Bug 1343422 - [RFE] Add GssapiImpersonate option
Summary: [RFE] Add GssapiImpersonate option
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Red Hat Enterprise Linux 7
Classification: Red Hat
Component: mod_auth_gssapi
Version: 7.3
Hardware: Unspecified
OS: Unspecified
Priority: unspecified
Severity: unspecified
Target Milestone: rc
Target Release: ---
Assignee: Simo Sorce
QA Contact: Namita Soman
URL:
Whiteboard:
Depends On: 1346883
Blocks: 1317377 1317379 1366572 1402820
Reported: 2016-06-07 10:07 UTC by Simo Sorce
Modified: 2017-03-14 11:49 UTC (History)
CC List: 9 users

Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed: 2016-11-04 05:54:44 UTC
Target Upstream Version:
Embargoed:
Links
System ID Private Priority Status Summary Last Updated
Red Hat Product Errata RHBA-2016:2404 0 normal SHIPPED_LIVE ipa bug fix and enhancement update 2016-11-03 13:56:18 UTC

Description Simo Sorce 2016-06-07 10:07:46 UTC
This option is required by the upcoming IdM (ipa-server) release

Comment 1 Petr Vobornik 2016-06-07 10:36:07 UTC
I'll add more info, from pull request <https://github.com/modauthgssapi/mod_auth_gssapi/pull/87/commits/03d965e57abddc0eed2b4987c866b049921d06d7>:

"""
### GssapiImpersonate

This option can be used even if AuthType GSSAPI is not used for given
Location or LocationMatch, to obtain service ticket for a user that was
already authenticated by different module.

The principal of the user is retrieved from the internal r->user
identifier which typically holds the username from the authentication
results.

Make sure the server principal is set to allow to acquire forwardable
tickets to itself from arbitrary users, for use with constrained
delegation, for example with the option +ok_to_auth_as_delegate.

- **Enable with:** GssapiImpersonate On
- **Default:** GssapiImpersonate Off
"""

It is needed for bug 1317377 - IdM, Web UI: allow Federated authentication.
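As an added illustration of the quoted option (this is not configuration from the bug, from IdM, or from the mod_auth_gssapi project), the fragment below shows a Location whose authentication is handled by another module, with GssapiImpersonate turned on so that mod_auth_gssapi still acquires a service ticket for the already-authenticated r->user. The hostname, realm, keytab path and ccache directory are placeholders, and the directives GssapiCredStore, GssapiDelegCcacheDir and GssapiUseS4U2Proxy are assumed from the module's general documentation rather than taken from this page:

```apache
# Added example; hostnames, realm and paths are placeholders.
#
# Prerequisite on the KDC (assumed, as the quoted text suggests):
# the HTTP service principal must be allowed to obtain forwardable
# tickets to itself on behalf of arbitrary users (constrained delegation).
#   kadmin.local -q "modprinc +ok_to_auth_as_delegate HTTP/ipa.example.test@EXAMPLE.TEST"

<Location "/ipa/session/login_x509">
    # Authentication is NOT done by mod_auth_gssapi here; another module
    # (e.g. client-certificate or SSO handling) has already set r->user.
    # AuthType GSSAPI is deliberately absent.

    # Ask mod_auth_gssapi to impersonate the user named in r->user and
    # obtain a service ticket for it (S4U2Self / constrained delegation).
    GssapiImpersonate On

    # Keytab holding the HTTP/ipa.example.test@EXAMPLE.TEST key (placeholder path).
    GssapiCredStore keytab:/etc/httpd/conf/ipa.keytab

    # Where the per-user delegated credentials are stored so the
    # application behind this Location can use them (placeholder path).
    GssapiDelegCcacheDir /var/run/httpd/ipa/clientcaches
    GssapiUseS4U2Proxy On
</Location>
```

Without the +ok_to_auth_as_delegate flag on the server principal the KDC refuses the S4U2Self/S4U2Proxy exchange, which is the failure a tester would see first when verifying this option; the grep in the later comments confirms the option is enabled, but the KDC-side flag is what makes it usable.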

Comment 7 Kaleem 2016-08-29 10:04:21 UTC
Please provide steps to verify this.

Comment 8 Jan Pazdziora (Red Hat) 2016-08-29 11:15:21 UTC
It could likely be tested as part of the smart card / x509 feature testing:

http://www.freeipa.org/page/V4/External_Authentication/Setup

Comment 9 Simo Sorce 2016-08-29 14:48:21 UTC
Please see the page Jan posted.

Comment 10 Scott Poore 2016-09-22 14:30:18 UTC
FYI, I do see that option on an IPA server being used for testing IPA Web UI authentication with smart cards.
[root@auto-hv-02-guest07 ~]# cd /etc/httpd/conf.d

[root@auto-hv-02-guest07 conf.d]# ls
autoindex.conf      ipa-rewrite.conf      userdir.conf
ipa.conf            lookup_identity.conf  welcome.conf
ipa-kdc-proxy.conf  nss.conf              xx-ipa-experimental-x509-auth.conf
ipa-pki-proxy.conf  README

[root@auto-hv-02-guest07 conf.d]# grep -i gssapiimpersonate *
xx-ipa-experimental-x509-auth.conf:  GssapiImpersonate On

Comment 11 Roshni 2016-09-22 14:33:34 UTC
[root@dhcp129-34 ~]# rpm -qi ipa-server
Name        : ipa-server
Version     : 4.4.0
Release     : 12.el7
Architecture: x86_64
Install Date: Wed 21 Sep 2016 12:16:46 PM EDT
Group       : System Environment/Base
Size        : 1019056
License     : GPLv3+
Signature   : (none)
Source RPM  : ipa-4.4.0-12.el7.src.rpm
Build Date  : Fri 16 Sep 2016 05:23:17 AM EDT
Build Host  : x86-037.build.eng.bos.redhat.com
Relocations : (not relocatable)
Packager    : Red Hat, Inc. <http://bugzilla.redhat.com/bugzilla>
Vendor      : Red Hat, Inc.
URL         : http://www.freeipa.org/
Summary     : The IPA authentication server

Followed the instructions in the document in comment 8. The certificate on the card was issued by an external CA, and the CA was trusted in the browser. The token was loaded in the browser. A password was set for the IPA user; su to the user prompted for a new password as the password had expired. Login to the IPA web UI using the smart card PIN was successful.

Comment 12 Roshni 2016-09-22 14:34:50 UTC
[root@dhcp129-34 ~]# rpm -qi mod_auth_gssapi
Name        : mod_auth_gssapi
Version     : 1.4.0
Release     : 1.el7
Architecture: x86_64
Install Date: Wed 21 Sep 2016 12:16:21 PM EDT
Group       : System Environment/Daemons
Size        : 137027
License     : MIT
Signature   : RSA/SHA256, Wed 27 Jul 2016 11:19:04 AM EDT, Key ID 938a80caf21541eb
Source RPM  : mod_auth_gssapi-1.4.0-1.el7.src.rpm
Build Date  : Tue 21 Jun 2016 10:00:58 AM EDT
Build Host  : x86-017.build.eng.bos.redhat.com
Relocations : (not relocatable)
Packager    : Red Hat, Inc. <http://bugzilla.redhat.com/bugzilla>
Vendor      : Red Hat, Inc.
URL         : https://github.com/modauthgssapi/mod_auth_gssapi
Summary     : A GSSAPI Authentication module for Apache

The above build was used for verification.

Comment 14 errata-xmlrpc 2016-11-04 05:54:44 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://rhn.redhat.com/errata/RHBA-2016-2404.html