FreeIPA Foreman and Kerberos

**Problem:** Not able to configure Kerberos autologin via FreeIPA

**Expected outcome:** When I get a ticket from FreeIPA, I should be auto-logged in (already logged in using user/password); however, I am getting an error

**Foreman and Proxy versions:** 2.1.2

**Foreman and Proxy plugin versions:** remote execution, ansible and freeipa authentication

**Distribution and version:** CentOS 7.8.2003

**Other relevant data:** The following errors appear in Apache's error.log (debug on) once a ticket is obtained from FreeIPA; however, using the same Kerberos ticket, I was able to auto-login to FreeIPA's web interface using Firefox

[Tue Sep 01 08:14:40.866706 2020] [auth_kerb:debug] [pid 16188] src/mod_auth_kerb.c(1155): [client redacted:50587] GSS-API major_status:00010000, minor_status:000186a5
[Tue Sep 01 08:14:40.866739 2020] [auth_kerb:error] [pid 16188] [client redacted:50587] gss_accept_sec_context() failed: An unsupported mechanism was requested (, Unknown error)

I think I've managed to solve the above error (rolling out and enrolling the Foreman instance), but I still can't get auto-logged in, even though the Apache log now shows that the user is properly authenticated:

[Tue Sep 01 12:58:55.795210 2020] [auth_kerb:debug] [pid 1597] src/mod_auth_kerb.c(1295): [client redacted:64309] Acquiring creds for HTTP@redacted
[Tue Sep 01 12:58:55.799335 2020] [auth_kerb:debug] [pid 1597] src/mod_auth_kerb.c(1708): [client redacted:64309] Verifying client data using KRB5 GSS-API
[Tue Sep 01 12:58:55.801291 2020] [auth_kerb:debug] [pid 1597] src/mod_auth_kerb.c(1724): [client redacted:64309] Client delegated us their credential
[Tue Sep 01 12:58:55.801322 2020] [auth_kerb:debug] [pid 1597] src/mod_auth_kerb.c(1743): [client redacted:64309] GSS-API token of length 22 bytes will be sent back
[Tue Sep 01 12:58:55.803075 2020] [auth_kerb:debug] [pid 1597] src/mod_auth_kerb.c(1855): [client redacted:64309] kerb_authenticate_a_name_to_local_name redacted@domain -> redacted
[Tue Sep 01 12:58:57.887328 2020] [authnz_pam:info] [pid 1597] [client redacted:64309] PAM authentication passed for user redacted
[Tue Sep 01 12:58:57.887877 2020] [authz_core:debug] [pid 1597] mod_authz_core.c(809): [client redacted:64309] AH01626: authorization result of Require pam-account foreman: granted
[Tue Sep 01 12:58:57.887893 2020] [authz_core:debug] [pid 1597] mod_authz_core.c(809): [client redacted:64309] AH01626: authorization result of : granted
[Tue Sep 01 12:58:57.888004 2020] [intercept_form_submit:debug] [pid 1597] mod_intercept_form_submit.c(416): [client redacted:64309] intercept_form_submit_init invoked
[Tue Sep 01 12:58:57.888013 2020] [intercept_form_submit:debug] [pid 1597] mod_intercept_form_submit.c(418): [client redacted:64309] skipping, no POST request
[Tue Sep 01 12:58:57.888305 2020] [lookup_identity:debug] [pid 1597] mod_lookup_identity.c(445): [client redacted:64309] invoked for user redacted
[Tue Sep 01 12:58:57.891173 2020] [lookup_identity:info] [pid 1597] [client redacted:64309] dbus call GetUserGroups returned group redacted
[Tue Sep 01 12:58:57.891205 2020] [lookup_identity:info] [pid 1597] [client redacted:64309] dbus call GetUserGroups returned group ipausers
[Tue Sep 01 12:58:57.891978 2020] [lookup_identity:info] [pid 1597] [client redacted:64309] dbus call GetUserAttr returned attr lastname=redacted
[Tue Sep 01 12:58:57.892013 2020] [lookup_identity:info] [pid 1597] [client redacted:64309] dbus call GetUserAttr returned attr email=redacted@domain
[Tue Sep 01 12:58:57.892022 2020] [lookup_identity:info] [pid 1597] [client redacted:64309] dbus call GetUserAttr returned attr firstname=yavor
[Tue Sep 01 12:58:57.892078 2020] [proxy:debug] [pid 1597] mod_proxy.c(1123): [client redacted:64309] AH01143: Running scheme http handler (attempt 0)
[Tue Sep 01 12:58:57.892121 2020] [proxy:debug] [pid 1597] proxy_util.c(2203): AH00942: HTTP: has acquired connection for (127.0.0.1)
[Tue Sep 01 12:58:57.892132 2020] [proxy:debug] [pid 1597] proxy_util.c(2256): [client redacted:64309] AH00944: connecting http://127.0.0.1:3000/users/extlogin to 127.0.0.1:3000
[Tue Sep 01 12:58:57.892236 2020] [proxy:debug] [pid 1597] proxy_util.c(2426): [client redacted:64309] AH00947: connected /users/extlogin to 127.0.0.1:3000
[Tue Sep 01 12:58:57.892403 2020] [proxy:debug] [pid 1597] proxy_util.c(2802): AH02824: HTTP: connection established with 127.0.0.1:3000 (127.0.0.1)
[Tue Sep 01 12:58:57.892427 2020] [proxy:debug] [pid 1597] proxy_util.c(2942): AH00962: HTTP: connection complete to 127.0.0.1:3000 (127.0.0.1)
[Tue Sep 01 12:58:57.920940 2020] [proxy:debug] [pid 1597] proxy_util.c(2218): AH00943: http: has released connection for (127.0.0.1)
[Tue Sep 01 12:58:57.928829 2020] [ssl:info] [pid 1599] [client redacted:64321] AH01964: Connection to child 6 established (server redacted:443)
[Tue Sep 01 12:58:57.929680 2020] [ssl:debug] [pid 1599] ssl_engine_kernel.c(1891): [client redacted:64321] AH02043: SSL virtual host for servername redacted found
[Tue Sep 01 12:58:57.932764 2020] [ssl:debug] [pid 1599] ssl_engine_kernel.c(1824): [client redacted:64321] AH02041: Protocol: TLSv1.2, Cipher: ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)
[Tue Sep 01 12:58:57.959838 2020] [ssl:debug] [pid 1597] ssl_engine_io.c(993): [client redacted:64309] AH02001: Connection closed to child 4 with standard shutdown (server redacted:443)
[Tue Sep 01 12:58:57.970712 2020] [ssl:debug] [pid 1599] ssl_engine_kernel.c(225): [client redacted:64321] AH02034: Initial (No.1) HTTPS request received for child 6 (server redacted:443)
[Tue Sep 01 12:58:57.970945 2020] [authz_core:debug] [pid 1599] mod_authz_core.c(835): [client redacted:64321] AH01628: authorization result: granted (no directives)
[Tue Sep 01 12:58:57.971029 2020] [intercept_form_submit:debug] [pid 1599] mod_intercept_form_submit.c(416): [client redacted:64321] intercept_form_submit_init invoked
[Tue Sep 01 12:58:57.971039 2020] [intercept_form_submit:debug] [pid 1599] mod_intercept_form_submit.c(418): [client redacted:64321] skipping, no POST request
[Tue Sep 01 12:58:57.971363 2020] [proxy:debug] [pid 1599] mod_proxy.c(1123): [client redacted:64321] AH01143: Running scheme http handler (attempt 0)
[Tue Sep 01 12:58:57.971394 2020] [proxy:debug] [pid 1599] proxy_util.c(2203): AH00942: HTTP: has acquired connection for (127.0.0.1)
[Tue Sep 01 12:58:57.971402 2020] [proxy:debug] [pid 1599] proxy_util.c(2256): [client redacted:64321] AH00944: connecting http://127.0.0.1:3000/users/login to 127.0.0.1:3000
[Tue Sep 01 12:58:57.971506 2020] [proxy:debug] [pid 1599] proxy_util.c(2426): [client redacted:64321] AH00947: connected /users/login to 127.0.0.1:3000
[Tue Sep 01 12:58:57.971629 2020] [proxy:debug] [pid 1599] proxy_util.c(2802): AH02824: HTTP: connection established with 127.0.0.1:3000 (127.0.0.1)
[Tue Sep 01 12:58:57.971657 2020] [proxy:debug] [pid 1599] proxy_util.c(2942): AH00962: HTTP: connection complete to 127.0.0.1:3000 (127.0.0.1)
[Tue Sep 01 12:58:58.014643 2020] [proxy:debug] [pid 1599] proxy_util.c(2218): AH00943: http: has released connection for (127.0.0.1)
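The debug log above contains the whole external-authentication chain in Apache (mod_auth_kerb GSS-API accept, mod_authnz_pam, mod_lookup_identity attribute lookup, mod_proxy hand-off to Foreman), and the tell-tale symptom is visible in it: the request authenticated by Apache is proxied to `/users/extlogin`, and the very next request from the same browser is proxied to `/users/login`. The script below is an added example, not part of the original post or of Foreman; it parses lines in the Apache 2.4 error_log layout shown above, groups them per client connection, decodes the GSS-API major status from the first error, and flags that extlogin-to-login bounce. The sample lines are constructed from the post (redactions kept as they appear there).

```python
"""Triage Apache debug output for the Foreman external-authentication chain.

Parses error_log lines of the kind quoted in the post, groups them by client
connection, and reports how far each request got through
GSS-API (mod_auth_kerb) -> PAM (mod_authnz_pam) -> SSSD lookup (mod_lookup_identity)
-> proxy to Foreman (mod_proxy), plus which backend path Foreman was asked for.
"""
import re
from collections import OrderedDict

# Constructed sample: a subset of the lines quoted in the post, values redacted as there.
SAMPLE_LOG = """\
[Tue Sep 01 08:14:40.866706 2020] [auth_kerb:debug] [pid 16188] src/mod_auth_kerb.c(1155): [client redacted:50587] GSS-API major_status:00010000, minor_status:000186a5
[Tue Sep 01 08:14:40.866739 2020] [auth_kerb:error] [pid 16188] [client redacted:50587] gss_accept_sec_context() failed: An unsupported mechanism was requested (, Unknown error)
[Tue Sep 01 12:58:55.795210 2020] [auth_kerb:debug] [pid 1597] src/mod_auth_kerb.c(1295): [client redacted:64309] Acquiring creds for HTTP@redacted
[Tue Sep 01 12:58:55.803075 2020] [auth_kerb:debug] [pid 1597] src/mod_auth_kerb.c(1855): [client redacted:64309] kerb_authenticate_a_name_to_local_name redacted@domain -> redacted
[Tue Sep 01 12:58:57.887328 2020] [authnz_pam:info] [pid 1597] [client redacted:64309] PAM authentication passed for user redacted
[Tue Sep 01 12:58:57.891205 2020] [lookup_identity:info] [pid 1597] [client redacted:64309] dbus call GetUserGroups returned group ipausers
[Tue Sep 01 12:58:57.892013 2020] [lookup_identity:info] [pid 1597] [client redacted:64309] dbus call GetUserAttr returned attr email=redacted@domain
[Tue Sep 01 12:58:57.892132 2020] [proxy:debug] [pid 1597] proxy_util.c(2256): [client redacted:64309] AH00944: connecting http://127.0.0.1:3000/users/extlogin to 127.0.0.1:3000
[Tue Sep 01 12:58:57.971402 2020] [proxy:debug] [pid 1599] proxy_util.c(2256): [client redacted:64321] AH00944: connecting http://127.0.0.1:3000/users/login to 127.0.0.1:3000
"""

# Apache 2.4 error_log layout: [ts] [module:level] [pid N] [file(line):] [client h:p] msg
LINE_RE = re.compile(
    r"^\[(?P<ts>[^\]]+)\] \[(?P<module>[a-z_]+):(?P<level>[a-z]+)\] \[pid (?P<pid>\d+)\]"
    r"(?: (?P<src>\S+\(\d+\)):)? (?:\[client (?P<client>[^\]]+)\] )?(?P<msg>.*)$"
)

# Routine-error field of a GSS-API major status (RFC 2744: bits 16-23); subset of names.
GSS_ROUTINE_ERRORS = {1: "GSS_S_BAD_MECH", 2: "GSS_S_BAD_NAME", 7: "GSS_S_NO_CRED",
                      9: "GSS_S_DEFECTIVE_TOKEN", 11: "GSS_S_CREDENTIALS_EXPIRED",
                      13: "GSS_S_FAILURE"}


def gss_routine_error(major):
    """Name the routine error in a GSS-API major status (None if not a known error)."""
    return GSS_ROUTINE_ERRORS.get((major >> 16) & 0xFF)


def _new_conn():
    return {"gss_error": None, "gss_status": None, "principal": None, "local_user": None,
            "pam_ok": False, "groups": [], "attrs": {}, "backend_path": None}


def triage(log_text):
    """Map client host:port -> summary of what each module reported for that connection."""
    conns = OrderedDict()
    for raw in log_text.splitlines():
        m = LINE_RE.match(raw)
        if not m or m.group("client") is None:
            continue  # unparsable, or a pool-level proxy line that carries no client
        ev = m.groupdict()
        c = conns.setdefault(ev["client"], _new_conn())
        mod, msg = ev["module"], ev["msg"]
        if mod == "auth_kerb":
            if ev["level"] == "error":
                c["gss_error"] = msg
            s = re.search(r"major_status:([0-9a-f]+), minor_status:([0-9a-f]+)", msg)
            if s:
                c["gss_status"] = (int(s.group(1), 16), int(s.group(2), 16))
            s = re.search(r"kerb_authenticate_a_name_to_local_name (\S+) -> (\S+)", msg)
            if s:
                c["principal"], c["local_user"] = s.groups()
        elif mod == "authnz_pam" and "PAM authentication passed" in msg:
            c["pam_ok"] = True
        elif mod == "lookup_identity":
            s = re.search(r"GetUserGroups returned group (\S+)", msg)
            if s:
                c["groups"].append(s.group(1))
            s = re.search(r"GetUserAttr returned attr (\w+)=(.*)", msg)
            if s:
                c["attrs"][s.group(1)] = s.group(2)
        elif mod == "proxy":
            s = re.search(r"AH00944: connecting http://[^/]+(/\S*) to", msg)
            if s:
                c["backend_path"] = s.group(1)
    return conns


def verdict(conns):
    """One finding per connection. The extlogin->login bounce is the symptom in the post:
    Apache authenticated the user and proxied /users/extlogin, yet the next request from
    the same host was for /users/login, i.e. Foreman did not turn the hand-off into a
    session; the next place to look is Foreman's own log for that extlogin request."""
    findings, saw_extlogin = [], set()
    for client, c in conns.items():
        host = client.rsplit(":", 1)[0]
        if c["gss_error"]:
            name = gss_routine_error(c["gss_status"][0]) if c["gss_status"] else "?"
            findings.append(f"{client}: GSS-API failure {name}: {c['gss_error']}")
        elif c["local_user"] and c["pam_ok"] and c["backend_path"] == "/users/extlogin":
            findings.append(f"{client}: {c['principal']} -> {c['local_user']} "
                            f"groups={c['groups']} handed to Foreman at /users/extlogin")
            saw_extlogin.add(host)
        elif c["backend_path"] == "/users/login" and host in saw_extlogin:
            findings.append(f"{client}: bounced to /users/login right after extlogin: "
                            "Apache auth passed but Foreman created no session")
    return findings


if __name__ == "__main__":
    for line in verdict(triage(SAMPLE_LOG)):
        print(line)
```

Run it against a real `/var/log/httpd/error_log` by feeding the file contents to `triage()`; the GSS-API major status `00010000` from the first log decodes to `GSS_S_BAD_MECH`, which is the "unsupported mechanism" the error line spells out, and the second session shows every Apache stage succeeding before the bounce.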

Hello @k1ck3r,

Nice work with the authentication part. Can you please share your Foreman logs that are present in /var/lib/foreman/production.log (if I am not mistaken, that's the path for logs :slight_smile: )

Thanks,


Do you have FreeIPA configured as an external authentication resource? And added your FreeIPA user to foreman with authentication external?

Foreman 2.1 switched the default web server from passenger to puma, which caused external authentication to stop working. This is being worked on in Bug #30535: When using puma with foreman 2.1 freeipa external authentication does not work - Installer - Foreman. Until it is fixed a workaround is to switch the web server back to passenger, by running `foreman-installer --foreman-passenger true`.

I've also seen that `/etc/httpd/conf.d/passenger.conf` was removed in the switch to Puma. This file is not managed by the installer (since it contains paths with the exact Passenger version it was impossible to do right). `yum reinstall mod_passenger` is typically the easiest way to bring it back.

I thought I would never get an answer to my issue. Thank you very much, all!! I appreciate your effort, since my post doesn't meet ANY requirement of the forum :wink:

In order to give a proper answer to your replies, I will summarize my digging into this (haven't succeeded yet):

  1. Authentication against IPA is happening (using realm credentials); group mapping as well
  2. I've already configured External authentication in Foreman; login works, though, as per 1. :slight_smile:
  3. Turned on Apache debugging (I'll cross the line with a question, but nginx?) and found that once I open Foreman, it makes a connection to IPA, it says that the username is recognized, but the web UI still says "Kerberos authentication didn't pass"
  4. FreeIPA's web interface doesn't have any issues with Kerberos, meaning that it automatically logs in if there is a Kerberos ticket present in the environment

However, I saw that it seems to be related to a bug, with a suggestion to enable Passenger. Are there any additional steps to be taken besides running foreman-installer to enable Passenger?

Thank you very much for your replies!