Re: [Freeipa-users] http service keytab for cname virtual host
On Thu, 2012-03-29 at 20:43 +0200, Natxo Asenjo wrote:
> On Thu, Mar 29, 2012 at 8:25 PM, Simo Sorce wrote:
> > Your configuration looks right, but I went back and looked at
> > your logs and I saw a permission denied error.
> >
> > I would check that the apache user can access the keytab
> > file: /etc/httpd/conf/webserver01_http.keytab
> > If you are using RHEL/Fedora, also check the audit.log file in
> > case the file is mislabeled and SELinux is preventing access to it.
>
> Bingo! SELinux was indeed blocking it.
>
> :-)
>
> A few years ago I would have immediately looked at SELinux (or even
> disabled it right away during the installation), but since Fedora 12
> you guys have actually made it just work (TM), so I never thought of
> that.
>
> This is really awesome, I am thoroughly enjoying ipa.

Yes, SELinux works well. Use audit2allow to make a custom policy or apply
the right label, and don't disable SELinux please :-)

If you have problems we can help. Documenting on this list how to
properly configure SELinux with IPA related deployments is considered
on topic and will make up useful documentation for others.

Simo.

-- 
Simo Sorce * Red Hat, Inc * New York

___
Freeipa-users mailing list
Freeipa-users@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-users
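The two checks Simo asked for (can the apache user read the keytab, and is SELinux denying it) as a small triage script. This is an added example, not code from the thread or from FreeIPA. It assumes the keytab path from the thread, httpd running in the stock RHEL/Fedora httpd_t domain, and audit.log lines in the RHEL 6 AVC format; the audit excerpt embedded below is constructed for the demonstration.

```shell
#!/bin/sh
# Added example, not code from the thread or from FreeIPA: triage the
# "Permission denied" that gss_acquire_cred() reported, following the two
# checks from the thread (apache user can read the keytab; SELinux denials).
# Assumptions: the keytab path from the thread, httpd running as httpd_t
# (the stock RHEL/Fedora domain), and an audit log in the RHEL 6 AVC format.

KEYTAB="${KEYTAB:-/etc/httpd/conf/webserver01_http.keytab}"

# Constructed audit.log excerpt: two denials for httpd on the keytab (the
# file carries admin_home_t, i.e. it was copied out of /root), plus one
# unrelated denial that must not be counted.
SAMPLE_AUDIT='type=AVC msg=audit(1333050134.123:456): avc:  denied  { read } for  pid=1234 comm="httpd" name="webserver01_http.keytab" dev=dm-0 ino=12345 scontext=unconfined_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:admin_home_t:s0 tclass=file
type=SYSCALL msg=audit(1333050134.123:456): arch=c000003e syscall=2 success=no exit=-13 comm="httpd" exe="/usr/sbin/httpd" subj=unconfined_u:system_r:httpd_t:s0
type=AVC msg=audit(1333050135.001:457): avc:  denied  { open } for  pid=1234 comm="httpd" name="webserver01_http.keytab" dev=dm-0 ino=12345 scontext=unconfined_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:admin_home_t:s0 tclass=file
type=AVC msg=audit(1333050136.002:458): avc:  denied  { read } for  pid=999 comm="sshd" name="authorized_keys" dev=dm-0 ino=777 scontext=system_u:system_r:sshd_t:s0 tcontext=unconfined_u:object_r:admin_home_t:s0 tclass=file'

# avc_denies_keytab LINE NAME: succeed when LINE is an AVC denial for httpd
# on the file called NAME.
avc_denies_keytab() {
  case "$1" in
    *"type=AVC"*"denied"*"comm=\"httpd\""*"name=\"$2\""*) return 0 ;;
  esac
  return 1
}

# count_keytab_denials KEYTAB: number of AVC denials for httpd on the
# keytab in the audit log read from stdin.
count_keytab_denials() {
  name=$(basename "$1"); n=0
  while IFS= read -r line; do
    if avc_denies_keytab "$line" "$name"; then n=$((n + 1)); fi
  done
  echo "$n"
}

# denied_keytab_label KEYTAB: the SELinux type the keytab carried in the
# first denial (tcontext is user:role:TYPE:level), read from stdin.
# Comparing it with what matchpathcon(1) expects tells you whether
# "restorecon -v KEYTAB" is the fix or whether audit2allow is really needed.
denied_keytab_label() {
  name=$(basename "$1")
  while IFS= read -r line; do
    if avc_denies_keytab "$line" "$name"; then
      printf '%s\n' "$line" | sed -n 's/.*tcontext=[^:]*:[^:]*:\([^:]*\):.*/\1/p'
      return 0
    fi
  done
  return 1
}

# check_keytab_access: the live version of the two checks; needs root for
# the audit log and only runs when the keytab is actually present.
check_keytab_access() {
  ls -lZ "$KEYTAB"                                 # owner, mode, label
  if command -v matchpathcon >/dev/null 2>&1; then
    matchpathcon "$KEYTAB" || true                 # label policy expects
  fi
  # DAC side: root:apache with mode 0640 is enough for httpd to read it.
  if [ -r /var/log/audit/audit.log ]; then
    echo "AVC denials on keytab: $(count_keytab_denials "$KEYTAB" < /var/log/audit/audit.log)"
    echo "label seen in denial: $(denied_keytab_label "$KEYTAB" < /var/log/audit/audit.log)"
  fi
}

# Offline demonstration on the constructed log (prints 2 and admin_home_t).
printf '%s\n' "$SAMPLE_AUDIT" | count_keytab_denials "$KEYTAB"
printf '%s\n' "$SAMPLE_AUDIT" | denied_keytab_label "$KEYTAB"
if [ -e "$KEYTAB" ]; then check_keytab_access; fi
```

The label is the thing to look at before reaching for audit2allow: on a stock RHEL 6 policy a file under /etc/httpd/conf gets httpd_config_t, which httpd_t may read, so a keytab that still carries admin_home_t because it was generated in /root and copied into place is fixed by restorecon, not by a custom module. audit2allow is for the case where the default label is already correct and httpd is genuinely denied, and the module it generates should be reviewed before loading since it grants exactly what was denied.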
Re: [Freeipa-users] http service keytab for cname virtual host
On Thu, Mar 29, 2012 at 8:25 PM, Simo Sorce wrote:
> Your configuration looks right, but I went back and looked at your logs
> and I saw a permission denied error.
>
> I would check that the apache user can access the keytab
> file: /etc/httpd/conf/webserver01_http.keytab
> If you are using RHEL/Fedora, also check the audit.log file in case the
> file is mislabeled and SELinux is preventing access to it.

Bingo! SELinux was indeed blocking it.

:-)

A few years ago I would have immediately looked at SELinux (or even
disabled it right away during the installation), but since Fedora 12
you guys have actually made it just work (TM), so I never thought of
that.

This is really awesome, I am thoroughly enjoying ipa.

Thanks!

-- 
natxo
Re: [Freeipa-users] http service keytab for cname virtual host
On Thu, 2012-03-29 at 08:58 +0200, Natxo Asenjo wrote:
> On Wed, Mar 28, 2012 at 11:36 PM, Simo Sorce wrote:
> > CNAMEs should work just fine with the host's HTTP/A-name@REALM key.
> > In fact I just tested a virtual host on my ipa server using a cname and
> > it worked.
>
> great!
>
> > Can you post your (sanitized) mod_auth_kerb configuration ?
> > Also what browser are you testing with ?
>
> sure:
>
>     ServerName vhost.ipa.domain.tld
>     ServerAdmin webmas...@domain.tld
>     DocumentRoot /var/www/html/vhost1
>     LogLevel debug
>     CustomLog /var/log/httpd/vhost1.access.log combined
>     ErrorLog /var/log/httpd/vhost1.error.log
>
>     AuthType Kerberos
>     AuthName "Kerberos Login"
>     KrbMethodNegotiate on
>     KrbMethodK5Passwd off
>     KrbServiceName HTTP
>     KrbAuthRealms IPA.DOMAIN.TLD
>     Krb5KeyTab /etc/httpd/conf/webserver01_http.keytab
>     KrbSaveCredentials on
>     Require valid-user
>
> > If you kdestroy and then kinit clean, and then try to access the server
> > *only* using the CNAME you should see the browser has acquired a ticket
> > for HTTP/A-name. You can use klist to verify. If this works you know it
> > is a server side issue only. If you do not have the ticket, there may be
> > a DNS/browser issue.
>
> yes, I get a HTTP/A-name ticket and a 500 internal server error on the
> browser. So you are right, we have an apache issue only. If you can
> shed some light on the mod_kerb config that will be great.

Your configuration looks right, but I went back and looked at your logs
and I saw a permission denied error.

I would check that the apache user can access the keytab
file: /etc/httpd/conf/webserver01_http.keytab
If you are using RHEL/Fedora, also check the audit.log file in case the
file is mislabeled and SELinux is preventing access to it.

Simo.

-- 
Simo Sorce * Red Hat, Inc * New York
Re: [Freeipa-users] http service keytab for cname virtual host
On Wed, Mar 28, 2012 at 11:36 PM, Simo Sorce wrote:
> CNAMEs should work just fine with the host's HTTP/A-name@REALM key.
> In fact I just tested a virtual host on my ipa server using a cname and
> it worked.

great!

> Can you post your (sanitized) mod_auth_kerb configuration ?
> Also what browser are you testing with ?

sure:

    ServerName vhost.ipa.domain.tld
    ServerAdmin webmas...@domain.tld
    DocumentRoot /var/www/html/vhost1
    LogLevel debug
    CustomLog /var/log/httpd/vhost1.access.log combined
    ErrorLog /var/log/httpd/vhost1.error.log

    AuthType Kerberos
    AuthName "Kerberos Login"
    KrbMethodNegotiate on
    KrbMethodK5Passwd off
    KrbServiceName HTTP
    KrbAuthRealms IPA.DOMAIN.TLD
    Krb5KeyTab /etc/httpd/conf/webserver01_http.keytab
    KrbSaveCredentials on
    Require valid-user

> If you kdestroy and then kinit clean, and then try to access the server
> *only* using the CNAME you should see the browser has acquired a ticket
> for HTTP/A-name. You can use klist to verify. If this works you know it
> is a server side issue only. If you do not have the ticket, there may be
> a DNS/browser issue.

yes, I get a HTTP/A-name ticket and a 500 internal server error on the
browser. So you are right, we have an apache issue only. If you can
shed some light on the mod_kerb config that will be great.

TIA.

-- 
Groeten,
Natxo
Re: [Freeipa-users] http service keytab for cname virtual host
On Wed, 2012-03-28 at 17:30 -0400, Rob Crittenden wrote:
> Natxo Asenjo wrote:
> > hi,
> >
> > enable a kerberized site with the fqdn is very easy with freeipa but we
> > would like to use virtual hosting and kerberized sites.
> >
> > I have joined a host webserver01.ipa.domain.tld to a ipa realm. I then
> > created a spn HTTP/webserver01.ipa.domain.tld, generated the keytab,
> > configured the apache webserver and it works.
> >
> > Then I created a cname record (vhost) pointing to
> > webserver01.ipa.domain.tld. I enabled virtual hosting in the apache
> > webserver, configured the vhosts without kerberizing anything. Virtual
> > hosts work as expected.
> >
> > But when I enable a kerberized directory in the vhost, then I see this
> > in the log file:
> >
> > [Wed Mar 28 22:02:14 2012] [error] [client 192.168.0.21]
> > gss_acquire_cred() failed: Unspecified GSS failure. Minor code may
> > provide more information (, Permission denied)
> > [Wed Mar 28 22:02:14 2012] [debug] src/mod_auth_kerb.c(1578): [client
> > 192.168.0.21] kerb_authenticate_user entered with user (NULL) and
> > auth_type Kerberos
> > [Wed Mar 28 22:02:14 2012] [debug] src/mod_auth_kerb.c(1578): [client
> > 192.168.0.21] kerb_authenticate_user entered with user (NULL) and
> > auth_type Kerberos
> > [Wed Mar 28 22:02:14 2012] [debug] src/mod_auth_kerb.c(1213): [client
> > 192.168.0.21] Acquiring creds for HTTP@vhost.ipa.domain.tld.
> >
> > When not using vhosts, it works although I see similar debugging info
> > (but instead of HTTP@vhost.ipa.domain.tld,
> > HTTP@webserver01.ipa.domain.tld). So I was wondering if it is possible
> > to do this vhost thing. With the ipa tools I can only add service
> > principals to joined hosts, not to cnames.
> >
> > It would be nice to have. Otherwise we need to have one server per
> > kerberized site, a bit of an overkill really.
>
> You should be able to add a host entry for the vhost, perhaps with the
> --force flag to let it add w/o a DNS A record. Then you should be able
> to create the service.

This shouldn't be necessary unless the vhost uses an A name, but then you
need a key for each vhost, which is burdensome. I would keep this as a
last resort after any other avenue failed.

Simo.

-- 
Simo Sorce * Red Hat, Inc * New York
Re: [Freeipa-users] http service keytab for cname virtual host
On Wed, 2012-03-28 at 22:49 +0200, Natxo Asenjo wrote:
> hi,
>
> enable a kerberized site with the fqdn is very easy with freeipa but
> we would like to use virtual hosting and kerberized sites.
>
> I have joined a host webserver01.ipa.domain.tld to a ipa realm. I then
> created a spn HTTP/webserver01.ipa.domain.tld, generated the keytab,
> configured the apache webserver and it works.
>
> Then I created a cname record (vhost) pointing to
> webserver01.ipa.domain.tld. I enabled virtual hosting in the apache
> webserver, configured the vhosts without kerberizing anything. Virtual
> hosts work as expected.
>
> But when I enable a kerberized directory in the vhost, then I see this
> in the log file:
>
> [Wed Mar 28 22:02:14 2012] [error] [client 192.168.0.21]
> gss_acquire_cred() failed: Unspecified GSS failure. Minor code may
> provide more information (, Permission denied)
> [Wed Mar 28 22:02:14 2012] [debug] src/mod_auth_kerb.c(1578): [client
> 192.168.0.21] kerb_authenticate_user entered with user (NULL) and
> auth_type Kerberos
> [Wed Mar 28 22:02:14 2012] [debug] src/mod_auth_kerb.c(1578): [client
> 192.168.0.21] kerb_authenticate_user entered with user (NULL) and
> auth_type Kerberos
> [Wed Mar 28 22:02:14 2012] [debug] src/mod_auth_kerb.c(1213): [client
> 192.168.0.21] Acquiring creds for HTTP@vhost.ipa.domain.tld.
>
> When not using vhosts, it works although I see similar debugging info
> (but instead of HTTP@vhost.ipa.domain.tld,
> HTTP@webserver01.ipa.domain.tld). So I was wondering if it is possible
> to do this vhost thing. With the ipa tools I can only add service
> principals to joined hosts, not to cnames.
>
> It would be nice to have. Otherwise we need to have one server per
> kerberized site, a bit of an overkill really.

CNAMEs should work just fine with the host's HTTP/A-name@REALM key.
In fact I just tested a virtual host on my ipa server using a cname and
it worked.

Can you post your (sanitized) mod_auth_kerb configuration ?
Also what browser are you testing with ?

If you kdestroy and then kinit clean, and then try to access the server
*only* using the CNAME you should see the browser has acquired a ticket
for HTTP/A-name. You can use klist to verify. If this works you know it
is a server side issue only. If you do not have the ticket, there may be
a DNS/browser issue.

Simo.

-- 
Simo Sorce * Red Hat, Inc * New York
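The client-side test Simo describes (kdestroy, kinit, open the site by its CNAME only, then klist) boils down to one question: which HTTP service principal did the browser end up with a ticket for. The script below reads klist output and answers that, so the result can be scripted rather than eyeballed. It is an added example, not code from the thread or from FreeIPA; the A-name, CNAME and realm are the ones from the thread, and the klist text embedded in it is constructed to look like MIT Kerberos output.

```shell
#!/bin/sh
# Added example, not code from the thread or from FreeIPA: classify the
# outcome of the kdestroy / kinit / browse-by-CNAME / klist test.
# The names below come from the thread; the klist output is constructed.

A_NAME="webserver01.ipa.domain.tld"
CNAME="vhost.ipa.domain.tld"
REALM="IPA.DOMAIN.TLD"

# Constructed klist output: a TGT plus a service ticket for the A-name,
# which is what a working CNAME setup should produce.
SAMPLE_KLIST='Ticket cache: FILE:/tmp/krb5cc_1000
Default principal: natxo@IPA.DOMAIN.TLD

Valid starting     Expires            Service principal
03/29/12 20:10:01  03/30/12 20:09:58  krbtgt/IPA.DOMAIN.TLD@IPA.DOMAIN.TLD
03/29/12 20:10:30  03/30/12 20:09:58  HTTP/webserver01.ipa.domain.tld@IPA.DOMAIN.TLD'

# has_ticket PRINCIPAL: succeed when the klist output on stdin lists a
# ticket whose service principal (last field of the line) is PRINCIPAL.
has_ticket() {
  awk -v p="$1" '$NF == p { found = 1 } END { exit !found }'
}

# classify_cname_test A_NAME CNAME REALM: read klist output from stdin and
# print which side to look at next:
#   server - ticket for HTTP/A-name present: DNS and the KDC did their
#            part, so a failure is in httpd (keytab, permissions, SELinux)
#   cname  - ticket for HTTP/CNAME: the browser did not canonicalise to the
#            A-name; such a ticket only exists if that principal was added
#            to the KDC, and the A-name keytab cannot decrypt it
#   none   - no HTTP ticket at all: DNS or browser negotiation problem
classify_cname_test() {
  a="$1"; c="$2"; r="$3"
  cache=$(cat)
  if printf '%s\n' "$cache" | has_ticket "HTTP/$a@$r"; then
    echo server
  elif printf '%s\n' "$cache" | has_ticket "HTTP/$c@$r"; then
    echo cname
  else
    echo none
  fi
}

# Offline demonstration on the constructed cache (prints "server").
printf '%s\n' "$SAMPLE_KLIST" | classify_cname_test "$A_NAME" "$CNAME" "$REALM"

# Live run, only when this machine actually holds a valid credential cache.
if command -v klist >/dev/null 2>&1 && klist -s 2>/dev/null; then
  klist | classify_cname_test "$A_NAME" "$CNAME" "$REALM"
fi
```

The "server" outcome is exactly what Natxo reported (an HTTP/A-name ticket plus a 500 from Apache), and it is the outcome that rules out DNS and the KDC before anyone touches the web server. Run it after a fresh kinit so that stale tickets from an earlier attempt by the A-name cannot mask a browser that never canonicalised the CNAME.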
Re: [Freeipa-users] http service keytab for cname virtual host
Natxo Asenjo wrote:
> hi,
>
> enable a kerberized site with the fqdn is very easy with freeipa but we
> would like to use virtual hosting and kerberized sites.
>
> I have joined a host webserver01.ipa.domain.tld to a ipa realm. I then
> created a spn HTTP/webserver01.ipa.domain.tld, generated the keytab,
> configured the apache webserver and it works.
>
> Then I created a cname record (vhost) pointing to
> webserver01.ipa.domain.tld. I enabled virtual hosting in the apache
> webserver, configured the vhosts without kerberizing anything. Virtual
> hosts work as expected.
>
> But when I enable a kerberized directory in the vhost, then I see this
> in the log file:
>
> [Wed Mar 28 22:02:14 2012] [error] [client 192.168.0.21]
> gss_acquire_cred() failed: Unspecified GSS failure. Minor code may
> provide more information (, Permission denied)
> [Wed Mar 28 22:02:14 2012] [debug] src/mod_auth_kerb.c(1578): [client
> 192.168.0.21] kerb_authenticate_user entered with user (NULL) and
> auth_type Kerberos
> [Wed Mar 28 22:02:14 2012] [debug] src/mod_auth_kerb.c(1578): [client
> 192.168.0.21] kerb_authenticate_user entered with user (NULL) and
> auth_type Kerberos
> [Wed Mar 28 22:02:14 2012] [debug] src/mod_auth_kerb.c(1213): [client
> 192.168.0.21] Acquiring creds for HTTP@vhost.ipa.domain.tld.
>
> When not using vhosts, it works although I see similar debugging info
> (but instead of HTTP@vhost.ipa.domain.tld,
> HTTP@webserver01.ipa.domain.tld). So I was wondering if it is possible
> to do this vhost thing. With the ipa tools I can only add service
> principals to joined hosts, not to cnames.
>
> It would be nice to have. Otherwise we need to have one server per
> kerberized site, a bit of an overkill really.

You should be able to add a host entry for the vhost, perhaps with the
--force flag to let it add w/o a DNS A record. Then you should be able
to create the service.

rob
[Freeipa-users] http service keytab for cname virtual host
hi,

enable a kerberized site with the fqdn is very easy with freeipa but we
would like to use virtual hosting and kerberized sites.

I have joined a host webserver01.ipa.domain.tld to a ipa realm. I then
created a spn HTTP/webserver01.ipa.domain.tld, generated the keytab,
configured the apache webserver and it works.

Then I created a cname record (vhost) pointing to
webserver01.ipa.domain.tld. I enabled virtual hosting in the apache
webserver, configured the vhosts without kerberizing anything. Virtual
hosts work as expected.

But when I enable a kerberized directory in the vhost, then I see this
in the log file:

[Wed Mar 28 22:02:14 2012] [error] [client 192.168.0.21]
gss_acquire_cred() failed: Unspecified GSS failure. Minor code may
provide more information (, Permission denied)
[Wed Mar 28 22:02:14 2012] [debug] src/mod_auth_kerb.c(1578): [client
192.168.0.21] kerb_authenticate_user entered with user (NULL) and
auth_type Kerberos
[Wed Mar 28 22:02:14 2012] [debug] src/mod_auth_kerb.c(1578): [client
192.168.0.21] kerb_authenticate_user entered with user (NULL) and
auth_type Kerberos
[Wed Mar 28 22:02:14 2012] [debug] src/mod_auth_kerb.c(1213): [client
192.168.0.21] Acquiring creds for HTTP@vhost.ipa.domain.tld.

When not using vhosts, it works although I see similar debugging info
(but instead of HTTP@vhost.ipa.domain.tld,
HTTP@webserver01.ipa.domain.tld). So I was wondering if it is possible
to do this vhost thing. With the ipa tools I can only add service
principals to joined hosts, not to cnames.

It would be nice to have. Otherwise we need to have one server per
kerberized site, a bit of an overkill really.

-- 
Groeten,
natxo