Hey folks!
I have a Kerberos issue when using s4u2proxy with mod_auth_gssapi and IPA, and I don't know where to look.
Basically, I've set up delegation in IPA (with servicedelegationrules and targets) and in Apache's config for mod_auth_gssapi, but the directory where the CCaches are supposed to be created remains empty (GssapiDelegCcacheDir).
In the Apache log I only see:
    GSS ERROR gss_acquire_cred[_from]() failed to get server creds: [Unspecified GSS failure. Minor code may provide more information ( SPNEGO cannot find mechanisms to negotiate)]
For context, the webapp running in Apache is delegating for IPA's ldap service, and if I contact it directly with ldapwhoami I get the right result, so it's really the delegation, I think. Also, the webapp is running in OpenShift, but that should not be a big issue (besides for debugging) because I've already made it work elsewhere.
I have keytabs for the host and the HTTP service:
    $ klist -k /etc/krb5.keytab
    Keytab name: FILE:/etc/krb5.keytab
    KVNO Principal
    ---- --------------------------------------------------------------------------
       1 host/fasjson.stg.fedoraproject.org@STG.FEDORAPROJECT.ORG
       1 host/fasjson.stg.fedoraproject.org@STG.FEDORAPROJECT.ORG
    $ klist -k /etc/keytabs/http
    Keytab name: FILE:/etc/keytabs/http
    KVNO Principal
    ---- --------------------------------------------------------------------------
       1 HTTP/fasjson.stg.fedoraproject.org@STG.FEDORAPROJECT.ORG
       1 HTTP/fasjson.stg.fedoraproject.org@STG.FEDORAPROJECT.ORG
And the section in Apache's config file is:
    AuthType GSSAPI
    AuthName "Kerberos Login"
    GssapiUseSessions On
    Session On
    SessionCookieName ipa_session path=/;httponly;secure;
    SessionHeader IPASESSION
    GssapiSessionKey file:/httpdir/run/session.key
    GssapiCredStore keytab:/etc/keytabs/httpd
    GssapiImpersonate On
    GssapiDelegCcacheDir /httpdir/run/ccaches
    GssapiDelegCcachePerms mode:0660
    GssapiUseS4U2Proxy on
    GssapiAllowedMech krb5
Here's what I'm seeing. When I'm authenticated with Kerberos:
    $ klist
    Ticket cache: KEYRING:persistent:1000290000:1000290000
    Default principal: abompard@STG.FEDORAPROJECT.ORG
    Valid starting     Expires            Service principal
    09/02/20 12:55:59  09/03/20 12:55:47  krbtgt/STG.FEDORAPROJECT.ORG@STG.FEDORAPROJECT.ORG
and I contact the web app with curl:
    curl --negotiate -u : https://fasjson.stg.fedoraproject.org/v1/
I get a 401 response with the log pasted above. The /httpdir/run/ccaches/ directory remains empty, but I do get the service's entry in klist:
    $ klist
    Ticket cache: KEYRING:persistent:1000290000:1000290000
    Default principal: abompard@STG.FEDORAPROJECT.ORG
    Valid starting     Expires            Service principal
    09/02/20 12:57:12  09/03/20 12:55:47  HTTP/fasjson.stg.fedoraproject.org@STG.FEDORAPROJECT.ORG
    09/02/20 12:55:59  09/03/20 12:55:47  krbtgt/STG.FEDORAPROJECT.ORG@STG.FEDORAPROJECT.ORG
I don't know what I'm doing wrong and where I could dig. Could you point me in the right direction? I'm also on IRC in the freeipa channel as abompard.
Thanks!
Aurélien
For interested parties (and archives) part of the issue was this: https://github.com/gssapi/mod_auth_gssapi/issues/228
I am adding some logging to mod_auth_gssapi to make this kind of error more readily discoverable from the apache error log.
Simo.
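A small pre-flight check for the situation in this thread, added here as an example and not code from the thread, mod_auth_gssapi or FreeIPA: the keytab listed above lives at /etc/keytabs/http while the GssapiCredStore directive names /etc/keytabs/httpd, and mod_auth_gssapi reports a missing or unreadable keytab only as the generic "SPNEGO cannot find mechanisms to negotiate". The script below pulls every keytab: path out of an Apache config, verifies it exists and is readable by the user running it, and, when klist is on PATH, that it contains the expected service principal. The config path and principal pattern are arguments; the functions are my own names.

```sh
#!/bin/sh
# Added diagnostic (not from the thread): verify that every keytab named by a
# "GssapiCredStore keytab:<path>" directive exists, is readable by the caller,
# and (when klist is available) holds the expected service principal.

# List the keytab paths referenced by GssapiCredStore directives in config $1.
credstore_keytabs() {
    grep -o 'keytab:[^[:space:]]*' "$1" | sed 's/^keytab://'
}

# Check one keytab. $1 = path, $2 = principal pattern to expect (e.g.
# "HTTP/fasjson.stg.fedoraproject.org"); pass "" to skip the klist check.
# Returns 0 ok, 1 missing, 2 unreadable, 3 principal not found.
check_keytab() {
    path=$1 want=$2
    [ -e "$path" ] || { echo "MISSING      $path"; return 1; }
    [ -r "$path" ] || { echo "UNREADABLE   $path (running as $(id -un))"; return 2; }
    if [ -n "$want" ] && command -v klist >/dev/null 2>&1; then
        klist -k "$path" 2>/dev/null | grep -q -- "$want" ||
            { echo "NO-PRINCIPAL $want not in $path"; return 3; }
    fi
    echo "OK           $path"
}

# Check every keytab in config $1 against principal pattern $2.
# Returns 0 only if all referenced keytabs pass.
check_config() {
    rc=0
    for kt in $(credstore_keytabs "$1"); do
        check_keytab "$kt" "$2" || rc=1
    done
    return $rc
}

# Usage: sh check_credstore.sh /etc/httpd/conf.d/app.conf HTTP/fasjson.stg.fedoraproject.org
# Run it as the apache user (e.g. via sudo -u apache) so the readability
# check reflects what httpd itself will see.
if [ $# -eq 2 ]; then
    check_config "$1" "$2"
fi
```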
On Wed, 2020-09-02 at 13:00 +0000, Aurelien Bompard via FreeIPA-users wrote: