Issue with Amazon Linux 2023 #286

Open
Lud3rik opened this issue Jun 6, 2023 · 3 comments

Lud3rik commented Jun 6, 2023

Hello,

I recently migrated from mod_auth_kerb to mod_auth_gssapi.
Indeed, AWS recently decided to remove mod_auth_gssapi from their package manager for Amazon Linux 2023. So I decided to build the module myself to implement it with the master branch from the sources here.

After 3 days of debugging, my SSO was still broken. I got the same message NO AUTH DATA Client did not send any authentication headers...

So I decided to try another tag like v1.5.0 for my SSO, and then the issue was solved.

So here is the information about the image I used:
al2023-ami-2023.0.20230517.1-kernel-6.1-arm64
[ec2-user@instance]$ cat /etc/amazon-linux-release
Amazon Linux release 2023 (Amazon Linux)
[ec2-user@instance]$ uname -r
6.1.27-43.48.amzn2023.aarch64
[ec2-user@instance]$ httpd -V
Server version: Apache/2.4.56 (Amazon Linux)
Server built: Mar 15 2023 00:00:00
Server's Module Magic Number: 20120211:126
Server loaded: APR 1.7.2, APR-UTIL 1.6.3, PCRE 10.40 2022-04-14
Compiled using: APR 1.7.2, APR-UTIL 1.6.3, PCRE 10.40 2022-04-14
Architecture: 64-bit
Server MPM: event
threaded: yes (fixed thread count)
forked: yes (variable process count)
Server compiled with....
-D APR_HAS_SENDFILE
-D APR_HAS_MMAP
-D APR_HAVE_IPV6 (IPv4-mapped addresses enabled)
-D APR_USE_PROC_PTHREAD_SERIALIZE
-D APR_USE_PTHREAD_SERIALIZE
-D SINGLE_LISTEN_UNSERIALIZED_ACCEPT
-D APR_HAS_OTHER_CHILD
-D AP_HAVE_RELIABLE_PIPED_LOGS
-D DYNAMIC_MODULE_LIMIT=256
-D HTTPD_ROOT="/etc/httpd"
-D SUEXEC_BIN="/usr/sbin/suexec"
-D DEFAULT_PIDLOG="run/httpd.pid"
-D DEFAULT_SCOREBOARD="logs/apache_runtime_status"
-D DEFAULT_ERRORLOG="logs/error_log"
-D AP_TYPES_CONFIG_FILE="conf/mime.types"
-D SERVER_CONFIG_FILE="conf/httpd.conf"

I think this issue deserves to be reported.

Contributor

simo5 commented Jun 7, 2023

Do you have any debug log from the failures?

Author

Lud3rik commented Jun 7, 2023

I just made a fresh compilation with origin/master to reproduce the issue. I don't see any errors, even with the
GssapiPublishErrors On

The only logs I see are info:

[Wed Jun 07 17:15:19.580356 2023] [auth_gssapi:info] [pid 199524:tid 199586] [client 10.xx.xx.xx:15524] NO AUTH DATA Client did not send any authentication headers
[Wed Jun 07 17:17:48.262748 2023] [auth_gssapi:info] [pid 200218:tid 200345] [client 10.xx.xx.xx:29362] NO AUTH DATA Client did not send any authentication headers
[Wed Jun 07 17:17:49.934162 2023] [auth_gssapi:info] [pid 200218:tid 200348] [client 10.xx.xx.xx:29362] NO AUTH DATA Client did not send any authentication headers

Tested with the below vhost

<VirtualHost *:80>

    ServerName app.domain.com
    ServerAlias app.domain-priv.com
    ServerAdmin webmaster@localhost

    ErrorLog /var/log/httpd/logs/app/error.log
    CustomLog /etc/httpd/logs/app/access.log combined
    LogLevel debug

    RewriteEngine On
    RewriteRule "^/$" /somewhere/ [R]
    ProxyPass /somewhere/ ajp://localhost:8009/somewhere/
    ProxyPassReverse /somewhere/ ajp://localhost:8009/somewhere/

    <Location /somewhere/home.fl>
        AuthType GSSAPI
        AuthName "SSO APP"

        BrowserMatch Windows gssapi-no-negotiate
        Require valid-user

        GssapiCredStore keytab:/etc/httpd/conf/httpd-app.keytab
        GssapiNegotiateOnce On
        GSSapiImpersonate On
        GssapiSessionKey file:/var/cache/httpd/session.key
        GssapiUseSessions On
        GssapiPublishErrors On

        Session On
        SessionCookieName gssapi_session path=/private;httponly;secure;
    </Location>

</VirtualHost>

What I see in my browser

Unauthorized
This server could not verify that you are authorized to access the document requested. Either you supplied the wrong credentials (e.g., bad password), or your browser doesn't understand how to supply the credentials required.

Works fine with v1.5.0 but not with origin/master

Author

Lud3rik commented Sep 5, 2023

Any news about this strange behaviour?
