Bug 2121952

Summary: FreeIPA server broken because httpd crashes in mod_auth_gssapi
Product: [Fedora] Fedora Reporter: Adam Williamson <awilliam>
Component: mod_auth_gssapiAssignee: Simo Sorce <ssorce>
Status: CLOSED RAWHIDE QA Contact: Fedora Extras Quality Assurance <extras-qa>
Severity: high Docs Contact:
Priority: unspecified    
Version: rawhideCC: ftrivino, robatino, ssorce
Target Milestone: ---   
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard: openqa
Fixed In Version: Doc Type: If docs needed, set a value
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2022-08-29 10:51:15 UTC Type: Bug
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Attachments:
Description Flags
backtrace of the crash, crashing thread is 1 none

Description Adam Williamson 2022-08-27 18:34:37 UTC 
As of today's Rawhide compose, FreeIPA is broken because httpd is crashing in mod_auth_gssapi. Server deployment succeeds, but client enrolment of the server itself (which runs automatically right after server deployment) fails, and presumably most other practical use of the server would fail similarly.

I'm attaching a backtrace of the crash. The crashing thread is 1, it crashed in `mag_verify_config` in `mod_auth_gssapi.c`. mod_auth_gssapi was updated yesterday, so it's very likely the culprit (it's not on openQA's testing list so I don't have a test of that update specifically to prove it, but it looks very likely).
Comment 1 Adam Williamson 2022-08-27 18:35:41 UTC 
Created attachment 1908059 [details]
backtrace of the crash, crashing thread is 1
Comment 2 Adam Williamson 2022-08-27 18:39:09 UTC 
Looks like this was caused by https://github.com/gssapi/mod_auth_gssapi/pull/232 . Since that seems to be just adding a warning, as a quick fix we may be able to simply back it out.
Comment 3 Adam Williamson 2022-08-27 21:18:21 UTC 
OK, my workaround worked. Leaving the bug open as the underlying bug is still there - whatever's wrong with the check needs fixing - but dropping the blocker metadata (actually the build wasn't run for F37 yet anyway so we didn't need it).
Comment 4 Simo Sorce 2022-08-29 00:08:17 UTC 
PR to fix the issue here: https://github.com/gssapi/mod_auth_gssapi/pull/272
Comment 5 Simo Sorce 2022-08-29 10:50:42 UTC 
Build:
https://koji.fedoraproject.org/koji/taskinfo?taskID=91397114
Comment 6 Adam Williamson 2022-08-29 17:37:35 UTC 
Fix confirmed in openQA testing, thanks:
https://openqa.stg.fedoraproject.org/tests/overview?version=38&distri=fedora&groupid=2&build=Update-FEDORA-2022-42e30a6c46