Bug 2151513

This issue is affecting the tests migration to TMT. In the context of a side-tag, all the subpackages are installed simultaneously. However some packages that are typically part of the same side-tag (like FreeIPA) depend on sssd-client, which is conflicting with krb5-tests.

As a consequence, upstream tests have to be patched in order to work with the sssd_krb5_locator_plugin.so plugin provided by sssd-client.

+++ This bug was initially created as a clone of Bug #1993463 +++

Description of problem:
The upstream tests t_discover_uri.py started to fail with krb5-1.19.1-11 on the new compose RHEL-9.0.0-20210810.1.

Version-Release number of selected component (if applicable):
RHEL-9.0.0-20210810.1
krb5-1.19.1-11.el9
resolv_wrapper-1.1.7-1.fc34

How reproducible:


Steps to Reproduce:
1.rpmbuild -ba ~/rpmbuild/SPECS/krb5.spec
2.make runenv.py -C /root/rpmbuild/BUILD/krb5-1.19.1/src
3.PYTHONPATH=/root/rpmbuild/BUILD/krb5-1.19.1/src/util /usr/bin/python3 ./t_discover_uri.py -v

Actual results:
# PYTHONPATH=/root/rpmbuild/BUILD/krb5-1.19.1/src/util /usr/bin/python3 ./t_discover_uri.py -v
*** [1] Executing: ./t_locate_kdc TEST
in module_locate_server
ran off end of plugin list
looking in krb5.conf for realm TEST entry kdc; ports 88,0
config file lookup failed: Profile relation not found
t_locate_kdc: Cannot find KDC for requested realm - exiting
*** [1] Completed with return code 1
*** Failure: ./t_locate_kdc failed with code 1.
*** Last command (#1): ./t_locate_kdc TEST
*** Output of last command:
in module_locate_server
ran off end of plugin list
looking in krb5.conf for realm TEST entry kdc; ports 88,0
config file lookup failed: Profile relation not found
t_locate_kdc: Cannot find KDC for requested realm - exiting
Use --debug=NUM to run a command under a debugger.  Use
--stop-after=NUM to stop after a daemon is started in order to
attach to it with a debugger.  Use --help to see other
options.


Expected results:
t_discover_uri.py should pass.

Additional info:

--- Additional comment from Robbie Harwood on 2021-08-18 14:25:34 UTC ---

upstream trunk is broken as well, even on rawhide.

--- Additional comment from Robbie Harwood on 2021-08-18 15:47:52 UTC ---

This is a bit awkward since resolv_wrapper isn't packaged for RHEL, so rather than reassign I'm going to mark this as blocked on the Fedora ticket.

--- Additional comment from Julien Rische on 2022-05-03 16:00:38 UTC ---

I tried to reproduce this error on RHEL-9.1.0-20220424.2 with:
* krb5-1.19.1-18
* resolv_wrapper-1.1.7-4.fc36

# PYTHONPATH=/root/rpmbuild/BUILD/krb5-1.19.1/src/util /usr/bin/python3 ./t_discover_uri.py -v
*** [1] Executing: ./t_locate_kdc TEST
in module_locate_server
element 0 is 0x7fbd56369cc0
plugin doesn't handle this realm (KRB5_PLUGIN_NO_HANDLE)
ran off end of plugin list
looking in krb5.conf for realm TEST entry kdc; ports 88,0
config file lookup failed: Profile relation not found
7 servers:
0: h:kdc1 t:https p:443 m:0 P:
1: h:kdc2 t:https p:443 m:1 P:path
2: h:kdc3 t:https p:300 m:0 P:path
3: h:KDC4 t:udp p:88 m:1 P:
4: h:kdc5 t:tcp p:500 m:0 P:
5: h:192.168.1.6 t:tcp p:88 m:0 P:
6: h:dead:beef:cafe:7 t:tcp p:700 m:0 P:
*** [1] Completed with return code 0
*** Failure: URI answers do not match
*** Last command (#1): ./t_locate_kdc TEST
*** Output of last command:
in module_locate_server
element 0 is 0x7fbd56369cc0
plugin doesn't handle this realm (KRB5_PLUGIN_NO_HANDLE)
ran off end of plugin list
looking in krb5.conf for realm TEST entry kdc; ports 88,0
config file lookup failed: Profile relation not found
7 servers:
0: h:kdc1 t:https p:443 m:0 P:
1: h:kdc2 t:https p:443 m:1 P:path
2: h:kdc3 t:https p:300 m:0 P:path
3: h:KDC4 t:udp p:88 m:1 P:
4: h:kdc5 t:tcp p:500 m:0 P:
5: h:192.168.1.6 t:tcp p:88 m:0 P:
6: h:dead:beef:cafe:7 t:tcp p:700 m:0 P:
Use --debug=NUM to run a command under a debugger.  Use
--stop-after=NUM to stop after a daemon is started in order to
attach to it with a debugger.  Use --help to see other
options.

Filip, do you think this error is still related to resolv_wrapper?

--- Additional comment from Julien Rische on 2022-05-13 16:42:12 UTC ---

Looking at this code from t_discover_uri.py[1], we see the error is caused by a mismatch between the expected and actual outputs:

===
j = 0
for i in range(4, 12):
    if l[i].strip() != expected[j]:
        fail('URI answers do not match')
    j += 1
===

Lines are compared one buy one, but skipping the 4 first lines are skipped. This is because these lines are log messages. However, we have 6 lines:

===
in module_locate_server
element 0 is 0x7fbd56369cc0
plugin doesn't handle this realm (KRB5_PLUGIN_NO_HANDLE)
ran off end of plugin list
looking in krb5.conf for realm TEST entry kdc; ports 88,0
config file lookup failed: Profile relation not found
===

Actually, this is because the default "service_locator" plugin is not the only one being, as it should be. The SSSD one is tried first:

/usr/lib64/krb5/plugins/libkrb5/sssd_krb5_locator_plugin.so provided by sssd-client

However, this plugin ignores some parts of the custom environment that is being setup for this test, including the TEST realm which is unknown to SSSD. Hence the get_krb5info() call[2] fails for this realm, resulting in 2 extra lines of error logs.

After uninstalling sssd-client, we obtain the 4 expected heading log lines, and the test succeed:

===
in module_locate_server
ran off end of plugin list
looking in krb5.conf for realm TEST entry kdc; ports 88,0
config file lookup failed: Profile relation not found
===

I think we are 2 options here:
* Modify t_discover_uri.py to start comparison at the 7th line
* Make sure sssd-client is not installed on the test host


[1] https://github.com/krb5/krb5/blob/krb5-1.19.1-final/src/lib/krb5/os/t_discover_uri.py
[2] https://github.com/SSSD/sssd/blob/2.6.2/src/krb5_plugin/sssd_krb5_locator_plugin.c#L493