RHEL Documentation
RHELDOCS-19805

auth_to_local_names failed to map to root user


    • Moderate
    • rhel-sst-idm-ipa
    • ssg_idm
    • Yes
    • CCS 2025-5, CCS 2025-6
    • Bug Fix
    • .`mod_auth_gssapi` now respects `GssapiLocalName` setting for user mapping

      Before the update `mod_auth_gssapi-1.6.1-9.el8`, a regression allowed `mod_auth_gssapi` to convert a principal to a local username using the `auth_to_local_names` setting from the `krb5` configuration without explicitly enabling this behavior. As a result, an `httpd` setup using `mod_auth_gssapi` could unintentionally map client identities based on the `auth_to_local_names` setting, even if the `GssapiLocalName` option was not set to `On`. With this update, the original behavior is restored. `GssapiLocalName` must now be explicitly set to `On` in the `httpd` configuration to enable user mapping via `auth_to_local_names`.
    • Done

      Description of problem:
      The customer relies on the following config to map to the root user for their web application:

      [realms]
      EXAMPLE.COM = {
        kdc = kerberos.example.com
        auth_to_local_names = {
          alice = root
          bob = root
        }
      }
      

      However, they cannot do so after upgrading their
      krb5-workstation from krb5-workstation-1.18.2-8.3.el8_4 to 1.18.2-22.el8_7.

      httpd log before upgrade (alice becomes root, which the customer wants):

      10.0.0.101 - - [15/Mar/2023:12:49:33 +1030] "GET /webapp/ HTTP/1.1" 401 381 "-" "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.2; WOW64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729; Zoom 3.6.0)"
      10.0.0.101 - root [15/Mar/2023:12:49:33 +1030] "GET /webapp/ HTTP/1.1" 304 - "-" "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.2; WOW64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729; Zoom 3.6.0)"
      10.0.0.101 - root [15/Mar/2023:12:49:33 +1030] "GET /webapp/CBS.css HTTP/1.1" 304 - "http://appserver1/webapp/" "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.2; WOW64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729; Zoom 3.6.0)"
      

      httpd log after upgrade (alice is still alice):

      10.0.0.101 - alice [15/Mar/2023:12:53:04 +1030] "GET /webapp/ HTTP/1.1" 304 - "-" "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.2; WOW64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729; Zoom 3.6.0)"
      10.0.0.101 - alice [15/Mar/2023:12:53:04 +1030] "GET /webapp/CBS.css HTTP/1.1" 304 - "http://appserver1/webapp/" "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.2; WOW64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729; Zoom 3.6.0)"
      10.0.0.101 - alice [15/Mar/2023:12:53:04 +1030] "GET /webapp/images/poweredbyebix.gif HTTP/1.1" 304 - "http://appserver1/webapp/" "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.2; WOW64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729; Zoom 3.6.0)"
      

      However, mapping alice to cindy (non-root) worked even after the upgrade:

      10.0.0.101 - cindy [16/Feb/2023:09:38:05 +1030] "GET /webapp HTTP/1.1" 301 230 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/109.0.0.0 Safari/537.36"
      10.0.0.101 - cindy [16/Feb/2023:09:38:05 +1030] "GET /webapp/ HTTP/1.1" 200 1853 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/109.0.0.0 Safari/537.36"
      10.0.0.101 - cindy [16/Feb/2023:09:38:05 +1030] "GET /webapp/CBS.css HTTP/1.1" 200 1548 "http://appserver3/webapp/" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/109.0.0.0 Safari/537.36"
      

      Version-Release number of selected component (if applicable):
      krb5-workstation-1.18.2-8.3.el8_4 to 1.18.2-22.el8_7

      How reproducible:
      Always with krb5-workstation-1.18.2-22.el8_7
      But not with krb5-workstation-1.18.2-8.3.el8_4

      Steps to Reproduce:
      1. Log in to the web app as alice

      Actual results:

      alice is still alice, auth_to_local_names did not work

      Expected results:

      alice becomes root, auth_to_local_names works

      Additional info:

      While the mod_auth_gssapi upgrade seems related (1.6.1-7.1.el8 - 1.6.1-9.el8),
      we tested a downgrade and the behaviour does not change.

      mod_auth_gssapi changelog entries that seem related:

      * Thu Apr 28 2022 Francisco Trivino <[email protected]> 1.6.1-9
      - Add missing repos to the osci tests
      - Fix gss localname test to work with older gssapi version
      - Resolves: #2083122
      - Add ability to expose the used mechanism
      - Resolves: #2046231
      
      
      * Wed Apr 27 2022 Francisco Trivino <[email protected]> 1.6.1-8
      - Add test for gss_localname
      - Fix gss_localname with SPNEGO wrapping
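
      For an httpd deployment that relied on the pre-1.6.1-9.el8 behaviour, this is the explicit opt-in the release note calls for, as an added example that is not part of this issue or of the mod_auth_gssapi project. The /webapp location, the keytab path and the presence of an HTTP/ service keytab are assumptions; the auth_to_local_names stanza it pairs with is the krb5.conf fragment from the description above.

```apache
# Added example, not from the Jira issue or the mod_auth_gssapi project.
# Assumed: the /webapp location, the keytab at /etc/httpd/http.keytab and
# an HTTP/appserver1@EXAMPLE.COM key in it. Pairs with the krb5.conf
# [realms] auth_to_local_names stanza from the report (alice = root).

<Location "/webapp">
    AuthType GSSAPI
    AuthName "Kerberos Login"
    GssapiCredStore keytab:/etc/httpd/http.keytab

    # Before mod_auth_gssapi-1.6.1-9.el8 this directive could be left out
    # and the principal was still rewritten through auth_to_local_names,
    # so REMOTE_USER for alice@EXAMPLE.COM became "root" without the admin
    # asking for it. The default is Off; from 1.6.1-9.el8 on the mapping is
    # applied only when this is explicitly On.
    GssapiLocalName On

    Require valid-user
</Location>
```

      GssapiLocalName applies only to the krb5 mechanism. With it On, mod_auth_gssapi calls gss_localname(), which is what consults auth_to_local_names (and any auth_to_local rules) in krb5.conf. The mapped name is only the string httpd places in REMOTE_USER for the application and in the access log's user column; it does not change the Unix account httpd runs as, so alice = root grants "root" in the web application's sense, not on the host. After the update, verify the mapping by checking the user column of the access log for the expected local name rather than inferring it from krb5.conf alone.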
      

              rhn-support-gfialova Gabriela Fialova
              rhn-support-dchen Ding Yi Chen
              Filip Hanzelka
              Michal Stubna Michal Stubna
              Votes: 0
              Watchers: 10