Bug 1941997 - [External Authentication] External auth login using Kerberos SSO is failing for AD on Satellite 6.9
Status: CLOSED ERRATA
Alias: None
Product: Red Hat Satellite
Classification: Red Hat
Component: Authentication
Version: 6.9.0
Hardware: All
OS: All
Target Milestone: 6.10.0
Assignee: Ondřej Ezr
QA Contact: Omkar Khatavkar
Reported: 2021-03-23 11:38 UTC by Omkar Khatavkar
Modified: 2021-11-16 14:10 UTC (History)

Last Closed: 2021-11-16 14:10:29 UTC



Links
| System ID | Private | Priority | Status | Summary | Last Updated |
|---|---|---|---|---|---|
| Foreman Issue Tracker 32208 | 0 | Normal | New | Kerberos url is not matched with trailing slash | 2021-03-25 14:03:28 UTC |
| Red Hat Product Errata RHSA-2021:4702 | 0 | None | None | None | 2021-11-16 14:10:42 UTC |

Description Omkar Khatavkar 2021-03-23 11:38:48 UTC
Description of problem:
[Authentication] External auth login using Kerberos SSO is failing for AD on Satellite

Version-Release number of selected component (if applicable):
Satellite 6.9 Snap 18

How reproducible:
Always

Steps to Reproduce:
1. Configure the External Auth to Satellite as mentioned on the link

https://access.redhat.com/documentation/en-us/red_hat_satellite/6.8/html/administering_red_hat_satellite/chap-red_hat_satellite-administering_red_hat_satellite-configuring_external_authentication#sect-Red_Hat_Satellite-Administering_Red_Hat_Satellite-Configuring_External_Authentication-Using_Active_Directory

2. Get the Kerberos ticket

3. Try curl -k -u: --negotiate https://satelliteexample.com/users/extlogin/


Actual results:

The user is redirected to the login page again and Satellite is not able to validate the ticket details, e.g.

>>> curl -k -u : --negotiate https://satellite.example.com/users/extlogin/

<<< stdout
<html><meta http-equiv="refresh" content="0; URL=/users/login"><body>Kerberos authentication did not pass.</body>



Expected results:

The user should be redirected to the profile page, e.g.

>>> curl -k -u : --negotiate https://satellite.example.com/users/extlogin/

<<< stdout
<html><body>You are being <a href="https://satellite.example.com/users/8-foobar/edit">redirected</a>.</body></html> 

Additional info:

This was working when last verified for Bugzilla
https://bugzilla.redhat.com/show_bug.cgi?id=1905400

Comment 8 Ondřej Ezr 2021-03-25 13:36:37 UTC
Hi,

The issue is that you are using

>>> curl -k -u : --negotiate https://satellite.example.com/users/extlogin/

Instead, you need to leave out the trailing slash

>>> curl -k -u : --negotiate https://satellite.example.com/users/extlogin


This is simply an issue of our exact match in Apache and the trailing backslash.
We are using this for the Kerberos endpoint configuration:

```
<LocationMatch ^/users/(ext)?login$>
```

And that is not matched with the trailing slash.
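
The match behaviour described in Comment 8, as an added example that is not part of the original report or of Satellite's code. Python's `re` stands in for Apache's regex engine, the sample requests are constructed, and `TOLERANT_PATTERN` is a hypothetical variant shown only for comparison, not the fix shipped in the erratum.

```python
import re
from urllib.parse import urlsplit

# Pattern quoted in the comment above (the Apache <LocationMatch> argument).
PAGE_PATTERN = re.compile(r"^/users/(ext)?login$")
# Hypothetical tolerant variant, for comparison only (not the shipped fix).
TOLERANT_PATTERN = re.compile(r"^/users/(ext)?login/?$")


def url_path(request_target):
    """Return the URL-path Apache matches on: no scheme, host or query string."""
    return urlsplit(request_target).path


def kerberos_block_applies(request_target, pattern=PAGE_PATTERN):
    """True if the request would fall inside the <LocationMatch> block."""
    return pattern.search(url_path(request_target)) is not None


def near_misses(request_targets):
    """Requests that look like login endpoints but miss the exact-match block."""
    return [t for t in request_targets
            if not kerberos_block_applies(t)
            and kerberos_block_applies(t, TOLERANT_PATTERN)]


# Constructed sample requests; the hostname is the one used in this report.
SAMPLES = [
    "https://satellite.example.com/users/extlogin",
    "https://satellite.example.com/users/extlogin/",
    "https://satellite.example.com/users/login",
    "https://satellite.example.com/users/login/",
    "https://satellite.example.com/users/extlogin?x=1",
    "https://satellite.example.com/users/8-foobar/edit",
]

if __name__ == "__main__":
    for target in SAMPLES:
        state = "inside" if kerberos_block_applies(target) else "outside"
        print(f"{state:7} {url_path(target)}")
    print("near misses:", [url_path(t) for t in near_misses(SAMPLES)])
```

A request that lands outside the block is handled without the Kerberos configuration attached to it, which is consistent with the "Kerberos authentication did not pass" response in the description.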

Comment 11 Bryan Kearney 2021-03-25 16:01:34 UTC
Upstream bug assigned to oezr@redhat.com

Comment 12 Bryan Kearney 2021-03-25 16:01:36 UTC
Upstream bug assigned to oezr@redhat.com

Comment 13 Omkar Khatavkar 2021-03-30 12:31:30 UTC
Brad, the same issue exists in Satellite 6.8.5 latest snap.

Comment 14 Jonathan Liedy 2021-04-21 18:29:37 UTC
Can confirm this is an issue in 6.8.6 regardless of the trailing slash on the URL.

[redacted]# curl -k -u : --negotiate https://redacted/users/extlogin/
<html><body>You are being <a href="https://redacted/users/login">redirected</a>.</body></html>
[redacted]# curl -k -u : --negotiate https://redacted/users/extlogin
<html><body>You are being <a href="https://redacted/users/login">redirected</a>.</body></html>

Comment 15 Ondřej Ezr 2021-05-04 18:25:45 UTC
Jonathan, this can even mean Kerberos did work.
If it didn't, we would need more details about your setup to figure out where your issue is.
The cause of the reported issue in this BZ was strictly the use of the trailing slash; apart from it, Kerberos worked on the setup.

Comment 19 errata-xmlrpc 2021-11-16 14:10:29 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory (Moderate: Satellite 6.10 Release), and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHSA-2021:4702

