Description of problem:
[Authentication] External auth login using Kerberos SSO is failing for AD on Satellite

Version-Release number of selected component (if applicable):
Satellite 6.9 Snap 18

How reproducible:
Always

Steps to Reproduce:
1. Configure the External Auth to Satellite as mentioned on the link https://access.redhat.com/documentation/en-us/red_hat_satellite/6.8/html/administering_red_hat_satellite/chap-red_hat_satellite-administering_red_hat_satellite-configuring_external_authentication#sect-Red_Hat_Satellite-Administering_Red_Hat_Satellite-Configuring_External_Authentication-Using_Active_Directory
2. Get the Kerberos ticket
3. Try curl -k -u: --negotiate https://satelliteexample.com/users/extlogin/

Actual results:
The user is redirected to the login page again and Satellite is not able to validate the ticket details, e.g.

```
>>> curl -k -u : --negotiate https://satellite.example.com/users/extlogin/
<<< stdout
<html><meta http-equiv="refresh" content="0; URL=/users/login"><body>Kerberos authentication did not pass.</body>
```

Expected results:
User should be redirected to the profile page, e.g.

```
>>> curl -k -u : --negotiate https://satellite.example.com/users/extlogin/
<<< stdout
<html><body>You are being <a href="https://satellite.example.com/users/8-foobar/edit">redirected</a>.</body></html>
```

Additional info:
This was working, last verified for Bugzilla https://bugzilla.redhat.com/show_bug.cgi?id=1905400

Hi,

The issue is that you are using

```
>>> curl -k -u : --negotiate https://satellite.example.com/users/extlogin/
```

Instead, you need to leave out the trailing slash:

```
>>> curl -k -u : --negotiate https://satellite.example.com/users/extlogin
```

This is simply an issue of our exact match in Apache and the trailing backslash. We are using this for the Kerberos endpoint configuration:

```
<LocationMatch ^/users/(ext)?login$>
```

And that is not matched with the trailing slash.
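
The exact-match behaviour described in the comment above, as an added example (not code from Satellite or from anyone in this thread): a Python check that reads the quoted `<LocationMatch>` line and reports which request URLs fall inside the Kerberos-protected location. Assumptions: Python's `re` stands in for Apache's regex engine, and the closing tag, the sample URLs and all function names are constructed for illustration.

```python
import re
from urllib.parse import urlsplit

# The directive quoted in the comment above. Only the opening line is on the
# page; the closing tag is added so the sample is a complete block.
CONFIG = """\
<LocationMatch ^/users/(ext)?login$>
</LocationMatch>
"""

# Opening <LocationMatch ...> line, with or without quotes around the regex.
DIRECTIVE = re.compile(r'^\s*<LocationMatch\s+"?(.+?)"?\s*>\s*$', re.M)

def location_patterns(config):
    """Return the compiled regex of every <LocationMatch> opening line."""
    return [re.compile(m.group(1)) for m in DIRECTIVE.finditer(config)]

def kerberos_applies(url, patterns):
    """True if the URL path falls inside one of the LocationMatch blocks.

    Only the path is compared; the query string is not part of it.
    """
    path = urlsplit(url).path
    return any(p.search(path) for p in patterns)

# Constructed request URLs covering the cases discussed in this bug.
SAMPLE_URLS = [
    "https://satellite.example.com/users/extlogin",       # exact match
    "https://satellite.example.com/users/extlogin/",      # trailing slash
    "https://satellite.example.com/users/login",          # (ext)? is optional
    "https://satellite.example.com/users/extlogin?x=1",   # query is ignored
    "https://satellite.example.com/users/extlogin/more",  # deeper path
]

def report(urls, config=CONFIG):
    """Map each URL to whether the Kerberos location block covers it."""
    patterns = location_patterns(config)
    return {url: kerberos_applies(url, patterns) for url in urls}

if __name__ == "__main__":
    for url, covered in report(SAMPLE_URLS).items():
        print(f"{'covered' if covered else 'NOT covered':12} {url}")
```

A request whose path is reported as not covered is handled without the Kerberos configuration in that block, which matches the redirect back to `/users/login` seen in the report.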
Upstream bug assigned to oezr
Brad, the same issue exists in Satellite 6.8.5 latest snap.
Can confirm this is an issue in 6.8.6 regardless of the trailing slash on the URL.

```
[redacted]# curl -k -u : --negotiate https://redacted/users/extlogin/
<html><body>You are being <a href="https://redacted/users/login">redirected</a>.</body></html>
[redacted]# curl -k -u : --negotiate https://redacted/users/extlogin
<html><body>You are being <a href="https://redacted/users/login">redirected</a>.</body></html>
```
Jonathan, this can even mean Kerberos did work. If it didn't, we would need more details about your setup to figure out where your issue is. The cause of the reported issue in this BZ was strictly the use of the trailing slash; apart from that, Kerberos worked on the setup.
Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory (Moderate: Satellite 6.10 Release), and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report. https://access.redhat.com/errata/RHSA-2021:4702