This service will be undergoing maintenance at 00:00 UTC, 2017-10-23 It is expected to last about 30 minutes
Bug 433054 - when a browser is pointed to the IP (or incomplete name) of the IPA server kerberos authentication fails
when a browser is pointed to the IP (or incomplete name) of the IPA server ke...
Status: CLOSED ERRATA
Product: freeIPA
Classification: Community
Component: ipa-server (Show other bugs)
1.0
All Linux
low Severity medium
: ---
: ---
Assigned To: Rob Crittenden
Chandrasekar Kannan
:
Depends On:
Blocks: 429034
  Show dependency treegraph
 
Reported: 2008-02-15 16:34 EST by Michael Gregg
Modified: 2015-01-04 18:30 EST (History)
1 user (show)

See Also:
Fixed In Version: freeipa-2.0.0-1.fc15
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2012-03-27 03:14:29 EDT
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---


Attachments (Terms of Use)
redirect users on both SSL and non-SSL ports (6.41 KB, patch)
2008-02-21 16:26 EST, Rob Crittenden
no flags Details | Diff

  None (edit)
Description Michael Gregg 2008-02-15 16:34:39 EST
Description of problem:
when a browser is pointed to the IP(or incomplete name) of the IPA server 
kerberos authentication fails

How reproducible:
point a fully configured ipa client at a IPA server, specifiying the IP of the 
server or the name of the server instead of the correct FQDN
ie. point it at https://server instead of https://
server.full.fqdn.seems.unessary.to.type.com

Actual results:
Kerberos authentication failed.

Expected results:
A web page suggesting that you goto the correct URL, or a error message better 
than "kerberos authentication failed". Something liek Kerberor authentication 
failed because server key name doesn't match URL in address bar.
Possibly the key gets created with the ip and shortened names defined within, 
so going to https://server or https://<ip of server> works.
Comment 1 Rob Crittenden 2008-02-15 19:27:10 EST
Can you attach your /etc/httpd/conf.d/ipa.conf?
Comment 2 Michael Gregg 2008-02-15 19:57:12 EST
client ipa.conf:
[defaults]
server = iparhel5-64vm.dsqa.sjc2.redhat.com
realm = DSQA.SJC2.REDHAT.COM


server ipa.conf:
[defaults]
server=iparhel5-64vm.dsqa.sjc2.redhat.com
realm=DSQA.SJC2.REDHAT.COM

client's resolv.conf:
search DSQA.SJC2.REDHAT.COM
nameserver 10.14.0.132

10.14.0.132 is the IP of the server. 

I can set up a test enviroment for you to try this yourself if you'd like.
Comment 3 Michael Gregg 2008-02-15 20:02:31 EST
I didn't really read your request did I?

/etc/httpd/conf.d/ipa.conf is:
# LoadModule auth_kerb_module modules/mod_auth_kerb.so

ProxyRequests Off

RewriteEngine on

# Redirect to the fully-qualified hostname. Not redirecting to secure
# port so configuration files can be retrieved without requiring SSL.
RewriteCond %{HTTP_HOST}    !^iparhel5-64vm.dsqa.sjc2.redhat.com$ [NC]
RewriteRule ^/(.*)          http://iparhel5-64vm.dsqa.sjc2.redhat.com/$1 [L,R=301]

# Redirect to the secure port if not displaying an error or retrieving
# configuration.
RewriteCond %{SERVER_PORT}  !^443$
RewriteCond %{REQUEST_URI}  !^/(errors|config|favicon.ico)
RewriteRule ^/(.*)          https://iparhel5-64vm.dsqa.sjc2.redhat.com/$1
[L,R=301,NC]

# This is required so the auto-configuration works with Firefox 2+
AddType application/java-archive        jar

<Proxy *>
  AuthType Kerberos
  AuthName "Kerberos Login"
  KrbMethodNegotiate on
  KrbMethodK5Passwd off
  KrbServiceName HTTP
  KrbAuthRealms DSQA.SJC2.REDHAT.COM
  Krb5KeyTab /etc/httpd/conf/ipa.keytab
  KrbSaveCredentials on
  Require valid-user
  ErrorDocument 401 /errors/unauthorized.html
  RewriteEngine on
  Order deny,allow
  Allow from all

