Open incredibleweirdo opened 10 years ago
Any thoughts on this? Is it possible I may have done something incorrectly in installing python packages? Here's the output I have of 'pip freeze'; I do seem to have one warning which I am unfamiliar with:
Landscape-Client==12.05
PAM==0.4.2
Pillow==2.2.1
Twisted-Core==11.1.0
apt-xapian-index==0.44
argparse==1.2.1
chardet==2.0.1
command-not-found==0.2.44
cssmin==0.2.0
## FIXME: could not find svn URL in dependency_links for this package:
distribute==0.6.24dev-r0
futures==2.1.4
gateone==1.2.0
httplib2==0.7.2
kerberos==1.0
keyring==0.9.2
language-selector==0.1
launchpadlib==1.9.12
lazr.restfulclient==0.12.0
lazr.uri==1.0.3
mutagen==1.22
oauth==1.0.1
ply==3.4
pyOpenSSL==0.12
pycrypto==2.4.1
pyserial==2.5
python-apt==0.8.3ubuntu7.1
python-debian==0.1.21ubuntu1
simplejson==2.3.2
slimit==0.8.1
tornado==3.1.1
ufw==0.31.1-1
unattended-upgrades==0.1
wadllib==1.3.0
wsgiref==0.1.2
zope.interface==3.6.1
A googling tells me running 'sudo pip install --upgrade distribute' will fix that warning.
This is definitely a bug (you didn't do anything wrong). I'll fix it.
Actually: Make sure there are no running instances of gateone.py (kill them all) and try running ./gateone.py --logging=debug. Let's rule out the "address in use" problem.
I can't seem to kill it. Every time I kill an instance of gateone, another pops up. Running ps aux | grep python, I get:
root 5467 0.2 0.8 95920 17808 ? Ss 13:19 0:00 python /opt/gateone/gateone.py --pid_file=/tmp/gateone.pid
1000 5488 0.0 0.0 9392 900 pts/2 S+ 13:21 0:00 grep --color=auto python
Killing the gateone process seems to simply spawn another one:
administrator@pnrsf-svrxdev:/opt/gateone$ ps aux | grep python
root 5467 0.2 0.8 95920 17808 ? Ss 13:19 0:00 python /opt/gateone/gateone.py --pid_file=/tmp/gateone.pid
1000 5488 0.0 0.0 9392 900 pts/2 S+ 13:21 0:00 grep --color=auto python
administrator@pnrsf-svrxdev:/opt/gateone$ sudo kill 5467
administrator@pnrsf-svrxdev:/opt/gateone$ ps aux | grep python
root 5498 4.5 0.8 95916 17804 ? Ss 13:22 0:00 python /opt/gateone/gateone.py --pid_file=/tmp/gateone.pid
1000 5508 0.0 0.0 9392 896 pts/2 S+ 13:22 0:00 grep --color=auto python
Run this:
ps aux | grep gateone.py | awk '{print $2}' | xargs kill
That should do it. If not run it with a -9 at the end:
ps aux | grep gateone.py | awk '{print $2}' | xargs kill -9
Okay, somehow there was an upstart conf file for gateone, which was restarting it after every kill. I used sudo service gateone stop to successfully stop it. Ran ./gateone.py --logging=debug with the SSO configured, and attempted to connect. Here's the output:
[I 131112 13:57:02 web:1635] 302 GET / (10.105.12.156) 1.20ms
[W 131112 13:57:02 web:1635] 401 GET /auth?next=%2F (10.105.12.156) 0.71ms
[E 131112 13:57:02 sso:174] Kerberos Error: (('Unspecified GSS failure. Minor code may provide more information', 851968), ('', 100004))
[E 131112 13:57:02 web:1228] Uncaught exception GET /auth?next=%2F (10.105.12.156)
HTTPRequest(protocol='https', host='pnrsf-svrxdev:9443', method='GET', uri='/auth?next=%2F', version='HTTP/1.1', remote_ip='10.105.12.156', headers={'Accept-Language': 'en-US,en;q=0.8', 'Accept-Encoding': 'gzip,deflate,sdch', 'Host': 'pnrsf-svrxdev:9443', 'Accept': 'text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8', 'User-Agent': 'Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/30.0.1599.101 Safari/537.36', 'Connection': 'keep-alive', 'Cookie': 'testing=1', 'Cache-Control': 'max-age=0', 'Authorization': 'Negotiate
snipped a bunch of the Negotiate packet here...
Traceback (most recent call last):
File "/usr/local/lib/python2.7/dist-packages/tornado/web.py", line 1115, in _stack_context_handle_exception
raise_exc_info((type, value, traceback))
File "/usr/local/lib/python2.7/dist-packages/tornado/web.py", line 1298, in wrapper
result = method(self, *args, **kwargs)
File "/opt/gateone/auth.py", line 656, in get
self.get_authenticated_user(self._on_auth)
File "/opt/gateone/sso.py", line 151, in get_authenticated_user
self.auth_negotiate(auth_header, callback)
File "/opt/gateone/sso.py", line 177, in auth_negotiate
kerberos.authGSSServerClean(context)
UnboundLocalError: local variable 'context' referenced before assignment
[E 131112 13:57:02 web:1635] 500 GET /auth?next=%2F (10.105.12.156) 12.65ms
[W 131112 13:57:03 web:1635] 404 GET /favicon.ico (10.105.12.156) 27.09ms
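The traceback above shows the real Kerberos error being masked by a second failure inside the error handler: `authGSSServerClean(context)` runs on a name that was never bound because the earlier GSS call raised. As an added illustration (not Gate One's code; the `kerberos` module is replaced by a constructed stub whose pykerberos-style signatures are an assumption), here is that error-path shape next to a corrected version that binds the context before the `try` and cleans it exactly once in `finally`, so a keytab or SPN problem surfaces as a logged error and a 401 instead of a 500:

```python
import logging

log = logging.getLogger("sso-example")


class GSSError(Exception):
    """Stands in for kerberos.GSSError from pykerberos (constructed stub)."""


class FakeKerberos:
    """Constructed stand-in for the pykerberos module.

    Only the acceptor-side calls seen in the traceback are modelled, with
    pykerberos-style signatures (assumption): authGSSServerInit(service)
    -> (result, context), authGSSServerStep(context, token) -> result,
    authGSSServerUserName(context) -> str, authGSSServerClean(context).
    """

    def __init__(self, keytab_services, tokens):
        self.keytab_services = keytab_services  # services that have a usable key
        self.tokens = tokens                    # token -> principal it proves
        self.cleaned = []                       # contexts released so far

    def authGSSServerInit(self, service):
        # A real acceptor fails here when it has no key for the service
        # principal (e.g. no HTTP/host entry in /etc/krb5.keytab).
        if service not in self.keytab_services:
            raise GSSError(("Unspecified GSS failure", 851968), ("", 100004))
        return 1, {"service": service, "user": None}

    def authGSSServerStep(self, context, token):
        if token not in self.tokens:
            raise GSSError(("Defective token", 0), ("", 0))
        context["user"] = self.tokens[token]
        return 1

    def authGSSServerUserName(self, context):
        return context["user"]

    def authGSSServerClean(self, context):
        self.cleaned.append(context["service"])


def auth_negotiate_buggy(kerberos, service, token):
    """Shape of the error path implied by the traceback (reconstruction)."""
    try:
        _result, context = kerberos.authGSSServerInit(service)
        kerberos.authGSSServerStep(context, token)
        return kerberos.authGSSServerUserName(context)
    except GSSError as e:
        log.error("Kerberos Error: %s", e)
        # If authGSSServerInit itself raised, 'context' was never bound, so
        # this line turns a clean 401 into an UnboundLocalError and a 500.
        kerberos.authGSSServerClean(context)
        return None


def auth_negotiate_fixed(kerberos, service, token):
    """Same flow with the context bound up front and released exactly once."""
    context = None
    try:
        _result, context = kerberos.authGSSServerInit(service)
        kerberos.authGSSServerStep(context, token)
        return kerberos.authGSSServerUserName(context)
    except GSSError as e:
        log.error("Kerberos Error: %s", e)
        return None  # caller answers 401 with a fresh WWW-Authenticate: Negotiate
    finally:
        if context is not None:
            kerberos.authGSSServerClean(context)


def _raises(exc_type, fn, *args):
    try:
        fn(*args)
    except exc_type:
        return True
    return False


def demo():
    """Run both versions against a working acceptor and one with no HTTP key."""
    good = FakeKerberos({"HTTP@pnrsf-svrxdev"}, {"tok-ok": "administrator@MYDOMAIN.PVT"})
    broken = FakeKerberos(set(), {"tok-ok": "administrator@MYDOMAIN.PVT"})
    return {
        "fixed_ok": auth_negotiate_fixed(good, "HTTP@pnrsf-svrxdev", "tok-ok"),
        "fixed_cleaned": list(good.cleaned),
        "buggy_masks_error": _raises(UnboundLocalError, auth_negotiate_buggy,
                                     broken, "HTTP@pnrsf-svrxdev", "tok-ok"),
        "fixed_broken": auth_negotiate_fixed(broken, "HTTP@pnrsf-svrxdev", "tok-ok"),
        "fixed_broken_cleaned": list(broken.cleaned),
    }
```

The fixed version keeps the GSS error message (the thing you actually need to debug the keytab) as the only thing in the log, and never calls clean on a context that was never created.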
What OS are you running on the client?
Also, is the clock synchronized on both the client and the server?
Windows 7 is the OS. Time is the same on both server and client, though synchronized to the second I can't say for sure.
Wait: Can you paste your /etc/krb5.conf from the server running Gate One? Did you add the HTTP/yourhost SPN to the host's keytab file? e.g. /etc/krb5.keytab
Also, can you confirm that you've added your realm to network.negotiate-auth.trusted-uris in Firefox (under about:config)?
Doh, you're using Chrome. Nevermind. It will use the same SSO config as IE.
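The keytab question above is the first thing to verify. As an added example (not from the thread, Gate One or PBIS), here is a small reader for the MIT keytab file format (version 0x0502) that lists what a keytab actually contains and checks that the HTTP SPN is present at the kvno the KDC reports (the poster's `kvno HTTP/servername@MYADDOMAIN.PVT` answer was 7). The sample keytab is constructed in memory; its principal names and key bytes are placeholders.

```python
import struct
from collections import namedtuple

KeytabEntry = namedtuple("KeytabEntry", "principal kvno enctype key")

ENCTYPE_NAMES = {17: "aes128-cts-hmac-sha1-96", 18: "aes256-cts-hmac-sha1-96", 23: "arcfour-hmac"}


def _cos(data):
    """counted_octet_string: uint16 length followed by the bytes."""
    return struct.pack(">H", len(data)) + data


def _read_cos(buf, pos):
    (n,) = struct.unpack_from(">H", buf, pos)
    pos += 2
    return bytes(buf[pos:pos + n]), pos + n


def build_keytab(entries):
    """Serialise (principal, kvno, enctype, key) tuples as an MIT 0x0502 keytab."""
    out = bytearray(b"\x05\x02")
    for principal, kvno, enctype, key in entries:
        name, realm = principal.rsplit("@", 1)
        comps = name.split("/")
        body = bytearray(struct.pack(">H", len(comps)))      # components, sans realm
        body += _cos(realm.encode())
        for c in comps:
            body += _cos(c.encode())
        body += struct.pack(">IIB", 1, 0, kvno & 0xFF)        # NT_PRINCIPAL, timestamp, vno8
        body += struct.pack(">H", enctype) + _cos(key)        # keyblock
        body += struct.pack(">I", kvno)                       # optional 32-bit vno
        out += struct.pack(">i", len(body)) + body            # size excludes itself
    return bytes(out)


def parse_keytab(data):
    """Return the KeytabEntry list of a version 0x0502 keytab."""
    if data[:2] != b"\x05\x02":
        raise ValueError("not a version 0x0502 keytab")
    pos, entries = 2, []
    while pos + 4 <= len(data):
        (size,) = struct.unpack_from(">i", data, pos)
        pos += 4
        if size < 0:                      # slot freed by 'delent'; skip its bytes
            pos += -size
            continue
        end = pos + size
        (ncomp,) = struct.unpack_from(">H", data, pos)
        pos += 2
        realm, pos = _read_cos(data, pos)
        comps = []
        for _ in range(ncomp):
            c, pos = _read_cos(data, pos)
            comps.append(c.decode())
        _name_type, _timestamp, vno8 = struct.unpack_from(">IIB", data, pos)
        pos += 9
        (enctype,) = struct.unpack_from(">H", data, pos)
        pos += 2
        key, pos = _read_cos(data, pos)
        kvno = vno8
        if end - pos >= 4:                # a nonzero 32-bit vno overrides the 8-bit one
            (vno32,) = struct.unpack_from(">I", data, pos)
            if vno32:
                kvno = vno32
        entries.append(KeytabEntry("/".join(comps) + "@" + realm.decode(), kvno, enctype, key))
        pos = end
    return entries


def check_spn(data, principal, kdc_kvno):
    """(ok, detail): does the keytab hold a key for principal at the KDC's kvno?"""
    matches = [e for e in parse_keytab(data) if e.principal == principal]
    if not matches:
        return False, "no entry for %s" % principal
    if not any(e.kvno == kdc_kvno for e in matches):
        have = sorted({e.kvno for e in matches})
        return False, "kvno mismatch: keytab has %s, KDC issues %d" % (have, kdc_kvno)
    ets = sorted({ENCTYPE_NAMES.get(e.enctype, str(e.enctype))
                  for e in matches if e.kvno == kdc_kvno})
    return True, "ok: kvno %d, enctypes %s" % (kdc_kvno, ", ".join(ets))


# Constructed sample: the host key from the domain join plus the HTTP SPN at
# kvno 7, the value the thread's kvno command reported. Keys are dummy bytes.
SAMPLE_KEYTAB = build_keytab([
    ("host/servername@MYADDOMAIN.PVT", 3, 23, b"\x01" * 16),
    ("HTTP/servername@MYADDOMAIN.PVT", 7, 18, b"\x02" * 32),
    ("HTTP/servername@MYADDOMAIN.PVT", 7, 23, b"\x03" * 16),
])
```

Against a real file: `check_spn(open("/etc/krb5.keytab", "rb").read(), "HTTP/servername@MYADDOMAIN.PVT", 7)`, comparing the kvno argument with what `kvno HTTP/servername@MYADDOMAIN.PVT` prints on the same box (`klist -ke` gives the same listing from the shell). A missing SPN entry, or a keytab kvno that lags the KDC after a computer-password reset or a re-run of ktpass, is a common cause of the "Unspecified GSS failure" in the log above: the acceptor simply has no key able to decrypt the service ticket inside the Negotiate token.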
I did not add the SPN to the keytab, no. I am attempting that via kadmin but I get "Client not found in Kerberos database while getting initial credentials". Which is quite wrong, as I can plainly see the SPN in AD when using the administrative tools in Windows.
Looking in the krb5.conf, I realize there may be a conflict here with another service installed on the server. I have PBIS Open installed to easily bind the Ubuntu server to the domain and allow login with domain accounts. I may have to come back to testing this with another Ubuntu install that does not have PBIS Open on it.
[libdefaults]
    default_tgs_enctypes = AES256-CTS AES128-CTS RC4-HMAC DES-CBC-MD5 DES-CBC-CRC
    default_tkt_enctypes = AES256-CTS AES128-CTS RC4-HMAC DES-CBC-MD5 DES-CBC-CRC
    preferred_enctypes = AES256-CTS AES128-CTS RC4-HMAC DES-CBC-MD5 DES-CBC-CRC
    dns_lookup_kdc = true
    pkinit_kdc_hostname = <DNS>
    pkinit_anchors = DIR:/var/lib/pbis/trusted_certs
    pkinit_cert_match = &&<EKU>msScLogin<PRINCIPAL>
    pkinit_eku_checking = kpServerAuth
    pkinit_win2k_require_binding = false
    pkinit_identities = PKCS11:/opt/pbis/lib/libpkcs11.so
    default_keytab_name = /etc/krb5.keytab
    default_realm = MYDOMAIN.PVT

[domain_realm]
    .mydomain.pvt = MYDOMAIN.PVT
    .otheraddomain.pvt = OTHERADDOMAIN.PVT
    .anotherdomain.pvt = ANOTHERDOMAIN.PVT
    .rks.mydomain.pvt = RKS.MYDOMAIN.PVT

[realms]
    MYDOMAIN.PVT = {
        auth_to_local = RULE:[1:$0\$1](^MYDOMAIN\.PVT\\.*)s/^MYDOMAIN\.PVT\\//
        auth_to_local = RULE:[1:$0\$1](^OTHERDOMAIN\.PVT\\.*)s/^OTHERDOMAIN\.PVT/OTHERDOMAIN/
        auth_to_local = RULE:[1:$0\$1](^ANOTHERDOMAIN\.PVT\\.*)s/^ANOTHERDOMAIN\.PVT/ANOTHERDOMAIN/
        auth_to_local = RULE:[1:$0\$1](^RKS\.MYDOMAIN\.PVT\\.*)s/^RKS\.MYDOMAIN\.PVT/RKS/
        auth_to_local = DEFAULT
    }

[appdefaults]
    pam = {
        mappings = MYDOMAIN\\(.*) $1@MYDOMAIN.PVT
        forwardable = true
        validate = true
    }
    httpd = {
        mappings = MYDOMAIN\\(.*) $1@MYDOMAIN.PVT
        reverse_mappings = (.*)@MYDOMAIN\.PVT MYDOMAIN\$1
    }
I can probably configure GateOne to use PAM, as any domain logins will then authenticate through PBIS Open, but then I lose single-sign-on.
This may not be a GateOne issue at all. Thanks for the help. If I get the bravery, I may get a new Ubuntu VM set up and manually configure kerberos - not looking forward to that, really :) Then I'll give the SSO another go. For now, anonymous login may have to do.
Last note - despite kvno working on the Ubuntu box, using Ktpass on a Windows server to export the keytab for the SPN gives an error about the SPN not being mapped to a user account. So this again may be my issue, as it's mapped to the computer account, not a user account.
I was using Ktpass because apparently kadmin is not compatible with Active Directory, and thus the only way to add the SPN to the keytab is to create the keytab on Windows and merge it on the Ubuntu box. Something that may be helpful in the documentation.
Thanks again.
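The auth_to_local lines in the posted [realms] stanza decide which local account a Kerberos principal resolves to on this host, which matters as soon as anything (PAM through PBIS, or a service doing its own mapping) trusts that result. As an added example, not code from the thread, from PBIS or from Gate One, here is a small evaluator for the `RULE:[n:string](regex)s/pat/rep/` syntax run over exactly those five lines. It assumes MIT semantics (rules are read from the default realm's stanza, the regex must match the whole formatted string, and DEFAULT maps only single-component principals from the default realm) and assumes the backslash in `$0\$1` is kept literally while `$n` expands; the principal names in the tests are constructed.

```python
import re

DEFAULT_REALM = "MYDOMAIN.PVT"

# The auth_to_local lines from the posted [realms] MYDOMAIN.PVT stanza, verbatim.
RULES = [
    r"RULE:[1:$0\$1](^MYDOMAIN\.PVT\\.*)s/^MYDOMAIN\.PVT\\//",
    r"RULE:[1:$0\$1](^OTHERDOMAIN\.PVT\\.*)s/^OTHERDOMAIN\.PVT/OTHERDOMAIN/",
    r"RULE:[1:$0\$1](^ANOTHERDOMAIN\.PVT\\.*)s/^ANOTHERDOMAIN\.PVT/ANOTHERDOMAIN/",
    r"RULE:[1:$0\$1](^RKS\.MYDOMAIN\.PVT\\.*)s/^RKS\.MYDOMAIN\.PVT/RKS/",
    "DEFAULT",
]


def split_principal(principal):
    """'HTTP/host@REALM' -> (['HTTP', 'host'], 'REALM'); no escape handling."""
    name, realm = principal.rsplit("@", 1)
    return name.split("/"), realm


def _split_unescaped(text, sep):
    """Split on sep; a backslash protects the following character."""
    parts, cur, i = [], "", 0
    while i < len(text):
        if text[i] == "\\" and i + 1 < len(text):
            cur += text[i:i + 2]
            i += 2
        elif text[i] == sep:
            parts.append(cur)
            cur = ""
            i += 1
        else:
            cur += text[i]
            i += 1
    parts.append(cur)
    return parts


def parse_rule(rule):
    """RULE:[n:fmt](regex)s/pat/rep/[g] -> (n, fmt, regex|None, (pat, rep, flags)|None)."""
    m = re.match(r"RULE:\[(\d+):((?:[^\]\\]|\\.)*)\]", rule)
    if not m:
        raise ValueError("unsupported rule: " + rule)
    n, fmt, rest, regex, subst = int(m.group(1)), m.group(2), rule[m.end():], None, None
    m2 = re.match(r"\((.*?)\)(?=s/|$)", rest)
    if m2:
        regex, rest = m2.group(1), rest[m2.end():]
    if rest.startswith("s/"):
        pat, rep, flags = (_split_unescaped(rest[2:], "/") + ["", ""])[:3]
        subst = (pat, rep, flags)
    return n, fmt, regex, subst


def expand_format(fmt, comps, realm):
    """$0 is the realm, $k the k-th name component; everything else (the \\) is literal."""
    return re.sub(r"\$(\d+)",
                  lambda m: realm if m.group(1) == "0" else comps[int(m.group(1)) - 1],
                  fmt)


def apply_rule(rule, principal, default_realm=DEFAULT_REALM):
    """Result of one rule for one principal, or None when the rule does not apply."""
    comps, realm = split_principal(principal)
    if rule == "DEFAULT":
        return comps[0] if (realm == default_realm and len(comps) == 1) else None
    n, fmt, regex, subst = parse_rule(rule)
    if n != len(comps):                  # a [1:...] rule never fits HTTP/host
        return None
    formed = expand_format(fmt, comps, realm)
    if regex is not None and re.fullmatch(regex, formed) is None:   # whole-string match
        return None
    if subst is not None:
        pat, rep, flags = subst
        formed = re.sub(pat, lambda _m: rep, formed, count=0 if "g" in flags else 1)
    return formed


def aname_to_localname(principal, rules=RULES):
    """First rule that yields a name wins; None means 'no local user for this principal'."""
    for rule in rules:
        name = apply_rule(rule, principal)
        if name is not None:
            return name
    return None
```

What the results show: a MYDOMAIN.PVT user maps to a bare local name, an RKS.MYDOMAIN.PVT user keeps an `RKS\` prefix, and both the HTTP/ service principal and a principal from a realm with no rule map to nothing at all. That last behaviour is the safe failure mode; a rule that stripped the realm from an arbitrary principal would let a foreign `root@EVIL.PVT` land on the local root account.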
You can create a krb5.keytab using the computer object. You just have to know the computer object's password. From that you can create a keytab using ktutil which should work just fine.
I don't have the instructions on me at the moment but I'll see if I can post them tomorrow when I have access to my notes.
I'm looking for any help/guidance on getting kerberos SSO working in GateOne.
In /opt/gateone/settings/20authentication.conf I have:
Yet, when I attempt to open GateOne via Chrome, I seem to be redirected and then receive a server error. If my server URL is https://servername:443, I would see the URL redirect to https://servername:443/auth?next=%2F, and receive "500: Internal Server Error" in the browser window. As well, watching in the Linux terminal I see that GateOne stops with an exception:
Running GateOne with "auth": "none", works mostly fine.
It also seems that when GateOne fails for this reason, it doesn't unbind the port, and I have to explicitly kill the process.
I have verified with 'kinit -p myadname@MYADDOMAIN.PVT' that I can authenticate successfully via kerberos on this server; ran nslookup on both servername.MYADDOMAIN.pvt and the IP address to verify DNS is giving proper responses; and 'kvno HTTP/servername@MYADDOMAIN.PVT' responds with "HTTP/servername@MYADDOMAIN.PVT: kvno = 7".
Any thoughts/guidance as to what could be wrong? This is on Ubuntu 12.04, in an Active Directory domain.