1567223 – Downgrade mod_auth_gssapi missing auth headers from ERROR to INFO

RHEL Engineering is moving the tracking of its product development work on RHEL 6 through RHEL 9 to Red Hat Jira (issues.redhat.com). If you're a Red Hat customer, please continue to file support cases via the Red Hat customer portal. If you're not, please head to the "RHEL project" in Red Hat Jira and file new tickets here. Individual Bugzilla bugs in the statuses "NEW", "ASSIGNED", and "POST" are being migrated throughout September 2023. Bugs of Red Hat partners with an assigned Engineering Partner Manager (EPM) are migrated in late September as per pre-agreed dates. Bugs against components "kernel", "kernel-rt", and "kpatch" are only migrated if still in "NEW" or "ASSIGNED". If you cannot log in to RH Jira, please consult article #7032570. That failing, please send an e-mail to the RH Jira admins at rh-issues@redhat.com to troubleshoot your issue as a user management inquiry. The email creates a ServiceNow ticket with Red Hat. Individual Bugzilla bugs that are migrated will be moved to status "CLOSED", resolution "MIGRATED", and set with "MigratedToJIRA" in "Keywords". The link to the successor Jira issue will be found under "Links", have a little "two-footprint" icon next to it, and direct you to the "RHEL project" in Red Hat Jira (issue links are of type "https://issues.redhat.com/browse/RHEL-XXXX", where "X" is a digit). This same link will be available in a blue banner at the top of the page informing you that that bug has been migrated.

Bug 1567223 - Downgrade mod_auth_gssapi missing auth headers from ERROR to INFO

Summary: Downgrade mod_auth_gssapi missing auth headers from ERROR to INFO

Keywords:
Status:	CLOSED ERRATA
Alias:	None
Product:	Red Hat Enterprise Linux 7
Classification:	Red Hat
Component:	mod_auth_gssapi
Sub Component:
Version:	7.5
Hardware:	Unspecified
OS:	Unspecified
Priority:	unspecified
Severity:	medium
Target Milestone:	rc
Target Release:	---
Assignee:	Robbie Harwood
QA Contact:	anuja
Docs Contact:
URL:
Whiteboard:
Depends On:
Blocks:	1788833
TreeView+	depends on / blocked

Reported:	2018-04-13 15:21 UTC by David Mulford
Modified:	2023-12-15 16:06 UTC (History)
CC List:	8 users (show)
Fixed In Version:	mod_auth_gssapi-1.5.1-7.el7
Doc Type:	No Doc Update
Doc Text:
Clone Of:
Environment:
Last Closed:	2020-09-29 20:09:26 UTC
Target Upstream Version:
Embargoed:
Flags:	akrawczy: needinfo+

Attachments	(Terms of Use)

Links
System	ID	Priority	Status	Summary	Last Updated
Red Hat Issue Tracker	FREEIPA-10644	None	None	None	2023-12-15 16:06:04 UTC
Red Hat Knowledge Base (Solution)	4196241	Troubleshoot	None	mod_auth_gssapi error logging is too verbose	2019-06-04 13:23:06 UTC
Red Hat Product Errata	RHBA-2020:3962	None	None	None	2020-09-29 20:09:30 UTC

Description David Mulford 2018-04-13 15:21:16 UTC

mod_auth_gssapi reports the following log message as an error.

[auth_gssapi:error]  NO AUTH DATA Client did not send any authentication headers

Upstream has downgraded this to an INFO message.

GitHub Issue: https://github.com/modauthgssapi/mod_auth_gssapi/issues/155
Commit: https://github.com/modauthgssapi/mod_auth_gssapi/commit/07b0d3c568b8086fcf1558e9b1745df99bb15081

This is causing the error log to become flooded with these log messages making it difficult to find any actual errors that may be happening.


Version-Release number of selected component (if applicable):
- httpd-2.4.6-67.el7_4.6.x86_64
- mod_auth_gssapi

How reproducible:
Always


Steps to Reproduce:
1. Install httpd and mod_auth_gssapi packages
2. Configure auth_gssapi for Kerberos auth
3. View the httpd error logs

Actual results:
Errors logs flooded with the log messages.

Expected results:
Logs should not be flooded with the log messages when LogLevel is set to warn.

