Unexpected token type: auth_token_krb when using SSL and Kerberos in a Combination
Affected version
Version: 2.16.1+ds-2 (debian 12)
Platform: Apache
Summary
lemonldap-ng is no longer performing Kerberos auth. This started with the upgrade from Debian 11 to 12.
Logs
[Tue Jun 13 10:05:20 2023] [LLNG:101887] [debug] Start routing authkrb
[Tue Jun 13 10:05:20 2023] [LLNG:101887] [debug] Processing code ref
[Tue Jun 13 10:05:20 2023] [LLNG:101887] [debug] Kerberos ticket received: (REMOVED_LONG_STRING)
[Tue Jun 13 10:05:20 2023] [LLNG:101887] [debug] Set KRB5_KTNAME env to FILE:/etc/lemonldap-ng/lemonldap.keytab
[Tue Jun 13 10:05:20 2023] [LLNG:101887] [debug] Module Lemonldap::NG::Portal::Lib::OneTimeToken loaded
[Tue Jun 13 10:05:20 2023] [LLNG:101887] [debug] Try to get a new TOKEN session
[Tue Jun 13 10:05:20 2023] [LLNG:101887] [debug] Return TOKEN session 9818b834ac4a94eca9ee5595c72676c45e0c6b5432869e3bab6ea2de4eca058c
[Tue Jun 13 10:05:20 2023] [LLNG:101887] [debug] Token 9818b834ac4a94eca9ee5595c72676c45e0c6b5432869e3bab6ea2de4eca058c created
[Tue Jun 13 10:05:20 2023] [LLNG:101887] [debug] Apply following CORS policy:
[Tue Jun 13 10:05:20 2023] [LLNG:101887] [debug] Access-Control-Allow-Origin
[Tue Jun 13 10:05:20 2023] [LLNG:101887] [debug] *
[Tue Jun 13 10:05:20 2023] [LLNG:101887] [debug] Access-Control-Allow-Credentials
[Tue Jun 13 10:05:20 2023] [LLNG:101887] [debug] true
[Tue Jun 13 10:05:20 2023] [LLNG:101887] [debug] Access-Control-Allow-Headers
[Tue Jun 13 10:05:20 2023] [LLNG:101887] [debug] *
[Tue Jun 13 10:05:20 2023] [LLNG:101887] [debug] Access-Control-Allow-Methods
[Tue Jun 13 10:05:20 2023] [LLNG:101887] [debug] POST,GET
[Tue Jun 13 10:05:20 2023] [LLNG:101887] [debug] Access-Control-Expose-Headers
[Tue Jun 13 10:05:20 2023] [LLNG:101887] [debug] *
[Tue Jun 13 10:05:20 2023] [LLNG:101887] [debug] Access-Control-Max-Age
[Tue Jun 13 10:05:20 2023] [LLNG:101887] [debug] 86400
[Tue Jun 13 10:05:20 2023] [LLNG:101887] [debug] VH auth.DOMAIN is HTTPS
[Tue Jun 13 10:05:20 2023] [LLNG:101887] [info] No cookie found
[Tue Jun 13 10:05:20 2023] [LLNG:101887] [debug] Build URL https://auth.DOMAIN/?url=aHR0cHM6Ly93aWtpLnd3dy5mYXJmaXhlLndpbi8%3D
[Tue Jun 13 10:05:20 2023] [LLNG:101887] [debug] Redirect 192.168.2.11 to portal (url was /?url=aHR0cHM6Ly93aWtpLnd3dy5mYXJmaXhlLndpbi8%3D)
[Tue Jun 13 10:05:20 2023] [LLNG:101887] [debug] User not authenticated, Try in use, cancel redirection
[Tue Jun 13 10:05:20 2023] [LLNG:101887] [debug] Start routing default route
[Tue Jun 13 10:05:20 2023] [LLNG:101887] [debug] Processing checkUnauthLogout
[Tue Jun 13 10:05:20 2023] [LLNG:101887] [debug] Processing restoreArgs
[Tue Jun 13 10:05:20 2023] [LLNG:101887] [debug] Processing controlUrl
[Tue Jun 13 10:05:20 2023] [LLNG:101887] [debug] Required URL (param: urldc | value: https://wiki.DOMAIN/ | alias: https://wiki.DOMAIN)
[Tue Jun 13 10:05:20 2023] [LLNG:101887] [debug] No URL authentication level found...
[Tue Jun 13 10:05:20 2023] [LLNG:101887] [debug] Processing code ref
[Tue Jun 13 10:05:20 2023] [LLNG:101887] [debug] Processing extractFormInfo
[Tue Jun 13 10:05:20 2023] [LLNG:101887] [debug] Module Lemonldap::NG::Portal::Lib::OneTimeToken loaded
[Tue Jun 13 10:05:20 2023] [LLNG:101887] [debug] Trying to load token 9818b834ac4a94eca9ee5595c72676c45e0c6b5432869e3bab6ea2de4eca058c
[Tue Jun 13 10:05:20 2023] [LLNG:101887] [debug] Try to get TOKEN session 9818b834ac4a94eca9ee5595c72676c45e0c6b5432869e3bab6ea2de4eca058c
[Tue Jun 13 10:05:20 2023] [LLNG:101887] [debug] Get session 9818b834ac4a94eca9ee5595c72676c45e0c6b5432869e3bab6ea2de4eca058c from Portal::Main::Run
[Tue Jun 13 10:05:20 2023] [LLNG:101887] [debug] Return TOKEN session 9818b834ac4a94eca9ee5595c72676c45e0c6b5432869e3bab6ea2de4eca058c
**[Tue Jun 13 10:05:20 2023] [LLNG:101887] [error] Unexpected token type: auth_token_krb
[Tue Jun 13 10:05:20 2023] [LLNG:101887] [debug] Expected id: ssl
[Tue Jun 13 10:05:20 2023] [LLNG:101887] [debug] User: USER@DOMAIN**
[Tue Jun 13 10:05:20 2023] [LLNG:101887] [info] Scheme "muhSSL" returned 24, trying next
[Tue Jun 13 10:05:20 2023] [LLNG:101887] [debug] Processing extractFormInfo
[Tue Jun 13 10:05:20 2023] [LLNG:101887] [debug] Trying to load token 9818b834ac4a94eca9ee5595c72676c45e0c6b5432869e3bab6ea2de4eca058c
[Tue Jun 13 10:05:20 2023] [LLNG:101887] [debug] Try to get TOKEN session 9818b834ac4a94eca9ee5595c72676c45e0c6b5432869e3bab6ea2de4eca058c
[Tue Jun 13 10:05:20 2023] [LLNG:101887] [notice] Session cannot be tied: Object does not exist in the data store at /usr/share/perl5/Apache/Session/Store/File.pm line 98.
[Tue Jun 13 10:05:20 2023] [LLNG:101887] [notice] Bad (or expired) token 9818b834ac4a94eca9ee5595c72676c45e0c6b5432869e3bab6ea2de4eca058c
[Tue Jun 13 10:05:20 2023] [LLNG:101887] [error] Could not fetch user token 9818b834ac4a94eca9ee5595c72676c45e0c6b5432869e3bab6ea2de4eca058c
[Tue Jun 13 10:05:20 2023] [LLNG:101887] [info] Scheme "KRB" returned 24, trying next
I've added two lines to the log program, as advised by Maxime on the mailing list:
Lemonldap/NG/Portal/Auth/_Ajax.pm l.85:
# Original line
$self->logger->error( "Unexpected token type: " . $token->{type} );
# extra information
$self->logger->debug( "Expected id: ". $self->auth_id );
$self->logger->debug( "User: " . $token->{user} );
Thank you for your attention!
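
A triage sketch for the sequence visible in the log above, added here as an example (it is not LemonLDAP::NG code and not part of the report): it groups LLNG log lines into one record per Combination scheme attempt and flags a token that one scheme rejected with "Unexpected token type" and the next scheme then reported as "Bad (or expired)". The function names and the sample token are constructed, and the "Expected id" line is only present when the two extra debug lines quoted above have been added.

```python
import re

LINE = re.compile(r"^\**\[[^\]]+\] \[LLNG:(\d+)\] \[\w+\] (.*?)\**$")
PATTERNS = {
    "load": re.compile(r"Trying to load token (\w+)"),
    "type": re.compile(r"Unexpected token type: (\S+)"),
    "expected": re.compile(r"Expected id: (\S+)"),
    "missing": re.compile(r"Bad \(or expired\) token (\w+)"),
}
SCHEME = re.compile(r'Scheme "([^"]+)" returned (\d+)')

# Constructed sample, condensed from the message formats in the log above.
TOKEN = "ab12" * 16  # constructed token id, not a value from the report
P = "[Tue Jun 13 10:05:20 2023] [LLNG:101887]"
SAMPLE_LOG = "\n".join([
    f"{P} [debug] Trying to load token {TOKEN}",
    f"**{P} [error] Unexpected token type: auth_token_krb",
    f"{P} [debug] Expected id: ssl",
    f'{P} [info] Scheme "muhSSL" returned 24, trying next',
    f"{P} [debug] Trying to load token {TOKEN}",
    f"{P} [notice] Bad (or expired) token {TOKEN}",
    f'{P} [info] Scheme "KRB" returned 24, trying next',
])

def scheme_attempts(log_text):
    """Return one record per scheme attempt, tracked per LLNG process id."""
    attempts, open_by_pid = [], {}
    for raw in log_text.splitlines():
        m = LINE.match(raw.strip())
        if not m:
            continue
        pid, msg = m.groups()
        state = open_by_pid.setdefault(pid, {})
        state.update({k: h.group(1) for k, rx in PATTERNS.items() if (h := rx.search(msg))})
        done = SCHEME.search(msg)
        if done:  # the scheme returned an error code: close this attempt
            attempts.append({**state, "scheme": done.group(1), "code": int(done.group(2))})
            open_by_pid[pid] = {}
    return attempts

def token_handoff_failures(attempts):
    """Flag tokens one scheme rejected by type and a later scheme could not load."""
    rejected, findings = {}, []
    for a in attempts:
        if "type" in a and "load" in a:
            rejected[a["load"]] = a
        elif a.get("missing") in rejected:
            first = rejected[a["missing"]]
            findings.append((first["scheme"], first["type"], first.get("expected"), a["scheme"]))
    return findings
```

Each finding is a tuple of (rejecting scheme, token type, expected id, scheme that then failed to load the token); feed it the full portal log at debug level to see which scheme in the Combination touched the token first.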