For interested parties (and archives) part of the issue was this: https://github.com/gssapi/mod_auth_gssapi/issues/228

I am adding some logging to mod_auth_gssapi to make this kind of error more readily discoverable from the apache error log.

Simo.

On Wed, 2020-09-02 at 13:00 +0000, Aurelien Bompard via FreeIPA-users wrote:
> Hey folks!
>
> I have a Kerberos issue when using s4u2proxy with mod_auth_gssapi and IPA,
> and I don't know where to look.
>
> Basically, I've set up delegation in IPA (with servicedelegationrules and
> targets) and in Apache's config for mod_auth_gssapi, but the directory where
> the CCaches are supposed to be created remains empty (GssapiDelegCcacheDir).
>
> In the apache log I only see:
> GSS ERROR gss_acquire_cred[_from]() failed to get server creds:
> [Unspecified GSS failure. Minor code may provide more information (SPNEGO
> cannot find mechanisms to negotiate)]
>
> For context, the webapp running in Apache is delegating for IPA's ldap
> service, and if I contact it directly with ldapwhoami I get the right result,
> so it's really the delegation I think.
> Also, the webapp is running in openshift, but that should not be a big issue
> (besides for debugging) because I've already made it work elsewhere.
>
> I have keytabs for the host and the HTTP service:
>
> $ klist -k /etc/krb5.keytab
> Keytab name: FILE:/etc/krb5.keytab
> KVNO Principal
> ---- --------------------------------------------------------------------------
>    1 host/[email protected]
>    1 host/[email protected]
> $ klist -k /etc/keytabs/http
> Keytab name: FILE:/etc/keytabs/http
> KVNO Principal
> ---- --------------------------------------------------------------------------
>    1 HTTP/[email protected]
>    1 HTTP/[email protected]
>
> And the section in Apache's config file is:
>
> AuthType GSSAPI
> AuthName "Kerberos Login"
> GssapiUseSessions On
> Session On
> SessionCookieName ipa_session path=/;httponly;secure;
> SessionHeader IPASESSION
> GssapiSessionKey file:/httpdir/run/session.key
> GssapiCredStore keytab:/etc/keytabs/httpd
> GssapiImpersonate On
> GssapiDelegCcacheDir /httpdir/run/ccaches
> GssapiDelegCcachePerms mode:0660
> GssapiUseS4U2Proxy on
> GssapiAllowedMech krb5
>
> Here's what I'm seeing. When I'm authenticated with kerberos:
> $ klist
> Ticket cache: KEYRING:persistent:1000290000:1000290000
> Default principal: [email protected]
> Valid starting       Expires              Service principal
> 09/02/20 12:55:59    09/03/20 12:55:47    krbtgt/[email protected]
>
> and I contact the web app with curl:
> curl --negotiate -u : https://fasjson.stg.fedoraproject.org/v1/
> I get a 401 response with the log pasted above. The /httpdir/run/ccaches/
> directory remains empty, but I do get the service's entry in klist:
> $ klist
> Ticket cache: KEYRING:persistent:1000290000:1000290000
> Default principal: [email protected]
> Valid starting       Expires              Service principal
> 09/02/20 12:57:12    09/03/20 12:55:47    HTTP/[email protected]
> 09/02/20 12:55:59    09/03/20 12:55:47    krbtgt/[email protected]
>
> I don't know what I'm doing wrong and where I could dig. Could you point me
> in the right direction? I'm also on IRC in the freeipa channel as abompard.
>
> Thanks!
>
> Aurélien
> _______________________________________________
> FreeIPA-users mailing list -- [email protected]
> To unsubscribe send an email to [email protected]
> Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/
> List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
> List Archives: https://lists.fedorahosted.org/archives/list/[email protected]

-- 
Simo Sorce
RHEL Crypto Team
Red Hat, Inc
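The config quoted above names `keytab:/etc/keytabs/httpd` in `GssapiCredStore`, while the keytab listing shown was taken from `/etc/keytabs/http`. Whether or not that difference mattered in this case, a pre-flight check that every keytab referenced by the mod_auth_gssapi directives exists and actually holds the web service's principal, and that `GssapiDelegCcacheDir` exists, catches this class of mistake before httpd is started. The script below is an added example written for this thread; it is not code from mod_auth_gssapi, FreeIPA or the original poster. It parses the `Gssapi*` directives from an Apache snippet (the constructed `SAMPLE_CONFIG` reuses the delegation-relevant lines quoted above), and takes the filesystem and keytab readers as callables so the demo can run offline against a constructed host view with placeholder principal names; the default readers use `os.path.exists` and `klist -k`.

```python
"""Sanity checks for a mod_auth_gssapi S4U2Proxy (constrained delegation)
configuration.  Added example for this thread, not mod_auth_gssapi or
FreeIPA code.  Parses the Gssapi* directives of an Apache config snippet and
checks that every keytab named in GssapiCredStore exists and contains a
principal for the web service, and that GssapiDelegCcacheDir exists.
Filesystem and keytab access go through caller-supplied callables so the
checks can run offline against a constructed host view.
"""
import os
import shlex
import subprocess
from typing import Callable, Dict, List, Optional

# Constructed sample: the delegation-relevant directives quoted in the thread.
SAMPLE_CONFIG = """\
AuthType GSSAPI
AuthName "Kerberos Login"
GssapiUseSessions On
GssapiCredStore keytab:/etc/keytabs/httpd
GssapiImpersonate On
GssapiDelegCcacheDir /httpdir/run/ccaches
GssapiDelegCcachePerms mode:0660
GssapiUseS4U2Proxy on
GssapiAllowedMech krb5
"""


def parse_directives(text: str) -> Dict[str, List[str]]:
    """Map each directive name to its arguments (repeated directives are merged)."""
    directives: Dict[str, List[str]] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        name, *args = shlex.split(line)  # honours quoted values such as AuthName
        directives.setdefault(name, []).extend(args)
    return directives


def klist_principals(path: str) -> List[str]:
    """Read principals from a real keytab via `klist -k` (not used by the offline demo)."""
    out = subprocess.run(["klist", "-k", path], capture_output=True, text=True, check=True).stdout
    # Skip the three header lines (keytab name, column titles, dashes); entries are "KVNO Principal".
    return [line.split(None, 1)[1] for line in out.splitlines()[3:] if line.strip()]


def check_delegation_config(config_text: str,
                            exists: Callable[[str], bool] = os.path.exists,
                            read_keytab: Callable[[str], List[str]] = klist_principals,
                            service_prefix: str = "HTTP/") -> List[str]:
    """Return a list of findings; an empty list means every check passed."""
    findings: List[str] = []
    d = parse_directives(config_text)

    if d.get("GssapiUseS4U2Proxy", ["off"])[0].lower() != "on":
        findings.append("GssapiUseS4U2Proxy is not On; no S4U2Proxy delegation will happen")
    if "GssapiDelegCcacheDir" not in d:
        findings.append("GssapiDelegCcacheDir is not set; delegated credentials have nowhere to go")
    elif not exists(d["GssapiDelegCcacheDir"][0]):
        findings.append(f"GssapiDelegCcacheDir {d['GssapiDelegCcacheDir'][0]} does not exist")

    keytabs = [a.split(":", 1)[1] for a in d.get("GssapiCredStore", []) if a.startswith("keytab:")]
    if not keytabs:
        findings.append("GssapiCredStore names no keytab; server creds would come from the default keytab")
    for kt in keytabs:
        if not exists(kt):
            findings.append(f"keytab {kt} does not exist (compare the path with `klist -k`)")
            continue
        if not any(p.startswith(service_prefix) for p in read_keytab(kt)):
            findings.append(f"keytab {kt} holds no {service_prefix} principal")
    return findings


def simulated_filesystem() -> Dict[str, Optional[List[str]]]:
    """Constructed host view: keytab paths map to their principals, directories to None.
    The principal names are placeholders, not the real ones from the thread."""
    return {
        "/etc/krb5.keytab": ["host/web.example.test@EXAMPLE.TEST"],
        "/etc/keytabs/http": ["HTTP/web.example.test@EXAMPLE.TEST"],
        "/httpdir/run/ccaches": None,
    }


def run_demo():
    """Check the quoted config, then the same config with the keytab path corrected."""
    fs = simulated_filesystem()
    exists = lambda p: p in fs
    read = lambda p: fs[p] or []
    as_quoted = check_delegation_config(SAMPLE_CONFIG, exists, read)
    fixed_cfg = SAMPLE_CONFIG.replace("keytab:/etc/keytabs/httpd", "keytab:/etc/keytabs/http")
    fixed = check_delegation_config(fixed_cfg, exists, read)
    return as_quoted, fixed


if __name__ == "__main__":
    quoted, fixed = run_demo()
    print("as quoted:     ", quoted or "ok")
    print("path corrected:", fixed or "ok")
```

Run against a real host, drop the `exists` and `read_keytab` overrides so the defaults consult the filesystem and `klist -k`; run it as the same user httpd runs as, since a keytab that exists but is unreadable by that user fails in the same place as a missing one.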
