Hello All,

We're in the process of upgrading a pool of Debian WebKDC nodes from "3.6.0-1" to the current squeeze-backport version "4.1.0-1~bpo60+1". I was hoping to upgrade each WebKDC in turn, and have them all behave nicely in the process (and testing indicated that this would be possible).

However, with 1 node upgraded and added to the round-robin DNS I'm seeing an issue that indicates that anyone trying to authenticate to a WAS for the first time, via the 4.1 node, gets prompted for credentials, even if moments before they successfully authenticated to one of the other (3.6) WebKDCs (so it's not acting like Single Sign-on anymore).

Looking at the apache error log on the upgraded node I see entries like the following (all on one line and mildly redacted):

#---8<-----------------------------------------------------------------
[notice] mod_webkdc: event=requestToken from=127.0.0.1 clientIp=XX.XX.XX.XX server=krb5:webauth/[email protected] url=https://was-url-for-redirect user=<unknown> rtt=id sa=webkdc lec=15 lem="need a proxy token"
#---8<-----------------------------------------------------------------

usually followed shortly by a similar entry that includes the real username and will pass them through to the WAS as expected.

#---8<-----------------------------------------------------------------
[notice] mod_webkdc: event=requestToken from=127.0.0.1 clientIp=XX.XX.XX.XX server=krb5:webauth/[email protected] url=https://was-url-for-redirect user=real-username rtt=id sa=webkdc login=password ifactors=p sfactors=p lec=0
#---8<-----------------------------------------------------------------

Has anyone else seen similar issues occurring while upgrading pools of WebKDCs? I was hoping to (relatively) seamlessly introduce upgraded nodes during regular maintenance windows but, at the moment, I don't know if the issue I'm seeing is due to a mix of WebKDC versions not playing nicely together, or whether there's something else (possibly in our custom login CGIs) that's causing a previous SSO session to not be honoured per-WAS, in which case I'd like to find a solution before all our WebKDCs start to exhibit the same behaviour after being upgraded.

Thanks in advance for any pointers, hints, and tips.

Dameon Wagner

-- 
><> ><> ><> ><> ><> ><> ooOoo <>< <>< <>< <>< <>< <><
Dameon Wagner, Systems Development and Support Team
IT Services, University of Oxford
><> ><> ><> ><> ><> ><> ooOoo <>< <>< <>< <>< <>< <><
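
Added example, not part of the original post: one way to measure how often the upgraded node re-prompts, by pairing each lec=15 "need a proxy token" entry with the next login=password success from the same clientIp and url. The field names come from the log lines quoted above; the function names, addresses, hosts and user names are constructed placeholders, and pairing is by log order only because the quoted lines show no timestamps.

```python
import re

# Constructed sample in the mod_webkdc format quoted in the post (placeholder values).
SAMPLE_LOG = '''\
[notice] mod_webkdc: event=requestToken from=127.0.0.1 clientIp=192.0.2.10 server=krb5:webauth/was.example.org@EXAMPLE.ORG url=https://was.example.org/app user=<unknown> rtt=id sa=webkdc lec=15 lem="need a proxy token"
[notice] mod_webkdc: event=requestToken from=127.0.0.1 clientIp=192.0.2.10 server=krb5:webauth/was.example.org@EXAMPLE.ORG url=https://was.example.org/app user=alice rtt=id sa=webkdc login=password ifactors=p sfactors=p lec=0
[notice] mod_webkdc: event=requestToken from=127.0.0.1 clientIp=192.0.2.20 server=krb5:webauth/wiki.example.org@EXAMPLE.ORG url=https://wiki.example.org/ user=<unknown> rtt=id sa=webkdc lec=15 lem="need a proxy token"
[notice] mod_webkdc: event=requestToken from=127.0.0.1 clientIp=192.0.2.30 server=krb5:webauth/was.example.org@EXAMPLE.ORG url=https://was.example.org/app user=carol rtt=id sa=webkdc login=password ifactors=p sfactors=p lec=0
'''

# key=value, where the value is either double-quoted or runs to the next space.
PAIR = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_line(line):
    """Return the key=value fields of one mod_webkdc line, or None."""
    if "mod_webkdc:" not in line:
        return None
    return {key: value.strip('"') for key, value in PAIR.findall(line)}


def reprompted_logins(lines):
    """Split lec=15 events into those followed by a password login and those not.

    Returns (hits, unresolved): hits are password logins that came after a
    lec=15 for the same (clientIp, url); unresolved are lec=15 events that
    never saw such a follow-up in the given lines.
    """
    pending = {}  # (clientIp, url) -> lec=15 event still waiting for a login
    hits = []
    for line in lines:
        event = parse_line(line)
        if not event or event.get("event") != "requestToken":
            continue
        key = (event.get("clientIp"), event.get("url"))
        if event.get("lec") == "15":
            pending[key] = event
        elif (event.get("lec") == "0" and event.get("login") == "password"
              and key in pending):
            del pending[key]
            hits.append({"clientIp": key[0], "url": key[1],
                         "user": event.get("user")})
    return hits, list(pending.values())


if __name__ == "__main__":
    found, waiting = reprompted_logins(SAMPLE_LOG.splitlines())
    print(len(found), "re-prompted logins;", len(waiting), "unresolved")
```

Running the same function over the error logs of a 3.6 node and the 4.1 node gives comparable counts per WAS url.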
