Bug 490593 - If RHEL ES4 krb5 support credential delegation like windows 2003 AD
Product: Red Hat Enterprise Linux 4
Classification: Red Hat
Component: krb5
Hardware: All Linux
Priority: low, Severity: medium
Target Milestone: rc
Assigned To: Nalin Dahyabhai
Reported: 2009-03-17 03:26 EDT by JackQA
Modified: 2009-03-17 14:04 EDT (History)
Doc Type: Bug Fix
Last Closed: 2009-03-17 14:04:22 EDT

Description JackQA 2009-03-17 03:26:51 EDT
Description of problem:
I want to enable credential delegation in RHEL ES4 krb5 just like in the Windows 2003 Active Directory server Delegation tab, but I cannot find the way to configure it. Does RHEL ES 4 support credential delegation, and if so, how do I configure and enable it?

Version-Release number of selected component (if applicable):
#cat /etc/issue
Red Hat Enterprise Linux ES release 4 (Nahant Update 6)
Kernel \r on an \m
#uname -a
Linux linuxclient 2.6.9-67.ELsmp #1 SMP Wed Nov 7 13:58:04 EST 2007 i686 i686 i386 GNU/Linux

How reproducible:

Steps to Reproduce:
For RHEL ES4, Firefox version is, I configured the following steps to enable SPNEGO, but when I browse our server, the server log always shows a credential delegation error.
1. Edit /etc/krb5.conf and specify the Kerberos realm and KDC. Then run the command #system-config-authentication to select Kerberos authentication and input the Kerberos KDC settings.
2. Open Firefox, go to the about:config URL and change:
  network.negotiate-auth.trusted-uris to include the web server's domain name (e.g. "office.lan")
  network.negotiate-auth.using-native-gsslib to false
  network.negotiate-auth.gsslib to '/usr/lib/libgssapi_krb5.so.2'
3. Then close Firefox and run kinit to get a TGT, then open Firefox again and browse the server; the server log will show a credential delegation error and Firefox will show "This request requires HTTP authentication()."
Actual results:

Expected results:
No login should be needed, and I could access the web page directly.

Additional info:
Comment 1 Nalin Dahyabhai 2009-03-17 14:04:22 EDT
To have the web server authenticate clients using Kerberos, you need to install and configure the mod_auth_kerb package.

The default configuration file (/etc/httpd/conf.d/auth_kerb.conf) included in the package includes a commented-out example configuration, and you'll also need to create a keytab file which the httpd process can read and which contains the key for the service.  Running all of this over SSL is strongly recommended.

This appears to be a support request, and as bugzilla is not an avenue for technical assistance or support, I'm going to close this and mark it as not-a-bug.  The welcome section at http://bugzilla.redhat.com/ suggests some alternate avenues for support; I encourage you to ask there.
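
The mod_auth_kerb setup described in comment 1 could look like the following. This is an added example, not part of the original comment and not the package's shipped auth_kerb.conf; the realm EXAMPLE.COM, host www.example.com, location /protected and the keytab path are placeholders.

```apache
# Constructed example; realm, host name, location and keytab path are placeholders.
<Location /protected>
    # Refuse plain HTTP so the Negotiate exchange only travels over SSL
    SSLRequireSSL

    AuthType Kerberos
    AuthName "Kerberos Login"

    # Accept SPNEGO (Negotiate) tickets from the browser
    KrbMethodNegotiate On
    # Do not fall back to asking for a Kerberos password over Basic auth
    KrbMethodK5Passwd Off

    KrbAuthRealms EXAMPLE.COM
    # Keytab holding the key for HTTP/www.example.com@EXAMPLE.COM;
    # it should be readable by the httpd user only
    Krb5KeyTab /etc/httpd/conf/httpd.keytab

    # Off: authenticate only. On stores credentials the client delegated
    # in a credential cache for the application, so enable it only when
    # the application must act as the user against another service.
    KrbSaveCredentials Off

    Require valid-user
</Location>
```

Delegation also depends on the client: Firefox forwards credentials only to hosts listed in network.negotiate-auth.delegation-uris, and the TGT must be forwardable (kinit -f). Keeping that list as narrow as trusted-uris limits which servers ever receive a forwarded ticket.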
