Use mod_auth_gssapi instead of mod_auth_kerb.

https://fedorahosted.org/freeipa/ticket/4190

Reviewed-By: Jan Cholasta <jcholast@redhat.com>
Reviewed-By: Petr Vobornik <pvoborni@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Simo Sorce <ssorce@redhat.com>

freeipa.spec.in

@@ -118,7 +118,7 @@ Requires: cyrus-sasl-gssapi%{?_isa}
 Requires: ntp
 Requires: httpd >= 2.4.6-6
 Requires: mod_wsgi
-Requires: mod_auth_kerb >= 5.4-16
+Requires: mod_auth_gssapi >= 1.1.0-2
 Requires: mod_nss >= 1.0.8-26
 Requires: python-ldap >= 2.4.15
 Requires: python-krbV
@@ -463,6 +463,7 @@ install -m 0644 init/systemd/ipa.conf.tmpfiles %{buildroot}%{_tmpfilesdir}/%{nam
 mkdir -p %{buildroot}%{_localstatedir}/run/
 install -d -m 0700 %{buildroot}%{_localstatedir}/run/ipa_memcached/
 install -d -m 0700 %{buildroot}%{_localstatedir}/run/ipa/
+install -d -m 0700 %{buildroot}%{_localstatedir}/run/httpd/clientcaches
 
 mkdir -p %{buildroot}%{_libdir}/krb5/plugins/libkrb5
 touch %{buildroot}%{_libdir}/krb5/plugins/libkrb5/winbind_krb5_locator.so
@@ -680,6 +681,7 @@ fi
 %config(noreplace) %{_sysconfdir}/sysconfig/ipa-ods-exporter
 %dir %attr(0700,apache,apache) %{_localstatedir}/run/ipa_memcached/
 %dir %attr(0700,root,root) %{_localstatedir}/run/ipa/
+%dir %attr(0700,apache,apache) %{_localstatedir}/run/httpd/clientcaches/
 # NOTE: systemd specific section
 %{_tmpfilesdir}/%{name}.conf
 %attr(644,root,root) %{_unitdir}/ipa.service

init/systemd/ipa.conf.tmpfiles

@@ -1,2 +1,3 @@
 d /var/run/ipa_memcached 0700 apache apache
 d /var/run/ipa 0700 root root
+d /var/run/httpd/clientcaches 0700 apache apache

install/conf/ipa.conf

@@ -3,7 +3,6 @@
 #
 # This file may be overwritten on upgrades.
 #
-# LoadModule auth_kerb_module modules/mod_auth_kerb.so
 
 ProxyRequests Off
 
@@ -61,19 +60,14 @@ WSGIScriptReloading Off
   SetHandler None
 </Location>
 
-KrbConstrainedDelegationLock ipa
-
 # Protect /ipa and everything below it in webspace with Apache Kerberos auth
 <Location "/ipa">
-  AuthType Kerberos
+  AuthType GSSAPI
   AuthName "Kerberos Login"
-  KrbMethodNegotiate on
-  KrbMethodK5Passwd off
-  KrbServiceName HTTP
-  KrbAuthRealms $REALM
-  Krb5KeyTab /etc/httpd/conf/ipa.keytab
-  KrbSaveCredentials on
-  KrbConstrainedDelegation on
+  GssapiCredStore keytab:/etc/httpd/conf/ipa.keytab
+  GssapiCredStore client_keytab:/etc/httpd/conf/ipa.keytab
+  GssapiDelegCcacheDir /var/run/httpd/clientcaches
+  GssapiUseS4U2Proxy on
   Require valid-user
   ErrorDocument 401 /ipa/errors/unauthorized.html
 </Location>

ipalib/session.py

@@ -484,7 +484,7 @@ improve authentication performance. First some definitions.
 There are 4 major players:
 
   1. client
-  2. mod_auth_kerb (in Apache process)
+  2. mod_auth_gssapi (in Apache process)
   3. wsgi handler (in IPA wsgi python process)
   4. ds (directory server)
 
@@ -506,12 +506,12 @@ This describes how things work in our current system for the web UI.
 
   2. Client sends post to /ipa/json.
 
-  3. mod_auth_kerb is configured to protect /ipa/json, replies 401
+  3. mod_auth_gssapi is configured to protect /ipa/json, replies 401
      authenticate negotiate.
 
   4. Client resends with credentials
 
-  5. mod_auth_kerb validates credentials
+  5. mod_auth_gssapi validates credentials
 
      a. if invalid replies 403 access denied (stops here)
 
@@ -550,7 +550,7 @@ A few notes about the session implementation.
 Changes to Apache's resource protection
 ---------------------------------------
 
-  * /ipa/json is no longer protected by mod_auth_kerb. This is
+  * /ipa/json is no longer protected by mod_auth_gssapi. This is
     necessary to avoid the negotiate expense in steps 3,4,5
     above. Instead the /ipa/json resource will be protected in our wsgi
     handler via the session cookie.
@@ -583,15 +583,15 @@ The new sequence is:
 
   5. client sends request to /ipa/login to obtain session credentials
 
-  6. mod_auth_kerb replies 401 negotiate on /ipa/login
+  6. mod_auth_gssapi replies 401 negotiate on /ipa/login
 
   7. client sends credentials to /ipa/login
 
-  8. mod_auth_kerb validates credentials
+  8. mod_auth_gssapi validates credentials
 
      a. if valid
 
-        - mod_auth_kerb permits access to /ipa/login. wsgi handler is
+        - mod_auth_gssapi permits access to /ipa/login. wsgi handler is
           invoked and does the following:
 
           * establishes session for client
@@ -600,7 +600,7 @@ The new sequence is:
 
      a. if invalid
 
-        - mod_auth_kerb sends 403 access denied (processing stops)
+        - mod_auth_gssapi sends 403 access denied (processing stops)
 
   9. client now posts the same data again to /ipa/json including
      session cookie. Processing repeats starting at step 2 and since
@@ -617,12 +617,12 @@ and xmlrpc API's are the same, they differ only on how their procedure
 calls are marshalled and unmarshalled.
 
 Under the new scheme /ipa/xml will continue to be Kerberos protected
-at all times. Apache's mod_auth_kerb will continue to require the
+at all times. Apache's mod_auth_gssapi will continue to require the
 client provides valid Kerberos credentials.
 
 When the WSGI handler routes to /ipa/xml the Kerberos credentials will
 be extracted from the KRB5CCNAME environment variable as provided by
-mod_auth_kerb. Everything else remains the same.
+mod_auth_gssapi. Everything else remains the same.
 
 '''
 

ipaserver/rpcserver.py

@@ -858,7 +858,7 @@ class login_kerberos(Backend, KerberosSession, HTTP_Status):
     def __call__(self, environ, start_response):
         self.debug('WSGI login_kerberos.__call__:')
 
-        # Get the ccache created by mod_auth_kerb
+        # Get the ccache created by mod_auth_gssapi
         user_ccache_name=environ.get('KRB5CCNAME')
         if user_ccache_name is None:
             return self.internal_error(environ, start_response,