490593 – If RHEL ES4 krb5 support credential delegation like windows 2003 AD

Bug 490593 - If RHEL ES4 krb5 support credential delegation like windows 2003 AD

Summary: If RHEL ES4 krb5 support credential delegation like windows 2003 AD

Keywords:
Status:	CLOSED NOTABUG
Alias:	None
Product:	Red Hat Enterprise Linux 4
Classification:	Red Hat
Component:	krb5
Sub Component:
Version:	4.6
Hardware:	All
OS:	Linux
Priority:	low
Severity:	medium
Target Milestone:	rc
Target Release:	---
Assignee:	Nalin Dahyabhai
QA Contact:	BaseOS QE
Docs Contact:
URL:
Whiteboard:
Depends On:
Blocks:
TreeView+	depends on / blocked

Reported:	2009-03-17 07:26 UTC by JackQA
Modified:	2009-03-17 18:04 UTC (History)
CC List:	2 users (show)
Fixed In Version:
Doc Type:	Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed:	2009-03-17 18:04:22 UTC
Target Upstream Version:
Embargoed:

Attachments	(Terms of Use)

Description JackQA 2009-03-17 07:26:51 UTC

Description of problem:
I want to enable credential delegation in RHEL ES4 krb5 just like in Windows 2003 Active Directory server Delegation tab, but I can not find the way to configure it. If RHEL ES 4 support credential delegation in RHEL ES4 and how to configure and enable it?

Version-Release number of selected component (if applicable):
#cat /etc/issue
Red Hat Enterprise Linux ES release 4 (Nahant Update 6)
Kernel \r on an \m
#uname -a
Linux linuxclient 2.6.9-67.ELsmp #1 SMP Wed Nov 7 13:58:04 EST 2007 i686 i686 i386 GNU/Linux

How reproducible:


Steps to Reproduce:
For RHEL ES4, Firefox version is 1.5.0.12, I configures following steps to enable SPNEGO, but when I browse our server, server log will always show credential delegation error.
1.Edit /etc/krb5.conf and specify the kerberos realm and kdc. And run command #system-config-authentication to select kerberos authentication and input kerver kdc settings.
2.Open Firefox and go to the about:config URL and change:
  network.negotiate-auth.trusted-uris to include the web server's domain name (eg. "office.lan')
  network.negotiate-auth.using-native-gsslib to false
  network.negotiate-auth.gsslib to '/usr/lib/libgssapi_krb5.so.2' 
3.Then close Firefox and run kinit to get TGT, then open firefox again, browse server, the server log will show credential delegation error and firefox will show This request requires HTTP authentication().
  
Actual results:


Expected results:
There need no login, and I could access web page directly.

Additional info:

Comment 1 Nalin Dahyabhai 2009-03-17 18:04:22 UTC

To have the web server authenticate clients using Kerberos, you need to install and configure the mod_auth_kerb package.

The default configuration file (/etc/httpd/conf.d/auth_kerb.conf) included in the package includes a commented-out example configuration, and you'll also need to create a keytab file which the httpd process can read and which contains the key for the service.  Running all of this over SSL is strongly recommended.

This appears to be a support request, and as bugzilla is not an avenue for technical assistance or support, I'm going to close this and mark it as not-a-bug.  The welcome section at http://bugzilla.redhat.com/ suggests some alternate avenues for support; I encourage you to ask there.

Note You need to log in before you can comment on or make changes to this bug.