Bug 834697
| Field | Value |
|---|---|
| Summary | Error in sasl_client_start when installing packages to subscribed client via web ui |
| Product | Red Hat Satellite |
| Component | Content Management |
| Version | 6.0.1 |
| Status | CLOSED ERRATA |
| Severity | high |
| Priority | unspecified |
| Reporter | Og Maciel <omaciel> |
| Assignee | Ivan Necas <inecas> |
| QA Contact | Og Maciel <omaciel> |
| CC | asettle, cpelland, dmacpher, inecas, jortel, jrist, snansi |
| Keywords | Regression, Triaged, ZStream |
| Target Milestone | Unspecified |
| Target Release | Unused |
| Hardware | Unspecified |
| OS | Unspecified |
| Doc Type | Bug Fix |
| Type | Bug |
| Bug Blocks | 835971 |
| Last Closed | 2012-12-04 19:46:46 UTC |

Doc Text:
Installing packages to subscribed clients via the UI failed due to authentication failure in SASL authentication. This regression was introduced due to a code change that turned on authentication by default. This fix disables authentication using the following in /etc/qpidd.conf:
auth=no
Ensure to restart the following services if manually disabling authentication:
System Engine:
# service qpidd restart
# service pulp-server restart
Client:
# service goferd restart
Description
Og Maciel
2012-06-22 19:55:34 UTC
Martin Bacovsky sent me this comment:

Just for tracking: addition of mech_list: ANONYMOUS in /etc/sasl2/qpidd.conf made the trick after pulp-server restart. If anyone has an idea why qpidd chose GSSAPI as a default auth method, please, let me know.

Please attach the qpidd.conf.

Created attachment 594232
qpidd.conf

fwiw, this file has been modified from its original state. Here's what a diff would look like:
--- Downloads/qpidd.conf 2012-06-25 12:24:51.296495028 -0400
+++ Downloads/qpidd2.conf 2012-06-25 12:25:17.233414346 -0400
@@ -20,11 +20,10 @@
# (Note: no spaces on either side of '='). Using default settings:
# "qpidd --help" or "man qpidd" for more details.
cluster-mechanism=ANONYMOUS
-log-enable=debug+
+log-enable=error+
require-encryption=yes
ssl-require-client-authentication=yes
-auth=yes
ssl-port=5674
ssl-cert-db=/etc/pki/katello/nssdb
ssl-cert-password-file=/etc/katello/nss_db_password-file
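
Review bot: The `auth=yes` line is removed at the end of this hunk with no replacement, so the `+` side leaves `auth` unset and the broker falls back to its built-in default. State the intended value explicitly (the fix discussed in this bug is `auth=no`), and keep `require-encryption=yes` and `ssl-require-client-authentication=yes`, which appear here as unchanged context, since they are the only access controls visible in this file once SASL authentication is off.
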
auth=no must be explicitly set because the default when not specified is (1). This seems to be a regression in the installer. See: https://bugzilla.redhat.com/show_bug.cgi?id=743327.

Reproduced after updating qpid-cpp-server-0.12-6.el6.x86_64 to qpid-cpp-server-0.14-16.el6.x86_64 - both SASL and Timeout error. I'm trying to find out what's going on there now.

The problem was probably introduced by this [1] or this [2] change in qpid (or both of them). They either turn the authentication on by default, or changed the priority of different auth methods so that the one working before was not used by default now. Setting auth=no seems to be the right choice for us, since it worked for RHUI as well and we don't use the qpid auth features.

[1] - https://issues.apache.org/jira/browse/QPID-3337
[2] - https://issues.apache.org/jira/browse/QPID-3246

The problem with the time-out occurred when I restarted the qpid server but hadn't restarted goferd on the client machine, and therefore the connection wasn't established.

commit 81a551dd62323b5494401b8add3e96646e1f7f87
Author: Ivan Necas <inecas>
Date: Wed Jun 27 15:30:44 2012 +0200

    834697 - explicitly disable qpid authentication

For the servers already installed, adding auth=no to /etc/qpidd.conf, restarting pulp-server service on server and goferd service on the client fixes the issue.

To be clear:

CFSE:
* Add auth=no to /etc/qpidd.conf
* service qpidd restart
* service pulp-server restart

Client:
* service goferd restart

This works like a charm!

Verified using:
* candlepin-0.7.8-1.el6cf.noarch
* candlepin-selinux-0.7.8-1.el6cf.noarch
* candlepin-tomcat6-0.7.8-1.el6cf.noarch
* katello-1.1.12-9.el6cf.noarch
* katello-all-1.1.12-9.el6cf.noarch
* katello-candlepin-cert-key-pair-1.0-1.noarch
* katello-certs-tools-1.1.8-1.el6cf.noarch
* katello-cli-1.1.8-5.el6cf.noarch
* katello-cli-common-1.1.8-5.el6cf.noarch
* katello-common-1.1.12-9.el6cf.noarch
* katello-configure-1.1.9-4.el6cf.noarch
* katello-glue-candlepin-1.1.12-9.el6cf.noarch
* katello-glue-pulp-1.1.12-9.el6cf.noarch
* katello-qpid-broker-key-pair-1.0-1.noarch
* katello-qpid-client-key-pair-1.0-1.noarch
* katello-selinux-1.1.1-1.el6cf.noarch
* pulp-1.1.12-1.el6cf.noarch
* pulp-common-1.1.12-1.el6cf.noarch
* pulp-selinux-server-1.1.12-1.el6cf.noarch

Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA.

For information on the advisory, and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report.

http://rhn.redhat.com/errata/RHSA-2012-1543.html

getting rid of 6.0.0 version since that doesn't exist
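
The workaround in this report turns SASL authentication off, so it matters whether `auth` is set explicitly and whether the TLS settings shown in the attached qpidd.conf are still in place. The following check is an added example, not part of the bug report or the Katello installer; the function names, verdict strings and sample files are constructed for illustration, and it recognizes only the `yes`/`no` values that appear on this page.

```shell
# Added example; function names and verdict strings are hypothetical.
# Count uncommented "key=" lines for key $2 in file $1.
conf_count() { awk -F= -v k="$2" '$1 == k { n++ } END { print n + 0 }' "$1"; }
# Print the value of key $2 in file $1 (empty when the key is absent).
conf_value() { awk -F= -v k="$2" '$1 == k { v = $2 } END { print v }' "$1"; }

audit_qpidd() {
    f=$1
    n=$(conf_count "$f" auth)
    # No auth line: the broker's built-in default decides, so the file alone
    # does not say whether SASL authentication is on.
    if [ "$n" -eq 0 ]; then echo "auth-implicit"; return 0; fi
    # Several auth lines: report instead of guessing which one applies.
    if [ "$n" -gt 1 ]; then echo "auth-duplicated"; return 0; fi
    case $(conf_value "$f" auth) in
        yes) echo "auth-on" ;;
        no)
            # With SASL off, encryption plus a required client certificate
            # are the access controls left in this file.
            if [ "$(conf_value "$f" require-encryption)" = yes ] &&
               [ "$(conf_value "$f" ssl-require-client-authentication)" = yes ]
            then echo "auth-off-tls-client-cert"
            else echo "auth-off-no-tls-gate"
            fi ;;
        *) echo "auth-unrecognized" ;;
    esac
}

tmp=$(mktemp -d)
# Constructed sample: the settings from this bug with auth=no set explicitly.
cat > "$tmp/fixed.conf" <<'EOF'
require-encryption=yes
ssl-require-client-authentication=yes
auth=no
ssl-port=5674
EOF
# Constructed sample: auth only appears in a comment, so it is implicit.
cat > "$tmp/implicit.conf" <<'EOF'
# auth=yes
require-encryption=yes
ssl-require-client-authentication=yes
EOF
# Constructed sample: auth=no without the client-certificate requirement.
printf 'require-encryption=yes\nauth=no\n' > "$tmp/open.conf"
for c in fixed implicit open; do
    printf '%s: %s\n' "$c" "$(audit_qpidd "$tmp/$c.conf")"
done
```

On a real system the function would be pointed at /etc/qpidd.conf; an `auth-implicit` or `auth-off-no-tls-gate` verdict is the case to review before restarting qpidd.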