Bug 1087068

Summary: 0006526: GSS api stopped working properly after krb5 update
Product: Red Hat Enterprise Linux 6
Reporter: vaclav
Component: krb5
Assignee: Nalin Dahyabhai <nalin>
Status: CLOSED ERRATA
QA Contact: Patrik Kis <pkis>
Severity: high
Docs Contact:
Priority: unspecified
Version: 6.6
CC: dpal, james.hogarth, jplans, nalin, pkis, rmainz, ssorce
Target Milestone: rc
Target Release: ---
Hardware: All
OS: Linux
Whiteboard:
Fixed In Version: krb5-1.10.3-23.el6
Doc Type: Bug Fix
Doc Text:
Cause: Due to a regression, when using the GSSAPI SPNEGO mechanism, acceptor (server) applications which knew of multiple OIDs by which a given underlying mechanism could be selected would not always respond to initiators (clients) using the same mechanism OIDs which the initiator had specified.
Consequence: GSSAPI clients attempting to authenticate to such servers could erroneously fail to authenticate.
Fix: The GSSAPI library has been patched to once again use the OID used by the client in its request when generating replies to be sent to the client.
Result: GSSAPI clients attempting to authenticate to such servers will no longer fail to authenticate due to this bug.
Story Points: ---
Clone Of:
Environment:
Last Closed: 2014-10-14 08:10:51 UTC
Type: Bug
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---
Target Upstream Version:
Embargoed:
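The selection step the Doc Text describes, as an added example that is not code from MIT krb5 or BIND: a reduced model of a SPNEGO acceptor that knows two OIDs for the Kerberos mechanism, shown once with the regressed behaviour (replying with its own canonical OID) and once with the fixed behaviour (echoing the initiator's OID). The three OIDs are the real registered identifiers; the initiator-side check is a simplification that treats a mismatched supportedMech as the failure the report describes.

```python
# Added example, not code from MIT krb5 or BIND: a reduced model of the SPNEGO
# mechanism-selection step described in the Doc Text. The OIDs are the real
# registered identifiers; everything else is a simplification for illustration.
from typing import List, Optional

KRB5_OID = "1.2.840.113554.1.2.2"      # Kerberos V5 GSSAPI mechanism
MS_KRB5_OID = "1.2.840.48018.1.2.2"    # Microsoft's alias OID for the same mechanism
NTLMSSP_OID = "1.3.6.1.4.1.311.2.2.10"  # NTLMSSP, offered but unknown to this acceptor

# Acceptor side: every OID it recognises, mapped to the underlying mechanism,
# plus the OID the library itself treats as canonical for that mechanism.
ACCEPTOR_KNOWN_OIDS = {KRB5_OID: "krb5", MS_KRB5_OID: "krb5"}
CANONICAL_OID = {"krb5": KRB5_OID}


def acceptor_supported_mech(mech_types: List[str], echo_initiator_oid: bool) -> Optional[str]:
    """Return the supportedMech OID the acceptor puts into its negTokenResp.

    echo_initiator_oid=False models the regression (reply with the library's
    canonical OID); True models the fix (reply with the OID the initiator sent).
    """
    for oid in mech_types:                      # initiator's preference order
        mech = ACCEPTOR_KNOWN_OIDS.get(oid)
        if mech is not None:
            return oid if echo_initiator_oid else CANONICAL_OID[mech]
    return None                                 # no common mechanism at all


def initiator_accepts_reply(mech_types: List[str], supported_mech: Optional[str]) -> bool:
    """Simplified initiator-side check (a model, not RFC 4178 verbatim).

    The initiator sent an optimistic mechToken for mech_types[0]. If the acceptor
    names that same OID the exchange continues; any other OID tells the initiator
    its optimistic token was not taken as that mechanism, which this model counts
    as the silent authentication failure the bug report describes.
    """
    return supported_mech is not None and supported_mech == mech_types[0]


def negotiate(mech_types: List[str], fixed_acceptor: bool) -> bool:
    """Run one initiator/acceptor round and report whether it succeeds."""
    reply = acceptor_supported_mech(mech_types, echo_initiator_oid=fixed_acceptor)
    return initiator_accepts_reply(mech_types, reply)


if __name__ == "__main__":
    # Constructed mechTypes list: the MS-KRB5 alias first, then the canonical OID.
    offered = [MS_KRB5_OID, KRB5_OID, NTLMSSP_OID]
    print("regressed acceptor:", negotiate(offered, fixed_acceptor=False))  # False
    print("fixed acceptor:    ", negotiate(offered, fixed_acceptor=True))   # True
```

An initiator that offers only the canonical OID never notices the regression, which is why the failure depended on which client was talking to the server.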

Description vaclav 2014-04-13 20:06:47 UTC
Description of problem:

GSS-TSIG stopped working (it worked in the past) with MS Active Directory, so Windows cannot register/update DNS records. This bug is very sneaky: nothing in the logfile; with debugging enabled: "failed gss_inquire_cred: GSSAPI error: Major = Unspecified GSS failure. Minor code may provide more information, Minor = Success."

This could be a GSSAPI library bug or a bind bug (or both), because it works with ISC SPNEGO (after recompiling bind without "--disable-isc-spnego") but not with GSSAPI SPNEGO.

WORKAROUND: downgrading the kerberos packages to krb5-devel-1.9-33.el6_3.3.i686.rpm, krb5-libs-1.9-33.el6_3.3.i686.rpm and krb5-workstation-1.9-33.el6_3.3.i686.rpm

This is an old bug, so downgrading krb5 could cause some security issues.


How reproducible:

Every signed Active Directory DNS update using GSSAPI.


Affected OS versions:

All versions of krb5 > 1.9-33.el6_3.3 in CentOS (see https://bugs.centos.org/view.php?id=6526). I am not using it in RHEL, but it seems to be an RHEL issue.

Comment 2 Tomáš Hozza 2014-04-14 06:36:03 UTC
Hi.

AFAIK this is not a bug in BIND's source. "--disable-isc-spnego" is used to NOT use ISC's own SPNEGO implementation, but rather the GSSAPI implementation. This has to be fixed in krb5.

The fix should be this:
http://krbdev.mit.edu/rt/Ticket/Display.html?id=7858

I'm moving this to the krb5 component and CC-ing Simo, as he initiated a discussion about this recently.

Comment 3 Simo Sorce 2014-04-14 16:06:43 UTC
This bug has recently been fixed in Fedora, see:
https://bugzilla.redhat.com/show_bug.cgi?id=1066000

You may want to clone the bug for RHEL?

Comment 4 vaclav 2014-04-15 03:36:05 UTC
This Fedora bug seems to be the same. Will those fixed packages be backported to RHEL?

Comment 5 Simo Sorce 2014-04-15 03:58:59 UTC
Nalin,
can we backport to RHEL 6.6?

Comment 6 Nalin Dahyabhai 2014-04-15 19:15:09 UTC
I think the patch could be added, yes.

Comment 7 Simo Sorce 2014-04-16 17:38:19 UTC
Can we get devel_ack then?

Comment 11 errata-xmlrpc 2014-10-14 08:10:51 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

http://rhn.redhat.com/errata/RHSA-2014-1389.html