  # We create a subrequest to find REMOTE_USER. Don't do this for every
  # subrequest too (slow and huge logs result)
  RewriteCond %{IS_SUBREQ}% false
  RewriteRule .* - [E=RU:%{LA-U:REMOTE_USER}]
  RequestHeader set X-Forwarded-User %{RU}e
  RequestHeader set X-Forwarded-Keytab %{KRB5CCNAME}e

  # RequestHeader unset Authorization
</Proxy>

# The URI's with a trailing ! are those that aren't handled by the proxy
ProxyPass /cgi-bin !
ProxyPass /errors !
ProxyPass /config !
ProxyPass /ipa !
#ProxyPass /ipatest !
ProxyPass / http://localhost:8080/
ProxyPassReverse /cgi-bin !
ProxyPassReverse /errors !
ProxyPassReverse /config !
ProxyPassReverse /ipa !
#ProxyPassReverse /ipatest !
ProxyPassReverse / http://localhost:8080/

# Configure the XML-RPC service

Alias /ipa "/usr/share/ipa/ipaserver/XMLRPC"
Alias /errors "/usr/share/ipa/html"
Alias /config "/usr/share/ipa/html"

<Directory "/usr/share/ipa/ipaserver">
  AuthType Kerberos
  AuthName "Kerberos Login"
  KrbMethodNegotiate on
  KrbMethodK5Passwd off
  KrbServiceName HTTP
  KrbAuthRealms DSQA.SJC2.REDHAT.COM
  Krb5KeyTab /etc/httpd/conf/ipa.keytab
  KrbSaveCredentials on
  Require valid-user
  ErrorDocument 401 /errors/unauthorized.html

  SetHandler mod_python
  PythonHandler ipaxmlrpc
  
  PythonDebug Off

  PythonOption IPADebug Off

  # this is pointless to use since it would just reload ipaxmlrpc.py
  PythonAutoReload Off
</Directory>

# Do no authentication on the directory that contains error messages
<Directory "/usr/share/ipa/html">
  AllowOverride None
  Satisfy Any
  Allow from all
</Directory>

# Protect our CGIs
<Directory /var/www/cgi-bin>
  AuthType Kerberos
  AuthName "Kerberos Login"
  KrbMethodNegotiate on
  KrbMethodK5Passwd off
  KrbServiceName HTTP
  KrbAuthRealms DSQA.SJC2.REDHAT.COM
  Krb5KeyTab /etc/httpd/conf/ipa.keytab
  KrbSaveCredentials on
  Require valid-user
  ErrorDocument 401 /errors/unauthorized.html
</Directory>

#Alias /ipatest "/usr/share/ipa/ipatest"

#<Directory "/usr/share/ipa/ipatest">
#  AuthType Kerberos
#  AuthName "Kerberos Login"
#  KrbMethodNegotiate on
#  KrbMethodK5Passwd off
#  KrbServiceName HTTP
#  KrbAuthRealms DSQA.SJC2.REDHAT.COM
#  Krb5KeyTab /etc/httpd/conf/ipa.keytab
#  KrbSaveCredentials on
#  Require valid-user
#  ErrorDocument 401 /errors/unauthorized.html
#
#  SetHandler mod_python
#  PythonHandler test_mod_python
#  
#  PythonDebug Off
#
#</Directory>
Comment 4 Rob Crittenden 2008-02-15 20:16:50 EST
Ok. We do name fixing when one goes to the http:// port but not https://. Some
more mod_rewrite rules are required.
Comment 5 Rob Crittenden 2008-02-21 16:26:02 EST
Created attachment 295559 [details]
redirect users on both SSL and non-SSL ports

make the rewrite rules a separate configuration that is included in ipa.conf
and mod_nss.conf
Comment 6 Rob Crittenden 2008-02-21 22:32:21 EST
Committed in changeset 674
Comment 7 Yi Zhang 2008-05-22 13:55:07 EDT
QA Verified on May 22, 2008 (Yi)

Build used: May 22, 2008 (x64)

The actual fix, as of today, is below:

server64[05/22/24 10:40] pwd
/etc/httpd/conf.d
server64[05/22/24 10:41] grep "RewriteRule" *
ipa-rewrite.conf:RewriteRule ^/$ https://server64.ipaqa.com/ipa/ui [L,NC,R=301]
ipa-rewrite.conf:RewriteRule ^/(.*)          http://server64.ipaqa.com/$1 [L,R=301]
ipa-rewrite.conf:RewriteRule ^/(.*)          https://server64.ipaqa.com/$1
[L,R=301,NC]

Note You need to log in before you can comment on or make changes to this bug.