Bug 1107829

Summary: Kerberos Negotiation with Broker / Console does not work.
Product: OpenShift Container Platform
Reporter: Eric Rich <erich>
Component: Node
Assignee: Jason DeTiberus <jdetiber>
Status: CLOSED NOTABUG
QA Contact: libra bugs <libra-bugs>
Severity: medium
Priority: high
Version: 2.1.0
CC: bleanhar, calfonso, jkeck, jokerman, libra-onpremise-devel, mmccomas
Target Milestone: ---
Keywords: Reopened
Target Release: ---
Hardware: Unspecified
OS: Unspecified
Doc Type: Bug Fix
Story Points: ---
Last Closed: 2014-09-15 22:10:29 UTC
Type: Bug
Regression: ---
Mount Type: ---
Documentation: ---
Category: ---
oVirt Team: ---
Cloudforms Team: ---

Attachments:
Logs and Configuration Files from setup. (Flags: none)

Description Eric Rich 2014-06-10 18:03:55 UTC
Created attachment 907340
Logs and Configuration Files from setup.

Description of problem:

Username and password authentication with Kerberos works! However, Negotiate does not.

    KrbMethodNegotiate On

from /var/www/openshift/[broker|console]/httpd/conf.d/openshift-origin-auth-remote-user.conf in the sample files seems to indicate that it should work.

How reproducible: Very

Steps to Reproduce:
1. Follow https://access.redhat.com/site/solutions/904263
2. Configure a second system to kinit with KDC (use demo user)
3. Configure firefox to use krb token
4. Browse to Broker URL

Actual results:

You are prompted for a password, and the KRB token is not used. 

Expected results:

You should be authenticated with the console (and broker), without the need for a password prompt.

Additional info:

logs.out - tail -f /var/log/openshift/console/httpd/*
broker.conf - /var/www/openshift/broker/httpd/conf.d/openshift-origin-auth-remote-user.conf
console.conf - /var/www/openshift/console/httpd/conf.d/openshift-origin-auth-remote-user.conf
kdc.log - /var/log/krb5kdc.log
trace.out - Collected with 'env KRB5_TRACE=/tmp/trace.out firefox'
    - network.negotiate-auth.trusted-uris;.example.com << set in Firefox to pick up the ticket from the KDC created with `kinit demo`

- Local /etc/krb5.conf points to 

[realms]
 EXAMPLE.COM = {
  kdc = hydra.example.com
  admin_server = hydra.example.com
 }

- DNS lookup of KDC from client: 

; <<>> DiG 9.9.4-P2-RedHat-9.9.4-12.P2.fc20 <<>> hydra.example.com
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 55715
;; flags: qr aa rd; QUERY: 1, ANSWER: 1, AUTHORITY: 1, ADDITIONAL: 1
;; WARNING: recursion requested but not available

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;hydra.example.com.		IN	A

;; ANSWER SECTION:
hydra.example.com.	1	IN	A	192.168.100.214

;; AUTHORITY SECTION:
example.com.		1	IN	NS	hydra.example.com.

;; Query time: 6 msec
;; SERVER: 192.168.100.214#53(192.168.100.214)
;; WHEN: Tue Jun 10 13:54:22 EDT 2014
;; MSG SIZE  rcvd: 76

- KDC principals 

# kadmin.local 
Authenticating as principal demo/admin with password.
kadmin.local:  listprincs 
HTTP/hydra.example.com
HTTP/hydra
K/M
admin
demo
kadmin/admin
kadmin/changepw
kadmin/hydra.example.com
krbtgt/EXAMPLE.COM
root/admin\@EXAMPLE.COM

Comment 2 Jason DeTiberus 2014-08-21 21:15:20 UTC
I just tried to reproduce this and was unable to get the error.  If you still have your reproducer around I'd like to poke around a bit to see what is going on.  

That said, I think the issue with your reproducer may be different than the one the customer is having.  The customer's issue appears to be that the service principal FQDN does not match the FQDN they are using to access the service.  In the customer's broker and console configs they have KrbServiceName HTTP/nr1dlvose001.gcs.frb.org.FRB.ORG

so unless they are using https://nr1dlvose001.gcs.frb.org/{broker,console} to access the broker or console, GSSAPI auth will fail.

I can replicate this on my host (an all-in-one install that has {broker,node}.ose21z.example.com defined with KrbServiceName HTTP/broker.ose21z.example.com), using broker.ose21z.example.com as the fqdn with gssapi works, but fails when using node.ose21z.example.com as the fqdn.
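A check for the mismatch described in the comment above, added here as an example and not part of the bug or the product: it reads KrbServiceName from a constructed openshift-origin-auth-remote-user.conf fragment (using the broker.ose21z.example.com / node.ose21z.example.com hostnames from the comment), compares it with the host in the URL the browser uses, and confirms that the principal is present in a constructed keytab listing.

```python
import re
from urllib.parse import urlparse

# Constructed from the all-in-one install in the comment above; not the real file.
AUTH_CONF = """
<Location /broker>
    AuthType Kerberos
    KrbMethodNegotiate On
    KrbMethodK5Passwd On
    KrbServiceName HTTP/broker.ose21z.example.com
    KrbAuthRealms EXAMPLE.COM
    require valid-user
</Location>
"""

# Constructed 'klist -k'-style list of the principals stored in the httpd keytab.
KEYTAB_PRINCIPALS = [
    "HTTP/broker.ose21z.example.com@EXAMPLE.COM",
    "HTTP/hydra.example.com@EXAMPLE.COM",
]


def krb_service_name(conf):
    """Return the KrbServiceName value from an httpd config, or None if absent."""
    m = re.search(r"^\s*KrbServiceName\s+(\S+)", conf, re.MULTILINE)
    return m.group(1) if m else None


def split_principal(principal):
    """'HTTP/host@REALM' -> ('HTTP', 'host', 'REALM'); missing parts are ''."""
    name, _, realm = principal.partition("@")
    service, _, host = name.partition("/")
    return service, host.lower(), realm.upper()


def check_negotiate(url, conf, keytab_principals):
    """Return 'ok', or the reason Negotiate would fail for this URL.
    The browser requests a ticket for HTTP/<URL host>; httpd accepts it only
    if KrbServiceName names that host and the key is in the keytab.
    Only the service/host[@REALM] form used on this page is handled."""
    url_host = (urlparse(url).hostname or "").lower()
    spn = krb_service_name(conf)
    if spn is None:
        return "no KrbServiceName"
    service, spn_host, _ = split_principal(spn)
    if service != "HTTP" or spn_host != url_host:
        return "KrbServiceName host %s does not match URL host %s" % (spn_host, url_host)
    if not any(split_principal(p)[:2] == ("HTTP", url_host) for p in keytab_principals):
        return "no keytab entry for HTTP/%s" % url_host
    return "ok"
```

Running the check against https://node.ose21z.example.com/broker reports the host mismatch; the same URL on broker.ose21z.example.com returns "ok".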

Comment 7 Jason DeTiberus 2014-08-26 09:07:39 UTC
I'm going to go ahead and close this ticket.  Please reopen if the issue still exists after verifying that the FQDN to access the service matches the FQDN configured in the HTTP service principal.

Comment 8 Eric Rich 2014-09-15 20:57:48 UTC
It looks like the only tool that does not support this is RHC for Linux systems (I think it works on Windows systems but have not confirmed). 

Curl and SSH for negotiation seem to work, using GSSAPI authentication.

Comment 9 Jason DeTiberus 2014-09-15 21:20:02 UTC
The Kerberos support for RHC is tied into the use of the httpclient Ruby gem (http://www.ruby-doc.org/gems/docs/h/httpclient-2.4.0/HTTPClient/SSPINegotiateAuth.html); the Kerberos negotiation feature is only supported under Windows.

This is something that we are looking at potentially for the 3.0.z or 3.x timeframe, but will probably not implement for 2.x.