Bug
Resolution: Unresolved
rhel-8.7.0
Moderate
rhel-sst-idm-ipa
ssg_idm
Description of problem:
The customer relies on the following krb5.conf configuration to map a Kerberos principal to the local root user for their web application:
~~~
[realms]
EXAMPLE.COM = {
kdc = kerberos.example.com
auth_to_local_names =
}
~~~
However, the mapping no longer takes effect after upgrading
krb5-workstation from krb5-workstation-1.18.2-8.3.el8_4 to 1.18.2-22.el8_7.
httpd access log before the upgrade (alice becomes root, which is what the customer wants):
~~~
10.0.0.101 - - [15/Mar/2023:12:49:33 +1030] "GET /webapp/ HTTP/1.1" 401 381 "-" "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.2; WOW64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729; Zoom 3.6.0)"
10.0.0.101 - root [15/Mar/2023:12:49:33 +1030] "GET /webapp/ HTTP/1.1" 304 - "-" "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.2; WOW64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729; Zoom 3.6.0)"
10.0.0.101 - root [15/Mar/2023:12:49:33 +1030] "GET /webapp/CBS.css HTTP/1.1" 304 - "http://appserver1/webapp/" "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.2; WOW64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729; Zoom 3.6.0)"
~~~
httpd access log after the upgrade (alice is still alice):
~~~
10.0.0.101 - alice [15/Mar/2023:12:53:04 +1030] "GET /webapp/ HTTP/1.1" 304 - "-" "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.2; WOW64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729; Zoom 3.6.0)"
10.0.0.101 - alice [15/Mar/2023:12:53:04 +1030] "GET /webapp/CBS.css HTTP/1.1" 304 - "http://appserver1/webapp/" "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.2; WOW64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729; Zoom 3.6.0)"
10.0.0.101 - alice [15/Mar/2023:12:53:04 +1030] "GET /webapp/images/poweredbyebix.gif HTTP/1.1" 304 - "http://appserver1/webapp/" "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.2; WOW64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729; Zoom 3.6.0)"
~~~
However, mapping alice to cindy (a non-root user) still works after the upgrade:
~~~
10.0.0.101 - cindy [16/Feb/2023:09:38:05 +1030] "GET /webapp HTTP/1.1" 301 230 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/109.0.0.0 Safari/537.36"
10.0.0.101 - cindy [16/Feb/2023:09:38:05 +1030] "GET /webapp/ HTTP/1.1" 200 1853 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/109.0.0.0 Safari/537.36"
10.0.0.101 - cindy [16/Feb/2023:09:38:05 +1030] "GET /webapp/CBS.css HTTP/1.1" 200 1548 "http://appserver3/webapp/" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/109.0.0.0 Safari/537.36"
~~~
Version-Release number of selected component (if applicable):
krb5-workstation-1.18.2-22.el8_7 (regression from krb5-workstation-1.18.2-8.3.el8_4)
How reproducible:
Always with krb5-workstation-1.18.2-22.el8_7;
not reproducible with krb5-workstation-1.18.2-8.3.el8_4.
Steps to Reproduce:
1. Log in to the web application as alice, with the auth_to_local_names mapping above in place.
Actual results:
alice is still alice; the auth_to_local_names mapping is not applied.
Expected results:
alice becomes root; the auth_to_local_names mapping is applied.
Additional info:
The mod_auth_gssapi upgrade (1.6.1-7.1.el8 to 1.6.1-9.el8) also looked related,
so we tested downgrading it; the behaviour does not change.
mod_auth_gssapi changelog entries that seem related:
~~~
- Thu Apr 28 2022 Francisco Trivino <ftrivino@redhat.com> 1.6.1-9
- Add missing repos to the osci tests
- Fix gss localname test to work with older gssapi version
- Resolves: #2083122
- Add ability to expose the used mechanism
- Resolves: #2046231
- Wed Apr 27 2022 Francisco Trivino <ftrivino@redhat.com> 1.6.1-8
- Add test for gss_localname
- Fix gss_localname with SPNEGO wrapping
~~~
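Two checks a practitioner would want alongside this report, as an added example that is not part of the bug report nor of krb5 or mod_auth_gssapi: a parser for the krb5.conf `auth_to_local_names` subsection that flags entries mapping a principal to root (the least-privilege question behind the customer's setup), and a scan of httpd access-log lines that reports requests whose REMOTE_USER is still the unmapped principal, which is the post-upgrade symptom shown above. The krb5.conf fragment and log lines are constructed for the example; the `alice = root` and `bob = cindy` entries are assumptions, since the report's fragment leaves the `auth_to_local_names` body empty.

```python
import re
from typing import Dict, List, Optional, Tuple

# Constructed krb5.conf fragment for this example (not the customer's file).
# The bug report's fragment leaves the auth_to_local_names body empty; the
# two entries below are assumptions that reproduce the described behaviour.
SAMPLE_KRB5_CONF = """
[libdefaults]
    default_realm = EXAMPLE.COM

[realms]
    EXAMPLE.COM = {
        kdc = kerberos.example.com
        auth_to_local_names = {
            alice = root
            bob = cindy
        }
    }
"""

# Constructed Apache combined-log lines modelled on the report's excerpt
# (User-Agent shortened). The third field is REMOTE_USER as set by mod_auth_gssapi.
SAMPLE_ACCESS_LOG = [
    '10.0.0.101 - - [15/Mar/2023:12:49:33 +1030] "GET /webapp/ HTTP/1.1" 401 381 "-" "UA"',
    '10.0.0.101 - root [15/Mar/2023:12:49:33 +1030] "GET /webapp/ HTTP/1.1" 304 - "-" "UA"',
    '10.0.0.101 - alice [15/Mar/2023:12:53:04 +1030] "GET /webapp/ HTTP/1.1" 304 - "-" "UA"',
    '10.0.0.101 - cindy [16/Feb/2023:09:38:05 +1030] "GET /webapp/ HTTP/1.1" 200 1853 "-" "UA"',
]

_SECTION_RE = re.compile(r"\[(\w+)\]")
_OPEN_RE = re.compile(r"([^=\s]+)\s*=\s*\{")
_KV_RE = re.compile(r"([^=\s]+)\s*=\s*(.*)")
_LOG_RE = re.compile(r'^(\S+) (\S+) (\S+) \[[^\]]+\] "[^"]*" (\d{3}) ')


def parse_auth_to_local_names(conf_text: str) -> Dict[str, Dict[str, str]]:
    """Return {realm: {principal_name: local_user}} from krb5.conf text.

    Walks MIT krb5's brace-nested profile syntax and records only entries
    two levels deep under [realms]:
        [realms] -> REALM = { -> auth_to_local_names = { -> name = local
    Whole-line comments starting with '#' or ';' are skipped, matching
    how the krb5 profile library treats them.
    """
    mapping: Dict[str, Dict[str, str]] = {}
    section: Optional[str] = None
    stack: List[str] = []  # names of currently open '{' blocks, innermost last
    for raw in conf_text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        m = _SECTION_RE.fullmatch(line)
        if m:
            section, stack = m.group(1), []
            continue
        if line == "}":
            if stack:
                stack.pop()
            continue
        m = _OPEN_RE.fullmatch(line)
        if m:
            stack.append(m.group(1))
            continue
        m = _KV_RE.fullmatch(line)
        if (m and section == "realms" and len(stack) == 2
                and stack[1] == "auth_to_local_names"):
            mapping.setdefault(stack[0], {})[m.group(1)] = m.group(2).strip()
    return mapping


def root_mappings(mapping: Dict[str, Dict[str, str]]) -> List[Tuple[str, str]]:
    """(realm, principal) pairs mapped to the local root account. Each such
    entry hands uid-0 identity to whoever holds that Kerberos principal,
    so it deserves explicit review rather than silent acceptance."""
    return [(realm, name) for realm, names in mapping.items()
            for name, local in names.items() if local == "root"]


def remote_user(line: str) -> Optional[str]:
    """REMOTE_USER field of a combined-format access-log line, or None if
    the line does not parse. '-' means the request was not authenticated."""
    m = _LOG_RE.match(line)
    return m.group(3) if m else None


def unmapped_logins(lines: List[str], mapping: Dict[str, Dict[str, str]],
                    realm: str) -> List[str]:
    """Lines whose REMOTE_USER is a principal that auth_to_local_names should
    have renamed. After the krb5-workstation upgrade in the report, 'alice'
    shows up here; before it, the same login is logged as 'root'."""
    names = mapping.get(realm, {})
    return [line for line in lines
            if (user := remote_user(line)) in names and names[user] != user]


if __name__ == "__main__":
    m = parse_auth_to_local_names(SAMPLE_KRB5_CONF)
    print("mappings:", m)
    print("mapped to root:", root_mappings(m))
    for hit in unmapped_logins(SAMPLE_ACCESS_LOG, m, "EXAMPLE.COM"):
        print("mapping NOT applied:", hit)
```

Run it against the real /etc/krb5.conf and /var/log/httpd/access_log on the affected host: any line reported by `unmapped_logins` is a request that authenticated as the raw principal, i.e. the mapping did not fire, and anything in `root_mappings` is the set of principals that are being granted root when it does.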