Bug 1399479

Summary: [SSO][Regression] SSO failure when LoginOnBehalf is called
Product: [oVirt] ovirt-engine
Reporter: Gonza <grafuls>
Component: AAA
Assignee: Ravi Nori <rnori>
Status: CLOSED CURRENTRELEASE
QA Contact: Gonza <grafuls>
Severity: high
Priority: unspecified
Version: 4.1.0
CC: amarchuk, bugs, mperina
Target Milestone: ovirt-4.1.0-alpha
Flags: rule-engine: ovirt-4.1+, rule-engine: blocker+
Target Release: 4.1.0.2
Hardware: Unspecified
OS: Unspecified
Doc Type: If docs needed, set a value
Last Closed: 2017-02-15 15:07:02 UTC
Type: Bug
oVirt Team: Infra
Attachments: relevant logs (flags: none)

Description Gonza 2016-11-29 06:57:32 UTC
Created attachment 1225651: relevant logs

Description of problem:
Regression introduced by [1]
Introduction of custom serializers for Map and List-like collections has raised a conflict with serialization of ExtMap.
[1] https://gerrit.ovirt.org/#/c/64061/

Version-Release number of selected component (if applicable):
ovirt-engine-4.1.0-0.0.master.20161125091311.gitd47134a.el7.centos.noarch

How reproducible:
100%

Steps to Reproduce:
1. Configure SSO
2. Curl to engine api

Actual results:
401 unauthorized

Expected results:
200 OK

Additional info:
Relevant logs attached.

Comment 1 Gonza 2017-02-03 15:05:20 UTC
Verified with:
ovirt-engine-4.1.0-0.2.master.20161213122836.git2cd5587.el7.centos.noarch
ovirt-engine-extension-aaa-ldap-1.3.1-0.0.master.20170115190508.gitda48d9d.el7.noarch

# curl -v -k --negotiate -u : https://example.com/ovirt-engine/api
* About to connect() to example.com port 443 (#0)
*   Trying {IP}...
* Connected to example.com ({IP}) port 443 (#0)
* Initializing NSS with certpath: sql:/etc/pki/nssdb
* skipping SSL peer certificate verification
* SSL connection using TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
* Server certificate:
* 	subject: CN=example.com,O=rhev.lab.eng.brq.redhat.com,C=US
* 	start date: Nov 28 08:51:11 2016 GMT
* 	expire date: Nov 03 08:51:11 2021 GMT
* 	common name: example.com
* 	issuer: CN=example.com.41406,O=rhev.lab.eng.brq.redhat.com,C=US
> GET /ovirt-engine/api HTTP/1.1
> User-Agent: curl/7.29.0
> Host: example.com
> Accept: */*
> 
< HTTP/1.1 401 Unauthorized
< Date: Fri, 03 Feb 2017 15:00:30 GMT
< Server: Apache/2.4.6 (Red Hat Enterprise Linux) OpenSSL/1.0.1e-fips mod_auth_gssapi/1.4.0
< Set-Cookie: ovirt_gssapi_session=;Max-Age=0;path=/private;httponly;secure;
< WWW-Authenticate: Negotiate
< Cache-Control: no-cache
< Set-Cookie: ovirt_gssapi_session=;Max-Age=0;path=/private;httponly;secure;
< Content-Length: 163
< Content-Type: text/html; charset=iso-8859-1
< 
* Ignoring the response-body
* Connection #0 to host example.com left intact
* Issue another request to this URL: 'https://example.com/ovirt-engine/api'
* Found bundle for host example.com: 0x11eef20
* Re-using existing connection! (#0) with host example.com
* Connected to example.com ({IP}) port 443 (#0)
* Server auth using GSS-Negotiate with user ''
> GET /ovirt-engine/api HTTP/1.1
> Authorization: Negotiate ...
> User-Agent: curl/7.29.0
> Host: example.com
> Accept: */*
> 
< HTTP/1.1 200 OK
< Date: Fri, 03 Feb 2017 15:00:31 GMT
< Server: Apache/2.4.6 (Red Hat Enterprise Linux) OpenSSL/1.0.1e-fips mod_auth_gssapi/1.4.0
< WWW-Authenticate: Negotiate ...
< Set-Cookie: ovirt_gssapi_session=;Max-Age=0;path=/private;httponly;secure;
< Content-Type: application/xml
< Content-Length: 4120
< Correlation-Id: 7ebfaa40-89d8-45e3-a2ab-856b17e7d93b
< Link: ...
< Vary: Accept-Encoding
< Cache-Control: no-cache
< Set-Cookie: ovirt_gssapi_session=;Max-Age=0;path=/private;httponly;secure;
< 
<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<api>
...
</api>
* Closing connection 0
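
The reproduction steps and the verification run above can be turned into a repeatable check. The following is an added example, not part of the bug report or of oVirt's code: it parses `curl -v --negotiate` output and classifies the SPNEGO exchange. The function names, verdict strings and both sample transcripts are constructed for illustration, and the regressed sample assumes the 401 from "Actual results" arrives after the client has sent its Negotiate token.

```python
import re

# Constructed transcripts in curl -v format (not taken from the attached logs).
FIXED = """\
> GET /ovirt-engine/api HTTP/1.1
>
< HTTP/1.1 401 Unauthorized
< WWW-Authenticate: Negotiate
<
> GET /ovirt-engine/api HTTP/1.1
> Authorization: Negotiate PLACEHOLDER_TOKEN
>
< HTTP/1.1 200 OK
< Content-Type: application/xml
<
"""
REGRESSED = FIXED.replace("< HTTP/1.1 200 OK", "< HTTP/1.1 401 Unauthorized")

def exchanges(transcript):
    """Return [(sent_negotiate_token, status, headers)] per request/response pair."""
    pairs, sent, current = [], False, None
    for line in transcript.splitlines():
        if line.startswith("> "):
            if re.match(r"> [A-Z]+ \S+ HTTP/", line):
                sent = False  # a new request starts; no token seen yet
            elif line.lower().startswith("> authorization: negotiate "):
                sent = True
        elif line.startswith("< "):
            m = re.match(r"< HTTP/\d(?:\.\d)? (\d{3})", line)
            if m:
                current = (sent, int(m.group(1)), {})
                pairs.append(current)
            elif current and ":" in line:
                name, value = line[2:].split(":", 1)
                current[2].setdefault(name.strip().lower(), []).append(value.strip())
    return pairs

def classify(transcript):
    """Return 'sso_ok', 'sso_rejected', 'no_challenge' or 'no_token_sent'."""
    pairs = exchanges(transcript)
    challenged = any(
        status == 401 and any(v.lower().startswith("negotiate") for v in hdrs.get("www-authenticate", []))
        for sent, status, hdrs in pairs if not sent)
    if not challenged:
        return "no_challenge"
    answered = [status for sent, status, _ in pairs if sent]
    if not answered:
        return "no_token_sent"  # e.g. the client had no Kerberos ticket
    return "sso_ok" if answered[-1] == 200 else "sso_rejected"
```

The initial 401 with `WWW-Authenticate: Negotiate` is the expected challenge; only a non-200 status on the request that carries the token indicates an SSO failure.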