Hey folks!
I have a Kerberos issue when using s4u2proxy with mod_auth_gssapi and IPA, and I don't
know where to look.
Basically, I've set up delegation in IPA (with servicedelegationrules and targets) and
in Apache's config for mod_auth_gssapi, but the directory where the CCaches are
supposed to be created remains empty (GssapiDelegCcacheDir).
In the apache log I only see:
GSS ERROR gss_acquire_cred[_from]() failed to get server creds: [Unspecified GSS
failure. Minor code may provide more information ( SPNEGO cannot find mechanisms to
negotiate)]
For context, the webapp running in Apache is delegating for IPA's ldap service, and if
I contact it directly with ldapwhoami I get the right result, so it's really the
delegation I think.
Also, the webapp is running in OpenShift, but that should not be a big issue (except for
debugging) because I've already made it work elsewhere.
I have keytabs for the host and the HTTP service:
$ klist -k /etc/krb5.keytab
Keytab name: FILE:/etc/krb5.keytab
KVNO Principal
---- --------------------------------------------------------------------------
1 host/fasjson.stg.fedoraproject.org@STG.FEDORAPROJECT.ORG
1 host/fasjson.stg.fedoraproject.org@STG.FEDORAPROJECT.ORG
$ klist -k /etc/keytabs/http
Keytab name: FILE:/etc/keytabs/http
KVNO Principal
---- --------------------------------------------------------------------------
1 HTTP/fasjson.stg.fedoraproject.org@STG.FEDORAPROJECT.ORG
1 HTTP/fasjson.stg.fedoraproject.org@STG.FEDORAPROJECT.ORG
And the section in Apache's config file is:
AuthType GSSAPI
AuthName "Kerberos Login"
GssapiUseSessions On
Session On
SessionCookieName ipa_session path=/;httponly;secure;
SessionHeader IPASESSION
GssapiSessionKey file:/httpdir/run/session.key
GssapiCredStore keytab:/etc/keytabs/httpd
GssapiImpersonate On
GssapiDelegCcacheDir /httpdir/run/ccaches
GssapiDelegCcachePerms mode:0660
GssapiUseS4U2Proxy on
GssapiAllowedMech krb5
Here's what I'm seeing. When I'm authenticated with kerberos:
$ klist
Ticket cache: KEYRING:persistent:1000290000:1000290000
Default principal: abompard@STG.FEDORAPROJECT.ORG
Valid starting Expires Service principal
09/02/20 12:55:59 09/03/20 12:55:47 krbtgt/STG.FEDORAPROJECT.ORG@STG.FEDORAPROJECT.ORG
and I contact the web app with curl:
curl --negotiate -u : https://fasjson.stg.fedoraproject.org/v1/
I get a 401 response with the log pasted above. The /httpdir/run/ccaches/ directory
remains empty, but I do get the service's entry in klist:
$ klist
Ticket cache: KEYRING:persistent:1000290000:1000290000
Default principal: abompard@STG.FEDORAPROJECT.ORG
Valid starting Expires Service principal
09/02/20 12:57:12 09/03/20 12:55:47 HTTP/fasjson.stg.fedoraproject.org@STG.FEDORAPROJECT.ORG
09/02/20 12:55:59 09/03/20 12:55:47 krbtgt/STG.FEDORAPROJECT.ORG@STG.FEDORAPROJECT.ORG
I don't know what I'm doing wrong and where I could dig. Could you point me in the
right direction? I'm also on IRC in the freeipa channel as abompard.
Thanks!
Aurélien
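An added example, not part of the original post: a small static consistency check of the mod_auth_gssapi directives against the keytabs actually present on the host, the kind of check worth running before digging into KDC logs. The config fragment and keytab listings below are constructed from the values quoted in the post; the check function name and the rules it encodes (the GssapiCredStore keytab must exist and hold an HTTP/<fqdn> principal, and GssapiUseS4U2Proxy needs a GssapiDelegCcacheDir) are this example's own assumptions.

```python
import re

# Constructed sample input: the GSSAPI directives quoted in the post.
APACHE_CONFIG = """
AuthType GSSAPI
GssapiCredStore keytab:/etc/keytabs/httpd
GssapiImpersonate On
GssapiDelegCcacheDir /httpdir/run/ccaches
GssapiUseS4U2Proxy on
GssapiAllowedMech krb5
"""

# Constructed sample input: principals per keytab, as 'klist -k' listed them.
KEYTABS = {
    "/etc/krb5.keytab": ["host/fasjson.stg.fedoraproject.org@STG.FEDORAPROJECT.ORG"],
    "/etc/keytabs/http": ["HTTP/fasjson.stg.fedoraproject.org@STG.FEDORAPROJECT.ORG"],
}


def parse_directives(config):
    """Return {directive_lowercase: value} for each non-comment config line."""
    out = {}
    for line in config.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        out[parts[0].lower()] = parts[1].strip() if len(parts) > 1 else ""
    return out


def check_delegation_setup(config, keytabs, fqdn):
    """Return a list of findings; an empty list means the static prerequisites agree."""
    d = parse_directives(config)
    findings = []
    m = re.search(r"keytab:(\S+)", d.get("gssapicredstore", ""))
    if not m:
        return ["GssapiCredStore does not name a keytab"]
    path = m.group(1)
    if path not in keytabs:
        # The path Apache will open must be one that actually exists on the host.
        findings.append(f"GssapiCredStore keytab {path} not found; present: {sorted(keytabs)}")
    elif not any(p.startswith(f"HTTP/{fqdn}@") for p in keytabs[path]):
        findings.append(f"{path} has no HTTP/{fqdn} principal")
    if d.get("gssapiuses4u2proxy", "").lower() == "on" and "gssapidelegccachedir" not in d:
        findings.append("GssapiUseS4U2Proxy on but no GssapiDelegCcacheDir set")
    return findings


if __name__ == "__main__":
    for f in check_delegation_setup(APACHE_CONFIG, KEYTABS, "fasjson.stg.fedoraproject.org"):
        print("FINDING:", f)
```

On the constructed input this reports that /etc/keytabs/httpd is not among the keytabs listed, which is the one place where the quoted config and the quoted klist output disagree.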