Bug 1012665 - S4U2Proxy, mod_auth_kerb & KrbServiceName failure
Status: CLOSED EOL
Product: Fedora
Component: mod_auth_kerb
Version: 19
Hardware: x86_64 Linux
Assigned To: Rob Crittenden
Reported: 2013-09-26 16:26 EDT by Anthony Messina
Modified: 2015-02-18 06:18 EST
Last Closed: 2015-02-18 06:18:46 EST
Type: Bug
Doc Type: Bug Fix

Attachments: None
Description Anthony Messina 2013-09-26 16:26:50 EDT
After following the instructions [1] to set up S4U2Proxy & FreeIPA, I find that I am unable to get a working configuration.  I believe the issue is related to the use of the "KrbServiceName" option.

I have the following set:

KrbServiceName HTTP/example.com@EXAMPLE.COM

as the webserver is publicly accessible at http://example.com, but resides on a server with a hostname such as hostname.example.com.

I see the following in my Apache error log:

Could not parse principal HTTP/example.com@EXAMPLE.COM/example.com: Malformed representation of principal (-1765328250) 
gss_acquire_cred() failed: Unspecified GSS failure.  Minor code may provide more information (, Can't find client principal HTTP/example.com@EXAMPLE.COM in cache collection)

The error originates from [2], and I am wondering why in the error above, the extra "/example.com" is being appended and whether or not there can be a resolution for this issue.

I have tried various combinations of KrbServiceName

KrbServiceName HTTP
KrbServiceName HTTP/
KrbServiceName HTTP/example.com
KrbServiceName HTTP/example.com@
KrbServiceName HTTP/example.com@EXAMPLE.COM

all to no avail.  Also, if I leave out the KrbServiceName, authentication fails (even without S4U2Proxy) as a TGT for HTTP/hostname.example.com@EXAMPLE.COM is attempted, which doesn't match the requested hostname from the client (example.com).

1. http://vda.li/en/posts/2013/07/29/Setting-up-S4U2Proxy-with-FreeIPA/index.html
2. http://pkgs.fedoraproject.org/cgit/mod_auth_kerb.git/tree/mod_auth_kerb-5.4-s4u2proxy.patch?h=f19#n243
Comment 1 Dmitri Pal 2014-01-14 16:40:44 EST
Have you looked at ignore_acceptor_hostname option in krb5.conf file?
Comment 2 Anthony Messina 2014-01-14 16:49:56 EST
(In reply to Dmitri Pal from comment #1)
> Have you looked at ignore_acceptor_hostname option in krb5.conf file?

Thank you for the info Dmitri.  This is not an option that I have used (or required) in the past.  Is it something that would be required to support the above configuration with the introduction of S4U2Proxy?

It seems that many Apache sites would be hosted on servers with true hostnames different from the web-accessible hostname, correct?
Comment 3 Dmitri Pal 2014-01-14 16:54:20 EST
I think this is one of the options. There might be a better one but you need to research krb5.conf. Effectively you need to explain to kerberos library that your service principal needs to be mapped to a different host name. I suspect there is a way to do it. I am just showing you the direction where the answers might be.
Comment 4 Anthony Messina 2014-01-14 17:01:26 EST
(In reply to Dmitri Pal from comment #3)
> I think this is one of the options. There might be a better one but you need
> to research krb5.conf. Effectively you need to explain to kerberos library
> that your service principal needs to be mapped to a different host name. I
> suspect there is a way to do it. I am just showing you the direction where
> the answers might be.

Ok, thank you.  I was only commenting as I currently use KrbServiceName without S4U2Proxy and I do not and have never had ignore_acceptor_hostname configured and mod_auth_kerb works as expected.

I'm in the course of trying to see how mod_auth_kerb, S4U2Proxy, FreeIPA, and gssproxy can work together for one of my web applications and it's a little fuzzy to me ATM ;)
Comment 5 Simo Sorce 2014-01-14 18:00:04 EST
Anthony,
could you run klist -kt /path/to/keytab and tell me what principals you have in there?

It sounds a lot like a misconfiguration of some sort; I have never seen a problem with matching hostname/servicename.
Comment 6 Anthony Messina 2014-01-14 18:09:22 EST
Sure, the server's actual hostname is "chicago.messinet.com".  The website it hosts is just "messinet.com"

# klist -k
Keytab name: FILE:/etc/krb5.keytab
KVNO Principal
---- --------------------------------------------------------------------------
   2 host/chicago.messinet.com@MESSINET.COM
   2 host/chicago.messinet.com@MESSINET.COM
   2 host/chicago.messinet.com@MESSINET.COM
   2 host/chicago.messinet.com@MESSINET.COM
   1 nfs/chicago.messinet.com@MESSINET.COM
   1 nfs/chicago.messinet.com@MESSINET.COM
   1 nfs/chicago.messinet.com@MESSINET.COM
   1 nfs/chicago.messinet.com@MESSINET.COM

# klist -k /etc/httpd/conf/HTTP.keytab 
Keytab name: FILE:/etc/httpd/conf/HTTP.keytab
KVNO Principal
---- --------------------------------------------------------------------------
   1 HTTP/messinet.com@MESSINET.COM
   1 HTTP/messinet.com@MESSINET.COM
   1 HTTP/messinet.com@MESSINET.COM
   1 HTTP/messinet.com@MESSINET.COM
Comment 7 Simo Sorce 2014-01-14 19:25:56 EST
Uhm, KrbServiceName should just be HTTP; mod_auth_kerb will construct the principal based on the hostname apache sees, I think.

Here in this error you can see that:
"Could not parse principal HTTP/example.com@EXAMPLE.COM/example.com: Malformed representation of principal (-1765328250) "

Unless you made a mistake replacing example.com with your name, you can see how /example.com was appended to the whole name; this is because, I believe, mod_auth_kerb took the whole name as the service name, and it appended /<hostname> to it.

What error do you get when you set just HTTP?
(or simply leave it out since HTTP is the default)

I am not sure why obtaining credentials with S4U2Proxy would fail; the code constructs the name from "service_name" (by default HTTP) and ap_get_server_name(), which should be the name of the site apache is serving ... however it is probably the *default* server name at startup ...
Have you set a default ServerName directive for your server ?
Comment 8 Anthony Messina 2014-01-14 19:35:26 EST
(In reply to Simo Sorce from comment #7)
> Have you set a default ServerName directive for your server ?

# grep -Rni ServerName conf/ conf.d/
conf/httpd.conf:95:ServerName messinet.com:80
conf.d/ssl.conf:61:ServerName messinet.com:443
Comment 9 Anthony Messina 2014-01-14 19:39:25 EST
(In reply to Simo Sorce from comment #7)
> What error do you get when you set just HTTP?
> (or simply leave it out since HTTP is the default)

It seems to be looking for the actual hostname instead of the HTTP-specific hostname.

gss_acquire_cred() failed: Unspecified GSS failure.  Minor code may provide more information (, No key table entry found matching HTTP/chicago.messinet.com@)
Comment 10 Simo Sorce 2014-01-15 01:04:59 EST
Rob,
you've written the s4u2proxy support in mod_auth_kerb, do you know why it is behaving this way ?
Comment 11 Rob Crittenden 2014-01-15 08:57:25 EST
I don't see anything. It creates the principal using ap_get_server_name() as well so it should be picking the right name.

Can you set the log level to debug and attach a snippet here? We may be able to better see what it is doing.
Comment 12 Anthony Messina 2014-01-18 12:31:13 EST
Adding debug logging for mod_auth_kerb with "LogLevel mod_auth_kerb.c:debug" reveals the following:

[auth_kerb:debug] [pid 6133] src/mod_auth_kerb.c(1956): [client <IPv6 address redacted>:41971] kerb_authenticate_user entered with user (NULL) and auth_type Kerberos, referer: https://messinet.com/
[auth_kerb:debug] [pid 6133] src/mod_auth_kerb.c(1956): [client <IPv6 address redacted>:41971] kerb_authenticate_user entered with user (NULL) and auth_type Kerberos, referer: https://messinet.com/
[auth_kerb:debug] [pid 6133] src/mod_auth_kerb.c(1295): [client <IPv6 address redacted>:41971] Acquiring creds for HTTP@messinet.com, referer: https://messinet.com/
[auth_kerb:debug] [pid 6133] src/mod_auth_kerb.c(1155): [client <IPv6 address redacted>:41971] GSS-API major_status:000d0000, minor_status:025ea101, referer: https://messinet.com/
[auth_kerb:error] [pid 6133] [client <IPv6 address redacted>:41971] gss_acquire_cred() failed: Unspecified GSS failure.  Minor code may provide more information (, No key table entry found matching HTTP/chicago.messinet.com@), referer: https://messinet.com/
Comment 13 Anthony Messina 2014-01-18 13:54:15 EST
It turns out that I also needed "KrbConstrainedDelegation On", which wasn't clearly documented.

Here are the debug results with various values for KrbServiceName.  In the first case, with KrbServiceName HTTP/messinet.com@MESSINET.COM, I get "Could not parse principal HTTP/messinet.com@MESSINET.COM/messinet.com".  This is different from the last two cases, where mod_auth_kerb seems to fall back to looking for the system's *actual* hostname, rather than the name of the webserver.

# With KrbServiceName HTTP/messinet.com@MESSINET.COM

[auth_kerb:debug] [pid 10793] src/mod_auth_kerb.c(1956): [client <IPv6 address redacted>:42894] kerb_authenticate_user entered with user (NULL) and auth_type Kerberos, referer: http://messinet.com/
[auth_kerb:debug] [pid 10793] src/mod_auth_kerb.c(1956): [client <IPv6 address redacted>:42894] kerb_authenticate_user entered with user (NULL) and auth_type Kerberos, referer: http://messinet.com/
[auth_kerb:debug] [pid 10793] src/mod_auth_kerb.c(1295): [client <IPv6 address redacted>:42894] Acquiring creds for HTTP/messinet.com@MESSINET.COM, referer: http://messinet.com/
[auth_kerb:debug] [pid 10793] src/mod_auth_kerb.c(1489): [client <IPv6 address redacted>:42894] Credentials cache FILE:/tmp/krb5cc_48 not found, create one, referer: http://messinet.com/
[auth_kerb:error] [pid 10793] [client <IPv6 address redacted>:42894] Could not parse principal HTTP/messinet.com@MESSINET.COM/messinet.com: Malformed representation of principal (-1765328250) , referer: http://messinet.com/
[auth_kerb:debug] [pid 10793] src/mod_auth_kerb.c(1617): [client <IPv6 address redacted>:42894] Failed to obtain credentials for s4u2proxy, referer: http://messinet.com/
[auth_kerb:debug] [pid 10793] src/mod_auth_kerb.c(1155): [client <IPv6 address redacted>:42894] GSS-API major_status:000d0000, minor_status:96c73a8d, referer: http://messinet.com/
[auth_kerb:error] [pid 10793] [client <IPv6 address redacted>:42894] gss_acquire_cred() failed: Unspecified GSS failure.  Minor code may provide more information (, Can't find client principal HTTP/messinet.com@MESSINET.COM in cache collection), referer: http://messinet.com/

# With KrbServiceName left undefined (which should default to HTTP)

[auth_kerb:debug] [pid 10989] src/mod_auth_kerb.c(1956): [client <IPv6 address redacted>:42951] kerb_authenticate_user entered with user (NULL) and auth_type Kerberos, referer: http://messinet.com/
[auth_kerb:debug] [pid 10989] src/mod_auth_kerb.c(1956): [client <IPv6 address redacted>:42951] kerb_authenticate_user entered with user (NULL) and auth_type Kerberos, referer: http://messinet.com/
[auth_kerb:debug] [pid 10989] src/mod_auth_kerb.c(1295): [client <IPv6 address redacted>:42951] Acquiring creds for HTTP@messinet.com, referer: http://messinet.com/
[auth_kerb:debug] [pid 10989] src/mod_auth_kerb.c(1489): [client <IPv6 address redacted>:42951] Credentials cache FILE:/tmp/krb5cc_48 not found, create one, referer: http://messinet.com/
[auth_kerb:debug] [pid 10989] src/mod_auth_kerb.c(1555): [client <IPv6 address redacted>:42951] Obtaining new credentials for HTTP/messinet.com, referer: http://messinet.com/
[auth_kerb:debug] [pid 10989] src/mod_auth_kerb.c(1614): [client <IPv6 address redacted>:42951] Done obtaining credentials for s4u2proxy, referer: http://messinet.com/
[auth_kerb:debug] [pid 10989] src/mod_auth_kerb.c(1155): [client <IPv6 address redacted>:42951] GSS-API major_status:000d0000, minor_status:025ea101, referer: http://messinet.com/
[auth_kerb:error] [pid 10989] [client <IPv6 address redacted>:42951] gss_acquire_cred() failed: Unspecified GSS failure.  Minor code may provide more information (, No key table entry found matching HTTP/chicago.messinet.com@), referer: http://messinet.com/

# With KrbServiceName HTTP

[auth_kerb:debug] [pid 11304] src/mod_auth_kerb.c(1956): [client <IPv6 address redacted>:42979] kerb_authenticate_user entered with user (NULL) and auth_type Kerberos, referer: http://messinet.com/
[auth_kerb:debug] [pid 11304] src/mod_auth_kerb.c(1956): [client <IPv6 address redacted>:42979] kerb_authenticate_user entered with user (NULL) and auth_type Kerberos, referer: http://messinet.com/
[auth_kerb:debug] [pid 11304] src/mod_auth_kerb.c(1295): [client <IPv6 address redacted>:42979] Acquiring creds for HTTP@messinet.com, referer: http://messinet.com/
[auth_kerb:debug] [pid 11304] src/mod_auth_kerb.c(1489): [client <IPv6 address redacted>:42979] Credentials cache FILE:/tmp/krb5cc_48 not found, create one, referer: http://messinet.com/
[auth_kerb:debug] [pid 11304] src/mod_auth_kerb.c(1555): [client <IPv6 address redacted>:42979] Obtaining new credentials for HTTP/messinet.com, referer: http://messinet.com/
[auth_kerb:debug] [pid 11304] src/mod_auth_kerb.c(1614): [client <IPv6 address redacted>:42979] Done obtaining credentials for s4u2proxy, referer: http://messinet.com/
[auth_kerb:debug] [pid 11304] src/mod_auth_kerb.c(1155): [client <IPv6 address redacted>:42979] GSS-API major_status:000d0000, minor_status:025ea101, referer: http://messinet.com/
[auth_kerb:error] [pid 11304] [client <IPv6 address redacted>:42979] gss_acquire_cred() failed: Unspecified GSS failure.  Minor code may provide more information (, No key table entry found matching HTTP/chicago.messinet.com@), referer: http://messinet.com/
Comment 14 Rob Crittenden 2014-01-20 09:18:34 EST
So I gather it is working for you now with KrbConstrainedDelegation enabled? Can we close this bug?

You're right, this wiki page doesn't mention it. Perhaps you can add a comment with changes that made it work for you (in case there is anything else that needs tweaking).

This option is documented in the mod_auth_kerb README, /usr/share/doc/mod_auth_kerb-5.4/README
Comment 15 Anthony Messina 2014-01-20 09:29:46 EST
(In reply to Rob Crittenden from comment #14)
> So I gather it is working for you now with KrbConstrainedDelegation enabled?
> Can we close this bug?
> 
> You're right, this wiki page doesn't mention it. Perhaps you can add a
> comment with changes that made it work for you (in case there is anything
> else that needs tweaking).
> 
> This option is documented in the mod_auth_kerb README,
> /usr/share/doc/mod_auth_kerb-5.4/README

No, it is definitely NOT working.  I only mentioned that so I could show that the logs show that I'm actually trying S4U2Proxy.

See Comment #13 again.  It shows how mod_auth_kerb seems to manipulate the credential name improperly based on the setting of KrbServiceName.

When I leave out the KrbServiceName directive or set it to HTTP, mod_auth_kerb is looking to use the actual hostname of the machine: "Minor code may provide more information (, No key table entry found matching HTTP/chicago.messinet.com@)" which will never work, as the web-accessible name is "messinet.com" -- this is what the clients will request and expect in their browsers.

When I use KrbServiceName HTTP/messinet.com@MESSINET.COM (to ensure that browsers will get what they are looking for), I get the following, with the additional "/messinet.com" appended to the principal name, which fails:

Could not parse principal HTTP/messinet.com@MESSINET.COM/messinet.com: Malformed representation of principal (-1765328250)

So when it looks up the name in the cache, it can't find it, likely because of the above malformed principal name.

Minor code may provide more information (, Can't find client principal HTTP/messinet.com@MESSINET.COM in cache collection)
Comment 16 Rob Crittenden 2014-01-20 11:08:21 EST
This is a bug in mod_auth_kerb where the principal name is constructed in obtain_server_credentials(). It doesn't see that service_name is a full principal and tries to construct a new one.

It should probably look more like this:

   if (strchr(service_name, '/') != NULL)
      ret = krb5_parse_name(kcontext, service_name, &princ);
   else
      ret = krb5_sname_to_principal(kcontext, ap_get_server_name(r),
                                    (service_name) ? service_name : SERVICE_NAME,
                                    KRB5_NT_SRV_HST, &princ);
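The name construction discussed in comments 13 and 16, as an added example that is not mod_auth_kerb's own code: it models the pre-fix behaviour (always append "/<server name>" to KrbServiceName) beside the fix Rob sketches above (a KrbServiceName containing '/' is already a principal and is parsed as-is), and then checks the resulting principal against the HTTP.keytab listing from comment 6. krb5_parse_name and krb5_sname_to_principal are replaced by a small string validator so the example runs without libkrb5; the explicit realm argument, the default-realm qualification, and the helper names are assumptions, and the keytab array is constructed from comment 6.

```c
#include <stdio.h>
#include <string.h>

#define SERVICE_NAME "HTTP"   /* mod_auth_kerb's default KrbServiceName */
#define PRINC_MAX 256

/* Constructed stand-in for "klist -k /etc/httpd/conf/HTTP.keytab" (comment 6). */
static const char *const HTTP_KEYTAB[] = {
    "HTTP/messinet.com@MESSINET.COM",
};
#define HTTP_KEYTAB_LEN (sizeof HTTP_KEYTAB / sizeof HTTP_KEYTAB[0])

/* Append "@realm" when the name carries no realm, the way krb5_parse_name
 * applies the default realm (assumption: the realm is passed in explicitly). */
static int qualify_realm(char *name, size_t len, const char *realm)
{
    size_t used = strlen(name);
    if (strchr(name, '@') != NULL)
        return 0;
    if (snprintf(name + used, len - used, "@%s", realm) >= (int)(len - used))
        return -1;
    return 0;
}

/* Minimal "primary/instance@REALM" check: exactly one '@' with a non-empty
 * realm that contains no '/'.  The real parser is stricter, but this is
 * enough to reject "HTTP/example.com@EXAMPLE.COM/example.com". */
static int principal_is_well_formed(const char *p)
{
    const char *at = strchr(p, '@');
    if (at == NULL || at == p || at[1] == '\0')
        return 0;
    if (strchr(at + 1, '@') != NULL || strchr(at + 1, '/') != NULL)
        return 0;
    return 1;
}

/* Pre-fix behaviour: treat KrbServiceName as a bare service name and always
 * append the server name, as the patch did regardless of what was configured.
 * Returns 0 and the principal in `out`, or -1 when the result is malformed. */
int build_principal_old(const char *service_name, const char *server_name,
                        const char *realm, char *out, size_t outlen)
{
    const char *svc = service_name ? service_name : SERVICE_NAME;
    if (snprintf(out, outlen, "%s/%s", svc, server_name) >= (int)outlen)
        return -1;
    if (qualify_realm(out, outlen, realm) != 0)
        return -1;
    return principal_is_well_formed(out) ? 0 : -1;
}

/* Fixed behaviour (comment 16): a KrbServiceName containing '/' is taken as a
 * complete principal; only a bare service name gets the server name appended. */
int build_principal_new(const char *service_name, const char *server_name,
                        const char *realm, char *out, size_t outlen)
{
    const char *svc = service_name ? service_name : SERVICE_NAME;
    if (strchr(svc, '/') == NULL)
        return build_principal_old(svc, server_name, realm, out, outlen);
    if (snprintf(out, outlen, "%s", svc) >= (int)outlen)
        return -1;
    if (qualify_realm(out, outlen, realm) != 0)
        return -1;
    return principal_is_well_formed(out) ? 0 : -1;
}

/* The check that separates the two failures in the logs: a well-formed
 * principal that is absent from the keytab is the "No key table entry found"
 * case; a malformed one never gets this far. */
int keytab_has_principal(const char *princ)
{
    for (size_t i = 0; i < HTTP_KEYTAB_LEN; i++)
        if (strcmp(HTTP_KEYTAB[i], princ) == 0)
            return 1;
    return 0;
}

static const char *verdict(int rc, const char *princ)
{
    if (rc != 0)
        return "malformed principal";
    return keytab_has_principal(princ) ? "found in keytab" : "no key table entry";
}

int main(void)
{
    /* The three configurations tried on this bug, with the server name
     * mod_auth_kerb was observed to use in each case. */
    static const struct { const char *svc; const char *host; } cases[] = {
        { "HTTP/example.com@EXAMPLE.COM", "example.com" },
        { NULL,                           "chicago.messinet.com" },
        { "HTTP/messinet.com",            "chicago.messinet.com" },
    };
    char p[PRINC_MAX];
    for (size_t i = 0; i < sizeof cases / sizeof cases[0]; i++) {
        const char *label = cases[i].svc ? cases[i].svc : "(unset, default HTTP)";
        int rc = build_principal_old(cases[i].svc, cases[i].host, "MESSINET.COM", p, sizeof p);
        printf("old  %-30s -> %s: %s\n", label, p, verdict(rc, p));
        rc = build_principal_new(cases[i].svc, cases[i].host, "MESSINET.COM", p, sizeof p);
        printf("new  %-30s -> %s: %s\n", label, p, verdict(rc, p));
    }
    return 0;
}
```

Note that the fix only repairs the full-principal case: with a bare service name both versions still depend on the server name the module obtains, so the "no key table entry" result for HTTP/chicago.messinet.com persists until ServerName/UseCanonicalName or a full KrbServiceName supplies the web-facing name.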
Comment 17 Anthony Messina 2014-01-20 11:45:04 EST
Ok, thanks Rob.  Do you know where the 'official' upstream mod_auth_kerb source is located so I can take a look?  Looking at http://pkgs.fedoraproject.org/cgit/mod_auth_kerb.git/tree/ it looks like Fedora/RedHat's mod_auth_kerb is heavily modified, so I can't tell who really owns the project and whether "upstream" means RedHat or http://modauthkerb.sourceforge.net/ as indicated via "rpm -qi mod_auth_kerb".

Also, do you know why it insists on using the actual hostname (chicago.messinet.com) of the server instead of the ServerName (or the like) when KrbServiceName isn't set, or is set to HTTP?  It seems like this will only work where the actual hostname is identical to the webserver's ServerName, which seems less than realistic in many circumstances.
Comment 18 Rob Crittenden 2014-01-20 11:59:32 EST
Upstream seems to be dead, not having had a release for 6 years now. There is still a fairly active mailing list but nobody seems to be accepting and reviewing patches. I submitted the s4u2proxy patch to the list but got no feedback on it.

As for the hostname, I'm not sure. It is using ap_get_server_name(r) which should get the name from the request (which should be the ServerName value).
Comment 19 Anthony Messina 2014-01-20 12:20:30 EST
(In reply to Rob Crittenden from comment #18)
> Upstream seems to be dead, not having had a release for 6 years now. There
> is still a fairly active mailing list but nobody seems to be accepting and
> reviewing patches. I submitted the s4u2proxy patch to the list but got
> no feedback on it.

Ok, that's what I find as well.  I've just been browsing the SF mailing list for mod_auth_kerb.  It's strange that FreeIPA et al. depend quite heavily on a dead upstream project.  I'm wondering if a fork should be in the works so all the fixes could actually get applied (and documented).

> As for the hostname, I'm not sure. It is using ap_get_server_name(r) which
> should get the name from the request (which should be the ServerName value).

Hmmm...  I do have "ServerName messinet.com:443" so that part is not working.  I've also tried removing the :443 port from ServerName which also doesn't work.
Comment 20 Anthony Messina 2014-01-20 12:21:47 EST
(In reply to Rob Crittenden from comment #16)
> This is a bug in mod_auth_kerb where the principal name is constructed in
> obtain_server_credentials(). It doesn't see that service_name is a full
> principal and tries to construct a new one.
> 
> It should probably look more like this:
> 
>    if (strchr(service_name, '/') != NULL)
>       ret = krb5_parse_name(kcontext, service_name, &princ);
>    else
>       ret = krb5_sname_to_principal(kcontext, ap_get_server_name(r),
>                                     (service_name) ? service_name :
> SERVICE_NAME,
>                                     KRB5_NT_SRV_HST, &princ);


Would you be willing to do a Koji scratch-build and I can test it locally and report back to see if the above helps?
Comment 21 Rob Crittenden 2014-01-20 17:19:03 EST
Give this build a try. I confirmed that it at least doesn't core on my install:
http://koji.fedoraproject.org/koji/taskinfo?taskID=6432218

To get the right name, set ServerName and set UseCanonicalName on. When I tested, I set these inside my VirtualHost block in nss.conf.
Comment 22 Anthony Messina 2014-01-20 21:58:39 EST
(In reply to Rob Crittenden from comment #21)
> Give this build a try. I confirmed that it at least doesn't core on my
> install:
> http://koji.fedoraproject.org/koji/taskinfo?taskID=6432218
> 
> To get the right name, set ServerName and set UseCanonicalName on. When I
> tested, I set these inside my VirtualHost block in nss.conf.

Ok, Rob.  I have made the above changes.  Previously, I did not have UseCanonicalName set, but now it is set to "On".  I'm not sure if this is required or not.

This build DOES work properly IF I set "KrbServiceName HTTP/messinet.com@MESSINET.COM" (which it seems like I shouldn't have to).

If I don't set KrbServiceName, it fails--again looking for the system's actual hostname instead of ServerName.

The results are below:

# Without KrbServiceName

kerb_authenticate_user entered with user (NULL) and auth_type Kerberos, referer: http://messinet.com/
kerb_authenticate_user entered with user (NULL) and auth_type Kerberos, referer: http://messinet.com/
Acquiring creds for HTTP@messinet.com, referer: http://messinet.com/
Using principal HTTP/messinet.com@MESSINET.COM for s4u2proxy, referer: http://messinet.com/
Credentials for HTTP/messinet.com@MESSINET.COM will expire at 1390352327, it is now 1390272793, referer: http://messinet.com/
Done obtaining credentials for s4u2proxy, referer: http://messinet.com/
GSS-API major_status:000d0000, minor_status:025ea101, referer: http://messinet.com/
gss_acquire_cred() failed: Unspecified GSS failure.  Minor code may provide more information (, No key table entry found matching HTTP/chicago.messinet.com@), referer: http://messinet.com/


# With KrbServiceName HTTP/messinet.com@MESSINET.COM

kerb_authenticate_user entered with user (NULL) and auth_type Kerberos, referer: http://messinet.com/
kerb_authenticate_user entered with user (NULL) and auth_type Kerberos, referer: http://messinet.com/
Acquiring creds for HTTP/messinet.com@MESSINET.COM, referer: http://messinet.com/
Credentials cache FILE:/tmp/krb5cc_48 not found, create one, referer: http://messinet.com/
Obtaining new credentials for HTTP/messinet.com@MESSINET.COM, referer: http://messinet.com/
Done obtaining credentials for s4u2proxy, referer: http://messinet.com/
Verifying client data using KRB5 GSS-API , referer: http://messinet.com/
Client delegated us their credential, referer: http://messinet.com/
GSS-API token of length 22 bytes will be sent back, referer: http://messinet.com/
kerb_authenticate_a_name_to_local_name amessina@MESSINET.COM -> amessina, referer: http://messinet.com/
kerb_authenticate_user entered with user (NULL) and auth_type Kerberos, referer: http://messinet.com/
Acquiring creds for HTTP/messinet.com@MESSINET.COM, referer: http://messinet.com/
Using principal HTTP/messinet.com@MESSINET.COM for s4u2proxy, referer: http://messinet.com/
Credentials for HTTP/messinet.com@MESSINET.COM will expire at 1390352327, it is now 1390265927, referer: http://messinet.com/
Done obtaining credentials for s4u2proxy, referer: http://messinet.com/
Verifying client data using KRB5 GSS-API , referer: http://messinet.com/
Client delegated us their credential, referer: http://messinet.com/
GSS-API token of length 22 bytes will be sent back, referer: http://messinet.com/
kerb_authenticate_a_name_to_local_name amessina@MESSINET.COM -> amessina, referer: http://messinet.com/
kerb_authenticate_user entered with user (NULL) and auth_type Kerberos, referer: http://messinet.com/
Acquiring creds for HTTP/messinet.com@MESSINET.COM, referer: http://messinet.com/
Using principal HTTP/messinet.com@MESSINET.COM for s4u2proxy, referer: http://messinet.com/
Credentials for HTTP/messinet.com@MESSINET.COM will expire at 1390352327, it is now 1390265927, referer: http://messinet.com/
Done obtaining credentials for s4u2proxy, referer: http://messinet.com/
Verifying client data using KRB5 GSS-API , referer: http://messinet.com/
Client delegated us their credential, referer: http://messinet.com/
GSS-API token of length 22 bytes will be sent back, referer: http://messinet.com/
kerb_authenticate_a_name_to_local_name amessina@MESSINET.COM -> amessina, referer: http://messinet.com/
kerb_authenticate_user entered with user (NULL) and auth_type Kerberos, referer: https://messinet.com/webcdr/
kerb_authenticate_user entered with user (NULL) and auth_type Kerberos, referer: https://messinet.com/webcdr/
Acquiring creds for HTTP/messinet.com@MESSINET.COM, referer: https://messinet.com/webcdr/
Using principal HTTP/messinet.com@MESSINET.COM for s4u2proxy, referer: https://messinet.com/webcdr/
Credentials for HTTP/messinet.com@MESSINET.COM will expire at 1390352327, it is now 1390265927, referer: https://messinet.com/webcdr/
Done obtaining credentials for s4u2proxy, referer: https://messinet.com/webcdr/
Verifying client data using KRB5 GSS-API , referer: https://messinet.com/webcdr/
Client delegated us their credential, referer: https://messinet.com/webcdr/
GSS-API token of length 22 bytes will be sent back, referer: https://messinet.com/webcdr/
kerb_authenticate_a_name_to_local_name amessina@MESSINET.COM -> amessina, referer: https://messinet.com/webcdr/
Comment 23 Rob Crittenden 2014-01-20 22:13:36 EST
Looking at the source, UseCanonical on should return the ServerName set in the configuration. If it is off or unset it will return the hostname in the request if it has it, otherwise the value of ServerName.

It could be a scoping thing, did you set it in the VirtualHost? In my testing I set it to a bogus value (actually, I uncommented the ServerName value in nss.conf which is www.example.com) and sure enough, mod_auth_kerb tried to get a ticket for HTTP/www.example.com.

Setting the KrbServiceName to the principal is not bad configuration, so as it works I'd go with that.

Joe: Should I see about combining this new patch into the existing S4U2Proxy patch or should we treat it as a separate patch? I ask because I'll probably combine this into the older patch to resubmit it upstream again, in case anyone else might want it.
Comment 24 Anthony Messina 2014-01-20 22:36:54 EST
(In reply to Rob Crittenden from comment #23)
> Looking at the source, UseCanonical on should return the ServerName set in
> the configuration. If it is off or unset it will return the hostname in the
> request if it has it, otherwise the value of ServerName.
> 
> It could be a scoping thing, did you set it in the VirtualHost? In my
> testing I set it to a bogus value (actually, I uncommented the ServerName
> value in nss.conf which is www.example.com) and sure enough, mod_auth_kerb
> tried to get a ticket for HTTP/www.example.com.

I did set ServerName and UseCanonicalName in the virtual host definition in ssl.conf:

ServerName messinet.com:443
ServerAlias www.messinet.com
UseCanonicalName On
 
> Setting the KrbServiceName to the principal is not bad configuration, so as
> it works I'd go with that.

Ok.  It does seem to work with KrbServiceName set.  It's just strange that it doesn't work (still looks for chicago.messinet.com) without KrbServiceName set as I did have ServerName and UseCanonicalName set (so it should use those, I guess is what I'm saying).

> Joe: Should I see about combining this new patch into the existing S4U2Proxy
> patch or should we treat it as a separate patch? I ask because I'll probably
> combine this into the older patch to resubmit it upstream again, in case
> anyone else might want it.
Comment 25 Anthony Messina 2014-01-21 02:16:51 EST
(In reply to Rob Crittenden from comment #21)
> Give this build a try. I confirmed that it at least doesn't core on my
> install:
> http://koji.fedoraproject.org/koji/taskinfo?taskID=6432218
> 
> To get the right name, set ServerName and set UseCanonicalName on. When I
> tested, I set these inside my VirtualHost block in nss.conf.

I'm not really sure what KrbConstrainedDelegationLock does or what it should be called, but I copied the config from my ipa.conf on my FreeIPA server.  Perhaps some default should be defined in /etc/httpd/conf.modules.d/10-auth_kerb.conf to ease initial setup.


The following is a *working* httpd configuration, using your Koji build:

# Note KrbConstrainedDelegationLock is a system-wide setting and cannot be defined inside a VirtualHost

KrbConstrainedDelegationLock ipa

Alias /krbtest /var/www/krbtest
<Directory /var/www/krbtest>
  AuthType Kerberos
  AuthName "Kerberos Test"
  KrbAuthoritative On
  KrbAuthRealm MESSINET.COM
  KrbConstrainedDelegation On
  KrbLocalUserMapping On
  KrbMethodK5Passwd Off
  KrbMethodNegotiate On
  KrbSaveCredentials On
  # Note, I had to set KrbService to HTTP/messinet.com
  # or else I had the problems described above
  # KrbService HTTP
  KrbServiceName HTTP/messinet.com
  Krb5Keytab /etc/httpd/conf/HTTP.keytab

  Require valid-user
</Directory>
Comment 26 Joe Orton 2014-01-21 05:08:30 EST
I'm fine with merging it into the same patch.

I wonder if we could stage a "friendly takeover" of the upstream project since there doesn't seem to be much activity from the original maintainers!
Comment 27 Anthony Messina 2014-01-21 05:22:32 EST
(In reply to Joe Orton from comment #26)
> I wonder if we could stage a "friendly takeover" of the upstream project
> since there doesn't seem to be much activity from the original maintainers!

That's the best idea I've heard all day :)
Comment 28 Alexander Bokovoy 2014-01-21 08:26:22 EST
(In reply to Anthony Messina from comment #25)
> (In reply to Rob Crittenden from comment #21)
> > Give this build a try. I confirmed that it at least doesn't core on my
> > install:
> > http://koji.fedoraproject.org/koji/taskinfo?taskID=6432218
> > 
> > To get the right name, set ServerName and set UseCanonicalName on. When I
> > tested, I set these inside my VirtualHost block in nss.conf.
> 
> I'm not really sure what KrbConstrainedDelegationLock does or what it should
> be called, but I copied the config from my ipa.conf on my FreeIPA server. 
> Perhaps some default should be defined in
> /etc/httpd/conf.modules.d/10-auth_kerb.conf to ease initial setup.
> 
> 
> The following is a *working* httpd configuration, using your Koji build:
> 
> # Note KrbConstrainedDelegationLock is a system-wide setting and cannot be
> defined inside a VirtualHost
> 
> KrbConstrainedDelegationLock ipa
> 
> Alias /krbtest /var/www/krbtest
> <Directory /var/www/krbtest>
>   AuthType Kerberos
>   AuthName "Kerberos Test"
>   KrbAuthoritative On
>   KrbAuthRealm MESSINET.COM
>   KrbConstrainedDelegation On
>   KrbLocalUserMapping On
>   KrbMethodK5Passwd Off
>   KrbMethodNegotiate On
>   KrbSaveCredentials On
>   # Note, I had to set KrbService to HTTP/messinet.com
>   # or else I had the problems described above
>   # KrbService HTTP
>   KrbServiceName HTTP/messinet.com
>   Krb5Keytab /etc/httpd/conf/HTTP.keytab
> 
>   Require valid-user
> </Directory>
I'll update the article to include 'KrbConstrainedDelegation on' and will mention KrbConstrainedDelegationLock.

It is probably worth making another article to cover some nuances of mod_auth_kerb.
Comment 29 Fedora Update System 2014-01-22 16:23:00 EST
mod_auth_kerb-5.4-25.fc19 has been submitted as an update for Fedora 19.
https://admin.fedoraproject.org/updates/mod_auth_kerb-5.4-25.fc19
Comment 30 Fedora Update System 2014-01-22 16:23:12 EST
mod_auth_kerb-5.4-27.fc20 has been submitted as an update for Fedora 20.
https://admin.fedoraproject.org/updates/mod_auth_kerb-5.4-27.fc20
Comment 31 Fedora Update System 2014-01-23 06:05:08 EST
Package mod_auth_kerb-5.4-25.fc19:
* should fix your issue,
* was pushed to the Fedora 19 testing repository,
* should be available at your local mirror within two days.
Update it with:
# su -c 'yum update --enablerepo=updates-testing mod_auth_kerb-5.4-25.fc19'
as soon as you are able to.
Please go to the following url:
https://admin.fedoraproject.org/updates/FEDORA-2014-1369/mod_auth_kerb-5.4-25.fc19
then log in and leave karma (feedback).
Comment 32 Fedora End Of Life 2015-01-09 17:40:13 EST
This message is a notice that Fedora 19 is now at end of life. Fedora 
has stopped maintaining and issuing updates for Fedora 19. It is 
Fedora's policy to close all bug reports from releases that are no 
longer maintained. Approximately 4 (four) weeks from now this bug will
be closed as EOL if it remains open with a Fedora 'version' of '19'.

Package Maintainer: If you wish for this bug to remain open because you
plan to fix it in a currently maintained version, simply change the 'version' 
to a later Fedora version.

Thank you for reporting this issue and we are sorry that we were not 
able to fix it before Fedora 19 is end of life. If you would still like 
to see this bug fixed and are able to reproduce it against a later version 
of Fedora, you are encouraged to change the 'version' to a later Fedora 
version prior to this bug being closed as described in the policy above.

Although we aim to fix as many bugs as possible during every release's 
lifetime, sometimes those efforts are overtaken by events. Often a 
more recent Fedora release includes newer upstream software that fixes 
bugs or makes them obsolete.
Comment 33 Anthony Messina 2015-01-25 10:04:44 EST
Cleaning up some bugs I had reported...  This one can be closed, but it should be noted that I'm not able to go one step further and use this method with https://fedorahosted.org/gss-proxy/wiki/Apache
Comment 34 Fedora End Of Life 2015-02-18 06:18:46 EST
Fedora 19 changed to end-of-life (EOL) status on 2015-01-06. Fedora 19 is
no longer maintained, which means that it will not receive any further
security or bug fix updates. As a result we are closing this bug.

If you can reproduce this bug against a currently maintained version of
Fedora please feel free to reopen this bug against that version. If you
are unable to reopen this bug, please file a new report against the
current release. If you experience problems, please add a comment to this
bug.

Thank you for reporting this bug and we are sorry it could not be fixed.
