Bug 1517378 - gssproxy strange behavior when keytab file is deleted
Summary: gssproxy strange behavior when keytab file is deleted
Keywords:
Status: CLOSED CURRENTRELEASE
Alias: None
Product: Red Hat Enterprise Linux 7
Classification: Red Hat
Component: gssproxy
Version: 7.5
Hardware: Unspecified
OS: Unspecified
Priority: medium
Severity: medium
Target Milestone: rc
: ---
Assignee: Robbie Harwood
QA Contact: ipa-qe
URL:
Whiteboard:
Depends On:
Blocks:
 
Reported: 2017-11-24 17:52 UTC by Patrik Kis
Modified: 2017-12-05 15:15 UTC (History)

Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed: 2017-12-05 15:15:11 UTC
Target Upstream Version:



Description Patrik Kis 2017-11-24 17:52:38 UTC
Description of problem:
There is an httpd setup with gssproxy. When the keytab is updated nothing really happens and the service still works, but when the keytab is removed and then created again, the service stops working. Not sure why it is happening. I'm not even sure it's a bug, but I'm lost. Simply have no idea what causes this strange behavior.

The issue was not seen with gssproxy-0.4.1-13 but it is present in gssproxy-0.7.0.

Version-Release number of selected component (if applicable):
gssproxy-0.7.0-4.el7

How reproducible:
always

Steps to Reproduce:
1. Assuming kdc is setup and running.

# kadmin.local -q "addprinc -randkey HTTP/$(hostname)"
...
# kadmin.local -q "ktadd -k /var/lib/gssproxy/clients/http.keytab HTTP/$(hostname)"
...
# cat >/etc/httpd/conf.d/gssapi.conf <<_EOF
<Location /private>
  AuthType Kerberos
  AuthName "Kerberos Login"
  KrbMethodNegotiate On
  require valid-user
</Location>
_EOF
#
# echo 'GSS_USE_PROXY=1' >> /etc/sysconfig/httpd
# echo 'Test page to test GSSAPI through gssproxy' > /var/www/html/private
# service httpd start
...
# cat >/etc/gssproxy/gssproxy.conf <<_EOF
[service/HTTP]
  mechs = krb5
  cred_store = keytab:/var/lib/gssproxy/clients/http.keytab
  cred_store = ccache:/var/lib/gssproxy/clients/krb5cc_%U
  euid = 48
_EOF
# service gssproxy start
... 
# mv /etc/gss/mech.d/gssproxy.conf /etc/gss/mech
# restorecon -v /etc/gss/mech
# 
# echo aaa | kinit alice
# curl --negotiate -u : -i http://$(hostname)/private
HTTP/1.1 401 Unauthorized
Date: Fri, 24 Nov 2017 17:36:21 GMT
Server: Apache/2.4.6 (Red Hat Enterprise Linux) mod_auth_kerb/5.4
WWW-Authenticate: Negotiate
WWW-Authenticate: Basic realm="Kerberos Login"
Content-Length: 381
Content-Type: text/html; charset=iso-8859-1

HTTP/1.1 200 OK
Date: Fri, 24 Nov 2017 17:36:21 GMT
Server: Apache/2.4.6 (Red Hat Enterprise Linux) mod_auth_kerb/5.4
WWW-Authenticate: Negotiate YIGZBgkqhkiG9xIBAgICAG+BiTCBhqADAgEFoQMCAQ+iejB4oAMCARKicQRv4jIEZjYPxaMwG8VcSNNidvTqI1E+VkuKXqGe1wUGUMf/of6Pt9l20WsKpeJ/62Z2tClNyCtBnooCHVc6WhhSPcnvMbtYGZTQhKKzzix6e88kRPJAO5S/fl3g1nMJ4Exb6J1ZKHw577H77D/Xuc4h
Last-Modified: Fri, 24 Nov 2017 17:34:12 GMT
ETag: "2a-55ebdf6004a94"
Accept-Ranges: bytes
Content-Length: 42

Test page to test GSSAPI through gssproxy
#
#
# sum /var/lib/gssproxy/clients/http.keytab 
27754     2
# service gssproxy stop
Redirecting to /bin/systemctl stop gssproxy.service
# kadmin.local -q "ktadd -k /var/lib/gssproxy/clients/http.keytab HTTP/$(hostname)"
...
# sum /var/lib/gssproxy/clients/http.keytab 
41027     3
# service gssproxy start
Redirecting to /bin/systemctl start gssproxy.service
# echo aaa|kinit alice
Password for alice@ZMRAZ.COM: 
# curl --negotiate -u : -i http://$(hostname)/private
HTTP/1.1 401 Unauthorized
Date: Fri, 24 Nov 2017 17:37:22 GMT
Server: Apache/2.4.6 (Red Hat Enterprise Linux) mod_auth_kerb/5.4
WWW-Authenticate: Negotiate
WWW-Authenticate: Basic realm="Kerberos Login"
Content-Length: 381
Content-Type: text/html; charset=iso-8859-1

HTTP/1.1 200 OK
Date: Fri, 24 Nov 2017 17:37:22 GMT
Server: Apache/2.4.6 (Red Hat Enterprise Linux) mod_auth_kerb/5.4
WWW-Authenticate: Negotiate YIGZBgkqhkiG9xIBAgICAG+BiTCBhqADAgEFoQMCAQ+iejB4oAMCARKicQRvdaAGhmoimb7CzodV9cOrRvWdRsX/gF/X17VOLhJkFtsaG5k2kCYpf5+Kt5eciRY0V77YnoUNKNATLHng2HXBCCEg/bqTTvMaKLhIVDfGqkDwy9DDIH+WsOyOwsvVIS24fqTt2rVS88JocEuu3y+4
Last-Modified: Fri, 24 Nov 2017 17:34:12 GMT
ETag: "2a-55ebdf6004a94"
Accept-Ranges: bytes
Content-Length: 42

Test page to test GSSAPI through gssproxy
#
# kdestroy 
# ls -lZ /var/lib/gssproxy/clients/http.keytab
-rw-------. root root unconfined_u:object_r:gssproxy_var_lib_t:s0 /var/lib/gssproxy/clients/http.keytab
# rm -f /var/lib/gssproxy/clients/http.keytab
# service gssproxy stop
Redirecting to /bin/systemctl stop gssproxy.service
#
# kadmin.local -q "ktadd -k /var/lib/gssproxy/clients/http.keytab HTTP/$(hostname)"
...
#
# ls -lZ /var/lib/gssproxy/clients/http.keytab
-rw-------. root root unconfined_u:object_r:gssproxy_var_lib_t:s0 /var/lib/gssproxy/clients/http.keytab
# service gssproxy start
Redirecting to /bin/systemctl start gssproxy.service
# echo aaa|kinit alice
Password for alice@ZMRAZ.COM: 
# curl --negotiate -u : -i http://$(hostname)/private
HTTP/1.1 401 Unauthorized
Date: Fri, 24 Nov 2017 17:38:38 GMT
Server: Apache/2.4.6 (Red Hat Enterprise Linux) mod_auth_kerb/5.4
WWW-Authenticate: Negotiate
WWW-Authenticate: Basic realm="Kerberos Login"
Content-Length: 381
Content-Type: text/html; charset=iso-8859-1

HTTP/1.1 500 Internal Server Error
Date: Fri, 24 Nov 2017 17:38:38 GMT
Server: Apache/2.4.6 (Red Hat Enterprise Linux) mod_auth_kerb/5.4
Content-Length: 527
Connection: close
Content-Type: text/html; charset=iso-8859-1

<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>500 Internal Server Error</title>
</head><body>
<h1>Internal Server Error</h1>
<p>The server encountered an internal error or
misconfiguration and was unable to complete
your request.</p>
<p>Please contact the server administrator at 
 root@localhost to inform them of the time this error occurred,
 and the actions you performed just before this error.</p>
<p>More information about this error may be available
in the server error log.</p>
</body></html>
# rpm -q gssproxy
gssproxy-0.7.0-4.el7.x86_64

The same scenario with older gssproxy:
# rpm -q gssproxy
gssproxy-0.4.1-13.el7.x86_64
# rm -f /var/lib/gssproxy/clients/http.keytab
# service gssproxy stop
Redirecting to /bin/systemctl stop  gssproxy.service
# kadmin.local -q "ktadd -k /var/lib/gssproxy/clients/http.keytab HTTP/$(hostname)"
# service gssproxy start
...
# echo aaa|kinit alice
Password for alice@ZMRAZ.COM: 
# curl --negotiate -u : -i http://$(hostname)/private
HTTP/1.1 401 Unauthorized
Date: Fri, 24 Nov 2017 17:38:38 GMT
Server: Apache/2.4.6 (Red Hat Enterprise Linux) mod_auth_kerb/5.4
WWW-Authenticate: Negotiate
WWW-Authenticate: Basic realm="Kerberos Login"
Content-Length: 381
Content-Type: text/html; charset=iso-8859-1

HTTP/1.1 200 OK
Date: Fri, 24 Nov 2017 17:38:38 GMT
Server: Apache/2.4.6 (Red Hat Enterprise Linux) mod_auth_kerb/5.4
WWW-Authenticate: Negotiate YIGZBgkqhkiG9xIBAgICAG+BiTCBhqADAgEFoQMCAQ+iejB4oAMCARKicQRvMZpWdikF5xnF+sRz8/7qG/Odf9DrMCqezKyp4FU5yc5MepxyiKVwBDA50TgVllb9mOVFVto1nML2RF+Vt5M4497BBQW7VXvzgd9YH93TsWqAkiCg2Lusv3bhGQ8LHkKHotxW/KjIKFAHTCdAYV8h
Last-Modified: Fri, 24 Nov 2017 17:34:13 GMT
ETag: "2a-55ebdf614c50b"
Accept-Ranges: bytes
Content-Length: 42

Test page to test GSSAPI through gssproxy
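Each "ktadd" run in the reproduction above writes a new key version into the keytab, so the first thing to confirm after re-creating it is which principals and kvnos the file actually holds. As an added example (not part of the bug report, and not gssproxy or MIT code), here is a small reader for the MIT keytab file format (version 0x0502) that lists principal, kvno and enctype per entry; the sample keytab is constructed inline with a made-up realm and hostname.

```python
import struct
from collections import namedtuple

KeytabEntry = namedtuple("KeytabEntry", "principal kvno enctype timestamp")

def _counted(buf, off):  # uint16 length-prefixed octet string -> (bytes, next offset)
    (n,) = struct.unpack_from(">H", buf, off)
    return buf[off + 2:off + 2 + n], off + 2 + n

def parse_keytab(data):
    """Parse MIT keytab bytes (format 0x0502); returns KeytabEntry list, holes skipped."""
    if data[:2] != b"\x05\x02":
        raise ValueError("not a version-2 MIT keytab")
    entries, off = [], 2
    while off + 4 <= len(data):
        (size,) = struct.unpack_from(">i", data, off)
        off += 4
        if size < 0:                      # negative size marks a deleted (hole) entry
            off -= size
            continue
        end = off + size
        (ncomp,) = struct.unpack_from(">H", data, off)
        realm, p = _counted(data, off + 2)
        comps = []
        for _ in range(ncomp):
            c, p = _counted(data, p)
            comps.append(c)
        # name type, timestamp, 8-bit vno, enctype, key length: 13 big-endian bytes
        _nt, ts, vno8, enctype, klen = struct.unpack_from(">IIBHH", data, p)
        p += 13 + klen                    # step over the key material itself
        # a trailing 32-bit kvno, when present and non-zero, overrides the 8-bit one
        vno32 = struct.unpack_from(">I", data, p)[0] if end - p >= 4 else 0
        name = b"/".join(comps).decode() + "@" + realm.decode()
        entries.append(KeytabEntry(name, vno32 or vno8, enctype, ts))
        off = end
    return entries

def build_entry(realm, comps, kvno, enctype, key, ts=0):  # constructed encoder helper
    body = struct.pack(">HH", len(comps), len(realm)) + realm
    for c in comps:
        body += struct.pack(">H", len(c)) + c
    body += struct.pack(">IIB", 1, ts, kvno & 0xFF)        # KRB5_NT_PRINCIPAL, time, vno8
    body += struct.pack(">HH", enctype, len(key)) + key + struct.pack(">I", kvno)
    return struct.pack(">i", len(body)) + body

# Constructed sample: a keytab written by two successive "ktadd" runs, so it holds
# kvno 2 and kvno 3 for one principal (enctype 18 = aes256-cts-hmac-sha1-96).
SAMPLE_KEYTAB = (b"\x05\x02"
    + build_entry(b"EXAMPLE.COM", [b"HTTP", b"www.example.com"], 2, 18, b"k" * 32)
    + build_entry(b"EXAMPLE.COM", [b"HTTP", b"www.example.com"], 3, 18, b"K" * 32))
```

Run `parse_keytab(open("/path/to/http.keytab", "rb").read())` on a real file and compare the kvnos it lists against what `kvno -e HTTP/<host>@REALM` reports for a fresh service ticket, which is the check asked for later in this bug.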

Comment 1 Robbie Harwood 2017-11-27 22:27:17 UTC
Can you please check with the latest version of gssproxy, gssproxy-0.7.0-13?  (I'm pretty much always going to ask this when it's not the latest version exhibiting a weird behavior.)  Thanks!

Comment 2 Patrik Kis 2017-11-28 09:16:47 UTC
Sure. With the latest version I'm not able to make it work at all.
The same setup as reported above, but the first curl is failing:

# rpm -q gssproxy
gssproxy-0.7.0-13.el7.x86_64
# curl --negotiate -u : -i http://qeos-19.lab.eng.rdu2.redhat.com/private
HTTP/1.1 401 Unauthorized
Date: Tue, 28 Nov 2017 09:16:11 GMT
Server: Apache/2.4.6 (Red Hat Enterprise Linux) mod_auth_kerb/5.4
WWW-Authenticate: Negotiate
WWW-Authenticate: Basic realm="Kerberos Login"
Content-Length: 381
Content-Type: text/html; charset=iso-8859-1

HTTP/1.1 500 Internal Server Error
Date: Tue, 28 Nov 2017 09:16:11 GMT
Server: Apache/2.4.6 (Red Hat Enterprise Linux) mod_auth_kerb/5.4
Content-Length: 527
Connection: close
Content-Type: text/html; charset=iso-8859-1

<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>500 Internal Server Error</title>
</head><body>
<h1>Internal Server Error</h1>
<p>The server encountered an internal error or
misconfiguration and was unable to complete
your request.</p>
<p>Please contact the server administrator at 
 root@localhost to inform them of the time this error occurred,
 and the actions you performed just before this error.</p>
<p>More information about this error may be available
in the server error log.</p>
</body></html>

# klist 
Ticket cache: KEYRING:persistent:0:0
Default principal: alice@ZMRAZ.COM

Valid starting       Expires              Service principal
11/28/2017 04:16:11  11/29/2017 04:16:02  HTTP/qeos-19.lab.eng.rdu2.redhat.com@ZMRAZ.COM
11/28/2017 04:16:02  11/29/2017 04:16:02  krbtgt/ZMRAZ.COM@ZMRAZ.COM

Comment 4 Simo Sorce 2017-12-01 20:56:19 UTC
Patrik can you run klist -A and kvno -e HTTP/<http-server-host>@REALM after each curl ?

Comment 5 Simo Sorce 2017-12-01 20:58:50 UTC
Also can you set gssproxy's debug level to 3 and provide the corresponding gssproxy logs ?

Comment 7 Patrik Kis 2017-12-05 10:14:52 UTC
It looks like the problem is fixed with gssproxy-0.7.0-14.el7.
Interestingly, with gssproxy-0.7.0-13.el7 the situation was even worse than with the reported gssproxy-0.7.0-4.el7. In that case even the first curl command failed. But with the latest gssproxy-0.7.0-14.el7 I can not reproduce the problem.

Comment 8 Simo Sorce 2017-12-05 14:14:27 UTC
Ok, let's close this as fixed then ?

Comment 9 Patrik Kis 2017-12-05 14:29:55 UTC
(In reply to Simo Sorce from comment #8)
> Ok, let's close this as fixed then ?

I'm fine with closing it. If the problem re-appears, it still can be re-opened.

Comment 10 Robbie Harwood 2017-12-05 15:15:11 UTC
Thanks Simo and Patrik!

