Description of problem:
When a browser is pointed to the IP (or incomplete name) of the IPA server, Kerberos authentication fails.

How reproducible:
Point a fully configured IPA client at an IPA server, specifying the IP of the server or the name of the server instead of the correct FQDN, i.e. point it at https://server instead of https://server.full.fqdn.seems.unessary.to.type.com

Actual results:
Kerberos authentication failed.

Expected results:
A web page suggesting that you go to the correct URL, or an error message better than "kerberos authentication failed". Something like "Kerberos authentication failed because server key name doesn't match URL in address bar." Possibly the key gets created with the IP and shortened names defined within, so going to https://server or https://<ip of server> works.
Can you attach your /etc/httpd/conf.d/ipa.conf?
client ipa.conf:
[defaults]
server = iparhel5-64vm.dsqa.sjc2.redhat.com
realm = DSQA.SJC2.REDHAT.COM

server ipa.conf:
[defaults]
server=iparhel5-64vm.dsqa.sjc2.redhat.com
realm=DSQA.SJC2.REDHAT.COM

client's resolv.conf:
search DSQA.SJC2.REDHAT.COM
nameserver 10.14.0.132

10.14.0.132 is the IP of the server. I can set up a test environment for you to try this yourself if you'd like.
I didn't really read your request, did I? /etc/httpd/conf.d/ipa.conf is:

# LoadModule auth_kerb_module modules/mod_auth_kerb.so

ProxyRequests Off

RewriteEngine on

# Redirect to the fully-qualified hostname. Not redirecting to secure
# port so configuration files can be retrieved without requiring SSL.
RewriteCond %{HTTP_HOST}    !^iparhel5-64vm.dsqa.sjc2.redhat.com$ [NC]
RewriteRule ^/(.*)          http://iparhel5-64vm.dsqa.sjc2.redhat.com/$1 [L,R=301]

# Redirect to the secure port if not displaying an error or retrieving
# configuration.
RewriteCond %{SERVER_PORT}  !^443$
RewriteCond %{REQUEST_URI}  !^/(errors|config|favicon.ico)
RewriteRule ^/(.*)          https://iparhel5-64vm.dsqa.sjc2.redhat.com/$1 [L,R=301,NC]

# This is required so the auto-configuration works with Firefox 2+
AddType application/java-archive jar

<Proxy *>
  AuthType Kerberos
  AuthName "Kerberos Login"
  KrbMethodNegotiate on
  KrbMethodK5Passwd off
  KrbServiceName HTTP
  KrbAuthRealms DSQA.SJC2.REDHAT.COM
  Krb5KeyTab /etc/httpd/conf/ipa.keytab
  KrbSaveCredentials on
  Require valid-user
  ErrorDocument 401 /errors/unauthorized.html

  RewriteEngine on

  Order deny,allow
  Allow from all

  # We create a subrequest to find REMOTE_USER. Don't do this for every
  # subrequest too (slow and huge logs result)
  RewriteCond %{IS_SUBREQ}% false
  RewriteRule .* - [E=RU:%{LA-U:REMOTE_USER}]
  RequestHeader set X-Forwarded-User %{RU}e
  RequestHeader set X-Forwarded-Keytab %{KRB5CCNAME}e
  # RequestHeader unset Authorization
</Proxy>

# The URI's with a trailing ! are those that aren't handled by the proxy
ProxyPass /cgi-bin !
ProxyPass /errors !
ProxyPass /config !
ProxyPass /ipa !
#ProxyPass /ipatest !
ProxyPass / http://localhost:8080/
ProxyPassReverse /cgi-bin !
ProxyPassReverse /errors !
ProxyPassReverse /config !
ProxyPassReverse /ipa !
#ProxyPassReverse /ipatest !
ProxyPassReverse / http://localhost:8080/

# Configure the XML-RPC service
Alias /ipa "/usr/share/ipa/ipaserver/XMLRPC"
Alias /errors "/usr/share/ipa/html"
Alias /config "/usr/share/ipa/html"

<Directory "/usr/share/ipa/ipaserver">
  AuthType Kerberos
  AuthName "Kerberos Login"
  KrbMethodNegotiate on
  KrbMethodK5Passwd off
  KrbServiceName HTTP
  KrbAuthRealms DSQA.SJC2.REDHAT.COM
  Krb5KeyTab /etc/httpd/conf/ipa.keytab
  KrbSaveCredentials on
  Require valid-user
  ErrorDocument 401 /errors/unauthorized.html

  SetHandler mod_python
  PythonHandler ipaxmlrpc
  PythonDebug Off
  PythonOption IPADebug Off
  # this is pointless to use since it would just reload ipaxmlrpc.py
  PythonAutoReload Off
</Directory>

# Do no authentication on the directory that contains error messages
<Directory "/usr/share/ipa/html">
  AllowOverride None
  Satisfy Any
  Allow from all
</Directory>

# Protect our CGIs
<Directory /var/www/cgi-bin>
  AuthType Kerberos
  AuthName "Kerberos Login"
  KrbMethodNegotiate on
  KrbMethodK5Passwd off
  KrbServiceName HTTP
  KrbAuthRealms DSQA.SJC2.REDHAT.COM
  Krb5KeyTab /etc/httpd/conf/ipa.keytab
  KrbSaveCredentials on
  Require valid-user
  ErrorDocument 401 /errors/unauthorized.html
</Directory>

#Alias /ipatest "/usr/share/ipa/ipatest"
#<Directory "/usr/share/ipa/ipatest">
#  AuthType Kerberos
#  AuthName "Kerberos Login"
#  KrbMethodNegotiate on
#  KrbMethodK5Passwd off
#  KrbServiceName HTTP
#  KrbAuthRealms DSQA.SJC2.REDHAT.COM
#  Krb5KeyTab /etc/httpd/conf/ipa.keytab
#  KrbSaveCredentials on
#  Require valid-user
#  ErrorDocument 401 /errors/unauthorized.html
#
#  SetHandler mod_python
#  PythonHandler test_mod_python
#
#  PythonDebug Off
#
#</Directory>
Ok. We do name fixing when one goes to the http:// port but not https://. Some more mod_rewrite rules are required.
Created attachment 295559
redirect users on both SSL and non-SSL ports

make the rewrite rules a separate configuration that is included in ipa.conf and mod_nss.conf
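To make the failure mode concrete, here is an added Python model (not IPA's own code) of the host-canonicalising rewrite rules from the attached ipa.conf, before and after they are shared with the SSL virtual host, together with the service principal a SPNEGO browser would ask for. The FQDN and realm come from the attached configuration; the assumption that the browser requests HTTP/<host as typed in the address bar> without DNS canonicalisation is mine.

```python
from urllib.parse import urlsplit

# Values taken from the ipa.conf attached above.
FQDN = "iparhel5-64vm.dsqa.sjc2.redhat.com"
REALM = "DSQA.SJC2.REDHAT.COM"
# Paths the second RewriteRule leaves on plain HTTP.
PLAIN_HTTP_OK = ("/errors", "/config", "/favicon.ico")


def redirect_target(url, fqdn=FQDN, fixed=True):
    """Return the 301 Location the rewrite rules would issue, or None.

    fixed=False models the original ipa.conf, where the HTTP_HOST check
    exists only in the plain-HTTP virtual host.  fixed=True models the
    rules moved into a file included by both ipa.conf and mod_nss.conf,
    so the SSL virtual host canonicalises the host name as well.
    Query strings are ignored (mod_rewrite passes them through unchanged).
    """
    u = urlsplit(url)
    host = (u.hostname or "").lower()
    path = u.path or "/"
    # Rule 1: HTTP_HOST is not the FQDN -> same scheme, canonical name, [L].
    if host != fqdn.lower():
        if u.scheme == "https" and not fixed:
            return None  # the reported bug: no host check on the SSL side
        return f"{u.scheme}://{fqdn}{path}"
    # Rule 2: SERVER_PORT != 443 and not an error/config path -> https.
    if u.scheme == "http" and not path.startswith(PLAIN_HTTP_OK):
        return f"https://{fqdn}{path}"
    return None


def requested_spn(url, realm=REALM):
    """Service principal a SPNEGO browser asks the KDC for.  Assumption of
    this model: HTTP/<host as typed>, with no DNS canonicalisation."""
    return f"HTTP/{(urlsplit(url).hostname or '').lower()}@{realm}"


def spn_matches_keytab(url, keytab_spn=f"HTTP/{FQDN}@{REALM}"):
    """True when the principal the browser wants is the one mod_auth_kerb
    holds in /etc/httpd/conf/ipa.keytab (KrbServiceName HTTP on the FQDN)."""
    return requested_spn(url) == keytab_spn
```

With fixed=False, https://server reaches mod_auth_kerb with a Host that maps to HTTP/server@REALM rather than the keytab principal, which is why the user sees only "Kerberos authentication failed"; with the shared rules the browser is first sent to the FQDN.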
Committed in changeset 674
QA Verified on May 22, 2008 (Yi)
Build used: May 22, 2008 (x64)

The actual fix, as of today, is below:

server64[05/22/24 10:40] pwd
/etc/httpd/conf.d
server64[05/22/24 10:41] grep "RewriteRule" *
ipa-rewrite.conf:RewriteRule ^/$ https://server64.ipaqa.com/ipa/ui [L,NC,R=301]
ipa-rewrite.conf:RewriteRule ^/(.*) http://server64.ipaqa.com/$1 [L,R=301]
ipa-rewrite.conf:RewriteRule ^/(.*) https://server64.ipaqa.com/$1 [L,R=301,NC]