+++ This bug was initially created as a clone of Bug #1317019 +++

Description of problem:
When mod_auth_mellon package is installed to a working Apache HTTP Server with Kerberos authentication, the Kerberos authentication stops working even if mod_auth_mellon was not configured in any way.

Version-Release number of selected component (if applicable):
mod_auth_mellon-0.8.0-4.el6.x86_64

How reproducible:
Deterministic.

Steps to Reproduce:
1. Have Apache HTTP Server configured with mod_auth_kerb.
2. Verify that kinit as some user and curl -Lksi --negotiate -u : returns 401 and then 200, something like

# curl -Lksi --negotiate -u : https://$(hostname)/application/login
HTTP/1.1 401 Authorization Required
Date: Fri, 11 Mar 2016 17:23:37 GMT
Server: Apache/2.2.15 (Red Hat)
WWW-Authenticate: Negotiate
Content-Length: 127
Connection: close
Content-Type: text/html; charset=iso-8859-1

HTTP/1.1 200 OK
Date: Fri, 11 Mar 2016 17:23:37 GMT
Server: Apache/2.2.15 (Red Hat)
Pragma: no-cache
Refresh: 3; URL=/application
Set-Cookie: the-test-cookie=ok:Robert Chase (bob23557: bob23557); path=/application
Connection: close
Transfer-Encoding: chunked
Content-Type: text/html; charset=UTF-8

3. Run yum install -y mod_auth_mellon
4. Run service httpd restart
5. Rerun that curl --negotiate -u : command.

Actual results:
# curl -Lksi --negotiate -u : https://$(hostname)/application/login
HTTP/1.1 401 Authorization Required
Date: Fri, 11 Mar 2016 17:23:57 GMT
Server: Apache/2.2.15 (Red Hat)
Content-Length: 127
Connection: close
Content-Type: text/html; charset=iso-8859-1

<html><meta http-equiv="refresh" content="0; URL=/application/login2"><body>Kerberos authentication did not pass.</body></html>

Expected results:
As before mod_auth_mellon was installed -- 401 with WWW-Authenticate: Negotiate and then 200.

Additional info:

--- Additional comment from Jan Pazdziora on 2016-03-11 18:36:48 CET ---

My estimate is that the problem is caused by mod_auth_mellon's am_check_uid function.

It does not check at all whether MellonEnable is enabled on that location. Normally it does not matter because ap_run_check_user_id in httpd-2.2's ap_process_request_internal is not run unless

    if (ap_some_auth_required(r)) {

is true. Which normally is not, but on locations where Kerberos (or Basic) HTTP Auth is enabled, this condition is met even if we did not configure/enable mod_auth_mellon in any way.

--- Additional comment from Jan Pazdziora on 2016-03-11 18:38:49 CET ---

RFC 2616 says

    10.4.2 401 Unauthorized

    The request requires user authentication. The response MUST include a
    WWW-Authenticate header field (section 14.47) containing a challenge
    applicable to the requested resource.

mod_auth_mellon's use of HTTP_UNAUTHORIZED is a violation of the RFC all by itself because it does not implement HTTP Auth.

--- Additional comment from Jan Pazdziora on 2016-03-11 18:41:01 CET ---

The problem is present on RHEL 7 as well. On RHEL 6 it's just a little bit more obvious because of the naming of the configuration files -- mod_auth_mellon is loaded before mod_auth_kerb on RHEL 6, triggering the issue more easily.

--- Additional comment from Simo Sorce on 2016-03-14 15:00:02 CET ---

John, do you think you have b/w to look at this ?
On RHEL 7, merely installing the package will not break things because the order of the modules is captured in conf.modules.d. But the fact that mod_auth_mellon uses 401 where it shouldn't is still there.
Please see bug #1317019 from which this bug was cloned for a discussion of separate issue of the return code.
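To make the mechanism discussed in the comments above concrete, the following is a small Python simulation of the httpd 2.2 check_user_id hook chain. It is an added illustration, not code from httpd, mod_auth_kerb or mod_auth_mellon. It models the modules as the report describes them: ap_some_auth_required is true wherever an AuthType is set on the location, the buggy am_check_uid answers 401 with no challenge regardless of MellonEnable, the fixed variant declines on locations where Mellon is not enabled, and mod_auth_kerb challenges with WWW-Authenticate: Negotiate. The Request class, process_request, rfc2616_401_ok and the principal name bob123 are assumptions of this simulation; real modules carry much more state.

```python
"""Simulation of httpd 2.2's check_user_id hook chain (added example, not
code from httpd, mod_auth_kerb or mod_auth_mellon).  Module behaviour is
modelled as the bug report describes it; assumptions are marked."""
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Optional, Tuple

DECLINED = -1           # httpd: "not mine, let the next hook run"
OK = 0                  # httpd: hook succeeded
HTTP_UNAUTHORIZED = 401


@dataclass
class Request:
    """Minimal stand-in for request_rec (assumption of this simulation)."""
    uri: str
    auth_type: Optional[str]           # AuthType on the matching <Location>
    mellon_enabled: bool = False       # MellonEnable on that location
    headers_in: Dict[str, str] = field(default_factory=dict)
    err_headers_out: Dict[str, str] = field(default_factory=dict)
    user: Optional[str] = None


def ap_some_auth_required(r: Request) -> bool:
    """httpd 2.2 runs check_user_id hooks only where some auth directive
    applies; modelled here on AuthType alone."""
    return r.auth_type is not None


def kerb_check_user_id(r: Request) -> int:
    """Simplified mod_auth_kerb: handles AuthType Kerberos only and sends a
    Negotiate challenge when the request carries no Authorization header."""
    if r.auth_type != "Kerberos":
        return DECLINED
    if not r.headers_in.get("Authorization", "").startswith("Negotiate "):
        r.err_headers_out["WWW-Authenticate"] = "Negotiate"
        return HTTP_UNAUTHORIZED
    r.user = "bob123"   # assumption: the GSSAPI token verified successfully
    return OK


def mellon_check_uid_buggy(r: Request) -> int:
    """am_check_uid as the report describes it: ignores MellonEnable and
    returns 401 without any WWW-Authenticate challenge."""
    return HTTP_UNAUTHORIZED


def mellon_check_uid_fixed(r: Request) -> int:
    """Declines on locations where Mellon is not enabled, so the auth
    module that actually owns the location gets to run."""
    if not r.mellon_enabled:
        return DECLINED
    return HTTP_UNAUTHORIZED


def ap_run_check_user_id(r: Request, hooks: List[Callable[[Request], int]]) -> int:
    """RUN_FIRST semantics: hooks run in load order, first non-DECLINED wins."""
    for hook in hooks:
        rc = hook(r)
        if rc != DECLINED:
            return rc
    return DECLINED


def process_request(r: Request, hooks: List[Callable[[Request], int]]) -> Tuple[int, Dict[str, str]]:
    """Returns (status, error headers), roughly what curl -i shows."""
    if not ap_some_auth_required(r):
        return 200, {}
    rc = ap_run_check_user_id(r, hooks)
    if rc == OK:
        return 200, {}
    if rc == DECLINED:
        return 500, {}   # httpd: "configuration error: couldn't check user"
    return rc, dict(r.err_headers_out)


def rfc2616_401_ok(status: int, headers: Dict[str, str]) -> bool:
    """RFC 2616 10.4.2: a 401 MUST carry a WWW-Authenticate challenge."""
    return status != 401 or "WWW-Authenticate" in headers


if __name__ == "__main__":
    # RHEL 6 order: mellon loaded before kerb -> 401 with no challenge.
    r = Request("/application/login", "Kerberos")
    print(process_request(r, [mellon_check_uid_buggy, kerb_check_user_id]))
    # Same order with the fixed hook -> 401 + Negotiate challenge.
    r = Request("/application/login", "Kerberos")
    print(process_request(r, [mellon_check_uid_fixed, kerb_check_user_id]))
```

Running the module shows the two outcomes the report contrasts: with the buggy hook loaded first the client receives a bare 401 (which rfc2616_401_ok rejects), while the fixed hook lets mod_auth_kerb issue the Negotiate challenge. Reversing the hook order, as conf.modules.d does on RHEL 7, masks the bug because the buggy hook is never reached.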
Verified.

Version ::
mod_auth_mellon-0.11.0-2.el7.x86_64

Results ::

# Because of module install order, I had to tweak the location of mod_auth_mellon include for apache to reproduce the problem
# Reproduced here:

[root@vm3 conf.modules.d]# rpm -q mod_auth_mellon
mod_auth_mellon-0.11.0-1.el7.x86_64
[root@vm3 conf.modules.d]# klist
Ticket cache: KEYRING:persistent:0:0
Default principal: bob123

Valid starting       Expires              Service principal
09/19/2016 12:30:44  09/20/2016 12:30:36  HTTP/vm3.example.com
09/19/2016 12:30:36  09/20/2016 12:30:36  krbtgt/EXAMPLE.COM
[root@vm3 conf.modules.d]# ln -s /etc/httpd/conf.modules.d/10-auth_mellon.conf /etc/httpd/conf.modules.d/09-auth_mellon.conf
[root@vm3 conf.modules.d]# curl -Lksi --negotiate -u : https://$( hostname ):8443/application/login --cacert /etc/httpd/alias/ca.crt
HTTP/1.1 401 Unauthorized
Date: Mon, 19 Sep 2016 17:42:28 GMT
Server: Apache/2.4.6 (Red Hat Enterprise Linux) mod_auth_kerb/5.4 mod_nss/1.0.14 NSS/3.21 Basic ECC
Content-Length: 127
Content-Type: text/html; charset=iso-8859-1

<html><meta http-equiv="refresh" content="0; URL=/application/login2"><body>Kerberos authentication did not pass.</body></html>[root@vm3 conf.modules.d]#

# confirmed fixed:

[root@vm3 conf.modules.d]# yum update mod_auth_mellon
Loaded plugins: product-id, search-disabled-repos, subscription-manager
This system is not registered to Red Hat Subscription Management. You can use subscription-manager to register.
Resolving Dependencies
--> Running transaction check
---> Package mod_auth_mellon.x86_64 0:0.11.0-1.el7 will be updated
---> Package mod_auth_mellon.x86_64 0:0.11.0-2.el7 will be an update
--> Finished Dependency Resolution

Dependencies Resolved

================================================================================
 Package            Arch      Version          Repository              Size
================================================================================
Updating:
 mod_auth_mellon    x86_64    0.11.0-2.el7     rhel-7.3-candidate      74 k

Transaction Summary
================================================================================
Upgrade  1 Package

Total download size: 74 k
Is this ok [y/d/N]: y
Downloading packages:
Delta RPMs disabled because /usr/bin/applydeltarpm not installed.
mod_auth_mellon-0.11.0-2.el7.x86_64.rpm                    |  74 kB  00:00:00
Running transaction check
Running transaction test
Transaction test succeeded
Running transaction
  Updating   : mod_auth_mellon-0.11.0-2.el7.x86_64                      1/2
  Cleanup    : mod_auth_mellon-0.11.0-1.el7.x86_64                      2/2
  Verifying  : mod_auth_mellon-0.11.0-2.el7.x86_64                      1/2
  Verifying  : mod_auth_mellon-0.11.0-1.el7.x86_64                      2/2

Updated:
  mod_auth_mellon.x86_64 0:0.11.0-2.el7

Complete!
[root@vm3 conf.modules.d]# systemctl restart httpd
[root@vm3 conf.modules.d]# curl -Lksi --negotiate -u : https://$( hostname ):8443/application/login --cacert /etc/httpd/alias/ca.crt
HTTP/1.1 401 Unauthorized
Date: Mon, 19 Sep 2016 17:45:35 GMT
Server: Apache/2.4.6 (Red Hat Enterprise Linux) mod_auth_kerb/5.4 mod_nss/1.0.14 NSS/3.21 Basic ECC
WWW-Authenticate: Negotiate
Content-Length: 127
Content-Type: text/html; charset=iso-8859-1

HTTP/1.1 200 OK
Date: Mon, 19 Sep 2016 17:45:35 GMT
Server: Apache/2.4.6 (Red Hat Enterprise Linux) mod_auth_kerb/5.4 mod_nss/1.0.14 NSS/3.21 Basic ECC
WWW-Authenticate: Negotiate YIGZBgkqhkiG9xIBAgICAG+BiTCBhqADAgEFoQMCAQ+iejB4oAMCARKicQRvo1d3R6yDrIFaFZdLhpsCWZ4Pch+1FbDeN2qjctGmquNZ3dbpa3gqEs9J4fbyQDqr7y8PIhmW8KL2CuuNWQj0dDr9Jywui1cgse/s/kA58DLBnTyqvVzB5ej+2CE0Vl5xN+0OaRrz0JQP3SwbKRaR
Pragma: no-cache
Content-Length: 2167
Content-Type: text/html; charset=UTF-8

<html>
<head>
<title>Log in to application</title>
</head>
<body>
<h1>Log in to application</h1>
<p>
<form method="POST">
<dl>
<dt>Login:</dt>
<dd><input type="text" name="login" value="" />
<dt>Password:</dt>
<dd><input type="password" name="password" />
<dt><input type="submit" name="go" value="Log in" /></dt>
</dl>
</form>
</p>
<hr/>
<p><a href="/application">Back to application</a></p>
<!--
<hr/>
<pre>AUTH_TYPE=Negotiate
CONTEXT_DOCUMENT_ROOT=/var/www/app.cgi
CONTEXT_PREFIX=/application
DOCUMENT_ROOT=/var/www/html
GATEWAY_INTERFACE=CGI/1.1
HTTPS=on
HTTP_ACCEPT=*/*
HTTP_HOST=vm3.example.com:8443
HTTP_USER_AGENT=curl/7.29.0
PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin
PATH_INFO=/login
PATH_TRANSLATED=/var/www/html/login
QUERY_STRING=
REMOTE_ADDR=192.168.122.153
REMOTE_PORT=51892
REMOTE_USER=bob123
REQUEST_METHOD=GET
REQUEST_SCHEME=https
REQUEST_URI=/application/login
SCRIPT_FILENAME=/var/www/app.cgi
SCRIPT_NAME=/application
SERVER_ADDR=192.168.122.153
SERVER_ADMIN=root@localhost
SERVER_NAME=vm3.example.com
SERVER_PORT=8443
SERVER_PROTOCOL=HTTP/1.1
SERVER_SIGNATURE=
SERVER_SOFTWARE=Apache/2.4.6 (Red Hat Enterprise Linux) mod_auth_kerb/5.4 mod_nss/1.0.14 NSS/3.21 Basic ECC
SSL_CIPHER=AES-256
SSL_CIPHER_ALGKEYSIZE=256
SSL_CIPHER_EXPORT=false
SSL_CIPHER_NAME=TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA
SSL_CIPHER_USEKEYSIZE=256
SSL_CLIENT_VERIFY=NONE
SSL_PROTOCOL=TLSv1.2
SSL_SECURE_RENEG=false
SSL_SERVER_A_KEY=ECDHE_RSA
SSL_SERVER_A_SIG=SHA1-RSA
SSL_SERVER_I_DN=CN=Certificate Authority,O=EXAMPLE.COM
SSL_SERVER_I_DN_CN=Certificate Authority
SSL_SERVER_I_DN_O=EXAMPLE.COM
SSL_SERVER_M_SERIAL=12
SSL_SERVER_M_VERSION=3
SSL_SERVER_S_DN=CN=vm3.example.com,O=EXAMPLE.COM
SSL_SERVER_S_DN_CN=vm3.example.com
SSL_SERVER_S_DN_O=EXAMPLE.COM
SSL_SERVER_V_END=Sep 20 17:27:31 2018 GMT
SSL_SERVER_V_START=Sep 19 17:27:31 2016 GMT
SSL_SESSION_ID=CMiGlmXoekOOZ+SrHTy9S5xq/IQd2ToHfiD0/YTs6nU=
SSL_TLS_SNI=vm3.example.com
SSL_VERSION_INTERFACE=mod_nss/1.0.14
SSL_VERSION_LIBRARY=NSS/3.21 Basic ECC
UNIQUE_ID=V@AkP3U-ZSUCLS1ga-ng0QAAAAQ
</pre>
-->
</body>
</html>
[root@vm3 conf.modules.d]#
Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA.

For information on the advisory, and where to find the updated files, follow the link below.

If the solution does not work for you, open a new bug report.

https://rhn.redhat.com/errata/RHBA-2016-2461.html