Upgrade oddity with proxy tokens

Dameon Wagner dameon.wagner at it.ox.ac.uk
Tue Oct 30 05:35:42 PDT 2012


Hello All,

We're in the process of upgrading a pool of Debian WebKDC nodes from
"3.6.0-1" to the current squeeze-backport version "4.1.0-1~bpo60+1".
I was hoping to upgrade each WebKDC in turn, and have them all behave
nicely in the process (and testing indicated that this would be
possible).

However, with 1 node upgraded and added to the round-robin DNS I'm
seeing an issue that indicates that anyone trying to authenticate to a
WAS for the first time, via the 4.1 node, gets prompted for
credentials, even if moments before they successfully authenticated to
one of the other (3.6) WebKDCs (so it's not acting like Single Sign-on
anymore).

Looking at the apache error log on the upgraded node I see entries
like the following (all on one line and mildly redacted):

#---8<-----------------------------------------------------------------
[notice] mod_webkdc: event=requestToken from=127.0.0.1
  clientIp=XX.XX.XX.XX server=krb5:webauth/was-fqdn.ox.ac.uk at OX.AC.UK
  url=https://was-url-for-redirect user=<unknown>
  rtt=id sa=webkdc lec=15 lem="need a proxy token"
#---8<-----------------------------------------------------------------

usually followed shortly by a similar entry that includes the real
username and will pass them through to the WAS as expected.

#---8<-----------------------------------------------------------------
[notice] mod_webkdc: event=requestToken from=127.0.0.1
  clientIp=XX.XX.XX.XX server=krb5:webauth/was-fqdn.ox.ac.uk at OX.AC.UK
  url=https://was-url-for-redirect user=real-username rtt=id sa=webkdc
  login=password ifactors=p sfactors=p lec=0
#---8<-----------------------------------------------------------------

Has anyone else seen similar issues occurring while upgrading pools of
WebKDCs?

I was hoping to (relatively) seamlessly introduce upgraded nodes
during regular maintenance windows but, at the moment, I don't know if
the issue I'm seeing is due to a mix of WebKDC versions not playing
nicely together, or whether there's something else (possibly in our
custom login CGIs) that's causing a previous SSO session to not be
honoured per-WAS, in which case I'd like to find a solution before all
our WebKDCs start to exhibit the same behaviour after being upgraded.

Thanks in advance for any pointers, hints, and tips.

Dameon Wagner

-- 
><> ><> ><> ><> ><> ><> ooOoo <>< <>< <>< <>< <>< <><
Dameon Wagner, Systems Development and Support Team
IT Services, University of Oxford
><> ><> ><> ><> ><> ><> ooOoo <>< <>< <>< <>< <>< <><
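
The two log entries quoted in the message can be correlated to count how often a node re-prompts a client before letting it through. The following Python is an added example, not part of the original post or of WebAuth; it assumes one entry per line as the post describes, and the sample lines, addresses, host names and user names are constructed.

```python
import re

# Constructed sample entries in the format quoted in the post (one per line).
# Assumption: the principal contains "@", which the list archive shows as " at ".
WAS = "krb5:webauth/was.example.org@EXAMPLE.ORG"
HEAD = "[notice] mod_webkdc: event=requestToken from=127.0.0.1 clientIp=%s server=" + WAS
SAMPLE = [
    HEAD % "192.0.2.10" + ' url=https://was.example.org/ user=<unknown>'
    ' rtt=id sa=webkdc lec=15 lem="need a proxy token"',
    HEAD % "192.0.2.10" + " url=https://was.example.org/ user=alice rtt=id sa=webkdc"
    " login=password ifactors=p sfactors=p lec=0",
    # No preceding lec=15 for this client, so it must not be reported.
    HEAD % "192.0.2.20" + " url=https://was.example.org/ user=bob rtt=id sa=webkdc"
    " login=password ifactors=p sfactors=p lec=0",
]

# key=value pairs; a value is either double-quoted or a run of non-space characters.
FIELD = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse(line):
    """Return the key=value fields of one mod_webkdc entry, or None."""
    if "mod_webkdc:" not in line:
        return None
    body = line.split("mod_webkdc:", 1)[1]
    return {k: v.strip('"') for k, v in FIELD.findall(body)}


def reprompts(lines):
    """Pair each lec=15 entry with the next lec=0 password login from the same
    clientIp to the same server; return (clientIp, server, user) tuples."""
    pending, hits = set(), []
    for line in lines:
        f = parse(line)
        if not f or f.get("event") != "requestToken":
            continue
        key = (f.get("clientIp"), f.get("server"))
        if f.get("lec") == "15":
            pending.add(key)            # client was sent to the login form
        elif f.get("lec") == "0" and key in pending:
            pending.discard(key)
            if f.get("login") == "password":
                hits.append((key[0], key[1], f.get("user")))
    return hits


if __name__ == "__main__":
    for ip, server, user in reprompts(SAMPLE):
        print(f"{user} from {ip} was prompted before reaching {server}")
```

Running the same function over the error logs of a 3.6 node and the 4.1 node gives comparable counts per WAS, which helps separate a version mismatch from a problem in the login CGIs.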



More information about the webauth-info mailing list