#290 SPNEGO doesn't work with FreeIPA 4.5
Opened a year ago by tkov. Modified 11 months ago

FreeIPA 4.5 uses gssproxy for keytab handling. Configuring own keytab in the same httpd process will be ignored.

The GssapiLocalName directive doesn't work, and causes the authentication to fail with "NO AUTH DATA Client did not send any authentication headers".

This issue was observed on a machine running CentOS 7.4, which comes with FreeIPA 4.5, both updated to 7.4 and clean install.


FreeIPA is enhancing the security of web applications by using gssproxy to perform privilege separation so that random web apps do not have direct access to the HTTP keytab.
In general it is not a great idea to run additional applications on the same HTTP server freeipa uses, but if that is needed then the gssproxy configuration needs to be adjusted accordingly.

Metadata Update from @simo:
- Custom field component adjusted to None
- Custom field type adjusted to None
- Custom field version adjusted to None

a year ago

I understand the rationale behind gssproxy; I just wasn't precise enough: Ipsilon's default configuration configures a custom keytab and GssLocalName, which makes it broken on CentOS/RHEL 7.4. The intent of this ticket is to make adjustments in the default configuration so that it works out of the box.

Ipsilon is also one of these additional applications that run on the same HTTP server that freeipa uses. For me, as a user, it was surprising that the change came in a stable release and wasn't documented in the release notes. There is no problem in adjusting the configuration, if you know what causes the failure.

GSSLocalName should cause no issues in either configuration; what are you seeing?
Sorry to hear it broke you, but I think FreeIPA's docs state that running other apps is not recommended/supported (exactly because we may break them when we make config changes).

with GSSLocalname:

[ipauser1@ipaclient ~]$ curl --negotiate -u : --verbose https://ipadc.intra.lan/idp/login/gssapi/negotiate
*   Trying 10.1.2.5...
* TCP_NODELAY set
* Connected to ipadc.intra.lan (10.1.2.5) port 443 (#0)
* Initializing NSS with certpath: sql:/etc/pki/nssdb
*   CAfile: none
  CApath: none
* loaded libnssckbi.so
* ALPN/NPN, server did not agree to a protocol
* SSL connection using TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA
* Server certificate:
*   subject: CN=ipadc.intra.lan,O=INTRA.LAN
*   start date: Sep 19 11:43:23 2017 GMT
*   expire date: Sep 20 11:43:23 2019 GMT
*   common name: ipadc.intra.lan
*   issuer: CN=Certificate Authority,O=INTRA.LAN
> GET /idp/login/gssapi/negotiate HTTP/1.1
> Host: ipadc.intra.lan
> User-Agent: curl/7.53.1
> Accept: */*
> 
< HTTP/1.1 401 Unauthorized
< Date: Wed, 20 Sep 2017 13:44:20 GMT
< Server: Apache/2.4.6 (CentOS) OpenSSL/1.0.2k-fips mod_auth_gssapi/1.5.1 mod_nss/1.0.14 NSS/3.28.4 mod_wsgi/3.4 Python/2.7.5
< Content-Security-Policy: frame-options 'deny'
< Pragma: no-cache
< Cache-Control: no-cache, no-store, must-revalidate, private
< X-Frame-Options: deny
< Set-Cookie: 065a5ccd-8cdb-4429-bf14-bd49054e9159=login; httponly; Max-Age=300; Path=/idp; secure
< Set-Cookie: 8bb28f7a-ee5b-40db-aa89-33ca3f49125c=login; httponly; Max-Age=300; Path=/idp; secure
< Set-Cookie: idp_ipsilon_session_id=05044b77d63865ae673b447400e98c16c5c1b86c; expires=Wed, 20 Sep 2017 14:44:20 GMT; httponly; Path=/idp; secure
< WWW-Authenticate: Negotiate
< Content-Length: 2538
< Content-Type: text/html;charset=utf-8
< 
* Ignoring the response-body
* Connection #0 to host ipadc.intra.lan left intact
* Issue another request to this URL: 'https://ipadc.intra.lan/idp/login/gssapi/negotiate'
* Found bundle for host ipadc.intra.lan: 0x557ce01c0880 [can pipeline]
* Re-using existing connection! (#0) with host ipadc.intra.lan
* Connected to ipadc.intra.lan (10.1.2.5) port 443 (#0)
* Server auth using Negotiate with user ''
> GET /idp/login/gssapi/negotiate HTTP/1.1
> Host: ipadc.intra.lan
> Authorization: Negotiate …
> User-Agent: curl/7.53.1
> Accept: */*
> 
< HTTP/1.1 401 Unauthorized
< Date: Wed, 20 Sep 2017 13:44:20 GMT
< Server: Apache/2.4.6 (CentOS) OpenSSL/1.0.2k-fips mod_auth_gssapi/1.5.1 mod_nss/1.0.14 NSS/3.28.4 mod_wsgi/3.4 Python/2.7.5
< Content-Security-Policy: frame-options 'deny'
< Pragma: no-cache
< Cache-Control: no-cache, no-store, must-revalidate, private
< X-Frame-Options: deny
< Set-Cookie: 4f3763d4-bdc0-4d9f-a388-ddf2c47604f1=login; httponly; Max-Age=300; Path=/idp; secure
< Set-Cookie: dd14f373-b1b5-40d8-93c6-4b7b55ada08f=login; httponly; Max-Age=300; Path=/idp; secure
< Set-Cookie: idp_ipsilon_session_id=bc9826cf098d160ffd566e21ba56682e6ccef028; expires=Wed, 20 Sep 2017 14:44:20 GMT; httponly; Path=/idp; secure
< WWW-Authenticate: Negotiate oYG3MIG0oAMKAQChCwYJKoZIhvcSAQICooGfBIGcYIGZBgkqhkiG9xIBAgICAG+BiTCBhqADAgEFoQMCAQ+iejB4oAMCARKicQRvJ8QKb0ZsFkn+IsUNcKGdRYNTPyh70vqQwqOh8eksY9YrMkd6kXrahzMeA6VJltDymva6L+uMEBR9yCIOiBsgXSLQ2pBvhvZucVF4PWDxrfVt1T0gkclbLR1mC3SxaxmStNVd9+wNBfmQO6MWfhJz
< Content-Length: 2538
< Content-Type: text/html;charset=utf-8
< 
<!DOCTYPE html>
<!--[if IE 8]><html class="ie8 login-pf"><![endif]-->
<!--[if gt IE 8]><!-->
<html class="login-pf">
<!--<![endif]-->
  <head>
    <title>Login</title>
    <meta charset="UTF-8">
    <meta name="viewport" content="width=device-width, initial-scale=1.0">
    <link href="/idp/ui/css/ipsilon.css" rel="stylesheet" media="screen, print">
    <link href="/idp/ui/css/styles.css" rel="stylesheet" media="screen, print">
  </head>
  <body>
    <a href="/idp/" id="badge" tabindex="-1">
      <img src="/idp/ui/img/logo.svg" alt="Ipsilon IdP" />
    </a>
    <div class="container">
      <div class="row">
        <div class="col-sm-12">
          <div id="brand">
            <img src="/idp/ui/img/brand-lg.png" alt="Ipsilon">
          </div>
        </div>





<div class="col-sm-7 col-md-6 col-lg-5 login">
  <form class="form-horizontal" role="form" id="login_form" action="/idp/login/form" method="post" enctype="application/x-www-form-urlencoded">
    <input type="hidden" name="ipsilon_transaction_id" id="ipsilon_transaction_id" value="b4b70155-c4ad-4364-8252-30fdf1bac9f6">
    <div class="form-group ">
      <label for="login_name" class="col-sm-2 col-md-2 control-label">Username</label>
      <div class="col-sm-10 col-md-10">
        <input type="text" class="form-control" name="login_name" id="login_name" placeholder="" tabindex="1" value="">
      </div>
    </div>
    <div class="form-group">
      <label for="login_password" class="col-sm-2 col-md-2 control-label">Password</label>
      <div class="col-sm-10 col-md-10">
        <input type="password" class="form-control" name="login_password" id="login_password" placeholder="" tabindex="2">
      </div>
    </div>
    <div class="form-group">
      <div class="col-sm-offset-2 col-md-offset-2 col-xs-12 col-sm-10 col-md-10 submit">

          <a href="/idp/login/cancel?ipsilon_transaction_id=b4b70155-c4ad-4364-8252-30fdf1bac9f6" title="Cancel" class="btn btn-link" tabindex="4">Cancel</a>

        <button type="submit" value="login" class="btn btn-primary btn-lg" tabindex="3">Log In</button>
      </div>
    </div>
  </form>
</div>

<div class="col-sm-5 col-md-6 col-lg-7 details">
  <p>Insert your Username and Password and then submit.</p>

  <hr>
  <p>Other authentication methods:
  <ul>

    <li><a href="/idp/login/gssapi/negotiate?ipsilon_transaction_id=b4b70155-c4ad-4364-8252-30fdf1bac9f6" class="btn btn-link" tabindex="5">gssapi</a></li>

  </ul>
  </p>

</div>


      </div>
    </div>
  </body>
* Connection #0 to host ipadc.intra.lan left intact
</html>[ipauser1@ipaclient ~]$

/var/log/httpd/error_log:

[Wed Sep 20 15:44:14.018478 2017] [:error] [pid 1910] ipa: INFO: *** PROCESS START ***
[Wed Sep 20 15:44:20.391740 2017] [auth_gssapi:error] [pid 1913] [client 10.1.2.45:60670] NO AUTH DATA Client did not send any authentication headers
[Wed Sep 20 15:44:20.772406 2017] [:error] [pid 1912] [20/Sep/2017:15:44:20] ENGINE Started monitor thread 'Session cleanup'.
[Wed Sep 20 15:44:20.816067 2017] [:error] [pid 1912] 10.1.2.45 - - [20/Sep/2017:15:44:20] "GET /idp/login/gssapi/unauthorized HTTP/1.1" 401 2538 "" "curl/7.53.1"
[Wed Sep 20 15:44:20.828848 2017] [auth_gssapi:error] [pid 1913] [client 10.1.2.45:60670] GSS ERROR gss_localname() failed: [A required input parameter could not be read (Unknown error)]
[Wed Sep 20 15:44:20.863421 2017] [:error] [pid 1912] 10.1.2.45 - - [20/Sep/2017:15:44:20] "GET /idp/login/gssapi/unauthorized HTTP/1.1" 401 2538 "" "curl/7.53.1"

without GSSLocalName:

[ipauser1@ipaclient ~]$ curl --negotiate -u : --verbose https://ipadc.intra.lan/idp/login/gssapi/negotiate
*   Trying 10.1.2.5...
* TCP_NODELAY set
* Connected to ipadc.intra.lan (10.1.2.5) port 443 (#0)
* Initializing NSS with certpath: sql:/etc/pki/nssdb
*   CAfile: none
  CApath: none
* loaded libnssckbi.so
* ALPN/NPN, server did not agree to a protocol
* SSL connection using TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA
* Server certificate:
*   subject: CN=ipadc.intra.lan,O=INTRA.LAN
*   start date: Sep 19 11:43:23 2017 GMT
*   expire date: Sep 20 11:43:23 2019 GMT
*   common name: ipadc.intra.lan
*   issuer: CN=Certificate Authority,O=INTRA.LAN
> GET /idp/login/gssapi/negotiate HTTP/1.1
> Host: ipadc.intra.lan
> User-Agent: curl/7.53.1
> Accept: */*
> 
< HTTP/1.1 401 Unauthorized
< Date: Wed, 20 Sep 2017 13:39:28 GMT
< Server: Apache/2.4.6 (CentOS) OpenSSL/1.0.2k-fips mod_auth_gssapi/1.5.1 mod_nss/1.0.14 NSS/3.28.4 mod_wsgi/3.4 Python/2.7.5
< Content-Security-Policy: frame-options 'deny'
< Pragma: no-cache
< Cache-Control: no-cache, no-store, must-revalidate, private
< X-Frame-Options: deny
< Set-Cookie: 9ba0878a-a81b-49cb-8248-fe255539e261=login; httponly; Max-Age=300; Path=/idp; secure
< Set-Cookie: da1b6f5f-ede0-47b2-8462-2c698596c766=login; httponly; Max-Age=300; Path=/idp; secure
< Set-Cookie: idp_ipsilon_session_id=7bc3f8687ca3b046f32fb7fb0e4a9361530f310d; expires=Wed, 20 Sep 2017 14:39:28 GMT; httponly; Path=/idp; secure
< WWW-Authenticate: Negotiate
< Content-Length: 2538
< Content-Type: text/html;charset=utf-8
< 
* Ignoring the response-body
* Connection #0 to host ipadc.intra.lan left intact
* Issue another request to this URL: 'https://ipadc.intra.lan/idp/login/gssapi/negotiate'
* Found bundle for host ipadc.intra.lan: 0x5576a6281880 [can pipeline]
* Re-using existing connection! (#0) with host ipadc.intra.lan
* Connected to ipadc.intra.lan (10.1.2.5) port 443 (#0)
* Server auth using Negotiate with user ''
> GET /idp/login/gssapi/negotiate HTTP/1.1
> Host: ipadc.intra.lan
> Authorization: Negotiate YIICfwYGKwYBBQUCoIICczCCAm+gDTALBgkqhkiG9xIBAgKiggJcBIICWGCCAlQGCSqGSIb3EgECAgEAboICQzCCAj+gAwIBBaEDAgEOogcDBQAgAAAAo4IBVmGCAVIwggFOoAMCAQWhCxsJSU5UUkEuTEFOoiIwIKADAgEDoRkwFxsESFRUUBsPaXBhZGMuaW50cmEubGFuo4IBFDCCARCgAwIBEqEDAgECooIBAgSB/+RKyDf/9wA2r3gjXozuFmpTt9Qb3Iqd9PTQJ3OdxGNgZk54t+xKyi8HfiRtzTYy98lknUp7QUQOqsuFra3R71iB2QbaFZ0gt/Z4CMoD0SgHd1Ej1Ix2x1dhwV/Wtwyhrx9qDcvHGHsa4eLlwm71PIP41yDa+KWmQ6S19b7aAnuQ7U9Kin4jT6tvLcaiAMxpbWHxEpM+n+joK150sA3lr3p3eU27NwlZqRKkjMv5ELZEXpM8V+um4Z1M0CfXjQKf3MXgkyNjEslvrXyNOZC3gF0OrrZIcBppjJTCf80XRNaRGRzh0EbKQJJ7NhJGTTRy8EF+FMJkxYPWSzxaKqtcSKSBzzCBzKADAgESooHEBIHBwV4xt/+CMHYKx2OSu/HOLAgoSc3xjG0exZU4E3XjcYyd7p/Oz1DCl5fpt6KzWEAeX+588HD7yej+uMpLwCCzJhSKu/BEWhmXWx+YDDtCSu7CsvzECsbH6FiXZKI+OGA+gdM0tQ5FEAnUbBPUuInmnWt+vLA87mfiTbSKuTvmNP8p1UHek0XS9SSniMh/3+6Mp8EjEK5xShmL7crkkulCyLyULihAkdLZHTR5JF8cRQ9YQ2KGbvema/Iyx8Y8nM0m0A==
> User-Agent: curl/7.53.1
> Accept: */*
> 
< HTTP/1.1 303 See Other
< Date: Wed, 20 Sep 2017 13:39:28 GMT
< Server: Apache/2.4.6 (CentOS) OpenSSL/1.0.2k-fips mod_auth_gssapi/1.5.1 mod_nss/1.0.14 NSS/3.28.4 mod_wsgi/3.4 Python/2.7.5
< Content-Security-Policy: frame-options 'deny'
< Pragma: no-cache
< Cache-Control: no-cache, no-store, must-revalidate, private
< X-Frame-Options: deny
< Set-Cookie: 45456db3-a22c-43de-8852-89f3681a7f87=login; httponly; Max-Age=300; Path=/idp; secure
< Set-Cookie: af278ae2-80ab-43fc-867f-73f6c58d2fd8=login; expires=Wed, 20 Sep 2017 13:39:28 GMT; httponly; Max-Age=300; Path=/idp; secure
< Set-Cookie: idp_ipsilon_session_id=ca86742bf677d1a196248e238b10bfc8bae121cf; expires=Wed, 20 Sep 2017 14:39:28 GMT; httponly; Path=/idp; secure
< WWW-Authenticate: Negotiate oYG3MIG0oAMKAQChCwYJKoZIhvcSAQICooGfBIGcYIGZBgkqhkiG9xIBAgICAG+BiTCBhqADAgEFoQMCAQ+iejB4oAMCARKicQRvTqCg5T4dbKwvUmuwtunIvgir43VQN6W33tbn87U2inLbAC2prXQbmctNVU0FrLYyrkkb0OJZgPCawmvGXUc4l4XB+HbIxDktnS6kAFr96k1ItSZ900Y2BP2nzvBTpEs6S7gN03fgYAhkvzHlMbiu
< Content-Length: 102
< Location: https://ipadc.intra.lan/idp/
< Content-Type: text/html;charset=utf-8
< 
* Closing connection 0
This resource can be found at <a href='https://ipadc.intra.lan/idp/'>https://ipadc.intra.lan/idp/</a>.
[ipauser1@ipaclient ~]$

/var/log/httpd/error_log:

[Wed Sep 20 15:36:01.913768 2017] [:error] [pid 1407] ipa: INFO: *** PROCESS START ***
[Wed Sep 20 15:38:08.631178 2017] [:error] [pid 1409] [20/Sep/2017:15:38:08] ENGINE Started monitor thread 'Session cleanup'.
[Wed Sep 20 15:38:08.649285 2017] [:error] [pid 1409] 10.1.2.45 - - [20/Sep/2017:15:38:08] "GET /idp/ HTTP/1.1" 200 2474 "" "curl/7.53.1"
[Wed Sep 20 15:38:47.512174 2017] [:error] [pid 1409] 10.1.2.45 - - [20/Sep/2017:15:38:47] "GET /idp/login/gssapi HTTP/1.1" 303 146 "" "curl/7.53.1"
[Wed Sep 20 15:39:28.625611 2017] [auth_gssapi:error] [pid 1413] [client 10.1.2.45:60666] NO AUTH DATA Client did not send any authentication headers
[Wed Sep 20 15:39:28.701960 2017] [:error] [pid 1409] 10.1.2.45 - - [20/Sep/2017:15:39:28] "GET /idp/login/gssapi/unauthorized HTTP/1.1" 401 2538 "" "curl/7.53.1"
[Wed Sep 20 15:39:28.768174 2017] [:error] [pid 1409] [20/Sep/2017:15:39:28]  LOGIN SUCCESSFUL: ipauser1
[Wed Sep 20 15:39:28.801504 2017] [:error] [pid 1409] 10.1.2.45 - ipauser1@INTRA.LAN [20/Sep/2017:15:39:28] "GET /idp/login/gssapi/negotiate HTTP/1.1" 303 102 "" "curl/7.53.1"
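
Both curl transcripts above end with the server sending a WWW-Authenticate: Negotiate token that starts with the same bytes. Decoded, that prefix is a SPNEGO NegTokenResp whose negState is accept-completed and whose supportedMech is the Kerberos V5 OID, so the Kerberos exchange itself succeeds in both runs; the GssapiLocalName run fails only afterwards, at gss_localname(), which is exactly what the two error_log excerpts show. The script below is an added example (not Ipsilon or FreeIPA code) that makes that diagnosis mechanically: a small DER walker reads negState and supportedMech from the server token, and a log triage step separates the routine "NO AUTH DATA" 401 challenge (logged on every first request that carries no Authorization header) from the real gss_localname() failure. The token prefix and the log lines are copied from this ticket as constructed sample input; the function names, regex and classification labels are the example's own.

```python
import base64
import re

# Constructed sample inputs, copied from this ticket. The server's final
# "WWW-Authenticate: Negotiate ..." token begins with these 40 base64 characters in both
# runs; only this leading DER structure is needed to read negState and supportedMech.
SERVER_TOKEN_PREFIX = "oYG3MIG0oAMKAQChCwYJKoZIhvcSAQICooGfBIGc"

LOG_WITH_LOCALNAME = """\
[Wed Sep 20 15:44:20.391740 2017] [auth_gssapi:error] [pid 1913] [client 10.1.2.45:60670] NO AUTH DATA Client did not send any authentication headers
[Wed Sep 20 15:44:20.828848 2017] [auth_gssapi:error] [pid 1913] [client 10.1.2.45:60670] GSS ERROR gss_localname() failed: [A required input parameter could not be read (Unknown error)]
"""

LOG_WITHOUT_LOCALNAME = """\
[Wed Sep 20 15:39:28.625611 2017] [auth_gssapi:error] [pid 1413] [client 10.1.2.45:60666] NO AUTH DATA Client did not send any authentication headers
[Wed Sep 20 15:39:28.768174 2017] [:error] [pid 1409] [20/Sep/2017:15:39:28]  LOGIN SUCCESSFUL: ipauser1
"""

KERBEROS_OID = "1.2.840.113554.1.2.2"
NEG_STATES = {0: "accept-completed", 1: "accept-incomplete", 2: "reject", 3: "request-mic"}


def _der_tlv(buf, pos):
    """Return (tag, value_start, value_end) of the DER element at pos; handles long-form lengths."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                       # long form: low 7 bits give the number of length bytes
        nbytes = length & 0x7F
        length = int.from_bytes(buf[pos:pos + nbytes], "big")
        pos += nbytes
    return tag, pos, pos + length


def _decode_oid(raw):
    """Decode a DER OBJECT IDENTIFIER value into dotted form."""
    arcs, value = [raw[0] // 40, raw[0] % 40], 0
    for b in raw[1:]:
        value = (value << 7) | (b & 0x7F)
        if not b & 0x80:                    # last byte of this base-128 arc
            arcs.append(value)
            value = 0
    return ".".join(str(a) for a in arcs)


def parse_neg_token_resp(token_b64):
    """Read negState and supportedMech from a SPNEGO NegTokenResp (RFC 4178, 4.2.2).
    A truncated token is fine because only the leading fields are walked."""
    raw = base64.b64decode(token_b64 + "=" * (-len(token_b64) % 4))
    tag, pos, _ = _der_tlv(raw, 0)          # [1] NegTokenResp
    if tag != 0xA1:
        raise ValueError("not a NegTokenResp: leading tag 0x%02x" % tag)
    tag, pos, _ = _der_tlv(raw, pos)        # SEQUENCE
    if tag != 0x30:
        raise ValueError("NegTokenResp without SEQUENCE")
    result = {"negState": None, "supportedMech": None}
    while pos < len(raw):
        tag, vstart, vend = _der_tlv(raw, pos)
        if tag == 0xA0:                     # negState [0] ENUMERATED
            _, s, e = _der_tlv(raw, vstart)
            result["negState"] = NEG_STATES.get(raw[s:e][0], "unknown")
        elif tag == 0xA1:                   # supportedMech [1] OBJECT IDENTIFIER
            _, s, e = _der_tlv(raw, vstart)
            result["supportedMech"] = _decode_oid(raw[s:e])
        else:                               # responseToken / mechListMIC: not needed here
            break
        pos = vend
    return result


LOG_RE = re.compile(
    r"^\[(?P<ts>[^\]]+)\] \[auth_gssapi:(?P<level>\w+)\] \[pid \d+\] "
    r"\[client (?P<client>[^\]]+)\] (?P<msg>.*)$"
)


def triage_auth_gssapi(log_text):
    """Classify mod_auth_gssapi lines: 'NO AUTH DATA' on the header-less first request is the
    normal 401 challenge; a 'GSS ERROR' logged afterwards is the failure worth acting on."""
    findings = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue                        # other modules' lines are not mod_auth_gssapi errors
        msg = m.group("msg")
        if msg.startswith("NO AUTH DATA"):
            kind = "challenge"
        elif msg.startswith("GSS ERROR gss_localname()"):
            kind = "localname-failure"
        elif msg.startswith("GSS ERROR"):
            kind = "gss-failure"
        else:
            kind = "other"
        findings.append((kind, m.group("client"), msg))
    return findings


def diagnose(server_token_b64, log_text):
    """accept-completed plus a gss_localname() error means the Kerberos context was established
    and the failure lies in the later principal-to-local-user mapping step."""
    spnego = parse_neg_token_resp(server_token_b64)
    kinds = {kind for kind, _, _ in triage_auth_gssapi(log_text)}
    if spnego["negState"] != "accept-completed" or spnego["supportedMech"] != KERBEROS_OID:
        return "context not established: %r" % spnego
    if "localname-failure" in kinds:
        return "context established; gss_localname() failed after authentication"
    if kinds <= {"challenge"}:
        return "context established; no GSS error logged"
    return "context established; other GSS error logged"


if __name__ == "__main__":
    for label, log in (("with GssapiLocalName", LOG_WITH_LOCALNAME),
                       ("without GssapiLocalName", LOG_WITHOUT_LOCALNAME)):
        print("%-24s %s" % (label + ":", diagnose(SERVER_TOKEN_PREFIX, log)))
```

Run as-is it reports the two runs from this ticket; pointed at a full error_log and the server token from a fresh curl --negotiate -v run it tells you whether to look at the Kerberos side (negState not accept-completed) or at the GssapiLocalName mapping (context established, gss_localname() error), without treating the routine NO AUTH DATA challenge as a failure.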

Uhmmm this is unexpected, thanks for reporting.

I'm hitting the same issue on a host that has a FreeIPA replica and Ipsilon.

