GSS-Proxy Question with respect to gssproxy and mod_auth_gssapi
by Jason Keltz
Hi.
I've been trying to get gssproxy working with httpd and mod_auth_gssapi
on CentOS 7.8, albeit not with the httpd from CentOS but with a later
2.4.39.
I set up the httpd keytab. I set up mod_auth_gssapi and was able to
access my page with Kerberos auth, no problem at all.
Next, I wanted to get things working with gssproxy.
I created /etc/gssproxy/80-httpd.conf
[service/HTTP]
mechs = krb5
cred_store = keytab:/xconf/httpd/keytab/httpd-www-svc.keytab
cred_store = ccache:/var/lib/gssproxy/clients/krb5cc_%U
euid = www
My web user is "www".
My keytab file is in the given location. I changed its permissions to 600,
owned by root.
I added to the Service section of /etc/systemd/system/httpd.service:
Environment=GSS_USE_PROXY=yes
I restarted httpd and gssproxy.
My test protected page is under a .htaccess as follows:
AuthType GSSAPI
AuthName "GSSAPI Login"
GssapiBasicAuth On
GssapiLocalName on
Require valid-user
When I visit the page and I don't have a ticket, I get prompted for my
username and password. Access is denied.
When I visit my page Apache outputs:
[Thu Oct 15 15:04:12.311614 2020] [auth_gssapi:error] [pid 28584:tid 139953556141824] [client 130.63.97.125:57910] GSS ERROR gss_acquire_cred[_from]() failed to get server creds: [Unspecified GSS failure. Minor code may provide more information (Keytab FILE:/etc/krb5.keytab is nonexistent or empty)]
... so I know that it's not really using gssproxy because if it was, it
wouldn't be looking at /etc/krb5.keytab.
I enabled debugging on gssproxy, level 3, but when I access the page,
gssproxy doesn't log anything. This is printed when I start gssproxy
and doesn't change:
[2020/10/15 23:23:26]: Service: HTTP, Keytab: /xconf/httpd/keytab/httpd-www-svc.keytab, Enctype: 23
[2020/10/15 23:23:26]: Service: nfs-server, Keytab: /etc/krb5.keytab, Enctype: 17
[2020/10/15 23:23:26]: Service: nfs-client, Keytab: /etc/krb5.keytab, Enctype: 17
[2020/10/15 23:23:26]: Debug Enabled (level: 3)
[2020/10/15 23:23:26]: Problem with kernel communication! NFS server will not work
[2020/10/15 23:23:26]: Failed to get peer's SELinux context (92:Protocol not available)
[2020/10/15 23:23:26]: Client connected (fd = 10)
[2020/10/15 23:23:26]: (pid = 24902) (uid = 0) (gid = 0)[2
I assume the "Problem with kernel communication" error is just because
there is no nfs-server running here, but the gssproxy file exists.
Of course, if I go back and insert into the .htaccess:
GssapiCredStore keytab:/xconf/httpd/keytab/httpd-www-svc.keytab
... and I make the file readable by "www", then it works, but that, of
course, isn't using gssproxy either.
I read a bug report on Red Hat about there being an issue with using
"GssapiLocalName on", so I removed that, and it didn't make a difference.
So what is the magic bit that I'm missing to tell httpd to actually use
gssproxy? I thought the only thing was GSS_USE_PROXY=yes.
Does the application itself need to be aware of gssproxy, or is that
hidden from the application?
I even tried adding to the httpd.service:
Environment=KRB5_TRACE=/tmp/log
... hoping this would give me *something* but the file didn't even get
created.
Any feedback that you can provide would be helpful.
Jason.
3 years, 4 months
gssproxy with ~user
by daudel@daudel.com
Hello,
I work in a student environment and we use FreeIPA. The workstations run
Fedora 31.
All profiles (home directories) are stored on a Kerberised, encrypted NFS
share.
Students have personal web pages on the NFS share at ~student_name1,
~student_name2, ...
The local httpd needs a TGT somewhere, and I suppose gssproxy is the right
approach.
I have tried a lot of things with gssproxy to allow the local httpd to access
the pages, with no real success.
Here is "the best" I had, but it's not very usable.
I suppose there is a nicer way?
Thank you very much
The file is for automatic deployment: gssproxy part + sudo part for
students.
I set up an IPA account apache 48/48.
#!/usr/bin/bash
# Obtain IPA admin credentials (the admin password is embedded here in the
# original script).
kinit_admin(){
kinit admin <<EOF
xxxxxxx
EOF
}
apache_nfs(){
# A - gssproxy part
# Fetch a keytab for the "apache" IPA account from the IPA server named in
# /etc/ipa/default.conf.
kinit_admin
rm -f /etc/gssproxy/httpd.keytab
ipa-getkeytab -s "$( awk '/^server/ { print $3 }' /etc/ipa/default.conf )" \
    -k /etc/gssproxy/httpd.keytab -p apache@MYDOMAIN.FR
kdestroy
#
# 80-httpd.conf: gssproxy service section for httpd (uid 48)
#
cat >/etc/gssproxy/80-httpd.conf <<ESC
[service/apache]
mechs = krb5
cred_store = ccache:FILE:/var/lib/gssproxy/clients/krb5cc_48
cred_store = client_keytab:/etc/gssproxy/httpd.keytab
euid = 48
ESC
# systemd drop-in so httpd's GSSAPI calls go through gssproxy
mkdir -p /etc/systemd/system/httpd.service.d
cat >/etc/systemd/system/httpd.service.d/48-httpd.conf <<ESC
[Service]
Environment=GSS_USE_PROXY=1
ESC
/usr/bin/systemctl daemon-reload
/usr/bin/systemctl restart httpd
# B - sudo part
#
# sudo script gsproxy.sh in /usr/bin (\$ is escaped so it expands when the
# script runs, not when this heredoc is written)
#
cat >/usr/bin/gsproxy.sh <<ESC
#!/usr/bin/bash
/usr/bin/kinit \$(/usr/bin/logname)
if [ \$? -gt 0 ] ; then
/usr/bin/echo "Password error"
/usr/bin/echo "Restart sudo"
exit 1
fi
# Re-create the ccache that gssproxy hands to httpd from the apache keytab
# (kinit's -p only requests a proxiable ticket; the principal is positional).
/usr/bin/kdestroy -c /var/lib/gssproxy/clients/krb5cc_48
/usr/bin/kinit -k -t /etc/gssproxy/httpd.keytab -c /var/lib/gssproxy/clients/krb5cc_48 -p apache@MYDOMAIN.FR
/usr/bin/kdestroy
ESC
#
# sudo file: let the "utilisateurs" group run the script as root
#
echo '%utilisateurs ALL = /usr/bin/gsproxy.sh' >/etc/sudoers.d/gsproxy
chmod +x /usr/bin/gsproxy.sh
}
3 years, 5 months
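Both posts hinge on the same three things: the gssproxy [service/...] section's euid matching the user httpd runs as, a keytab (keytab: in the first post, client_keytab: in the second) that only root can read, and GSS_USE_PROXY reaching httpd from the unit's [Service] section. The checks below are an added example, not code from either poster or from the gssproxy project; they assume GNU awk/sed/stat on Linux and take the config and unit file paths as arguments.

```shell
#!/usr/bin/env bash
# Added example (not from either post): operator-side sanity checks for a
# gssproxy-backed httpd, covering both config shapes shown on this page
# (keytab: with euid = www, client_keytab: with euid = 48).
set -u

# Emit key=value for each option inside [service/NAME] of a gssproxy config.
gssproxy_section() {  # usage: gssproxy_section FILE NAME
    awk -v want="[service/$2]" '
        /^\[/        { insec = ($0 == want); next }
        insec && /=/ { k = $0; sub(/[ \t]*=.*$/, "", k)
                       v = $0; sub(/^[^=]*=[ \t]*/, "", v); print k "=" v }
    ' "$1"
}

# Verify what both posts rely on: mechs includes krb5, euid equals the user
# httpd really runs as (gssproxy picks the section by the peer's euid), and
# the (client_)keytab exists and is root-only: gssproxy reads it as root,
# so the web user never needs access to it.
# Returns 0 when every check passes; each failure is reported on stderr.
gssproxy_check() {  # usage: gssproxy_check FILE SECTION EXPECTED_EUID
    local conf=$1 sec=$2 want_euid=$3 rc=0 opts sec_euid kt
    opts=$(gssproxy_section "$conf" "$sec")
    [ -n "$opts" ] || { echo "no [service/$sec] section in $conf" >&2; return 1; }
    printf '%s\n' "$opts" | grep -q '^mechs=.*krb5' \
        || { echo "mechs does not include krb5" >&2; rc=1; }
    sec_euid=$(printf '%s\n' "$opts" | sed -n 's/^euid=//p')
    [ "$sec_euid" = "$want_euid" ] \
        || { echo "euid '$sec_euid' != httpd user '$want_euid'" >&2; rc=1; }
    kt=$(printf '%s\n' "$opts" \
         | sed -n 's/^cred_store=\(client_\)\{0,1\}keytab://p' | head -n 1)
    [ -n "$kt" ] || { echo "no keytab/client_keytab cred_store" >&2; return 1; }
    [ -f "$kt" ] || { echo "keytab $kt does not exist" >&2; return 1; }
    case $(stat -c %a "$kt") in          # GNU stat: octal mode bits
        600|400) ;;
        *) echo "keytab $kt is readable by more than root" >&2; rc=1 ;;
    esac
    return "$rc"
}

# Confirm a systemd unit or drop-in exports GSS_USE_PROXY (yes or 1, the two
# spellings used on this page) from its [Service] section; an Environment=
# line placed in another section is not applied to the service.
unit_sets_gss_use_proxy() {  # usage: unit_sets_gss_use_proxy UNITFILE
    awk '/^\[/ { insvc = ($0 == "[Service]") }
         insvc && /^Environment=.*GSS_USE_PROXY=(yes|1)/ { found = 1 }
         END { exit !found }' "$1"
}

# Stand-alone use: gssproxy_check /etc/gssproxy/80-httpd.conf HTTP www \
#   && unit_sets_gss_use_proxy /etc/systemd/system/httpd.service && echo OK
```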