Bug 727863

Summary: Add support for new xmlrpc-c API to do GSSAPI delegation
Product: Red Hat Enterprise Linux 6
Component: certmonger
Version: 6.2
Hardware: Unspecified
OS: Unspecified
Reporter: Rob Crittenden <rcritten>
Assignee: Nalin Dahyabhai <nalin>
QA Contact: BaseOS QE Security Team <qe-baseos-security>
CC: dpal, jgalipea, jwest, kchamart
Status: CLOSED ERRATA
Severity: urgent
Priority: urgent
Target Milestone: rc
Keywords: ZStream
Doc Type: Bug Fix
Fixed In Version: certmonger-0.45-1.el6
Clones: 727864
Bug Depends On: 719945
Bug Blocks: 727864, 729804
Last Closed: 2011-12-06 17:37:50 UTC

Description Rob Crittenden 2011-08-03 13:02:16 UTC
Description of problem:

libcurl upstream dropped support for delegating Kerberos tickets. This was
applied to EL6 in bug https://bugzilla.redhat.com/show_bug.cgi?id=711454

certmonger needs to be able to delegate tickets via XML-RPC to authenticate with IPA using xmlrpc-c.

Bug https://bugzilla.redhat.com/show_bug.cgi?id=719938 was created to add a new API to libcurl to do delegation.

Bug https://bugzilla.redhat.com/show_bug.cgi?id=719945 was created to add a new API to xmlrpc-c to utilize this delegation feature.

certmonger needs to be updated to use the new xmlrpc-c API.

Version-Release number of selected component (if applicable):

certmonger-0.42-1

Comment 2 Nalin Dahyabhai 2011-08-05 21:53:21 UTC
It looks like the currently-proposed patch requires us to set "gss_delegate" to 1 in the right xmlrpc_curl_xportparms structure that we pass to xmlrpc_client_create().  We'll need to have the patch added to the xmlrpc-c package (preferably after it's integrated into upstream's tree) and to have that updated version of xmlrpc-c tagged into the buildroot before we can build a fixed certmonger.

I can make the code changes in certmonger before that, but they can't be tested properly without an xmlrpc-c.  Making the xmlrpc-c bug block this one.

Comment 5 Jenny Severance 2011-09-21 18:46:17 UTC
verified:

ipa-client-install --domain=testrelm --realm=TESTRELM -p admin -w Secret123 -U
--server=ipaqavme.testrelm
Discovery was successful!
Hostname: hp-dl380g6-01.testrelm
Realm: TESTRELM
DNS Domain: testrelm
IPA Server: ipaqavme.testrelm
BaseDN: dc=testrelm



Enrolled in IPA realm TESTRELM
Created /etc/ipa/default.conf
Configured /etc/sssd/sssd.conf
Configured /etc/krb5.conf for IPA realm TESTRELM
Warning: Hostname (hp-dl380g6-01.testrelm) not found in DNS
DNS server record set to: hp-dl380g6-01.testrelm -> 10.16.65.39
SSSD enabled
Kerberos 5 enabled
NTP enabled
Client configuration complete.
[root@hp-dl380g6-01 ~]# kinit admin
Password for admin@TESTRELM: 
[root@hp-dl380g6-01 ~]# klist
Ticket cache: FILE:/tmp/krb5cc_0
Default principal: admin@TESTRELM

Valid starting     Expires            Service principal
09/21/11 11:38:40  09/22/11 11:38:36  krbtgt/TESTRELM@TESTRELM


versions:

curl-7.19.7-26.el6_1.2.x86_64
xmlrpc-c-1.16.24-1200.1840.el6_1.4.x86_64
certmonger-0.46-1.el6.x86_64
ipa-client-2.1.1-3.el6.x86_64
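
Comment 5 confirms enrollment and a kinit, but a plain klist shows no ticket flags. The delegation this bug adds to certmonger's xmlrpc-c transport can only forward a TGT that the KDC issued as forwardable, so someone verifying the fix would also want to see the F flag in the output of klist -f. The following is an added example, not part of the bug report and not certmonger's code: a POSIX shell function that reads MIT Kerberos klist -f output and reports whether the cached TGT is forwardable, run over constructed sample outputs. The function name tgt_forwardable and the sample texts are my own; the sample principal and realm names are copied from comment 5 for readability only.

```shell
#!/bin/sh
# Added example (not from the bug report): decide from `klist -f` output
# whether the cached TGT is forwardable. GSSAPI delegation, which this fix
# lets certmonger request through xmlrpc-c, can only forward a TGT that the
# KDC issued with the forwardable (F) flag.
#
# tgt_forwardable KLIST_TEXT
#   exit 0  TGT present and forwardable
#   exit 1  TGT present, flags shown, F flag absent
#   exit 2  no Flags line for the TGT (klist run without -f, empty
#           input, or no TGT cached at all)
tgt_forwardable() {
    printf '%s\n' "$1" | awk '
        # Derive the TGT service principal from the "Default principal:" line.
        /^Default principal: / {
            split($3, p, "@"); realm = p[2]
            tgt = "krbtgt/" realm "@" realm
        }
        # Ticket line whose service principal is the TGT: the flags follow
        # on the next line, possibly after a "renew until ..., " prefix.
        tgt != "" && $NF == tgt { want = 1; next }
        want == 1 {
            want = 0
            if (match($0, /Flags: [A-Za-z]*/)) {
                seen = 1
                flags = substr($0, RSTART + 7, RLENGTH - 7)
                if (index(flags, "F") > 0) ok = 1
            }
        }
        END { if (!seen) exit 2; if (ok) exit 0; exit 1 }'
}

# Constructed sample outputs (not taken from the bug report's transcript).
KLIST_FORWARDABLE='Ticket cache: FILE:/tmp/krb5cc_0
Default principal: admin@TESTRELM

Valid starting     Expires            Service principal
09/21/11 11:38:40  09/22/11 11:38:36  krbtgt/TESTRELM@TESTRELM
    renew until 09/28/11 11:38:36, Flags: FRIA
09/21/11 11:40:12  09/22/11 11:38:36  HTTP/ipaqavme.testrelm@TESTRELM
    Flags: A'

KLIST_NOT_FORWARDABLE='Ticket cache: FILE:/tmp/krb5cc_0
Default principal: admin@TESTRELM

Valid starting     Expires            Service principal
09/21/11 11:38:40  09/22/11 11:38:36  krbtgt/TESTRELM@TESTRELM
    Flags: IA'

# Same shape as the klist run in comment 5: no -f, so no Flags lines.
KLIST_NO_FLAGS='Ticket cache: FILE:/tmp/krb5cc_0
Default principal: admin@TESTRELM

Valid starting     Expires            Service principal
09/21/11 11:38:40  09/22/11 11:38:36  krbtgt/TESTRELM@TESTRELM'

# report NAME KLIST_TEXT: print a one-line verdict for one sample.
report() {
    rc=0
    tgt_forwardable "$2" || rc=$?
    case $rc in
        0) echo "$1: TGT is forwardable, delegation can proceed" ;;
        2) echo "$1: no Flags line seen, rerun klist with -f" ;;
        *) echo "$1: TGT not forwardable (kinit -f, or forwardable = true in krb5.conf [libdefaults])" ;;
    esac
}

report forwardable "$KLIST_FORWARDABLE"
report not-forwardable "$KLIST_NOT_FORWARDABLE"
report no-flags "$KLIST_NO_FLAGS"
```

On a live client the same check is tgt_forwardable "$(klist -f)". Exit status 2 is kept separate from 1 on purpose: the transcript in comment 5 ran klist without -f, and that output proves nothing about forwardability either way.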

Comment 6 errata-xmlrpc 2011-12-06 17:37:50 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

http://rhn.redhat.com/errata/RHBA-2011-1708.html