30 12:23:20 EDT
:: [ LOG ] :: Test name     : /CoreOS/ipa-server/acceptance/forms-cli
:: [ LOG ] :: Distro:       : Red Hat Enterprise Linux Server release 6.3 Beta (Santiago)
:: [ LOG ] :: Hostname      : dell-pe1750-1.testrelm.com
:: [ LOG ] :: Architecture  : i686
::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
:: [ LOG ] :: Test description
::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
PURPOSE of /CoreOS/ipa-server/acceptance/forms-cli
Description: Tests creation and usage of kerberos forms
Author: Michael Gregg <mgregg>
::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
:: [ LOG ] :: forms-cli startup: Check for ipa-server package
::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
:: [ PASS ] :: Checking for the presence of ipa-server rpm
:: [ PASS ] :: Creating tmp directory
:: [ PASS ] :: Running 'pushd /tmp/tmp.1jl5RnNjga'
:: [ LOG ] :: kinit as admin with password Secret123 was successful.
:: [ PASS ] :: Kinit as admin user
:: [ LOG ] :: Duration: 4s
:: [ LOG ] :: Assertions: 4 good, 0 bad
:: [ PASS ] :: RESULT: forms-cli startup: Check for ipa-server package
::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
:: [ LOG ] :: forms-cli-01: Destroy credentials
::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
:: [ LOG ] :: Destroy kinit.
:: [ PASS ] :: destroy any credentials that may already exist
:: [ LOG ] :: Duration: 0s
:: [ LOG ] :: Assertions: 1 good, 0 bad
:: [ PASS ] :: RESULT: forms-cli-01: Destroy credentials
::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
:: [ LOG ] :: forms-cli-02: Ensure that json script does not work without a valid session ID
::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
:: [ PASS ] :: Make sure that the output of the curl request seems to have failed
:: [ LOG ] :: kinit as admin with password Secret123 was successful.
:: [ PASS ] :: Kinit as admin user
:: [ PASS ] :: Make sure that admin is unable to find the new user
:: [ PASS ] :: destroy any credentials that may already exist
:: [ LOG ] :: Duration: 11s
:: [ LOG ] :: Assertions: 4 good, 0 bad
:: [ PASS ] :: RESULT: forms-cli-02: Ensure that json script does not work without a valid session ID
::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
:: [ LOG ] :: forms-cli-03: ensure that you cannot get a valid session id with bad credentials.
::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
:: [ PASS ] :: Make sure that the response header does not appear to have a session id in it
:: [ LOG ] :: Duration: 1s
:: [ LOG ] :: Assertions: 1 good, 0 bad
:: [ PASS ] :: RESULT: forms-cli-03: ensure that you cannot get a valid session id with bad credentials.
::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
:: [ LOG ] :: forms-cli-04: attempt to create a new group with bad credentials.
::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
:: [ LOG ] :: kinit as admin with password Secret123 was successful.
:: [ PASS ] :: Kinit as admin user
:: [ PASS ] :: Make sure that admin is not able to find the new group lookgt
:: [ LOG ] :: Duration: 11s
:: [ LOG ] :: Assertions: 2 good, 0 bad
:: [ PASS ] :: RESULT: forms-cli-04: attempt to create a new group with bad credentials.
::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
:: [ LOG ] :: forms-cli-05: Get a valid session id with good credentials.
::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
:: [ PASS ] :: Make sure that the response header contains a session id in it
:: [ LOG ] :: new admin session ID is 1641a217e4aabed19ccfd98cf12dc1c0
:: [ LOG ] :: Duration: 7s
:: [ LOG ] :: Assertions: 1 good, 0 bad
:: [ PASS ] :: RESULT: forms-cli-05: Get a valid session id with good credentials.
::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
:: [ LOG ] :: forms-cli-06: Create a new user with the aquired session id. ie, retry forms-cli-02 with valid credentials.
::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
:: [ LOG ] :: kinit as admin with password Secret123 was successful.
:: [ PASS ] :: Kinit as admin user
:: [ PASS ] :: Make sure that admin is able to find the new user
:: [ PASS ] :: Delete the test user
:: [ LOG ] :: Duration: 25s
:: [ LOG ] :: Assertions: 3 good, 0 bad
:: [ PASS ] :: RESULT: forms-cli-06: Create a new user with the aquired session id. ie, retry forms-cli-02 with valid credentials.
::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
:: [ LOG ] :: forms-cli-07: Create a new group with the aquired session id. ie, retry forms-cli-03 with valid credentials.
::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
:: [ LOG ] :: kinit as admin with password Secret123 was successful.
:: [ PASS ] :: Kinit as admin user
:: [ PASS ] :: Make sure that admin is able to find the new group lookgt
:: [ LOG ] :: Duration: 17s
:: [ LOG ] :: Assertions: 2 good, 0 bad
:: [ PASS ] :: RESULT: forms-cli-07: Create a new group with the aquired session id. ie, retry forms-cli-03 with valid credentials.
::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
:: [ LOG ] :: forms-cli-08: Delete the group created in the last step using valid credentials in a form.
::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
:: [ LOG ] :: kinit as admin with password Secret123 was successful.
:: [ PASS ] :: Kinit as admin user
:: [ PASS ] :: Make sure that admin is not able to find the new group lookgt
:: [ LOG ] :: Duration: 17s
:: [ LOG ] :: Assertions: 2 good, 0 bad
:: [ PASS ] :: RESULT: forms-cli-08: Delete the group created in the last step using valid credentials in a form.
::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
:: [ LOG ] :: forms-cli-09: Add a good A record with forms based authentication.
::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
:: [ LOG ] :: kinit as admin with password Secret123 was successful.
:: [ PASS ] :: Kinit as admin user
:: [ PASS ] :: Make sure that the new ipa address seems to be in the server
:: [ LOG ] :: Duration: 34s
:: [ LOG ] :: Assertions: 2 good, 0 bad
:: [ PASS ] :: RESULT: forms-cli-09: Add a good A record with forms based authentication.
::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
:: [ LOG ] :: forms-cli-10: Add a second good A record with forms based authentication.
::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
:: [ LOG ] :: kinit as admin with password Secret123 was successful.
:: [ PASS ] :: Kinit as admin user
:: [ PASS ] :: Make sure that the original ip address seems to be in the server
:: [ PASS ] :: Make sure that the new ip address seems to be in the server
:: [ LOG ] :: Duration: 32s
:: [ LOG ] :: Assertions: 3 good, 0 bad
:: [ PASS ] :: RESULT: forms-cli-10: Add a second good A record with forms based authentication.
::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
:: [ LOG ] :: forms-cli-11: Try to add a bad ip a record with forma based auth.
::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
:: [ LOG ] :: kinit as admin with password Secret123 was successful.
:: [ PASS ] :: Kinit as admin user
:: [ PASS ] :: Make sure that the first original ip address seems to be in the server
:: [ PASS ] :: Make sure that the second original ip address seems to be in the server
:: [ PASS ] :: Make sure that the bad ip address isn't on the server
:: [ LOG ] :: Duration: 32s
:: [ LOG ] :: Assertions: 4 good, 0 bad
:: [ PASS ] :: RESULT: forms-cli-11: Try to add a bad ip a record with forma based auth.
::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
:: [ LOG ] :: forms-cli-12: Delete A record with forms based authentication.
::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
:: [ LOG ] :: kinit as admin with password Secret123 was successful.
:: [ PASS ] :: Kinit as admin user
:: [ PASS ] :: Make sure that the original ip address has been removed the server
:: [ PASS ] :: Make sure that the new ip address seems to be in the server
:: [ PASS ] :: Make sure that the bad ip address isn't on the server
:: [ PASS ] :: cleanup the second added a record.
:: [ LOG ] :: Duration: 50s
:: [ LOG ] :: Assertions: 5 good, 0 bad
:: [ PASS ] :: RESULT: forms-cli-12: Delete A record with forms based authentication.
No crash detected.
report saved as: /tmp/rhts.report.30839.txt
================ final pass/fail report =================
Test Date: Mon Apr 30 12:23:23 EDT 2012
Total : [13]
Passed: [13]
Failed: [0]
Abort : [0]
Crash : [0]
---------------------------------------------------------
[ PASS ] forms-cli startup Check for ipa-server package
[ PASS ] forms-cli-01 Destroy credentials
[ PASS ] forms-cli-02 Ensure that json script does not work without a valid session ID
[ PASS ] forms-cli-03 ensure that you cannot get a valid session id with bad credentials.
[ PASS ] forms-cli-04 attempt to create a new group with bad credentials.
[ PASS ] forms-cli-05 Get a valid session id with good credentials.
[ PASS ] forms-cli-06 Create a new user with the aquired session id. ie, retry forms-cli-02 with valid credentials.
[ PASS ] forms-cli-07 Create a new group with the aquired session id. ie, retry forms-cli-03 with valid credentials.
[ PASS ] forms-cli-08 Delete the group created in the last step using valid credentials in a form.
[ PASS ] forms-cli-09 Add a good A record with forms based authentication.
[ PASS ] forms-cli-10 Add a second good A record with forms based authentication.
[ PASS ] forms-cli-11 Try to add a bad ip a record with forma based auth.
[ PASS ] forms-cli-12 Delete A record with forms based authentication.
```

Comment

(In reply to comment #15)
> I do believe that forms based authentication would not work without s4u2proxy
> ... and testing of this should be sufficient for verification. Do you agree
> Nalin?

Forms based authentication is completely independent from s4u2proxy; however, normal SSO auth from Firefox with delegation-uris set to no value will use s4u2proxy.

Comment

(In reply to comment #15)
> I do believe that forms based authentication would not work without s4u2proxy
> ... and testing of this should be sufficient for verification. Do you agree
> Nalin?

The erratum includes information about testing general S4U2Proxy functionality in a non-IPA environment, and those tests should suffice for the general cases. If I'm reading the patch right, whether or not this was triggered depended in part on how the client and server used the GSSAPI library to talk to each other, and the combination of Firefox and mod_auth_kerb would trigger the bug at the server. So long as the form fails if mod_auth_kerb can't supply S4U2Proxy credentials for it, I think the test should cover it.

Comment

Per comments, marking bug verified. Thanks.

Comment

Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory, and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report.

http://rhn.redhat.com/errata/RHBA-2012-0921.html
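As an added example (not code from the bug report, IPA or krb5), the /var/log/krb5kdc.log check Rob suggests in comment #5 can be scripted: it separates CONSTRAINED DELEGATION (S4U2Proxy) issuances from TGS requests that a proxy host makes directly under a user's name, which is what a forwarded or cached TGT looks like. The sample log lines, the host-to-principal map and the exact line layout are constructed assumptions; a real KDC's format may differ.

```python
import re

# Constructed krb5kdc.log excerpt (not taken from the bug report). The lines
# imitate the MIT KDC's "TGS_REQ (...) <ip>: <status>: ..., <client> for
# <server>" layout; the exact format on a real KDC may differ.
SAMPLE_KDC_LOG = """\
Mar 01 22:40:10 ipa.example.com krb5kdc[1234](info): AS_REQ (4 etypes {18 17 16 23}) 192.0.2.10: ISSUE: authtime 1330641610, etypes {rep=18 tkt=18 ses=18}, admin@EXAMPLE.COM for krbtgt/EXAMPLE.COM@EXAMPLE.COM
Mar 01 22:40:11 ipa.example.com krb5kdc[1234](info): TGS_REQ (4 etypes {18 17 16 23}) 192.0.2.10: ISSUE: authtime 1330641610, etypes {rep=18 tkt=18 ses=18}, admin@EXAMPLE.COM for HTTP/ipa.example.com@EXAMPLE.COM
Mar 01 22:40:12 ipa.example.com krb5kdc[1234](info): TGS_REQ (4 etypes {18 17 16 23}) 192.0.2.20: CONSTRAINED DELEGATION: authtime 1330641610, etypes {rep=18 tkt=18 ses=18}, HTTP/ipa.example.com@EXAMPLE.COM for ldap/ipa.example.com@EXAMPLE.COM, 2nd tkt client admin@EXAMPLE.COM
Mar 01 22:41:05 ipa.example.com krb5kdc[1234](info): TGS_REQ (4 etypes {18 17 16 23}) 192.0.2.20: ISSUE: authtime 1330641610, etypes {rep=18 tkt=18 ses=18}, alice@EXAMPLE.COM for ldap/ipa.example.com@EXAMPLE.COM
"""

# Hypothetical mapping of the web front end's address to its service principal.
PROXY_HOSTS = {"192.0.2.20": "HTTP/ipa.example.com@EXAMPLE.COM"}

KDC_LINE = re.compile(
    r"^(?P<ts>\w{3} \d{2} \d{2}:\d{2}:\d{2}) \S+ krb5kdc\[\d+\]\(\w+\): "
    r"(?P<kind>AS_REQ|TGS_REQ) \([^)]*\) (?P<ip>[\d.]+): (?P<status>[^:]+): "
    r"authtime \d+, etypes \{[^}]*\}, (?P<client>\S+) for (?P<server>[^,\s]+)"
    r"(?:, 2nd tkt client (?P<impersonated>\S+))?"
)


def parse_kdc_log(text):
    """Return one dict per AS_REQ/TGS_REQ line; unrelated lines are skipped."""
    return [m.groupdict() for m in map(KDC_LINE.match, text.splitlines()) if m]


def constrained_delegations(events):
    """S4U2Proxy issuances as (proxy service, impersonated user, target service).

    A CONSTRAINED DELEGATION line means the proxy presented the user's evidence
    ticket rather than a forwarded TGT, which is the behaviour being verified."""
    return [(e["client"], e["impersonated"], e["server"])
            for e in events if e["status"] == "CONSTRAINED DELEGATION"]


def direct_user_requests_from_proxy(events, proxy_hosts):
    """TGS_REQs sent from a proxy host under a *user's* identity.

    Such a request means the proxy holds the user's TGT (full delegation, or a
    TGT cached from an earlier request) instead of using S4U2Proxy; it is the
    case the 'ipactl restart' advice in the thread is meant to rule out."""
    return [(e["ip"], e["client"], e["server"]) for e in events
            if e["kind"] == "TGS_REQ" and e["ip"] in proxy_hosts
            and e["client"] != proxy_hosts[e["ip"]]
            and e["status"] != "CONSTRAINED DELEGATION"]


if __name__ == "__main__":
    evs = parse_kdc_log(SAMPLE_KDC_LOG)
    for proxy, user, target in constrained_delegations(evs):
        print(f"S4U2Proxy: {proxy} acted for {user} to reach {target}")
    for ip, user, target in direct_user_requests_from_proxy(evs, PROXY_HOSTS):
        print(f"WARNING: {ip} requested {target} as {user} without S4U2Proxy")
```

On a live system, feed the real log through parse_kdc_log and fill PROXY_HOSTS with the mod_auth_kerb host's address and principal.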