Comment 16 anuja 2020-04-28 07:12:07 UTC

Reproduced using : 
mod_auth_gssapi-1.5.1-2.el7.x86_64
httpd-2.4.6-67.el7_4.6.x86_64

Reproduced wiith steps:
1. Install httpd and mod_auth_gssapi packages
2. Configure auth_gssapi for Kerberos auth
--------------------------------------------------------------------------------------------

[root@client1 ~]#  curl -i --negotiate -u : http://$( hostname )/mywebapp/index.html
HTTP/1.1 401 Unauthorized
Date: Fri, 24 Apr 2020 08:55:25 GMT
Server: Apache/2.4.6 (Red Hat Enterprise Linux) mod_auth_gssapi/1.5.1
WWW-Authenticate: Negotiate
Content-Length: 381
Content-Type: text/html; charset=iso-8859-1

HTTP/1.1 200 OK
Date: Fri, 24 Apr 2020 08:55:25 GMT
Server: Apache/2.4.6 (Red Hat Enterprise Linux) mod_auth_gssapi/1.5.1
WWW-Authenticate: Negotiate YIGZBgkqhkiG9xIBAgICAG+BiTCBhqADAgEFoQMCAQ+iejB4oAMCARKicQRvDRHKm+xN5iAXlvQ3ayqKzPXCYjkT8zoenz6JQAAI/6gSLcvEVi+HRhFbWKhLA5iHc6yhs3KdVAVG6O+ew+MNs4mvDMTiOaPHgSP2/6oWQkKXz3w7dFWZ5fqTZkvjIGDJpVwXT7t/VPKu30jh8cGx
Last-Modified: Fri, 24 Apr 2020 08:52:48 GMT
ETag: "13-5a4057d5b7e41"
Accept-Ranges: bytes
Content-Length: 19
Content-Type: text/html; charset=UTF-8

TEST_MY_WEB_APP7.4
[root@client1 ~]# cat /var/log/httpd/error_log | grep "NO AUTH DATA Client did not send any authentication headers"
[Fri Apr 24 04:55:25.149755 2020] [auth_gssapi:error] [pid 4385] [client x.x.x.x:59528] NO AUTH DATA Client did not send any authentication headers
[root@client1 ~]# date
Fri Apr 24 04:55:50 EDT 2020

-----------------------------------------------------------------------------------------
Verified using latest version : 
mod_auth_gssapi-1.5.1-7.el7.x86_64
httpd-2.4.6-95.el7.x86_64
-----------------------------------------------------------------------------------------
[root@client1 ~]# curl -i --negotiate -u : http://$( hostname )/mywebapp/index.html
HTTP/1.1 401 Unauthorized
Date: Fri, 24 Apr 2020 09:02:10 GMT
Server: Apache/2.4.6 (Red Hat Enterprise Linux) mod_auth_gssapi/1.5.1
WWW-Authenticate: Negotiate
Content-Length: 381
Content-Type: text/html; charset=iso-8859-1

HTTP/1.1 200 OK
Date: Fri, 24 Apr 2020 09:02:10 GMT
Server: Apache/2.4.6 (Red Hat Enterprise Linux) mod_auth_gssapi/1.5.1
WWW-Authenticate: Negotiate YIGZBgkqhkiG9xIBAgICAG+BiTCBhqADAgEFoQMCAQ+iejB4oAMCARKicQRv+NzvEZEtb1nd6ttQBAtni85HT/LdML35yKNNtlHW40HxElByGYO9obEKPd7XJfYxc2Pz71XmFjsG90+HNo5nEHuU5VrQrhWb5Z4Qn2K/UOZyEVdjfcvqJ2P7TeLtHDaEjFt/fUJCNDS0/4XYDIGl
Last-Modified: Fri, 24 Apr 2020 09:00:44 GMT
ETag: "13-5a40599b5fcdd"
Accept-Ranges: bytes
Content-Length: 19
Content-Type: text/html; charset=UTF-8

TEST_MY_WEB_APP7.9
[root@client79 ~]# cat /var/log/httpd/error_log | grep "NO AUTH DATA Client did not send any authentication headers"
[Fri Apr 24 06:41:02.161363 2020] [auth_gssapi:info] [pid 16064] [client x.x.x.x:45534] NO AUTH DATA Client did not send any authentication headers
[Fri Apr 24 06:41:09.317406 2020] [auth_gssapi:info] [pid 16066] [client x.x.x.x:45540] NO AUTH DATA Client did not send any authentication headers
[Fri Apr 24 06:42:47.071353 2020] [auth_gssapi:info] [pid 16106] [client x.x.x.x:45544] NO AUTH DATA Client did not send any authentication headers

As in fixed version the error is reported with loglevel type info.
Based on this marking this as verified.

Comment 18 errata-xmlrpc 2020-09-29 20:09:26 UTC

Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory (mod_auth_gssapi bug fix and enhancement update), and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2020:3962

Note You need to log in before you can comment on or make changes to this bug.