On Fri, 2020-10-16 at 16:39 -0400, Jason Keltz wrote:
Hi.
I've been trying to get gssproxy working with httpd and mod_auth_gssapi on CentOS 7.8. Albeit, I'm not using the httpd from CentOS, but a later 2.4.39.
I setup the httpd keytab. I setup mod_auth_gssapi and was able to access my page with Kerberos auth no problem at all.
Next, I wanted to get things working with gssproxy.
I created /etc/gssproxy/80-httpd.conf
[service/HTTP] mechs = krb5 cred_store = keytab:/xconf/httpd/keytab/httpd-www-svc.keytab cred_store = ccache:/var/lib/gssproxy/clients/krb5cc_%U euid = www
My web user is "www".
My keytab file is in the given location. I change permission to 600, owned by root.
I added to the Service section of /etc/systemd/system/httpd.service:
Environment=GSS_USE_PROXY=yes
I restart httpd and gssproxy.
My test protected page is under a .htaccess as follows:
AuthType GSSAPI AuthName "GSSAPI Login" GssapiBasicAuth On GssapiLocalName on Require valid-user
When I visit the page and I don't have a ticket, I get prompted for my username and password. Access is denied.
When I visit my page Apache outputs:
[Thu Oct 15 15:04:12.311614 2020] [auth_gssapi:error] [pid 28584:tid 13995355614 1824] [client 130.63.97.125:57910] GSS ERROR gss_acquire_cred[_from]() failed to get server creds: [Unspecified GSS failure. Minor code may provide more inform ation (Keytab FILE:/etc/krb5.keytab is nonexistent or empty)]
... so I know that it's not really using gssproxy because if it was, it wouldn't be looking at /etc/krb5.keytab.
I enabled debugging on gssproxy, level 3, but when I access the page, gssproxy doesn't log anything. This is printed when I start gssproxy and doesn't change:
[2020/10/15 23:23:26]: Service: HTTP, Keytab: /xconf/httpd/keytab/httpd-www-svc.keytab, Enctype: 23 [2020/10/15 23:23:26]: Service: nfs-server, Keytab: /etc/krb5.keytab, Enctype: 17 [2020/10/15 23:23:26]: Service: nfs-client, Keytab: /etc/krb5.keytab, Enctype: 17 [2020/10/15 23:23:26]: Debug Enabled (level: 3) [2020/10/15 23:23:26]: Problem with kernel communication! NFS server will not work [2020/10/15 23:23:26]: Failed to get peer's SELinux context (92:Protocol not available) [2020/10/15 23:23:26]: Client connected (fd = 10)[2020/10/15 23:23:26]: (pid = 24902) (uid = 0) (gid = 0)[2
I assume the "Problem with kernel communication" error is just because there is no nfs-server running here, but the gssproxy file exists.
Of course if I go back and insert into the .htaccess:
GssapiCredStore keytab:/xconf/httpd/keytab/httpd-www-svc.keytab
... and I make the file readable by "www" then it works, but that, of course isn't using gssproxy either.
I read a bug report on Redhat about there being an issue with using "GssapiLocalName on" so I removed that and it didn't make a difference.
So what is the magic bit that I'm missing to tell httpd to actually use gssproxy? I thought the only thing was the USE_GSS_PROXY=yes
Does the application itself need to be aware of gssproxy, or is that hidden from the application?
I even tried adding to the httpd.service:
Environment=KRB5_TRACE=/tmp/log
... hoping this would give me *something* but the file didn't even get created.
Any feedback that you can provide would be helpful.
Hi Jason, I assume you have a custom install of gssproxy as well here.
So 2 questions. 1) what libkrb5 version do you have installed ? 2) Have you configured gssproxy as a GSSAPI mechanism ?
See man 8 gssproxy-mech for more info on how to do (2).
HTH, Simo.