I'll add more info, from pull request <https://github.com/modauthgssapi/mod_auth_gssapi/pull/87/commits/03d965e57abddc0eed2b4987c866b049921d06d7>:
"""
### GssapiImpersonate
This option can be used even if AuthType GSSAPI is not used for given
Location or LocationMatch, to obtain service ticket for a user that was
already authenticated by different module.
The principal of the user is retrieved from the internal r->user
identifier which typically holds the username from the authentication
results.
Make sure the server principal is set to allow to acquire forwardable
tickets to itself from arbitrary users, for use with constrained
delegation, for example with the option +ok_to_auth_as_delegate.
- **Enable with:** GssapiImpersonate On
- **Default:** GssapiImpersonate Off
"""
It is needed for bug 1317377 - IdM, Web UI: allow Federated authentication.
FYI, I do see that option on an IPA server being used for testing IPA Web UI authentication with smart cards.
[root@auto-hv-02-guest07 ~]# cd /etc/httpd/conf.d
[root@auto-hv-02-guest07 conf.d]# ls
autoindex.conf ipa-rewrite.conf userdir.conf
ipa.conf lookup_identity.conf welcome.conf
ipa-kdc-proxy.conf nss.conf xx-ipa-experimental-x509-auth.conf
ipa-pki-proxy.conf README
[root@auto-hv-02-guest07 conf.d]# grep -i gssapiimpersonate *
xx-ipa-experimental-x509-auth.conf: GssapiImpersonate On
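An added example, not part of the bug report or of mod_auth_gssapi: a small Python audit that extends the `grep -i gssapiimpersonate` check above by reporting which container enables the option and whether that container uses AuthType GSSAPI or takes the user name from another module. The sample configuration and its paths are constructed; the parser looks at each block on its own and does not follow Include directives or model Apache's configuration merging.

```python
import re

# Constructed sample for illustration; not the configuration from this bug.
SAMPLE_CONF = """\
<Location "/app/login_kerberos">
  AuthType GSSAPI
</Location>
# GssapiImpersonate On
<Location "/app/login_x509">
  AuthType none
  gssapiimpersonate on
</Location>
<LocationMatch "^/app/legacy">
  GssapiImpersonate Off
</LocationMatch>
"""

OPEN = re.compile(r"<\s*(\w+)\s*(.*?)\s*>$")   # e.g. <Location "/x">
CLOSE = re.compile(r"</\s*\w+\s*>$")           # e.g. </Location>


def audit_impersonation(conf_text):
    """Return one finding per block (or global scope) with GssapiImpersonate On."""
    stack = [{"scope": "(global)", "line": None, "directives": {}}]
    findings = []

    def finish(block):
        if block["line"] is None:
            return
        auth = block["directives"].get("authtype", "(unset)")
        findings.append({"scope": block["scope"], "line": block["line"], "auth_type": auth,
                         # True when r->user comes from a module other than mod_auth_gssapi
                         "user_from_other_module": auth.lower() != "gssapi"})

    for lineno, raw in enumerate(conf_text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue  # blank line or comment
        if CLOSE.match(line):
            if len(stack) > 1:
                finish(stack.pop())
        elif (m := OPEN.match(line)):
            scope = f"{m.group(1)} {m.group(2)}".strip()
            stack.append({"scope": scope, "line": None, "directives": {}})
        else:
            name, value = (line.split(None, 1) + [""])[:2]
            stack[-1]["directives"][name.lower()] = value.strip()
            if name.lower() == "gssapiimpersonate":  # last setting in a block wins
                stack[-1]["line"] = lineno if value.strip().lower() == "on" else None
    while stack:
        finish(stack.pop())
    return sorted(findings, key=lambda f: f["line"])
```

Blocks reported with `user_from_other_module` set are the ones to review first, since the principal being impersonated there is whatever that other module placed in r->user.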
[root@dhcp129-34 ~]# rpm -qi ipa-server
Name : ipa-server
Version : 4.4.0
Release : 12.el7
Architecture: x86_64
Install Date: Wed 21 Sep 2016 12:16:46 PM EDT
Group : System Environment/Base
Size : 1019056
License : GPLv3+
Signature : (none)
Source RPM : ipa-4.4.0-12.el7.src.rpm
Build Date : Fri 16 Sep 2016 05:23:17 AM EDT
Build Host : x86-037.build.eng.bos.redhat.com
Relocations : (not relocatable)
Packager : Red Hat, Inc. <http://bugzilla.redhat.com/bugzilla>
Vendor : Red Hat, Inc.
URL : http://www.freeipa.org/
Summary : The IPA authentication server
Followed the instruction in the document in comment 8. The certificate on the card was issued by an external CA and the CA was trusted on the browser. The token was loaded on the browser. A password was set for the IPA user; su to the user prompted for a new password as the password had expired. Login to the IPA web UI using the smartcard PIN was successful.
[root@dhcp129-34 ~]# rpm -qi mod_auth_gssapi
Name : mod_auth_gssapi
Version : 1.4.0
Release : 1.el7
Architecture: x86_64
Install Date: Wed 21 Sep 2016 12:16:21 PM EDT
Group : System Environment/Daemons
Size : 137027
License : MIT
Signature : RSA/SHA256, Wed 27 Jul 2016 11:19:04 AM EDT, Key ID 938a80caf21541eb
Source RPM : mod_auth_gssapi-1.4.0-1.el7.src.rpm
Build Date : Tue 21 Jun 2016 10:00:58 AM EDT
Build Host : x86-017.build.eng.bos.redhat.com
Relocations : (not relocatable)
Packager : Red Hat, Inc. <http://bugzilla.redhat.com/bugzilla>
Vendor : Red Hat, Inc.
URL : https://github.com/modauthgssapi/mod_auth_gssapi
Summary : A GSSAPI Authentication module for Apache
The above build was used for verification.
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.
For information on the advisory, and where to find the updated
files, follow the link below.
If the solution does not work for you, open a new bug report.
https://rhn.redhat.com/errata/RHBA-2016-2404.html