Ticket was cloned from Red Hat Bugzilla (product Red Hat Enterprise Linux 7): Bug 1168962
Description of problem:

When the same test is executed as in bug 1008777 (https://fedorahosted.org/gss-proxy/wiki/Apache) and selinux is switched to permissive because of the mentioned bug, the scenario is working on x86_64 and ppc64le architectures but not on ppc64 and s390x. Not sure if the problem is in gssproxy (but it looks like it); I was not able to get closer to the root cause. The test page is accessible directly with mod_auth_kerb on all architectures; problems start when gssproxy is configured.

Version-Release number of selected component (if applicable):
gssproxy-0.3.0-9.el7.s390x
krb5-libs-1.12.2-8.el7.s390x
httpd-2.4.6-29.el7.s390x
mod_auth_kerb-5.4-28.el7.s390x
selinux-policy-3.13.1-9.el7.noarch

How reproducible:
always

Steps to Reproduce:
1. KDC set up, keytab created
...

# setenforce 0

# cat /var/www/html/private
Test page to test GSSAPI through gssproxy

# cat /etc/httpd/conf.d/gssapi.conf
<Location /private>
    AuthType Kerberos
    AuthName "Kerberos Login"
    KrbMethodNegotiate On
    require valid-user
</Location>

# cat /etc/sysconfig/httpd
LANG=C
GSS_USE_PROXY=1

# cat /etc/gssproxy/gssproxy.conf
[service/HTTP]
  mechs = krb5
  cred_store = keytab:/var/lib/gssproxy/clients/http.keytab
  cred_store = ccache:/var/lib/gssproxy/clients/krb5cc_%U
  euid = 48

# klist -kt /var/lib/gssproxy/clients/http.keytab
Keytab name: FILE:/var/lib/gssproxy/clients/http.keytab
KVNO Timestamp           Principal
---- ------------------- ------------------------------------------------------
   2 11/28/2014 08:10:04 HTTP/ibm-z10-35.rhts.eng.bos.redhat.com@ZMRAZ.COM
   2 11/28/2014 08:10:04 HTTP/ibm-z10-35.rhts.eng.bos.redhat.com@ZMRAZ.COM
   2 11/28/2014 08:10:04 HTTP/ibm-z10-35.rhts.eng.bos.redhat.com@ZMRAZ.COM
   2 11/28/2014 08:10:04 HTTP/ibm-z10-35.rhts.eng.bos.redhat.com@ZMRAZ.COM
   2 11/28/2014 08:10:04 HTTP/ibm-z10-35.rhts.eng.bos.redhat.com@ZMRAZ.COM
   2 11/28/2014 08:10:04 HTTP/ibm-z10-35.rhts.eng.bos.redhat.com@ZMRAZ.COM
   2 11/28/2014 08:10:04 HTTP/ibm-z10-35.rhts.eng.bos.redhat.com@ZMRAZ.COM
   2 11/28/2014 08:10:04 HTTP/ibm-z10-35.rhts.eng.bos.redhat.com@ZMRAZ.COM

# echo aaa | kinit alice
Password for alice@ZMRAZ.COM:

# klist
Ticket cache: KEYRING:persistent:0:krb_ccache_PKowI4K
Default principal: alice@ZMRAZ.COM

Valid starting       Expires              Service principal
11/28/2014 09:12:55  11/29/2014 09:12:55  krbtgt/ZMRAZ.COM@ZMRAZ.COM

# curl --negotiate -u : -i http://`hostname`/private
HTTP/1.1 401 Unauthorized
Date: Fri, 28 Nov 2014 14:13:02 GMT
Server: Apache/2.4.6 (Red Hat Enterprise Linux) mod_auth_kerb/5.4
WWW-Authenticate: Negotiate
WWW-Authenticate: Basic realm="Kerberos Login"
Content-Length: 381
Content-Type: text/html; charset=iso-8859-1

HTTP/1.1 500 Internal Server Error
Date: Fri, 28 Nov 2014 14:13:02 GMT
Server: Apache/2.4.6 (Red Hat Enterprise Linux) mod_auth_kerb/5.4
Content-Length: 527
Connection: close
Content-Type: text/html; charset=iso-8859-1

<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>500 Internal Server Error</title>
</head><body>
<h1>Internal Server Error</h1>
<p>The server encountered an internal error or misconfiguration and was unable to complete your request.</p>
<p>Please contact the server administrator at root@localhost to inform them of the time this error occurred, and the actions you performed just before this error.</p>
<p>More information about this error may be available in the server error log.</p>
</body></html>

# klist
Ticket cache: KEYRING:persistent:0:krb_ccache_PKowI4K
Default principal: alice@ZMRAZ.COM

Valid starting       Expires              Service principal
11/28/2014 09:13:02  11/29/2014 09:12:55  HTTP/ibm-z10-35.rhts.eng.bos.redhat.com@ZMRAZ.COM
11/28/2014 09:12:55  11/29/2014 09:12:55  krbtgt/ZMRAZ.COM@ZMRAZ.COM

Actual results:

# gssproxy -i -d
Debug Enabled
Client connected (fd = 10) (pid = 31897) (uid = 48) (gid = 48) (context = system_u:system_r:httpd_t:s0)
gp_rpc_execute: executing 6 (GSSX_ACQUIRE_CRED) for service "HTTP", euid: 48, socket: (null)
gp_rpc_execute: executing 6 (GSSX_ACQUIRE_CRED) for service "HTTP", euid: 48, socket: (null)
gp_rpc_execute: executing 6 (GSSX_ACQUIRE_CRED) for service "HTTP", euid: 48, socket: (null)
gp_rpc_execute: executing 6 (GSSX_ACQUIRE_CRED) for service "HTTP", euid: 48, socket: (null)
gp_rpc_execute: executing 6 (GSSX_ACQUIRE_CRED) for service "HTTP", euid: 48, socket: (null)
gp_rpc_execute: executing 6 (GSSX_ACQUIRE_CRED) for service "HTTP", euid: 48, socket: (null)
gp_rpc_execute: executing 6 (GSSX_ACQUIRE_CRED) for service "HTTP", euid: 48, socket: (null)
gp_rpc_execute: executing 6 (GSSX_ACQUIRE_CRED) for service "HTTP", euid: 48, socket: (null)
gp_rpc_execute: executing 6 (GSSX_ACQUIRE_CRED) for service "HTTP", euid: 48, socket: (null)

==> /var/log/httpd/error_log <==
[Fri Nov 28 09:13:02.255605 2014] [auth_kerb:error] [pid 31901] [client 10.16.66.226:47582] gss_acquire_cred() failed: Unspecified GSS failure. Minor code may provide more information (, Permission denied)
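The following is an added example and is not code from the gss-proxy project or from this ticket. Before chasing an architecture-specific bug like the one above, it is worth ruling out the configuration itself: a static checker for the [service/...] sections of gssproxy.conf that keeps the repeated cred_store lines (which configparser would merge or reject), confirms a keytab cred_store is present with an absolute path and that the keytab is readable, and checks that euid is numeric. The key names and cred_store forms are the ones shown in the ticket; the second service section, the filesystem view and the finding messages are constructed for the example, and the "readable" predicate is injected so the check runs offline.

```python
"""Static checker for gssproxy.conf [service/...] sections (added example)."""
from typing import Callable, Dict, List, Tuple

# Ordered (key, value) pairs; repeated keys such as cred_store are preserved.
Section = List[Tuple[str, str]]


def parse_gssproxy_conf(text: str) -> Dict[str, Section]:
    """Parse gssproxy.conf-style text into {section_name: [(key, value), ...]}.

    A hand-written parser is used because configparser would either merge
    the two cred_store keys or refuse the file in strict mode.
    """
    sections: Dict[str, Section] = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(("#", ";")):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].strip()
            sections.setdefault(current, [])
            continue
        if current is None or "=" not in line:
            raise ValueError(f"unexpected line outside a section: {raw!r}")
        key, _, value = line.partition("=")
        sections[current].append((key.strip(), value.strip()))
    return sections


def check_service(name: str, section: Section,
                  readable: Callable[[str], bool]) -> List[str]:
    """Return findings for one [service/NAME] section.

    `readable(path)` answers whether the gssproxy process could read `path`;
    it is injected (assumption of this example) so the check can run against
    a constructed filesystem instead of the real one.
    """
    findings: List[str] = []
    values: Dict[str, List[str]] = {}
    for key, value in section:
        values.setdefault(key, []).append(value)

    if "mechs" not in values:
        findings.append(f"{name}: no 'mechs' line (e.g. mechs = krb5)")

    stores = values.get("cred_store", [])
    keytabs = [s.partition(":")[2] for s in stores if s.startswith("keytab:")]
    ccaches = [s.partition(":")[2] for s in stores if s.startswith("ccache:")]
    if not keytabs:
        findings.append(f"{name}: no keytab cred_store; an acceptor service "
                        "needs its service key")
    for path in keytabs + ccaches:
        if not path.startswith("/"):
            findings.append(f"{name}: cred_store path {path!r} is not absolute")
    for path in keytabs:
        if not readable(path):
            findings.append(f"{name}: keytab {path} missing or unreadable by "
                            "gssproxy (the client would only see "
                            "gss_acquire_cred() fail)")

    for euid in values.get("euid", []):
        if not euid.isdigit():
            findings.append(f"{name}: euid must be numeric, got {euid!r}")
    return findings


def check_conf(text: str, readable: Callable[[str], bool]) -> List[str]:
    """Run check_service over every [service/...] section in `text`."""
    findings: List[str] = []
    for name, section in parse_gssproxy_conf(text).items():
        if name.startswith("service/"):
            findings.extend(check_service(name, section, readable))
    return findings


# Constructed sample: the HTTP section from the ticket, plus a deliberately
# broken second section (no mechs, relative keytab, non-numeric euid).
SAMPLE_CONF = """
[service/HTTP]
  mechs = krb5
  cred_store = keytab:/var/lib/gssproxy/clients/http.keytab
  cred_store = ccache:/var/lib/gssproxy/clients/krb5cc_%U
  euid = 48

[service/nfs-server]
  cred_store = keytab:nfs.keytab
  euid = apache
"""

# Constructed filesystem view: only the HTTP keytab exists and is readable.
PRESENT = {"/var/lib/gssproxy/clients/http.keytab"}


def sample_findings() -> List[str]:
    """Findings for SAMPLE_CONF against the constructed filesystem."""
    return check_conf(SAMPLE_CONF, lambda path: path in PRESENT)


if __name__ == "__main__":
    for finding in sample_findings():
        print(finding)
```

Against the ticket's own section the checker is silent, which is what one wants to see before concluding, as the reporter did, that the failure is elsewhere; the broken second section yields one finding per defect.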
The original issue was fixed with this gssproxy commit (more or less the same as https://bugzilla.redhat.com/attachment.cgi?id=969676):
-- snip --
commit aa4fc60117a35a56735fdca533d0169c9c5f76d0
Author: Simo Sorce <simo@redhat.com>
Date:   Mon Dec 15 11:38:56 2014 -0500
-- snip --
... I've tested this on a Linux 4.0.0-0.rc5.git4.1.fc22.ppc64 and an S390 machine (hacked Hercules emulator) with gssproxy head and apache with mod_auth_kerb, and it works on both machines.
ToDo:
- run `$ make test` (because it's a lengthy and very time-eating process to do it manually)

... marking bug as FIXED.
Metadata Update from @dpal:
- Issue assigned to gisburn
- Issue set to the milestone: 2015 April