Note: This bug is displayed in read-only format because the product is no longer active in Red Hat Bugzilla.

Bug 1102586

Summary: [ER2] Kerberos authentication not working
Product: [JBoss] JBoss Enterprise Web Server 2
Component: httpd
Version: 2.1.0
Target Release: 2.1.0
Reporter: Michal Haško <mhasko>
Assignee: Weinan Li <weli>
QA Contact: Libor Fuka <lfuka>
CC: jclere, jdoyle, pslavice, rsvoboda, vtunka
Status: CLOSED NOTABUG
Severity: unspecified
Priority: unspecified
Hardware: Unspecified
OS: Unspecified
Type: Bug
Doc Type: Bug Fix
Last Closed: 2014-06-11 12:36:48 UTC
Bug Blocks: 1106568
Attachments: httpd logs

Description Michal Haško 2014-05-29 09:16:26 UTC
Created attachment 900302 (httpd logs)

Description of problem:
httpd from jboss-ews-httpd-2.1.0-ER1-RHEL7-x86_64.zip depends on the httpd22 rpm being installed (because of the following symlink):

  httpd/conf.d/auth_kerb.conf -> /etc/httpd22/conf.d/auth_kerb.conf

When using Kerberos authentication and placing krb5.keytab into /etc/httpd22, an HTTP 500 Internal Server Error is returned and the following error appears in the log:

[error] [client 127.0.0.1] gss_acquire_cred() failed: Unspecified GSS failure.  Minor code may provide more information (, Key table file '/etc/httpd/krb5.keytab' not found)

Version-Release number of selected component (if applicable):
jboss-ews-httpd-2.1.0-ER1-RHEL7-x86_64.zip

Additional info:
see attached httpd logs

Comment 1 Libor Fuka 2014-06-03 11:41:06 UTC
It's almost surely a problem in our test.

Comment 2 Weinan Li 2014-06-09 15:30:46 UTC
This is fixed in ER2 because we have mod_auth_kerb-eap6 on EL7 now, and it correctly requires httpd22.

Comment 3 Michal Haško 2014-06-10 14:18:50 UTC
The previous error was indeed caused by a problem with the test; however, I am still unable to get Kerberos authentication working. I get the following error in httpd/logs/error_log:
[Tue Jun 10 10:10:34 2014] [debug] src/mod_auth_kerb.c(1938): [client 127.0.0.1] kerb_authenticate_user entered with user (NULL) and auth_type Kerberos
[Tue Jun 10 10:10:34 2014] [debug] src/mod_auth_kerb.c(1938): [client 127.0.0.1] kerb_authenticate_user entered with user (NULL) and auth_type Kerberos
[Tue Jun 10 10:10:34 2014] [debug] src/mod_auth_kerb.c(1279): [client 127.0.0.1] Acquiring creds for HTTP@localhost
[Tue Jun 10 10:10:34 2014] [debug] src/mod_auth_kerb.c(1139): [client 127.0.0.1] GSS-API major_status:00020000, minor_status:0000000d
[Tue Jun 10 10:10:34 2014] [error] [client 127.0.0.1] gss_acquire_cred() failed: An invalid name was supplied (, Permission denied)
FYI the kerberos server used (ApacheDS) produces the following error:
[10:10:34] WARN [org.apache.directory.server.kerberos.protocol.KerberosProtocolHandler] - KDC cannot accommodate requested option (13)
[10:10:34] WARN [org.apache.directory.server.KERBEROS_LOG] - KDC cannot accommodate requested option (13)
httpd was accessed with the following command:
curl -v --negotiate -u : http://localhost//kerberostest/auth_kerb_page.html
/etc/krb5.conf:
[logging]
  default = FILE:/var/log/krb5libs.log
  kdc = FILE:/var/log/krb5kdc.log
  admin_server = FILE:/var/log/kadmind.log
[libdefaults]
  default_realm = EXAMPLE.COM
  default_tgs_enctypes = des-cbc-md5,des3-cbc-sha1-kd
  default_tkt_enctypes = des-cbc-md5,des3-cbc-sha1-kd
  dns_lookup_realm = false
  dns_lookup_kdc = false
  allow_weak_crypto = yes
  ticket_lifetime = 24h
  renew_lifetime = 7d
  forwardable = yes  
[realms]
  EXAMPLE.COM = {
    kdc = localhost:60088
    admin_server = localhost:60088
  }
[domain_realm]
  .example.com = EXAMPLE.COM
  example.com = EXAMPLE.COM
jboss-ews-2.1/httpd/conf.d/auth_kerb.conf:
#
# The mod_auth_kerb module implements Kerberos authentication over
# HTTP, following the "Negotiate" protocol.
# 
LoadModule auth_kerb_module modules/mod_auth_kerb.so
#
# Sample configuration: Kerberos authentication must only be
# used over SSL to prevent replay attacks.  The keytab file
# configured must be readable only by the "apache" user, and
# must contain service keys for "HTTP/www.example.com", where
# "www.example.com" is the FQDN of this server.
#
<Location /kerberostest>
#  SSLRequireSSL
  AuthType Kerberos
  AuthName "Kerberos Login"
  KrbMethodNegotiate On
  KrbMethodK5Passwd Off
  KrbAuthRealms EXAMPLE.COM
  KrbServiceName HTTP
  Krb5KeyTab /etc/httpd22/krb5.keytab
  require valid-user
</Location>
I searched and googled but couldn't find any help or solution. Maybe someone with more experience might be able to help out?

Comment 4 Michal Haško 2014-06-10 14:33:21 UTC
Can this have anything in common with the updated APR version in RHEL7?

Comment 6 Michal Haško 2014-06-11 12:36:48 UTC
A problem was found in our test automation.
FYI, it was caused by the RHEL7 root umask (0077), which prevents reading files newly created by root.
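The root cause in Comment 6 (a keytab created under root's umask 0077 that the httpd service user cannot read) and the note in the sample auth_kerb.conf above (the keytab must be readable only by the "apache" user) are two sides of the same check: the file must be owned by the service user and carry no group/other permissions. The following POSIX shell function, added here as an example and not part of the bug report or of the EWS packaging, performs that check before httpd is started. It assumes GNU coreutils (stat -c) as on RHEL7; the keytab path and service user are arguments, the defaults in the comments are constructed.

```shell
#!/bin/sh
# check_keytab KEYTAB SERVICE_USER
#   Verify that a Kerberos keytab exists, is owned by the httpd service
#   user and is readable by nobody else. Returns 0 when usable, 1 otherwise,
#   printing the reason and the fix. Assumes GNU coreutils (stat -c).
#
#   Example (constructed): check_keytab /etc/httpd22/krb5.keytab apache
check_keytab() {
    keytab=$1
    svc_user=$2

    # Missing file -> mod_auth_kerb logs "Key table file '...' not found".
    if [ ! -f "$keytab" ]; then
        echo "FAIL: keytab '$keytab' does not exist"
        return 1
    fi

    owner=$(stat -c '%U' "$keytab")
    mode=$(stat -c '%a' "$keytab")

    # A file created by root under umask 0077 is 0600 root:root. The service
    # user cannot open it, and gss_acquire_cred() fails with "Permission denied".
    if [ "$owner" != "$svc_user" ]; then
        echo "FAIL: '$keytab' is owned by $owner, not $svc_user (fix: chown $svc_user '$keytab')"
        return 1
    fi

    # The keytab holds long-term service keys: group and other get no access.
    case $mode in
        400|600) ;;
        *)
            echo "FAIL: '$keytab' has mode $mode; expected 0400 or 0600 (fix: chmod 0400 '$keytab')"
            return 1
            ;;
    esac

    echo "OK: '$keytab' is mode $mode, owned by $owner"
    return 0
}

# Stand-alone demonstration: reproduce the umask 0077 case in a temp dir.
if [ "${0##*/}" = "check_keytab.sh" ]; then
    demo=$(mktemp -d)
    ( umask 0077; touch "$demo/krb5.keytab" )
    check_keytab "$demo/krb5.keytab" "$(id -un)"   # owned by us: OK
    check_keytab "$demo/krb5.keytab" apache        # owned by someone else: FAIL
    rm -rf "$demo"
fi
```

Run it as part of the deployment step that copies the keytab, with the user httpd actually runs as; the `0077` umask only bites when the file is created by root and never chowned, which is exactly what the check reports.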