Description
Jan Pazdziora (Red Hat)
2013-06-04 09:55:57 UTC
Description of problem:
When you have a web service using normal basic authentication, your logins will look like "alice" and "bob". When you then enable mod_auth_kerb on that httpd server, the logged-in user will be "alice" and "bob", which are completely different users in that web application's database, so after using SPNEGO, people will not see their data.
It is necessary to use a
KrbLocalUserMapping On
directive, which is undocumented anywhere in the mod_auth_kerb documentation beyond one line in the Changes file in mod_auth_kerb-5.4.tar.gz:
*implemented KrbLocalUserMapping i.e. to strip @REALM from username for further use
Version-Release number of selected component (if applicable):
Uncertain.
How reproducible:
Deterministic.
Steps to Reproduce:
1. Enable mod_auth_kerb on your web service on IPA client based on some documentation.
Actual results:
That documentation will not mention KrbLocalUserMapping.
Expected results:
That documentation should mention KrbLocalUserMapping.
Additional info:
Where do you propose documenting this? Is this more appropriate for mod_auth_kerb in the man page, for example?
Comment 5 by Alexander Bokovoy
2013-06-04 14:34:20 UTC
I'm not decided on it. On one hand, we should definitely have added Krb5LocalUserMapping to the list of documented options in mod_auth_kerb. On the other, the particular behavior of forcing trusted AD users to have fully qualified names (name@realm) as local names is our design decision in FreeIPA and SSSD.
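The two mapping choices discussed above, as an added example that is not code from the bug report, mod_auth_kerb, FreeIPA or SSSD: a model of what the Changes entry describes for KrbLocalUserMapping (strip "@REALM"), and an application-side mapping that strips the realm only for realms you treat as local so a trusted AD user "alice@AD.EXAMPLE.COM" cannot collide with the local "alice". The realm names are constructed placeholders; the real module delegates the mapping to the Kerberos library's local-name rules, so its exact result depends on krb5.conf.

```python
# Added example; not the module's code. Models the realm-stripping
# behaviour described for KrbLocalUserMapping and a stricter variant.

def krb_local_user_mapping(remote_user: str) -> str:
    """Model of KrbLocalUserMapping On: drop '@REALM' if present."""
    name, sep, _realm = remote_user.rpartition("@")
    return name if sep else remote_user


def naive_collisions(principals):
    """Bare names that more than one distinct principal is stripped to.

    This is the risk of unconditional stripping when several realms
    (e.g. IPA plus a trusted AD forest) can authenticate to the same app.
    """
    seen = {}
    for principal in principals:
        seen.setdefault(krb_local_user_mapping(principal), set()).add(principal)
    return {name for name, sources in seen.items() if len(sources) > 1}


# Constructed placeholder: realms whose users match the basic-auth logins.
LOCAL_REALMS = frozenset({"IPA.EXAMPLE.COM"})


def map_principal(remote_user: str, local_realms=LOCAL_REALMS) -> str:
    """Map REMOTE_USER to the web app's account name.

    Principals from a local realm become the bare username, matching the
    pre-existing "alice"/"bob" accounts. Anything else, such as trusted AD
    users, keeps the fully qualified name@REALM form, which is the FreeIPA
    and SSSD behaviour described in the thread. Realms compare exactly,
    since Kerberos realm names are case-sensitive.
    """
    name, sep, realm = remote_user.rpartition("@")
    if not sep or not name or not realm:
        raise ValueError(f"not a Kerberos principal: {remote_user!r}")
    if realm in local_realms:
        return name
    return remote_user


if __name__ == "__main__":
    users = ["alice@IPA.EXAMPLE.COM", "alice@AD.EXAMPLE.COM", "bob@IPA.EXAMPLE.COM"]
    print("naive stripping collides on:", naive_collisions(users))
    for u in users:
        print(f"{u:25} -> {map_principal(u)}")
```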
Comment 6 by Jan Pazdziora (Red Hat)
2013-06-04 14:55:24 UTC
For the basic documentation of that directive, I've not filed bug 970678 against mod_auth_kerb. This bugzilla should probably be used for whatever general documentation IPA has, plus for the AD user behaviour in FreeIPA/SSSD.
Comment 7 by Jan Pazdziora (Red Hat)
2013-06-04 14:55:37 UTC
For the basic documentation of that directive, I've now filed bug 970678 against mod_auth_kerb. This bugzilla should probably be used for whatever general documentation IPA has, plus for the AD user behaviour in FreeIPA/SSSD.
Thanks both for the discussion. Having a bug against mod_auth_kerb to document the option is a good step.
From IPA side, I would just update our guide, particularly section "8.7. Using Trust with Kerberized Web Applications" in
https://access.redhat.com/site/documentation/en-US/Red_Hat_Enterprise_Linux/6/html-single/Identity_Management_Guide/index.html
and state that the user credential will be in the form of a full principal, i.e. "user@REALM", and point users to the KrbLocalUserMapping directive if they want to have just "user".
Moving to IPA doc guide component.
This has no impact on the IPA documentation (per Deon Lackey)
Jan Pazdziora has filed a bug for the kerb team to update the man page.
Comment 10 by Jan Pazdziora (Red Hat)
2013-12-16 09:36:12 UTC
Is it correct that this bugzilla was NOTABUGed? I thought we'd be adding information about the credential format and about the KrbLocalUserMapping directive per comment 8. When was the decision made not to amend the Guide?