Bug 1118751

Summary: Endless loop with GSSAPI authentication to proxy
Product: [Fedora] Fedora
Reporter: David Woodhouse <dwmw2>
Component: curl
Assignee: Kamil Dudka <kdudka>
Status: CLOSED ERRATA
QA Contact: Fedora Extras Quality Assurance <extras-qa>
Severity: unspecified
Priority: unspecified
Version: 20
CC: kdudka, paul
Hardware: Unspecified   
OS: Unspecified   
Fixed In Version: curl-7.32.0-12.fc20
Doc Type: Bug Fix
Last Closed: 2014-08-03 01:57:36 UTC
Type: Bug

Description David Woodhouse 2014-07-11 13:03:33 UTC
Sometimes due to reverse DNS issues, we attempt to obtain a Kerberos ticket for the *wrong* host. When we present the ticket, it obviously doesn't work.

If the server is a proxy and returns an empty 'Proxy-Authenticate: Negotiate' header indicating that it didn't work and we should try something else... we just try again. Over and over and over again.

Actually, this is just the tip of the iceberg when it comes to curl's brokenness with GSSAPI. Fixes at http://git.infradead.org/users/dwmw2/curl.git (posted to the list today).
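
The failure mode described above, as an added example that is not part of the original report and is not curl's code: a client-side decision function that treats a bare `Proxy-Authenticate: Negotiate` received after a token was already sent as a rejection, so the same ticket is not presented in a loop. The type and function names are hypothetical and the header values are constructed.

```c
/* Added illustration, not curl's code: all names here are hypothetical. */
#include <ctype.h>
#include <stdio.h>
#include <strings.h>

enum next_step { SEND_NEGOTIATE, CONTINUE_NEGOTIATE, TRY_OTHER_SCHEME, GIVE_UP };

struct proxy_auth_state {
    int negotiate_sent;   /* we already sent a GSSAPI token to this proxy */
    int negotiate_failed; /* the proxy rejected it; do not pick Negotiate again */
};

/* Token part of a "Negotiate [token]" value ("" if bare), NULL for other schemes. */
static const char *negotiate_token(const char *v)
{
    while (isspace((unsigned char)*v)) v++;
    if (strncasecmp(v, "Negotiate", 9) != 0) return NULL;
    v += 9;
    if (*v != '\0' && !isspace((unsigned char)*v)) return NULL;
    while (isspace((unsigned char)*v)) v++;
    return v;
}

/* Decide the next step after a 407 carrying n Proxy-Authenticate values. */
enum next_step on_407(struct proxy_auth_state *st, const char *const *vals, size_t n)
{
    int negotiate = 0, token = 0, other = 0;
    for (size_t i = 0; i < n; i++) {
        const char *t = negotiate_token(vals[i]);
        if (t == NULL) other = 1;
        else { negotiate = 1; if (*t != '\0') token = 1; }
    }
    if (negotiate && !st->negotiate_failed) {
        if (!st->negotiate_sent) { st->negotiate_sent = 1; return SEND_NEGOTIATE; }
        if (token) return CONTINUE_NEGOTIATE; /* proxy answered with its own token */
        st->negotiate_failed = 1; /* bare Negotiate after our token means rejected */
    }
    return other ? TRY_OTHER_SCHEME : GIVE_UP;
}

int main(void)
{
    /* Constructed exchange: the proxy keeps answering 407 with a bare Negotiate. */
    const char *hdrs[] = { "Negotiate" };
    struct proxy_auth_state st = { 0, 0 };
    for (int round = 1; round <= 3; round++)
        printf("407 #%d -> step %d\n", round, (int)on_407(&st, hdrs, 1));
    return 0;
}
```

The `negotiate_failed` flag is what breaks the loop: once it is set, later 407 responses can no longer select Negotiate for this connection.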

Comment 1 Kamil Dudka 2014-07-14 12:26:15 UTC
Thanks for the pointer and the patches.  I would prefer to wait till they are merged upstream before submitting updates for stable releases though.

Comment 2 David Woodhouse 2014-07-16 15:31:06 UTC
That makes perfect sense. The patches are now merged upstream.

Comment 3 Kamil Dudka 2014-07-16 17:00:03 UTC
They are included in curl-7.37.1-1.fc22 for now, will consider backport later...

Comment 4 Kamil Dudka 2014-07-17 12:47:11 UTC
There is a possible regression of bug #1093348, which is being discussed upstream:

http://curl.haxx.se/mail/lib-2014-07/0207.html

Comment 5 David Woodhouse 2014-07-17 13:14:13 UTC
Yeah, I wish I could remember which server I was using when I saw bug 1093348 :)

Comment 6 David Woodhouse 2014-07-18 16:07:23 UTC
I still can't find the original server but I've set up something to emulate it and retested with the latest curl code. It still behaves correctly... or as well as it did before, at least :)

It's still using the *first* Negotiate response, where using the non-empty one might make more sense. But that's not a regression.

Comment 7 Kamil Dudka 2014-07-21 11:26:42 UTC
Thanks for checking it!  Do you want to backport some additional patches on top of the original patchset then?

http://pkgs.fedoraproject.org/cgit/curl.git/tree/0001-curl-7.37.1-gssapi.patch?id=8490cd97

Comment 8 David Woodhouse 2014-07-21 14:23:31 UTC
No need for anything more at the moment; I think that patch set captures everything that's important. Michael O is working on some other improvements but they are mostly cosmetic.

I've just done a test build of your 7.37.1-1.fc22 package locally and it seems to be working correctly for me — Negotiate auth is sanely falling back to GSS-NTLMSSP etc.

Thanks.

Comment 9 Fedora Update System 2014-07-30 13:04:55 UTC
curl-7.32.0-12.fc20 has been submitted as an update for Fedora 20.
https://admin.fedoraproject.org/updates/curl-7.32.0-12.fc20

Comment 10 Fedora Update System 2014-08-01 06:04:46 UTC
Package curl-7.32.0-12.fc20:
* should fix your issue,
* was pushed to the Fedora 20 testing repository,
* should be available at your local mirror within two days.
Update it with:
# su -c 'yum update --enablerepo=updates-testing curl-7.32.0-12.fc20'
as soon as you are able to.
Please go to the following url:
https://admin.fedoraproject.org/updates/FEDORA-2014-9070/curl-7.32.0-12.fc20
then log in and leave karma (feedback).

Comment 11 Fedora Update System 2014-08-03 01:57:36 UTC
curl-7.32.0-12.fc20 has been pushed to the Fedora 20 stable repository.  If problems still persist, please make note of it in this bug report.