Keystone Kerberos configuration

asked 2016-09-20 02:46:19 -0500

fgls

Hello all,

I am trying to coerce Keystone to work with Kerberos authentication; however, I am hitting a brick wall. For the moment I just want to provide the ability to use Kerberos with the openstack python client; I'm not looking at Horizon/WebSSO at this time.

Keystone is already configured for LDAP authentication against the domain 'bbp'.

We are running Mitaka and have configured the location block in Apache for Keystone as per [1].

My openrc file is [2].

When trying to authenticate I get [3] from my client with an error indicating an invalid token, however on the apache side through the logs it indicates that I was actually successful with Kerberos authentication [4].

I'm struggling to find the missing link through the documentation. Has anyone else configured Kerberos with Keystone and knows what I am missing here?

[1]

<Location "/krb/v3/auth/tokens">
    SetEnv REMOTE_DOMAIN bbp
    LogLevel debug
    AuthType Kerberos
    AuthName "Kerberos Login"
    KrbMethodNegotiate on
    KrbMethodK5Passwd on
    KrbServiceName Any
    KrbAuthRealms INTRANET.EPFL.CH
    Krb5KeyTab /etc/httpd.keytab
    KrbLocalUserMapping on
    require valid-user
</Location>

[2]

#!/bin/bash
export OS_AUTH_URL=http://bbpcb016.epfl.ch:5000/krb/v3
export OS_IDENTITY_API_VERSION=3
export OS_PROJECT_ID=907b7b58d44d419e94aa0851206ceaa0
export OS_PROJECT_NAME="test"
export OS_AUTH_TYPE=v3kerberos

[3]

$ openstack server list
WARNING: openstackclient.common.utils is deprecated and will be removed after Jun 2017. Please use osc_lib.utils
generate_request_header(): authGSSClientStep() failed:
Traceback (most recent call last):
  File "/usr/local/lib/python2.7/dist-packages/requests_kerberos/kerberos_.py", line 144, in generate_request_header
    negotiate_resp_value)
GSSError: (('Invalid token was supplied', 589824), ('Success', 100001))
(('Invalid token was supplied', 589824), ('Success', 100001))
Traceback (most recent call last):
  File "/usr/local/lib/python2.7/dist-packages/requests_kerberos/kerberos_.py", line 144, in generate_request_header
    negotiate_resp_value)
GSSError: (('Invalid token was supplied', 589824), ('Success', 100001))
The request you have made requires authentication. (HTTP 401) (Request-ID: req-457ba760-1aa7-425b-b9d4-64434711d5b0)

[4]

==> /var/log/httpd/keystone_wsgi_main_access.log <==
128.167.23.68 - - [20/Sep/2016:09:30:36 +0200] "POST /krb/v3/auth/tokens HTTP/1.1" 401 381 "-" "osc-lib keystoneauth1/2.12.1 python-requests/2.11.1 CPython/2.7.12"

==> /var/log/httpd/keystone_wsgi_main_error.log <==
[Tue Sep 20 09:30:36.734551 2016] [authz_core:debug] [pid 19774] mod_authz_core.c(809): [client 128.167.23.68:51410] AH01626: authorization result of Require valid-user : denied (no authenticated user yet)
[Tue Sep 20 09:30:36.734575 2016] [authz_core:debug] [pid 19774] mod_authz_core.c(809): [client 128.167.23.68:51410] AH01626: authorization result of <RequireAny>: denied (no authenticated user yet)
[Tue Sep 20 09:30:36.734590 2016] [auth_kerb:debug] [pid 19774] src/mod_auth_kerb.c(1954): [client 128.167.23.68:51410] kerb_authenticate_user entered with user (NULL) and auth_type Kerberos
[Tue Sep 20 09:30:36.734638 2016] [auth_kerb:debug] [pid 19774] src/mod_auth_kerb.c(1708): [client 128.167.23.68:51410] Verifying client data using KRB5 GSS-API
[Tue Sep 20 09:30:36.735406 2016] [auth_kerb:debug] [pid 19774] src/mod_auth_kerb.c(1724): [client 128.167.23.68:51410] Client didn't delegate us their credential
[Tue Sep 20 09:30:36.735417 2016 ...
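Before chasing the client-side GSS error, it is worth reviewing the posted `<Location>` block and openrc for settings that carry risk on their own. The script below is an added example (not code from the post or from Keystone/mod_auth_kerb): it parses the Apache block and the `export` lines exactly as shown in [1] and [2], flags the Basic password fallback (`KrbMethodK5Passwd on`), the unpinned service principal (`KrbServiceName Any`), the plain-http `OS_AUTH_URL` and the debug log level, and checks that the token endpoint the client POSTs to (`<OS_AUTH_URL>/auth/tokens`, as seen in the access log in [4]) actually falls under the `<Location>` path. The hardened variant it builds (`HTTP/bbpcb016.epfl.ch` as the pinned principal, `https://`, `LogLevel warn`) is my suggestion, not something the post states.

```python
"""Lint the mod_auth_kerb <Location> block and openrc from the post above.

Added example, not code from the original post.  Inputs are copied from the
post; the hardened variant and the finding text are the editor's own.
"""
import re
import shlex
from urllib.parse import urlsplit

# Copied from the post's [1] and [2].
LOCATION_CONF = '''<Location "/krb/v3/auth/tokens">
    SetEnv REMOTE_DOMAIN bbp
    LogLevel debug
    AuthType Kerberos
    AuthName "Kerberos Login"
    KrbMethodNegotiate on
    KrbMethodK5Passwd on
    KrbServiceName Any
    KrbAuthRealms INTRANET.EPFL.CH
    Krb5KeyTab /etc/httpd.keytab
    KrbLocalUserMapping on
    require valid-user
</Location>'''

OPENRC = '''export OS_AUTH_URL=http://bbpcb016.epfl.ch:5000/krb/v3
export OS_IDENTITY_API_VERSION=3
export OS_PROJECT_NAME="test"
export OS_AUTH_TYPE=v3kerberos'''

# Hardened variant (editor's suggestion, assumed principal name): Negotiate only,
# service principal pinned to this host, TLS on the auth URL, debug logging off.
HARDENED_CONF = (LOCATION_CONF
                 .replace("KrbMethodK5Passwd on", "KrbMethodK5Passwd off")
                 .replace("KrbServiceName Any", "KrbServiceName HTTP/bbpcb016.epfl.ch")
                 .replace("LogLevel debug", "LogLevel warn"))
HARDENED_OPENRC = OPENRC.replace("http://", "https://")


def parse_location(conf):
    """Return (path, {directive_lowercase: [args]}) for the first <Location> block."""
    m = re.search(r'<Location\s+"?([^">]+)"?\s*>(.*?)</Location>', conf, re.S)
    if not m:
        raise ValueError("no <Location> block found")
    directives = {}
    for line in m.group(2).splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        parts = shlex.split(line)          # honours quoted args such as AuthName
        directives[parts[0].lower()] = parts[1:]
    return m.group(1), directives


def parse_openrc(text):
    """Return a dict of variables from 'export NAME=value' lines."""
    env = {}
    for line in text.splitlines():
        m = re.match(r'\s*export\s+([A-Za-z_][A-Za-z0-9_]*)=(.*)$', line)
        if m:
            value = shlex.split(m.group(2))
            env[m.group(1)] = value[0] if value else ""
    return env


def lint(conf, openrc):
    """Return a list of (severity, subject, message) findings; empty means clean."""
    path, d = parse_location(conf)
    env = parse_openrc(openrc)
    url = urlsplit(env.get("OS_AUTH_URL", ""))
    findings = []
    if url.scheme != "https":
        findings.append(("high", "OS_AUTH_URL",
                         "auth URL is not https: the Negotiate exchange and any Basic "
                         "fallback password cross the wire unencrypted"))
    if d.get("krbmethodk5passwd", ["off"])[0].lower() == "on":
        findings.append(("high", "KrbMethodK5Passwd",
                         "Basic password fallback is on, so the user's KDC password is "
                         "handed to Apache; Negotiate-only avoids that"))
    if d.get("krbservicename", ["HTTP"])[0].lower() == "any":
        findings.append(("medium", "KrbServiceName",
                         "'Any' accepts a ticket for any principal in the keytab; pin "
                         "HTTP/<fqdn> so only this host's service principal is accepted"))
    if d.get("loglevel", [""])[0].lower() == "debug":
        findings.append(("low", "LogLevel",
                         "debug logging records per-request auth details; lower it "
                         "once the problem is understood"))
    # The client POSTs to <OS_AUTH_URL>/auth/tokens; Kerberos is only challenged
    # if that path is inside the <Location> block.
    token_path = url.path.rstrip("/") + "/auth/tokens"
    if not token_path.startswith(path):
        findings.append(("high", "Location",
                         "%s is not covered by <Location %s>" % (token_path, path)))
    return findings


if __name__ == "__main__":
    for label, conf, rc in (("posted", LOCATION_CONF, OPENRC),
                            ("hardened", HARDENED_CONF, HARDENED_OPENRC)):
        print("== %s ==" % label)
        for sev, subject, msg in lint(conf, rc) or [("ok", "-", "no findings")]:
            print("%-6s %-18s %s" % (sev, subject, msg))
```

Run stand-alone it prints the findings for the posted configuration and an empty result for the hardened one. Note that none of these findings explains the `Invalid token was supplied` error itself; they are the review points a defender would want settled before the endpoint goes live, and the `Location` coverage check rules out the most common silent misconfiguration (a client hitting a path Apache never protects).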