I had the opportunity the last two days to get Foreman out of production use and test it intensively. The following was tested on a Debian 10.10 with Apache 2.4.38 including mod_auth_kerb without FreeIPA in combination with Foreman 2.4, 2.4.1 and 2.5.1.
The file /etc/apache2/conf.d/auth_kerb.conf looks like this:
<Location /users/extlogin>
AuthType Kerberos
AuthName "Kerberos Login"
KrbMethodNegotiate On
KrbSaveCredentials off
KrbMethodK5Passwd on
KrbAuthRealms REALM.NAME
Krb5KeyTab /.../krb5-apache.keytab
KrbLocalUserMapping on
require valid-user
ErrorDocument 401 '<html><meta http-equiv="refresh" content="0; URL=/users/login"><body>Kerberos authentication did not pass.</body></html>'
</Location>
The lookup_identity.conf file is no longer in use, it is not relevant to our scenario.
I set the logging from apache as well as from foreman to debug.
Scenario 1 - Foreman with Puma:
Apache receives the Kerberos Ticket, acknowledges in the log that it is cutting off the realm, that it is a valid_user and forwards the information to the foreman.
kerb_authenticate_user entered with user (NULL) and auth_type Kerberos
Acquiring creds for HTTP@...
Verifying client data using KRB5 GSS-API
Client delegated us their credential
GSS-API token of length 22 bytes will be sent back
kerb_authenticate_a_name_to_local_name user@... -> user
AH01626: authorization result of Require valid-user : granted
AH01626: authorization result of <RequireAny>: granted
AH01143: Running scheme http handler (attempt 0)
AH00942: HTTP: has acquired connection for (foreman)
AH00944: connecting http://foreman/users/extlogin to foreman:80
AH02545: http: has determined UDS as /run/foreman.sock
AH00947: connected /users/extlogin to httpd-UDS:0
AH00943: http: has released connection for (foreman)
AH02001: Connection closed to child 141 with standard shutdown (server ...:443)
In the production log of the Foreman you can read only:
Started GET "/users/extlogin" for *.*.*.* at 2021-06-29 15:26:19 +0200
Processing by UsersController#extlogin as HTML
SSO failed
falling back to login form
Redirected to https://.../users/login
Filter chain halted as :require_login rendered or redirected
If I remove in /usr/share/foreman/app/controllers/application_controller.rb and /usr/share/foreman/app/services/sso/apache.rb all leading HTTP_ in front of REMOTE_USER, REMOTE_USER_EMAIL etc. then nothing changes.
I have also tried other solutions from the Internet, some of which scriner has already tried, as I noticed when I reread this topic, unfortunately without success. The only noticeable change came with:
RequestHeader set REMOTE_USER "%{REMOTE_USER}s"
RequestHeader set HTTP_REMOTE_USER "%{HTTP_REMOTE_USER}s"
After I added it to …/sites-enabled/05-foreman-ssl.conf above ``RequestHeader set X_FORWARDED_PROTO “https”``` and commented out the “unset” lines below it, the foreman seemed to accept Kerberos authentication, but displayed an error that the user’s name must not be empty. I wasn’t sure what name exactly was meant since it didn’t explicitly say “username”. Unfortunately I couldn’t find the exact wording, although I documented everything separately.
Scenario 2 - Foreman with Passenger:
From the existing environment, I run foreman-installer --foreman-passenger true. Now passenger is running instead of puma. Out of the box, in the files /usr/share/foreman/app/controllers/application_controller.rb and /usr/share/foreman/app/services/sso/apache.rb the variables still have HTTP_ in front of them and Kerberos authentication fails. But if I remove this HTTP_ in front of the variables, I can log in via Kerberos. Regardless of this, node.rb is no longer usable to query the hosts. The error is always that the request was made with a certificate without DN and is therefore not allowed. Strange, but it works with puma. I have run this process several times to be sure that I have not changed anything else. Unfortunately, I could not determine here where the error comes from exactly and why. Some files like …/sites-enabled/05-foreman-ssl.conf or the Foreman configurations under /etc/foreman/ I could compare with another working production system ( Foreman 1.24 ) and the difference was not worth mentioning. Also the puppetserver didn’t seem to be changed. At least I didn’t find any changed configuration. But I also didn’t used find to list all the last changed files, in retrospect I should have.
During my internet research I noticed that the program “zammad” might also have had this problem in connection with puma. Unfortunately, I have not found out exactly. Probably due to my inexperience in analyzing such problems I must have missed something, but my impression is that mod_auth_kerb passes the information in the HTTP header with REMOTE_USER and puma expects HTTP_REMOTE_USER and thus it fails.
I hope that my explanations can be useful in some way or that someone has found a solution in the meantime.