Hey folks! I have a Kerberos issue when using s4u2proxy with mod_auth_gssapi and IPA, and I don't know where to look.
Basically, I've set up delegation in IPA (with servicedelegationrules and targets) and in Apache's config for mod_auth_gssapi, but the directory where the CCaches are supposed to be created (GssapiDelegCcacheDir) remains empty. In the Apache log I only see:

  GSS ERROR gss_acquire_cred[_from]() failed to get server creds: [Unspecified GSS failure. Minor code may provide more information ( SPNEGO cannot find mechanisms to negotiate)]

For context, the webapp running in Apache is delegating for IPA's ldap service, and if I contact it directly with ldapwhoami I get the right result, so it's really the delegation I think. Also, the webapp is running in OpenShift, but that should not be a big issue (besides for debugging) because I've already made it work elsewhere.

I have keytabs for the host and the HTTP service:

  $ klist -k /etc/krb5.keytab
  Keytab name: FILE:/etc/krb5.keytab
  KVNO Principal
  ---- --------------------------------------------------------------------------
     1 host/[email protected]
     1 host/[email protected]

  $ klist -k /etc/keytabs/http
  Keytab name: FILE:/etc/keytabs/http
  KVNO Principal
  ---- --------------------------------------------------------------------------
     1 HTTP/[email protected]
     1 HTTP/[email protected]

And the section in Apache's config file is:

  AuthType GSSAPI
  AuthName "Kerberos Login"
  GssapiUseSessions On
  Session On
  SessionCookieName ipa_session path=/;httponly;secure;
  SessionHeader IPASESSION
  GssapiSessionKey file:/httpdir/run/session.key
  GssapiCredStore keytab:/etc/keytabs/httpd
  GssapiImpersonate On
  GssapiDelegCcacheDir /httpdir/run/ccaches
  GssapiDelegCcachePerms mode:0660
  GssapiUseS4U2Proxy on
  GssapiAllowedMech krb5

Here's what I'm seeing.

When I'm authenticated with Kerberos:

  $ klist
  Ticket cache: KEYRING:persistent:1000290000:1000290000
  Default principal: [email protected]

  Valid starting     Expires            Service principal
  09/02/20 12:55:59  09/03/20 12:55:47  krbtgt/[email protected]

and I contact the web app with curl:

  curl --negotiate -u : https://fasjson.stg.fedoraproject.org/v1/

I get a 401 response with the log pasted above. The /httpdir/run/ccaches/ directory remains empty, but I do get the service's entry in klist:

  $ klist
  Ticket cache: KEYRING:persistent:1000290000:1000290000
  Default principal: [email protected]

  Valid starting     Expires            Service principal
  09/02/20 12:57:12  09/03/20 12:55:47  HTTP/[email protected]
  09/02/20 12:55:59  09/03/20 12:55:47  krbtgt/[email protected]

I don't know what I'm doing wrong and where I could dig. Could you point me in the right direction? I'm also on IRC in the freeipa channel as abompard.

Thanks!
Aurélien

_______________________________________________
FreeIPA-users mailing list -- [email protected]
To unsubscribe send an email to [email protected]
Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: https://lists.fedorahosted.org/archives/list/[email protected]
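
A "failed to get server creds" error from gss_acquire_cred usually means the server-side credential lookup itself failed before any delegation happens, so the first thing worth checking is whether the mod_auth_gssapi directives and the keytabs on disk agree with each other. The following is an added example, not code from the post or from the mod_auth_gssapi project: a small Python script that cross-checks a set of Gssapi* directives against `klist -k` listings. It verifies that the keytab named in GssapiCredStore is one of the listed keytabs, that this keytab holds an HTTP/<fqdn> principal for the server, that GssapiDelegCcacheDir is set when GssapiUseS4U2Proxy is on, and that GssapiAllowedMech still permits krb5. The hostname, realm and listings are constructed placeholders; the sample config mirrors the paths quoted in the post.

```python
"""Cross-check mod_auth_gssapi S4U2Proxy directives against klist -k output."""
import re
from typing import Dict, List

# Constructed sample data: the listings follow the shape of `klist -k`;
# web.example.test / EXAMPLE.TEST are assumed placeholders, not real hosts.
SAMPLE_KEYTABS: Dict[str, str] = {
    "/etc/krb5.keytab": (
        "Keytab name: FILE:/etc/krb5.keytab\n"
        "KVNO Principal\n"
        "---- ----------------------------------------------\n"
        "   1 host/web.example.test@EXAMPLE.TEST\n"
        "   1 host/web.example.test@EXAMPLE.TEST\n"
    ),
    "/etc/keytabs/http": (
        "Keytab name: FILE:/etc/keytabs/http\n"
        "KVNO Principal\n"
        "---- ----------------------------------------------\n"
        "   1 HTTP/web.example.test@EXAMPLE.TEST\n"
        "   1 HTTP/web.example.test@EXAMPLE.TEST\n"
    ),
}

# Constructed config fragment using the directive values quoted in the post.
SAMPLE_CONFIG = """\
AuthType GSSAPI
GssapiUseSessions On
GssapiCredStore keytab:/etc/keytabs/httpd
GssapiImpersonate On
GssapiDelegCcacheDir /httpdir/run/ccaches
GssapiUseS4U2Proxy on
GssapiAllowedMech krb5
"""


def parse_klist_k(text: str) -> List[str]:
    """Return the principal names from `klist -k` output (KVNO column dropped)."""
    principals = []
    for line in text.splitlines():
        m = re.match(r"\s*\d+\s+(\S+@\S+)\s*$", line)
        if m:
            principals.append(m.group(1))
    return principals


def parse_gssapi_directives(text: str) -> Dict[str, str]:
    """Collect Gssapi* directives into a dict keyed by lower-cased directive name."""
    directives = {}
    for line in text.splitlines():
        parts = line.strip().split(None, 1)
        if len(parts) == 2 and parts[0].lower().startswith("gssapi"):
            directives[parts[0].lower()] = parts[1].strip()
    return directives


def check_delegation_config(config: str, keytabs: Dict[str, str],
                            server_fqdn: str) -> List[str]:
    """Return a list of human-readable findings; an empty list means all checks passed."""
    d = parse_gssapi_directives(config)
    findings = []

    # 1. GssapiCredStore must point at a keytab that actually exists.
    store_tokens = d.get("gssapicredstore", "").split()
    keytab_tokens = [t for t in store_tokens if t.startswith("keytab:")]
    if not keytab_tokens:
        findings.append("GssapiCredStore names no keytab: %r" % d.get("gssapicredstore", ""))
    else:
        path = keytab_tokens[0][len("keytab:"):]
        if path not in keytabs:
            findings.append("GssapiCredStore keytab %s not found (known: %s)"
                            % (path, ", ".join(sorted(keytabs))))
        else:
            # 2. That keytab must carry the HTTP service principal for this host.
            wanted = "HTTP/%s@" % server_fqdn
            if not any(p.startswith(wanted) for p in parse_klist_k(keytabs[path])):
                findings.append("keytab %s has no %s... principal" % (path, wanted))

    # 3. S4U2Proxy needs somewhere to write the delegated credential caches.
    if d.get("gssapiuses4u2proxy", "off").lower() == "on" and "gssapidelegccachedir" not in d:
        findings.append("GssapiUseS4U2Proxy is on but GssapiDelegCcacheDir is not set")

    # 4. Restricting mechanisms must not lock out krb5 itself.
    mechs = d.get("gssapiallowedmech")
    if mechs and "krb5" not in mechs.lower().split():
        findings.append("GssapiAllowedMech excludes krb5: %r" % mechs)
    return findings


if __name__ == "__main__":
    for finding in check_delegation_config(SAMPLE_CONFIG, SAMPLE_KEYTABS, "web.example.test"):
        print("FINDING:", finding)
```

On a real host you would feed the script the actual `klist -k` output for each keytab and the live Apache config; the point of the check is that the path in GssapiCredStore, the keytab file and the HTTP/ principal inside it are compared mechanically rather than by eye.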
