Keystone Kerberos configuration

Hello all,

I am trying to coerce Keystone to work with Kerberos authentication, however I am hitting a brick wall. For the moment I just want to provide the ability to use Kerberos with the openstack python client; I'm not looking at Horizon/WebSSO at this time.

Keystone is already configured for LDAP authentication against the domain 'bbp'.

We are running Mitaka and have configured the location block in apache for keystone as per [1]

My openrc file is [2]

When trying to authenticate I get [3] from my client with an error indicating an invalid token, however on the apache side through the logs it indicates that I was actually successful with Kerberos authentication [4].

I'm struggling to find the missing link through documentation. Has anyone else configured Kerberos with Keystone and knows what I am missing here?

[1]

<Location "/krb/v3/auth/tokens">
    SetEnv REMOTE_DOMAIN bbp
    LogLevel debug
    AuthType Kerberos
    AuthName "Kerberos Login"
    KrbMethodNegotiate on
    KrbMethodK5Passwd on
    KrbServiceName Any
    KrbAuthRealms INTRANET.EPFL.CH
    Krb5KeyTab /etc/httpd.keytab
    KrbLocalUserMapping on
    require valid-user
</Location>

[2]

#!/bin/bash
export OS_AUTH_URL=http://bbpcb016.epfl.ch:5000/krb/v3
export OS_IDENTITY_API_VERSION=3
export OS_PROJECT_ID=907b7b58d44d419e94aa0851206ceaa0
export OS_PROJECT_NAME="test"
export OS_AUTH_TYPE=v3kerberos

[3]

$ openstack server list
WARNING: openstackclient.common.utils is deprecated and will be removed after Jun 2017. Please use osc_lib.utils
generate_request_header(): authGSSClientStep() failed:
Traceback (most recent call last):
  File "/usr/local/lib/python2.7/dist-packages/requests_kerberos/kerberos_.py", line 144, in generate_request_header
    negotiate_resp_value)
GSSError: (('Invalid token was supplied', 589824), ('Success', 100001))
(('Invalid token was supplied', 589824), ('Success', 100001))
Traceback (most recent call last):
  File "/usr/local/lib/python2.7/dist-packages/requests_kerberos/kerberos_.py", line 144, in generate_request_header
    negotiate_resp_value)
GSSError: (('Invalid token was supplied', 589824), ('Success', 100001))
The request you have made requires authentication. (HTTP 401) (Request-ID: req-457ba760-1aa7-425b-b9d4-64434711d5b0)

[4]

==> /var/log/httpd/keystone_wsgi_main_access.log <==
128.167.23.68 - - [20/Sep/2016:09:30:36 +0200] "POST /krb/v3/auth/tokens HTTP/1.1" 401 381 "-" "osc-lib keystoneauth1/2.12.1 python-requests/2.11.1 CPython/2.7.12"

==> /var/log/httpd/keystone_wsgi_main_error.log <==
[Tue Sep 20 09:30:36.734551 2016] [authz_core:debug] [pid 19774] mod_authz_core.c(809): [client 128.167.23.68:51410] AH01626: authorization result of Require valid-user : denied (no authenticated user yet)
[Tue Sep 20 09:30:36.734575 2016] [authz_core:debug] [pid 19774] mod_authz_core.c(809): [client 128.167.23.68:51410] AH01626: authorization result of <RequireAny>: denied (no authenticated user yet)
[Tue Sep 20 09:30:36.734590 2016] [auth_kerb:debug] [pid 19774] src/mod_auth_kerb.c(1954): [client 128.167.23.68:51410] kerb_authenticate_user entered with user (NULL) and auth_type Kerberos
[Tue Sep 20 09:30:36.734638 2016] [auth_kerb:debug] [pid 19774] src/mod_auth_kerb.c(1708): [client 128.167.23.68:51410] Verifying client data using KRB5 GSS-API
[Tue Sep 20 09:30:36.735406 2016] [auth_kerb:debug] [pid 19774] src/mod_auth_kerb.c(1724): [client 128.167.23.68:51410] Client didn't delegate us their credential
[Tue Sep 20 09:30:36.735417 2016] [auth_kerb:debug] [pid 19774] src/mod_auth_kerb.c(1743): [client 128.167.23.68:51410] GSS-API token of length 156 bytes will be sent back
[Tue Sep 20 09:30:36.735579 2016] [auth_kerb:debug] [pid 19774] src/mod_auth_kerb.c(1855): [client 128.167.23.68:51410] kerb_authenticate_a_name_to_local_name morrice@INTRANET.EPFL.CH -> morrice
[Tue Sep 20 09:30:36.735599 2016] [authz_core:debug] [pid 19774] mod_authz_core.c(809): [client 128.167.23.68:51410] AH01626: authorization result of Require valid-user : granted
[Tue Sep 20 09:30:36.735604 2016] [authz_core:debug] [pid 19774] mod_authz_core.c(809): [client 128.167.23.68:51410] AH01626: authorization result of <RequireAny>: granted
[Tue Sep 20 09:30:36.735729 2016] [authz_core:debug] [pid 19774] mod_authz_core.c(809): [client 128.167.23.68:51410] AH01626: authorization result of Require all granted: granted
[Tue Sep 20 09:30:36.735748 2016] [authz_core:debug] [pid 19774] mod_authz_core.c(809): [client 128.167.23.68:51410] AH01626: authorization result of <RequireAny>: granted

==> /var/log/keystone/keystone.log <==
2016-09-20 09:30:36.736 19766 DEBUG keystone.middleware.auth [req-f558e1a3-92ce-4fb2-bfab-58e959db16ef - - - - -] There is either no auth token in the request or the certificate issuer is not trusted. No auth context will be set. _build_auth_context /usr/lib/python2.7/site-packages/keystone/middleware/auth.py:71
2016-09-20 09:30:36.808 19766 INFO keystone.common.wsgi [req-f558e1a3-92ce-4fb2-bfab-58e959db16ef - - - - -] POST http://bbpcb016.epfl.ch:5000/krb/v3/auth/tokens
2016-09-20 09:30:36.835 19766 WARNING keystone.common.wsgi [req-f558e1a3-92ce-4fb2-bfab-58e959db16ef - - - - -] Authorization failed. The request you have made requires authentication. from 128.167.23.68
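As an added diagnostic aid (not from the original post), the following Python script correlates the three log excerpts in [4] for one client address and reports which layer produced the 401: it confirms that mod_auth_kerb mapped the principal and granted `Require valid-user`, so the rejection came from Keystone after REMOTE_USER was already set. The log lines are constructed from the question's excerpts and the field names are the script's own.

```python
import re

# Sample log lines constructed from the three sources quoted in the question (Apache
# access log, Apache error log at LogLevel debug, keystone.log), trimmed to what is parsed.
ACCESS_LOG = ['128.167.23.68 - - [20/Sep/2016:09:30:36 +0200] "POST /krb/v3/auth/tokens HTTP/1.1" 401 381 "-" "osc-lib"']
ERROR_LOG = [
    '[Tue Sep 20 09:30:36.735579 2016] [auth_kerb:debug] [pid 19774] src/mod_auth_kerb.c(1855): [client 128.167.23.68:51410] kerb_authenticate_a_name_to_local_name morrice@INTRANET.EPFL.CH -> morrice',
    '[Tue Sep 20 09:30:36.735599 2016] [authz_core:debug] [pid 19774] mod_authz_core.c(809): [client 128.167.23.68:51410] AH01626: authorization result of Require valid-user : granted',
]
KEYSTONE_LOG = [
    '2016-09-20 09:30:36.736 19766 DEBUG keystone.middleware.auth [req-f558e1a3-92ce-4fb2-bfab-58e959db16ef - - - - -] There is either no auth token in the request or the certificate issuer is not trusted. No auth context will be set.',
    '2016-09-20 09:30:36.835 19766 WARNING keystone.common.wsgi [req-f558e1a3-92ce-4fb2-bfab-58e959db16ef - - - - -] Authorization failed. The request you have made requires authentication. from 128.167.23.68',
]

ACCESS_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "\S+ (?P<path>\S+) [^"]*" (?P<status>\d{3})')
CLIENT_RE = re.compile(r'\[client (?P<ip>[^:\]]+)(?::\d+)?\]')
MAP_RE = re.compile(r'kerb_authenticate_a_name_to_local_name (?P<principal>\S+) -> (?P<user>\S+)')
AUTHZ_RE = re.compile(r'authorization result of Require valid-user : (?P<result>\w+)')
KS_RE = re.compile(r'^\S+ \S+ \d+ \w+ \S+ \[(?P<req>req-[0-9a-f-]+)[^\]]*\] (?P<msg>.*)$')

def diagnose(access, error, keystone, client_ip):
    """Correlate one client's token request across the three logs and name the layer that rejected it."""
    r = {'http_status': None, 'principal': None, 'remote_user': None,
         'apache_authz': None, 'keystone_req': None, 'keystone_rejected': False}
    for line in access:
        m = ACCESS_RE.match(line)
        if m and m['ip'] == client_ip and m['path'].endswith('/auth/tokens'):
            r['http_status'] = int(m['status'])
    for line in error:
        c = CLIENT_RE.search(line)
        if c and c['ip'] == client_ip:           # ignore other clients' lines
            m = MAP_RE.search(line)
            if m:                                 # principal -> REMOTE_USER mapping
                r['principal'], r['remote_user'] = m['principal'], m['user']
            m = AUTHZ_RE.search(line)
            if m:                                 # last authz decision wins
                r['apache_authz'] = m['result']
    for line in keystone:
        m = KS_RE.match(line)
        if m and client_ip in m['msg'] and 'Authorization failed' in m['msg']:
            r['keystone_req'], r['keystone_rejected'] = m['req'], True
    # No mapped user or a denied Require means mod_auth_kerb rejected the request;
    # a mapped, granted user followed by Keystone's own 401 puts the failure inside Keystone.
    if r['apache_authz'] != 'granted' or r['remote_user'] is None:
        r['failing_layer'] = 'apache-kerberos'
    elif r['keystone_rejected']:
        r['failing_layer'] = 'keystone'
    else:
        r['failing_layer'] = 'none'
    return r
```

Run `diagnose(ACCESS_LOG, ERROR_LOG, KEYSTONE_LOG, '128.167.23.68')` against the embedded lines; on a real host, feed it the full files and the client address from the access log.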