Bug 970547 - Document that when running web services on IPA clients with Kerberos authentication, mod_auth_kerb returns Kerberos principal as logged user name
Status: CLOSED CURRENTRELEASE
Product: Red Hat Enterprise Linux 6
Classification: Red Hat
Component: doc-Identity_Management_Guide (Show other bugs)
Version: 6.4
Hardware: Unspecified
OS: Unspecified
Priority: unspecified
Severity: unspecified
Target Milestone: rc
Target Release: ---
Assigned To: Deon Ballard
QA Contact: ecs-bugs
Keywords: Documentation, Reopened
Reported: 2013-06-04 05:55 EDT by Jan Pazdziora
Modified: 2014-07-29 16:25 EDT (History)
Doc Type: Bug Fix
Doc Text:
Clones: 970678
Last Closed: 2014-07-29 16:25:48 EDT
Type: Bug
Description Jan Pazdziora 2013-06-04 05:55:57 EDT
Description of problem:

When you have a web service using normal basic authentication, your logins will look like "alice" and "bob". When you then enable mod_auth_kerb on that httpd server, the logged-in user will be "alice@REALM.COM" and "bob@REALM.COM". These are completely different users in that web application's database, so after using SPNEGO, people will not see their data.

It is necessary to use a

   KrbLocalUserMapping On

directive which is undocumented anywhere in the mod_auth_kerb documentation beyond one line in the Changes file in the mod_auth_kerb-5.4.tar.gz:

   *implemented KrbLocalUserMapping i.e. to strip @REALM from username for further use

Version-Release number of selected component (if applicable):

Uncertain.

How reproducible:

Deterministic.

Steps to Reproduce:
1. Enable mod_auth_kerb on your web service on IPA client based on some documentation.

Actual results:

That documentation will not mention KrbLocalUserMapping.

Expected results:

That documentation should mention KrbLocalUserMapping.

Additional info:
Comment 4 Rob Crittenden 2013-06-04 10:18:52 EDT
Where do you propose documenting this? Is this more appropriate for mod_auth_kerb in the man page, for example?
Comment 5 Alexander Bokovoy 2013-06-04 10:34:20 EDT
I'm not decided on it. On one hand, we should definitely have added Krb5LocalUserMapping to the list of documented options in mod_auth_kerb. On the other, the particular behavior of forcing trusted AD users to have fully qualified names (name@realm) as local names is our design decision in FreeIPA and SSSD.
Comment 6 Jan Pazdziora 2013-06-04 10:55:24 EDT
For the basic documentation of that directive, I've not filed bug 970678 against mod_auth_kerb. This bugzilla should probably be used for whatever general documentation IPA has, plus for the AD user behaviour in FreeIPA/SSSD.
Comment 7 Jan Pazdziora 2013-06-04 10:55:37 EDT
For the basic documentation of that directive, I've now filed bug 970678 against mod_auth_kerb. This bugzilla should probably be used for whatever general documentation IPA has, plus for the AD user behaviour in FreeIPA/SSSD.
Comment 8 Martin Kosek 2013-06-06 06:11:10 EDT
Thanks both for the discussion. Having a bug against mod_auth_kerb to document the option is a good step.

From the IPA side, I would just update our guide, particularly section "8.7. Using Trust with Kerberized Web Applications" in
https://access.redhat.com/site/documentation/en-US/Red_Hat_Enterprise_Linux/6/html-single/Identity_Management_Guide/index.html
and state that the user credential will be in the form of a full principal, i.e. "user@REALM", and point users to the KrbLocalUserMapping directive if they want to have just "user".

Moving to IPA doc guide component.
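As an added illustration of the mismatch described in the report and in comment 8 (this is not code from the bug report, from mod_auth_kerb or from IPA), the mapping a web application has to apply to REMOTE_USER when mod_auth_kerb hands it a full principal: strip only the host's own IPA realm (the effect of KrbLocalUserMapping On), keep trusted AD users fully qualified as SSSD presents them, and deny anything from an unknown realm rather than collapsing it onto a local account. The realm names, the lowercase "user@domain" form for AD users and the sample account table are assumptions.

```python
# Added example, not code from the bug report, mod_auth_kerb or IPA.
# Realm names, the SSSD-style lowercase "user@domain" form for trusted
# AD users and the account table below are assumptions for illustration.

LOCAL_REALM = "IPA.EXAMPLE.COM"          # realm of the IPA client running httpd
TRUSTED_AD_REALMS = {"AD.EXAMPLE.COM"}   # realms reachable through an IPA trust


def map_remote_user(remote_user, local_realm=LOCAL_REALM,
                    trusted_realms=TRUSTED_AD_REALMS):
    """Turn a REMOTE_USER value into the login the application stores.

    "alice"                 -> "alice"   (basic auth, nothing to do)
    "alice@IPA.EXAMPLE.COM" -> "alice"   (own realm stripped, what
                                          KrbLocalUserMapping On does)
    "bob@AD.EXAMPLE.COM"    -> "bob@ad.example.com"  (trusted AD user stays
                                          fully qualified, as SSSD presents it)
    anything else           -> None      (unknown realm: deny instead of
                                          mapping it onto a local account)
    """
    if "@" not in remote_user:
        return remote_user
    name, realm = remote_user.rsplit("@", 1)   # split on the last "@" only
    if not name or not realm:
        return None
    if realm.upper() == local_realm.upper():
        return name
    if realm.upper() in {r.upper() for r in trusted_realms}:
        return "%s@%s" % (name, realm.lower())
    return None


# Constructed account table as the application created it under basic auth.
ACCOUNTS = {"alice": {"uid": 1001}, "bob@ad.example.com": {"uid": 2001}}


def find_account(remote_user, accounts=ACCOUNTS):
    """Look up the account for REMOTE_USER; None means 'unknown user'."""
    login = map_remote_user(remote_user)
    return accounts.get(login) if login else None


if __name__ == "__main__":
    # The symptom from the bug: the raw principal matches no existing account.
    print(ACCOUNTS.get("alice@IPA.EXAMPLE.COM"))      # None
    print(find_account("alice@IPA.EXAMPLE.COM"))      # {'uid': 1001}
    print(find_account("bob@AD.EXAMPLE.COM"))         # {'uid': 2001}
    print(find_account("alice@OTHER.EXAMPLE.COM"))    # None
```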
Comment 9 Ann Marie Rubin 2013-06-18 09:20:07 EDT
This has no impact on the IPA documentation (per Deon Lackey). Jan Pazdziora has filed a bug for the kerb team to update the man page.
Comment 10 Jan Pazdziora 2013-12-16 04:36:12 EST
Is it correct that this bugzilla was NOTABUGed? I thought we'd be adding information about the credential format and about the KrbLocalUserMapping directive per comment 8. When was the decision made not to amend the Guide?
Comment 11 Dmitri Pal 2013-12-18 20:33:18 EST
I am not sure why it is closed. Comment 8 clearly states what needs to be done. Reopening.
Comment 13 Martin Kosek 2014-02-24 11:06:34 EST
Removing needinfo? flag. This was obviously an oversight on my side. Deon is taking care of the rest.
Comment 14 Deon Ballard 2014-07-29 16:23:00 EDT
Mass closure. These bugs were live in RHEL 6.5.