#10596 GSSAPI Negotiate authentication doesn't work against https://id.stg.fedoraproject.org/ ?
Closed: Fixed with Explanation 3 years ago by kevin. Opened 3 years ago by praiskup.

I have the default fedora-packager-kerberos-0.6.0.6-3.fc35.noarch config files, and an unchanged krb5-libs package, krb5-libs-1.19.2-2.fc35.x86_64.

Having a ticket against STG:

Ticket cache: KCM:17122
Default principal: praiskup@STG.FEDORAPROJECT.ORG

Valid starting       Expires              Service principal
03/17/2022 08:20:57  03/18/2022 08:20:56  krbtgt/STG.FEDORAPROJECT.ORG@STG.FEDORAPROJECT.ORG
        renew until 03/24/2022 08:20:56
03/17/2022 08:21:02  03/18/2022 08:20:56  HTTP/id.stg.fedoraproject.org@
        renew until 03/24/2022 08:20:56
        Ticket server: HTTP/id.stg.fedoraproject.org@STG.FEDORAPROJECT.ORG

... I cannot use Negotiate to log into the staging copr (using the login link at the top of the page) through id.stg.fedoraproject.org -- the page asks me for a password. This seems to work fine in production though.
(tested in Chromium and Firefox)


We can't reproduce it. What does your browser policy file look like? Here is the guide on how to set it up: https://wiki.centos.org/Authentication#Enabling_kerberos_for_IdP

You can try to modify the policy file for staging and see if this works.

Metadata Update from @zlopez:
- Issue priority set to: Waiting on Reporter (was: Needs Review)
- Issue tagged with: authentication, low-gain, medium-trouble

3 years ago

My Firefox has: .redhat.com,copr-dev-fe,.fedoraproject.org,.stg.fedoraproject.org in network.negotiate-auth.trusted-uris.

This works perfectly in production (id.fedoraproject.org), but not on id.stg.f.o.

See the top of the page. The "gssapi-login" variant (direct gssapi negotiate) works for me, but going through ipsilon - the "log in" link - fails the negotiation and still asks for the password.

We are working on a Copr upgrade, so we removed the deployment. But the problem can still be observed against staging pagure, e.g.: https://stg.pagure.io/

This should now be fixed.

ipsilon01.stg had:

[Fri Mar 18 17:42:45.220602 2022] [auth_gssapi:error] [pid 3016943:tid 3016986] [client 10.3.166.74:39228] GSS ERROR In Negotiate Auth: gss_accept_sec_context() failed: [Unspecified GSS failure.  Minor code may provide more information (Request ticket server HTTP/id.stg.fedoraproject.org@STG.FEDORAPROJECT.ORG kvno 1 enctype aes256-cts found in keytab but cannot decrypt ticket)]

I am not sure what happened to the keytab, but I regenerated it and restarted httpd on ipsilon01.stg and everything is back to working as expected.

Metadata Update from @kevin:
- Issue close_status updated to: Fixed with Explanation
- Issue status updated to: Closed (was: Open)

3 years ago
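The error quoted above ("found in keytab but cannot decrypt ticket") is a specific failure mode: the service principal and kvno exist in the keytab, but the key bytes no longer match what the KDC used to encrypt the service ticket, which is why regenerating the keytab fixed it. The following triage script is an added example and is not part of the ticket or of Ipsilon or Fedora Infrastructure tooling. It parses mod_auth_gssapi error lines of that shape together with the output of `klist -ekt` (assumed to be captured from the service host) and classifies each failure as a missing principal, a stale keytab (kvno behind the KDC), or a key-material mismatch with the same kvno. The klist listing and the keytab path in it are constructed; the log line is the one from the ticket.

```python
"""Classify mod_auth_gssapi 'cannot decrypt ticket' errors against a keytab listing.

Added example, not from the ticket. Inputs: Apache error_log lines and the text of
`klist -ekt <keytab>` captured on the same host.
"""
import re
from dataclasses import dataclass

# Fields of the krb5 minor-status message that mod_auth_gssapi embeds in its error line.
GSS_ERR_RE = re.compile(
    r"Request ticket server (?P<princ>\S+) kvno (?P<kvno>\d+) "
    r"enctype (?P<enctype>\S+) found in keytab but cannot decrypt ticket"
)

# One `klist -ekt` data row: KVNO, timestamp (date and time), principal, (enctype).
KEYTAB_ROW_RE = re.compile(
    r"^\s*(?P<kvno>\d+)\s+\S+\s+\S+\s+(?P<princ>\S+)\s+\((?P<enctype>[^)]+)\)\s*$"
)

# krb5 accepts short enctype aliases; the log prints the short form, klist the long one.
ENCTYPE_ALIASES = {
    "aes256-cts": "aes256-cts-hmac-sha1-96",
    "aes128-cts": "aes128-cts-hmac-sha1-96",
}

ADVICE = {
    "missing-principal": "principal is not in the keytab; export a key for it",
    "stale-keytab": "KDC issued a newer kvno than the keytab holds; re-export the keytab",
    "key-mismatch": "same kvno present but key bytes differ from the KDC; regenerate the keytab and restart httpd",
}


def canon_enctype(name):
    return ENCTYPE_ALIASES.get(name, name)


@dataclass(frozen=True)
class KeytabEntry:
    kvno: int
    princ: str
    enctype: str


def parse_keytab_listing(text):
    """Return the KeytabEntry rows found in `klist -ekt` output, header lines skipped."""
    entries = []
    for line in text.splitlines():
        m = KEYTAB_ROW_RE.match(line)
        if m:
            entries.append(KeytabEntry(int(m["kvno"]), m["princ"], canon_enctype(m["enctype"])))
    return entries


def diagnose(log_lines, keytab_listing):
    """Return (principal, verdict) for every decrypt failure present in log_lines."""
    entries = parse_keytab_listing(keytab_listing)
    findings = []
    for line in log_lines:
        m = GSS_ERR_RE.search(line)
        if not m:
            continue
        princ, kvno, enctype = m["princ"], int(m["kvno"]), canon_enctype(m["enctype"])
        same_princ = [e for e in entries if e.princ == princ]
        if not same_princ:
            findings.append((princ, "missing-principal"))
        elif not any(e.kvno == kvno and e.enctype == enctype for e in same_princ):
            findings.append((princ, "stale-keytab"))
        else:
            # The exact kvno/enctype is in the keytab, yet decryption failed: the
            # key material itself is wrong, which is the situation in the ticket.
            findings.append((princ, "key-mismatch"))
    return findings


# Constructed sample input. The log line is the one quoted in the ticket; the
# klist output and keytab path are made up to resemble a real listing.
APACHE_LOG = [
    "[Fri Mar 18 17:42:45.220602 2022] [auth_gssapi:error] [pid 3016943:tid 3016986] "
    "[client 10.3.166.74:39228] GSS ERROR In Negotiate Auth: gss_accept_sec_context() failed: "
    "[Unspecified GSS failure.  Minor code may provide more information (Request ticket server "
    "HTTP/id.stg.fedoraproject.org@STG.FEDORAPROJECT.ORG kvno 1 enctype aes256-cts found in "
    "keytab but cannot decrypt ticket)]",
]
KLIST_OUTPUT = """Keytab name: FILE:/etc/httpd/ipsilon.keytab
KVNO Timestamp           Principal
---- ------------------- ------------------------------------------------------
   1 01/05/2022 10:00:00 HTTP/id.stg.fedoraproject.org@STG.FEDORAPROJECT.ORG (aes256-cts-hmac-sha1-96)
   1 01/05/2022 10:00:00 HTTP/id.stg.fedoraproject.org@STG.FEDORAPROJECT.ORG (aes128-cts-hmac-sha1-96)
"""

if __name__ == "__main__":
    for princ, verdict in diagnose(APACHE_LOG, KLIST_OUTPUT):
        print(f"{princ}: {verdict}: {ADVICE[verdict]}")
```

The distinction matters operationally: a stale keytab means someone rotated the key on the KDC (for example by re-exporting it elsewhere) and the service just needs the current export, whereas a same-kvno mismatch means the keytab on the host was produced independently of the KDC's current key and should be replaced outright, as was done here.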
