liftoff / GateOne

Gate One is an HTML5-powered terminal emulator and SSH client
http://liftoffsoftware.com/Products/GateOne

Help? Cannot get SSO working #328

Open incredibleweirdo opened 10 years ago

incredibleweirdo commented 10 years ago

I'm looking for any help/guidance on getting kerberos SSO working in GateOne.

In /opt/gateone/settings/20authentication.conf I have:

"auth": "kerberos",
"pam_realm": "servername",  # Gateone seems to have automatically populated this
"pam_service": "login",
"ssl_auth": "none",
"sso_keytab": null,
"sso_realm": "MYADDOMAIN.PVT",
"sso_service": "HTTP"

Yet, when I attempt to open GateOne via Chrome, I seem to be redirected and then receive a server error. If my server URL is https://servername:443, I would see the URL redirect to https://servername:443/auth?next=%2F, and receive "500: Internal Server Error" in the browser window. As well, watching in the Linux terminal I see that GateOne stops with an exception:

[I 131108 13:10:14 gateone:4742] Clearing cache_cir: /tmp/gateone_cache
[I 131108 13:10:14 gateone:4745] pid file removed
Traceback (most recent call last):
  File "./gateone.py", line 4748, in <module>
    main()
  File "./gateone.py", line 4718, in main
    https_server.listen(port=go_settings['port'], address="0.0.0.0")
  File "/usr/local/lib/python2.7/dist-packages/tornado/tcpserver.py", line 117, in listen
    sockets = bind_sockets(port, address=address)
  File "/usr/local/lib/python2.7/dist-packages/tornado/netutil.py", line 90, in bind_sockets
    sock.bind(sockaddr)
  File "/usr/lib/python2.7/socket.py", line 224, in meth
    return getattr(self._sock,name)(*args)
socket.error: [Errno 98] Address already in use
Exception AttributeError: "'NoneType' object has no attribute 'running_instances'" in <bound method MultiprocessRunner.__del__ of <go_async.MultiprocessRunner object at 0x24d8f90>> ignored

Running GateOne with "auth": "none", works mostly fine.

It also seems that when GateOne fails for this reason, it doesn't unbind the port, and I have to explicitly kill the process.

I have verified with 'kinit -p myadname@MYADDOMAIN.PVT' that I can authenticate successfully via kerberos on this server; ran nslookup on both servername.MYADDOMAIN.pvt and the IP address to verify DNS is giving proper responses; and 'kvno HTTP/servername@MYADDOMAIN.PVT' responds with "HTTP/servername@MYADDOMAIN.PVT: kvno = 7".

Any thoughts/guidance as to what could be wrong? This is on Ubuntu 12.04, in an Active Directory domain.

incredibleweirdo commented 10 years ago

Any thoughts on this? Is it possible I may have done something incorrectly in installing python packages? Here's the output I have of 'pip freeze'; I do seem to have one warning which I am unfamiliar with:

Landscape-Client==12.05
PAM==0.4.2
Pillow==2.2.1
Twisted-Core==11.1.0
apt-xapian-index==0.44
argparse==1.2.1
chardet==2.0.1
command-not-found==0.2.44
cssmin==0.2.0
## FIXME: could not find svn URL in dependency_links for this package:
distribute==0.6.24dev-r0
futures==2.1.4
gateone==1.2.0
httplib2==0.7.2
kerberos==1.0
keyring==0.9.2
language-selector==0.1
launchpadlib==1.9.12
lazr.restfulclient==0.12.0
lazr.uri==1.0.3
mutagen==1.22
oauth==1.0.1
ply==3.4
pyOpenSSL==0.12
pycrypto==2.4.1
pyserial==2.5
python-apt==0.8.3ubuntu7.1
python-debian==0.1.21ubuntu1
simplejson==2.3.2
slimit==0.8.1
tornado==3.1.1
ufw==0.31.1-1
unattended-upgrades==0.1
wadllib==1.3.0
wsgiref==0.1.2
zope.interface==3.6.1

A googling tells me running 'sudo pip install --upgrade distribute' will fix that warning.

liftoff commented 10 years ago

This is definitely a bug (you didn't do anything wrong). I'll fix it.

liftoff commented 10 years ago

Actually: Make sure there are no running instances of gateone.py (kill them all) and try running ./gateone.py --logging=debug. Let's rule out the "address in use" problem.

incredibleweirdo commented 10 years ago

I can't seem to kill it. Every time I kill an instance of gateone, another pops up. Running ps aux | grep python, I get:

root      5467  0.2  0.8  95920 17808 ?        Ss   13:19   0:00 python /opt/gateone/gateone.py --pid_file=/tmp/gateone.pid
1000      5488  0.0  0.0   9392   900 pts/2    S+   13:21   0:00 grep --color=auto python

Killing the gateone process seems to simply spawn another one:

administrator@pnrsf-svrxdev:/opt/gateone$ ps aux | grep python
root      5467  0.2  0.8  95920 17808 ?        Ss   13:19   0:00 python /opt/gateone/gateone.py --pid_file=/tmp/gateone.pid
1000      5488  0.0  0.0   9392   900 pts/2    S+   13:21   0:00 grep --color=auto python
administrator@pnrsf-svrxdev:/opt/gateone$ sudo kill 5467
administrator@pnrsf-svrxdev:/opt/gateone$ ps aux | grep python
root      5498  4.5  0.8  95916 17804 ?        Ss   13:22   0:00 python /opt/gateone/gateone.py --pid_file=/tmp/gateone.pid
1000      5508  0.0  0.0   9392   896 pts/2    S+   13:22   0:00 grep --color=auto python

liftoff commented 10 years ago

Run this:

ps aux | grep gateone.py | awk '{print $2}' | xargs kill

That should do it. If not, run it with a -9 at the end:

ps aux | grep gateone.py | awk '{print $2}' | xargs kill -9

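
The grep-and-kill one-liner above has a known pitfall: the grep that produces the listing also contains the string gateone.py, so its own PID ends up in the kill list, as would an editor or pager that merely has the path on its command line. The following is an added example (not Gate One's code and not from anyone in this thread) that parses `ps aux` output and only returns PIDs of processes actually executing the script; the sample listing is constructed, modelled on the one quoted above.

```python
"""List the PIDs of running Gate One servers from `ps aux` output.

Only processes that are executing the script count: an interpreter with
the script as its first argument, or the script launched directly. The
grep that produced the listing, and anything else whose command line just
mentions the path, is skipped. SAMPLE_PS is a constructed listing."""
import os

SAMPLE_PS = """\
USER       PID %CPU %MEM    VSZ   RSS TTY      STAT START   TIME COMMAND
root      5467  0.2  0.8  95920 17808 ?        Ss   13:19   0:00 python /opt/gateone/gateone.py --pid_file=/tmp/gateone.pid
root      5470  0.0  0.8  95920 17808 ?        S    13:19   0:00 /usr/bin/python2.7 /opt/gateone/gateone.py --pid_file=/tmp/gateone.pid
1000      5488  0.0  0.0   9392   900 pts/2    S+   13:21   0:00 grep --color=auto gateone.py
1000      5490  0.0  0.1  20000  2000 pts/3    S+   13:21   0:00 vim /opt/gateone/gateone.py
"""


def is_running_script(command, script):
    """True when `command` (the COMMAND column of ps) is an interpreter
    running `script`, or `script` started directly as an executable."""
    argv = command.split()
    if not argv:
        return False
    exe = os.path.basename(argv[0])
    if exe == script:
        return True
    return (exe.startswith("python") and len(argv) > 1
            and os.path.basename(argv[1]) == script)


def gateone_pids(ps_output, script="gateone.py"):
    """Return the PIDs (ints) of processes executing `script`, in listing order."""
    pids = []
    for line in ps_output.splitlines()[1:]:      # skip the header row
        fields = line.split(None, 10)            # COMMAND keeps its spaces
        if len(fields) < 11:
            continue
        if is_running_script(fields[10], script):
            pids.append(int(fields[1]))
    return pids


if __name__ == "__main__":
    # For live use, feed the output of `ps aux` in instead of SAMPLE_PS.
    # If an init job keeps respawning the server (as happened later in this
    # thread), stop that job first; killing PIDs alone will not stick.
    print(gateone_pids(SAMPLE_PS))   # [5467, 5470]
```

The parser deliberately ignores the grep line and the vim line, which the `grep gateone.py | awk '{print $2}'` pipeline would have passed to `kill`.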
incredibleweirdo commented 10 years ago

Okay, somehow there was an upstart conf file for gateone, which was restarting it after every kill. I used sudo service gateone stop to successfully stop it. Ran ./gateone.py --logging=debug with the SSO configured, and attempted to connect. Here's the output:

[I 131112 13:57:02 web:1635] 302 GET / (10.105.12.156) 1.20ms
[W 131112 13:57:02 web:1635] 401 GET /auth?next=%2F (10.105.12.156) 0.71ms
[E 131112 13:57:02 sso:174] Kerberos Error: (('Unspecified GSS failure.  Minor code may provide more information', 851968), ('', 100004))
[E 131112 13:57:02 web:1228] Uncaught exception GET /auth?next=%2F (10.105.12.156)
    HTTPRequest(protocol='https', host='pnrsf-svrxdev:9443', method='GET', uri='/auth?next=%2F', version='HTTP/1.1', remote_ip='10.105.12.156', headers={'Accept-Language': 'en-US,en;q=0.8',
'Accept-Encoding': 'gzip,deflate,sdch', 'Host': 'pnrsf-svrxdev:9443', 'Accept': 'text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8', 'User-Agent': 'Mozilla/5.0 (Wind
ows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/30.0.1599.101 Safari/537.36', 'Connection': 'keep-alive', 'Cookie': 'testing=1', 'Cache-Control': 'max-age=0', 'Authorization
': 'Negotiate

snipped a bunch of the Negotiate packet here...

    Traceback (most recent call last):
      File "/usr/local/lib/python2.7/dist-packages/tornado/web.py", line 1115, in _stack_context_handle_exception
        raise_exc_info((type, value, traceback))
      File "/usr/local/lib/python2.7/dist-packages/tornado/web.py", line 1298, in wrapper
        result = method(self, *args, **kwargs)
      File "/opt/gateone/auth.py", line 656, in get
        self.get_authenticated_user(self._on_auth)
      File "/opt/gateone/sso.py", line 151, in get_authenticated_user
        self.auth_negotiate(auth_header, callback)
      File "/opt/gateone/sso.py", line 177, in auth_negotiate
        kerberos.authGSSServerClean(context)
    UnboundLocalError: local variable 'context' referenced before assignment
[E 131112 13:57:02 web:1635] 500 GET /auth?next=%2F (10.105.12.156) 12.65ms
[W 131112 13:57:03 web:1635] 404 GET /favicon.ico (10.105.12.156) 27.09ms

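
The traceback above shows two things at once: the real failure is the GSS error logged at sso:174 (the server could not start a Negotiate context), and the 500 comes from a cleanup call at sso:177 that references `context` even though the init call that would have bound it raised. The following is an added example, not Gate One's sso.py and not from anyone in this thread, that reproduces both shapes offline: `FakeGSS` is a constructed backend with the same three-call structure as pykerberos (`authGSSServerInit` returning `(result, context)`, `authGSSServerStep`, `authGSSServerClean`), and the two handlers differ only in how they guard cleanup.

```python
"""A GSS server-side negotiate handler, buggy and fixed.

FakeGSS is constructed for this example; its error tuples and the
'alice@EXAMPLE.PVT' principal are illustrative values, not real output."""


class GSSError(Exception):
    """Stand-in for kerberos.GSSError (constructed)."""


class FakeGSS(object):
    """Constructed backend. fail_init=True makes context creation fail (for
    instance, no usable HTTP/<host> key in the keytab); otherwise only the
    token 'good-token' completes the negotiation."""

    def __init__(self, fail_init=False):
        self.fail_init = fail_init
        self.cleaned = []          # contexts that were handed back for cleanup

    def authGSSServerInit(self, service):
        if self.fail_init:
            raise GSSError(("Unspecified GSS failure.  Minor code may provide "
                            "more information", 851968), ("", 100004))
        return 1, {"service": service}

    def authGSSServerStep(self, context, token):
        if token != "good-token":
            raise GSSError(("Invalid token was supplied", 0), ("", 0))
        context["user"] = "alice@EXAMPLE.PVT"
        return 1

    def authGSSServerUserName(self, context):
        return context["user"]

    def authGSSServerClean(self, context):
        self.cleaned.append(context)


def negotiate_buggy(gss, service, token):
    """Same shape as the failing path: `context` is bound only if init
    succeeds, yet the finally block always tries to clean it up. When init
    raises, the UnboundLocalError from finally replaces the handled GSS
    error, and the web layer turns it into a 500."""
    try:
        _, context = gss.authGSSServerInit(service)
        gss.authGSSServerStep(context, token)
        return gss.authGSSServerUserName(context)
    except GSSError:
        return None                       # caller should answer 401 here
    finally:
        gss.authGSSServerClean(context)   # UnboundLocalError if init raised


def negotiate_fixed(gss, service, token):
    """Bind `context` before the try and clean only a context that exists.
    Init failures now surface as 'not authenticated' (None) with the GSS
    error still available for logging, and a context that was created is
    always released, even when the step call fails."""
    context = None
    try:
        _, context = gss.authGSSServerInit(service)
        gss.authGSSServerStep(context, token)
        return gss.authGSSServerUserName(context)
    except GSSError:
        return None
    finally:
        if context is not None:
            gss.authGSSServerClean(context)


if __name__ == "__main__":
    try:
        negotiate_buggy(FakeGSS(fail_init=True), "HTTP", "good-token")
    except UnboundLocalError as e:
        print("buggy handler:", e)
    print("fixed, init fails:", negotiate_fixed(FakeGSS(fail_init=True), "HTTP", "good-token"))
    print("fixed, success:", negotiate_fixed(FakeGSS(), "HTTP", "good-token"))
```

The practical consequence for diagnosis: once cleanup is guarded, the browser gets a 401 instead of a 500 and the only line worth reading is the logged GSS error, which points at keytab, SPN, realm or clock problems rather than at the web framework.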
liftoff commented 10 years ago

What OS are you running on the client?

liftoff commented 10 years ago

Also, is the clock synchronized on both the client and the server?

incredibleweirdo commented 10 years ago

Windows 7 is the OS. Time is the same on both server and client, though synchronized to the second I can't say for sure.

liftoff commented 10 years ago

Wait: Can you paste your /etc/krb5.conf from the server running Gate One? Did you add the HTTP/yourhost SPN to the host's keytab file? e.g. /etc/krb5.keytab

liftoff commented 10 years ago

Also, can you confirm that you've added your realm to network.negotiate-auth.trusted-uris in Firefox (under about:config)?

liftoff commented 10 years ago

Doh, you're using Chrome. Nevermind. It will use the same SSO config as IE.

incredibleweirdo commented 10 years ago

I did not add the SPN to the keytab, no. I am attempting that via kadmin but I get "Client not found in Kerberos database while getting initial credentials". Which is quite wrong, as I can plainly see the SPN in AD when using the administrative tools in Windows.

Looking in the krb5.conf, I realize there may be a conflict here with another service installed on the server. I have PBIS Open installed to easily bind the Ubuntu server to the domain and allow login with domain accounts. I may have to come back to testing this with another Ubuntu install that does not have PBIS Open on it.

[libdefaults]
  default_tgs_enctypes = AES256-CTS AES128-CTS RC4-HMAC DES-CBC-MD5 DES-CBC-CRC
  default_tkt_enctypes = AES256-CTS AES128-CTS RC4-HMAC DES-CBC-MD5 DES-CBC-CRC
  preferred_enctypes = AES256-CTS AES128-CTS RC4-HMAC DES-CBC-MD5 DES-CBC-CRC
  dns_lookup_kdc = true
  pkinit_kdc_hostname = <DNS>
  pkinit_anchors = DIR:/var/lib/pbis/trusted_certs
  pkinit_cert_match = &&<EKU>msScLogin<PRINCIPAL>
  pkinit_eku_checking = kpServerAuth
  pkinit_win2k_require_binding = false
  pkinit_identities = PKCS11:/opt/pbis/lib/libpkcs11.so
  default_keytab_name = /etc/krb5.keytab
  default_realm = MYDOMAIN.PVT
[domain_realm]
  .mydomain.pvt = MYDOMAIN.PVT
  .otheraddomain.pvt = OTHERADDOMAIN.PVT
  .anotherdomain.pvt = ANOTHERDOMAIN.PVT
  .rks.mydomain.pvt = RKS.MYDOMAIN.PVT
[realms]
  MYDOMAIN.PVT = {
   auth_to_local = RULE:[1:$0\$1](^MYDOMAIN\.PVT\\.*)s/^MYDOMAIN\.PVT\\//
   auth_to_local = RULE:[1:$0\$1](^OTHERDOMAIN\.PVT\\.*)s/^OTHERDOMAIN\.PVT/OTHERDOMAIN/
   auth_to_local = RULE:[1:$0\$1](^ANOTHERDOMAIN\.PVT\\.*)s/^ANOTHERDOMAIN\.PVT/ANOTHERDOMAIN/
   auth_to_local = RULE:[1:$0\$1](^RKS\.MYDOMAIN\.PVT\\.*)s/^RKS\.MYDOMAIN\.PVT/RKS/
   auth_to_local = DEFAULT
  }
[appdefaults]
  pam = {
   mappings = MYDOMAIN\\(.*) $1@MYDOMAIN.PVT
   forwardable = true
   validate = true
  }
  httpd = {
   mappings = MYDOMAIN\\(.*) $1@MYDOMAIN.PVT
   reverse_mappings = (.*)@MYDOMAIN\.PVT MYDOMAIN\$1
  }

I can probably configure GateOne to use PAM, as any domain logins will then authenticate through PBIS Open, but then I lose single-sign-on.

This may not be a GateOne issue at all. Thanks for the help. If I get the bravery, I may get a new Ubuntu VM set up and manually configure kerberos - not looking forward to that, really :) Then I'll give the SSO another go. For now, anonymous login may have to do.

incredibleweirdo commented 10 years ago

Last note - despite kvno working on the Ubuntu box, using Ktpass on a Windows server to export the keytab for the SPN gives an error about the SPN not being mapped to a user account. So this again may be my issue, as it's mapped to the computer account, not a user account.

I was using Ktpass because apparently kadmin is not compatible with Active Directory, and thus the only way to add the SPN to the keytab is to create the keytab on Windows and merge it on the Ubuntu box. Something that may be helpful in the documentation.

Thanks again.

liftoff commented 10 years ago

You can create a krb5.keytab using the computer object. You just have to know the computer object's password. From that you can create a keytab using ktutil which should work just fine.

I don't have the instructions on me at the moment but I'll see if I can post them tomorrow when I have access to my notes.
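
Whichever way the keytab ends up being produced (Ktpass on Windows, or ktutil from the computer object's password as suggested above), the question afterwards is the same: do Gate One's sso_* settings, /etc/krb5.conf and the keytab actually agree on the realm and on an HTTP/<host> principal? The following is an added example, not Gate One's code and not from anyone in this thread, that performs that cross-check. All inputs are constructed: the realm, host name and `klist -k` listings are illustrative, the krb5.conf is a trimmed stand-in for the one pasted earlier, and `SSO_SETTINGS` mirrors the sso_* keys from the first post with a made-up realm.

```python
"""Cross-check sso_* settings, krb5.conf and a keytab listing for an
HTTP/Negotiate deployment. Every input here is a constructed sample."""
import re

SSO_SETTINGS = {"sso_realm": "MYDOMAIN.PVT", "sso_service": "HTTP",
                "sso_keytab": None}   # None: libdefaults default_keytab_name applies
HOSTNAME = "servername"              # constructed short host name

KRB5_CONF = """\
[libdefaults]
  dns_lookup_kdc = true
  default_keytab_name = /etc/krb5.keytab
  default_realm = MYDOMAIN.PVT
[domain_realm]
  .mydomain.pvt = MYDOMAIN.PVT
[realms]
  MYDOMAIN.PVT = {
   auth_to_local = DEFAULT
  }
"""

# Constructed `klist -k` output before and after the HTTP SPN was added.
KLIST_BEFORE = """\
Keytab name: FILE:/etc/krb5.keytab
KVNO Principal
---- --------------------------------------------------------------------------
   7 host/servername.mydomain.pvt@MYDOMAIN.PVT
   7 SERVERNAME$@MYDOMAIN.PVT
"""
KLIST_AFTER = KLIST_BEFORE + "   7 HTTP/servername.mydomain.pvt@MYDOMAIN.PVT\n"


def parse_krb5_conf(text):
    """Minimal krb5.conf reader: [section] -> {key: value}, plus one level of
    `name = { ... }` blocks (enough for [realms] and [appdefaults])."""
    conf, section, block = {}, None, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        if block is None and line.startswith("[") and line.endswith("]"):
            section = line[1:-1]
            conf.setdefault(section, {})
        elif line.endswith("{"):
            block = line[:-1].rstrip(" =").strip()
            conf[section][block] = {}
        elif line == "}":
            block = None
        elif "=" in line:
            key, value = (part.strip() for part in line.split("=", 1))
            (conf[section][block] if block else conf[section])[key] = value
    return conf


def keytab_principals(klist_output):
    """Principal names from `klist -k` output (KVNO column, then the name)."""
    found = set()
    for line in klist_output.splitlines():
        m = re.match(r"\s*(\d+)\s+(\S+@\S+)$", line)
        if m:
            found.add(m.group(2))
    return found


def check_sso_setup(settings, krb5_text, klist_output, hostname):
    """Return a list of readable problems; an empty list means consistent."""
    problems = []
    conf = parse_krb5_conf(krb5_text)
    realm, service = settings["sso_realm"], settings["sso_service"]
    libdefaults = conf.get("libdefaults", {})
    if realm != libdefaults.get("default_realm"):
        problems.append("sso_realm %s differs from krb5.conf default_realm %s"
                        % (realm, libdefaults.get("default_realm")))
    if realm not in conf.get("realms", {}):
        problems.append("no [realms] stanza for %s in krb5.conf" % realm)
    # Browsers request HTTP/<fqdn>; accept the short form too. Candidate
    # FQDNs come from the [domain_realm] suffixes that map to this realm.
    wanted = {"%s/%s@%s" % (service, hostname, realm)}
    for domain, mapped in conf.get("domain_realm", {}).items():
        if mapped == realm and domain.startswith("."):
            wanted.add("%s/%s%s@%s" % (service, hostname, domain, realm))
    present = keytab_principals(klist_output)
    if not (wanted & present):        # principal names are case-sensitive
        keytab = settings.get("sso_keytab") or libdefaults.get("default_keytab_name")
        problems.append("none of %s found in keytab %s" % (sorted(wanted), keytab))
    return problems


if __name__ == "__main__":
    for label, listing in (("before", KLIST_BEFORE), ("after", KLIST_AFTER)):
        print(label, check_sso_setup(SSO_SETTINGS, KRB5_CONF, listing, HOSTNAME))
```

Run against a real box, the krb5.conf text and the `klist -k` output are the only things to swap in; the "before" listing reproduces the situation described in this thread (a host/ entry and the machine account present, no HTTP/ entry), which is exactly the case in which the server cannot accept a Negotiate token no matter what the browser sends.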