Bug 693340

Summary: SASL Server start fails with GSSAPI mechanism
Product: Red Hat Enterprise Linux 5
Reporter: Remi Ferrand <remi.ferrand>
Component: krb5
Assignee: Nalin Dahyabhai <nalin>
Status: CLOSED ERRATA
QA Contact: BaseOS QE Security Team <qe-baseos-security>
Severity: high
Priority: urgent
Version: 5.5.z
CC: cww, dpal, jplans, jwest, prc
Target Milestone: rc   
Target Release: ---   
Hardware: x86_64   
OS: Linux   
Fixed In Version: krb5-1.6.1-47.el5
Doc Type: Bug Fix
Last Closed: 2011-04-07 14:53:01 UTC

Description Remi Ferrand 2011-04-04 11:04:37 UTC
Description of problem:
While using GSSAPI mechanism, the server_start() method ALWAYS fails when cyrus-sasl uses GSSAPI with krb5-workstation v1.6.1 36.el5_5.6.
Installing krb5-workstation v1.8.2 3.7 (RHEL 6 version) solves the problem.

The problem is in the linkage between libgssapi of cyrus-sasl and libgssapi of krb5.

This problem doesn't exist on RHEL 4 or RHEL 6; RHEL 5 is the only version impacted.


Version-Release number of selected component (if applicable):
cyrus-sasl 2.1.22 5.el5_4.3 (both i386 and x86_64)
krb5-workstation 1.6.1 36.el5_5.6

How reproducible:
Just use the sasl2-sample-client and sasl2-sample-server to discover the bug: no GSSAPI authentication is possible on a sasl2-sample-server running under RHEL 5.

Steps to Reproduce:
1. Install a Kerberos keytab for principal host/test.redhat.com for instance, and create a client principal test.
2. On server, launch "sasl2-sample-server -p 12345 -s host"
3. On client, identify yourself to Kerberos server with kinit test
4. On client, launch "sasl2-sample-client -p 12345 -s host -m GSSAPI test.redhat.com"
5. Enter "test" when client requests an authorization id.
  
Actual results:
Authentication failed. No GSSAPI authentication is possible with this version of krb5-workstation.

Expected results:
Successful Authentication.

Additional info:
This bug will also be submitted under cyrus-sasl software.

Cheers

R.

Comment 1 Nalin Dahyabhai 2011-04-04 15:54:24 UTC
This is the same as bug #498554, which is fixed in 5.6.  I expect that setting an explicit mapping from the server's host name to its realm in the [domain_realm] section of the server's /etc/krb5.conf would work around it.
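
A check for the workaround suggested in comment 1, as an added example that is not part of the original bug report: it parses a krb5.conf and reports whether a host name has an explicit [domain_realm] mapping, following MIT krb5's lookup order (exact host name, then each parent domain with a leading dot). The realm EXAMPLE.COM and the sample file are constructed placeholders, and include directives are not followed.

```python
import re
import sys

# Constructed sample config; EXAMPLE.COM is a placeholder realm, not from the bug report.
SAMPLE_KRB5_CONF = """\
[libdefaults]
    default_realm = EXAMPLE.COM

[domain_realm]
    # explicit host-to-realm mapping, the workaround from comment 1
    test.redhat.com = EXAMPLE.COM
    .example.com = EXAMPLE.COM
"""

def parse_domain_realm(text):
    """Return the [domain_realm] entries of a krb5.conf as a dict."""
    mappings, section = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":      # blank line or comment
            continue
        header = re.fullmatch(r"\[(\w+)\]", line)
        if header:
            section = header.group(1)
        elif section == "domain_realm" and "=" in line:
            key, value = (part.strip() for part in line.split("=", 1))
            mappings[key.lower()] = value
    return mappings

def explicit_realm(hostname, mappings):
    """Realm that [domain_realm] gives for hostname, or None if nothing matches."""
    candidate = hostname.lower().rstrip(".")
    if candidate in mappings:                # exact host entry wins
        return mappings[candidate]
    dot = candidate.find(".")
    while dot != -1:                         # then .parent, .grandparent, ...
        candidate = candidate[dot:]
        if candidate in mappings:
            return mappings[candidate]
        dot = candidate.find(".", 1)
    return None

if __name__ == "__main__":
    # Usage: script.py [krb5.conf path] [server host name]
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_KRB5_CONF
    host = sys.argv[2] if len(sys.argv) > 2 else "test.redhat.com"
    realm = explicit_realm(host, parse_domain_realm(text))
    print(f"{host}: {realm or 'no explicit [domain_realm] mapping'}")
```
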

Comment 5 Remi Ferrand 2011-04-07 08:04:18 UTC
You were right... just adding this section fixes the problem.
In Heimdal Kerberos, the default_realm is used when the Kerberos libraries don't know which REALM they should use; I guessed MIT had the same behavior.

Thanks a lot :)

Cheers

R.

Comment 6 Nalin Dahyabhai 2011-04-07 14:53:01 UTC
No worries.  Closing with resolution ERRATA.