Bug 834697
| Field | Value |
|---|---|
| Summary | Error in sasl_client_start when installing packages to subscribed client via web ui |
| Product | Red Hat Satellite |
| Component | Content Management |
| Version | 6.0.1 |
| Status | CLOSED ERRATA |
| Severity | high |
| Priority | unspecified |
| Reporter | Og Maciel <omaciel> |
| Assignee | Ivan Necas <inecas> |
| QA Contact | Og Maciel <omaciel> |
| CC | asettle, cpelland, dmacpher, inecas, jortel, jrist, snansi |
| Keywords | Regression, Triaged, ZStream |
| Target Milestone | Unspecified |
| Target Release | Unused |
| Hardware | Unspecified |
| OS | Unspecified |
| Doc Type | Bug Fix |
| Bug Blocks | 835971 |
| Last Closed | 2012-12-04 19:46:46 UTC |
| Type | Bug |

Doc Text:
Installing packages to subscribed clients via the UI failed due to authentication failure in SASL authentication. This regression was introduced due to a code change that turned on authentication by default. This fix disables authentication using the following in /etc/qpidd.conf:
auth=no
Restart the following services if you disable authentication manually:
System Engine:
# service qpidd restart
# service pulp-server restart
Client:
# service goferd restart

Martin Bacovsky sent me this comment:
Just for tracking:
addition of
mech_list: ANONYMOUS
in /etc/sasl2/qpidd.conf made the trick after pulp-server restart. If
anyone has an idea why qpidd chose GSSAPI as a default auth method,
please, let me know.

Please attach the qpidd.conf.

Created attachment 594232
qpidd.conf

fwiw, this file has been modified from its original state. Here's what a diff would look like:
--- Downloads/qpidd.conf 2012-06-25 12:24:51.296495028 -0400
+++ Downloads/qpidd2.conf 2012-06-25 12:25:17.233414346 -0400
@@ -20,11 +20,10 @@
# (Note: no spaces on either side of '='). Using default settings:
# "qpidd --help" or "man qpidd" for more details.
cluster-mechanism=ANONYMOUS
-log-enable=debug+
+log-enable=error+
require-encryption=yes
ssl-require-client-authentication=yes
-auth=yes
ssl-port=5674
ssl-cert-db=/etc/pki/katello/nssdb
ssl-cert-password-file=/etc/katello/nss_db_password-file
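
Review bot: removing `auth=yes` without adding a replacement leaves `auth` unset in this file, so whether SASL is enforced depends on the installed qpidd's default rather than on anything stated here; if the intent is to run without SASL, write `auth=no` explicitly where the `-auth=yes` line was. With SASL off, `require-encryption=yes` and `ssl-require-client-authentication=yes` are the settings left guarding `ssl-port=5674`, so a comment beside them saying they must stay enabled would help. The `log-enable` change from `debug+` to `error+` is unrelated to authentication and would be easier to review as a separate change.
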
auth=no must be explicitly set because the default when not specified is (1). This seems to be a regression in the installer. See: https://bugzilla.redhat.com/show_bug.cgi?id=743327.

Reproduced after updating qpid-cpp-server-0.12-6.el6.x86_64 to qpid-cpp-server-0.14-16.el6.x86_64 - both SASL and Timeout error. I'm trying to find out what's going on there now.

The problem was probably introduced by this [1] or this [2] change in qpid (or both of them). They either turned the authentication on by default, or changed the priority of different auth methods so that the one working before was not used by default now. Setting auth=no seems to be the right choice for us, since it worked for RHUI as well and we don't use the qpid auth features.

[1] - https://issues.apache.org/jira/browse/QPID-3337
[2] - https://issues.apache.org/jira/browse/QPID-3246

The problem with the time-out occurred when I restarted the qpid server but hadn't restarted goferd on the client machine, and therefore the connection wasn't established.

commit 81a551dd62323b5494401b8add3e96646e1f7f87
Author: Ivan Necas <inecas>
Date: Wed Jun 27 15:30:44 2012 +0200
834697 - explicitly disable qpid authentication

For the servers already installed, adding auth=no to /etc/qpidd.conf, restarting pulp-server service on server and goferd service on the client fixes the issue.

To be clear:

CFSE:
* Add auth=no to /etc/qpidd.conf
* service qpidd restart
* service pulp-server restart

Client:
* service goferd restart

This works like a charm! Verified using:

* candlepin-0.7.8-1.el6cf.noarch
* candlepin-selinux-0.7.8-1.el6cf.noarch
* candlepin-tomcat6-0.7.8-1.el6cf.noarch
* katello-1.1.12-9.el6cf.noarch
* katello-all-1.1.12-9.el6cf.noarch
* katello-candlepin-cert-key-pair-1.0-1.noarch
* katello-certs-tools-1.1.8-1.el6cf.noarch
* katello-cli-1.1.8-5.el6cf.noarch
* katello-cli-common-1.1.8-5.el6cf.noarch
* katello-common-1.1.12-9.el6cf.noarch
* katello-configure-1.1.9-4.el6cf.noarch
* katello-glue-candlepin-1.1.12-9.el6cf.noarch
* katello-glue-pulp-1.1.12-9.el6cf.noarch
* katello-qpid-broker-key-pair-1.0-1.noarch
* katello-qpid-client-key-pair-1.0-1.noarch
* katello-selinux-1.1.1-1.el6cf.noarch
* pulp-1.1.12-1.el6cf.noarch
* pulp-common-1.1.12-1.el6cf.noarch
* pulp-selinux-server-1.1.12-1.el6cf.noarch

Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory, and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report.
http://rhn.redhat.com/errata/RHSA-2012-1543.html

getting rid of 6.0.0 version since that doesn't exist
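
As an added example (not part of the bug report or the Katello installer), a shell check for the configuration state this bug turns on: whether `auth` is stated explicitly in qpidd.conf and, when it is `no`, whether the two TLS settings visible in the attached file are still required. The function names `conf_get` and `audit_qpidd_conf` and the return codes are hypothetical.

```shell
#!/bin/sh
# Added example: audit a qpidd.conf for the settings discussed in this bug.
# conf_get and audit_qpidd_conf are hypothetical helper names.

# Print every value assigned to key $2 in file $1. qpidd.conf uses key=value
# with no spaces around '='; commented-out lines do not match. A key given
# more than once yields several lines and is treated below as needing review.
conf_get() {
    sed -n "s/^$2=//p" "$1"
}

# Return 0 if auth is explicit and, with SASL off, TLS is still required;
# 1 if auth is unset or ambiguous; 2 if auth=no without the TLS requirements.
audit_qpidd_conf() {
    file=$1
    auth=$(conf_get "$file" auth)
    enc=$(conf_get "$file" require-encryption)
    cert=$(conf_get "$file" ssl-require-client-authentication)

    case "$auth" in
        yes) echo "auth=yes: SASL enforced; clients need a usable mechanism"
             return 0 ;;
        no)  echo "auth=no: SASL disabled explicitly" ;;
        "")  echo "auth unset: behaviour depends on the installed qpidd default"
             return 1 ;;
        *)   echo "auth=$auth: unexpected value, review by hand"
             return 1 ;;
    esac

    # SASL is off from here on: check that the TLS requirements from the
    # page's qpidd.conf are still in force.
    rc=0
    [ "$cert" = yes ] || { echo "ssl-require-client-authentication is not yes"; rc=2; }
    [ "$enc" = yes ]  || { echo "require-encryption is not yes"; rc=2; }
    return "$rc"
}

# Stand-alone use: sh audit.sh /etc/qpidd.conf
if [ "$#" -gt 0 ]; then
    audit_qpidd_conf "$1"
fi
```
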

Description of problem:
Trying to install packages to subscribed clients via the web ui fails and an error shows up in pulp.

Version-Release number of selected component (if applicable):
* candlepin-0.6.5-1.el6_2.noarch
* candlepin-tomcat6-0.6.5-1.el6_2.noarch
* katello-0.1.317-1.el6_2.noarch
* katello-all-0.1.317-1.el6_2.noarch
* katello-candlepin-cert-key-pair-1.0-1.noarch
* katello-certs-tools-1.0.7-1.el6_3.noarch
* katello-cli-0.1.111-1.el6_2.noarch
* katello-cli-common-0.1.111-1.el6_2.noarch
* katello-common-0.1.317-1.el6_2.noarch
* katello-configure-0.1.110-1.el6_3.noarch
* katello-glue-candlepin-0.1.317-1.el6_2.noarch
* katello-glue-foreman-0.1.317-1.el6_2.noarch
* katello-glue-pulp-0.1.317-1.el6_2.noarch
* katello-qpid-broker-key-pair-1.0-1.noarch
* katello-qpid-client-key-pair-1.0-1.noarch
* katello-selinux-0.1.10-1.el6.noarch
* pulp-1.0.4-1.el6.noarch
* pulp-common-1.0.4-1.el6.noarch
* pulp-selinux-server-1.0.4-1.el6.noarch

How reproducible:

Steps to Reproduce:
1. Create organization + environment
2. Upload valid manifest and enable RHEL 6Server RPMS + SAM + CF Tools x86_64
3. Sync and promote product to first environment
4. Subscribe a plain vanilla RHEL 6.2 server with --autosubscribe
5. Install katello-agent
6. Install httpd to the client using the web ui

Actual results:
2012-06-21 17:19:44,727 6835:139794577344256: pulp.server.api.consumer:INFO: consumer:411 Successfully updated package profile for consumer 41aa5b43-5efc-46d3-b2e2-be48ffd66e2e
2012-06-21 17:20:06,007 6835:139794577344256: pulp.server.api.consumer:INFO: consumer:411 Successfully updated package profile for consumer ca65aafc-cfaf-4f2d-9a7d-e7ae3fd4d275
2012-06-21 17:24:47,920 6835:139794566854400: pulp.server.api.consumer:INFO: consumer:411 Successfully updated package profile for consumer 570dbd91-d52f-4fb3-8541-f7e6845b3811
2012-06-21 17:26:47,606 6835:139795139610368: gofer.messaging.broker:INFO: broker:100 connecting: {localhost:5674}: transport=SSL host=localhost port=5674 cacert=/usr/share/katello/candlepin-cert.crt clientcert=/etc/pki/pulp/qpid_client_striped.crt
2012-06-21 17:26:48,210 6835:139795139610368: pulp.server.tasking.task:ERROR: task:468 Task failed: Task ce7cc70a-bbe7-11e1-b762-52540005c9e2: ConsumerApi.__installpackages(570dbd91-d52f-4fb3-8541-f7e6845b3811, ['httpd'], )
Traceback (most recent call last):
  File "/usr/lib/python2.6/site-packages/pulp/server/tasking/task.py", line 414, in run
    result = self.callable(*self.args, **self.kwargs)
  File "/usr/lib/python2.6/site-packages/pulp/server/api/consumer.py", line 448, in __installpackages
    return packages.install(names, reboot)
  File "/usr/lib/python2.6/site-packages/gofer/rmi/stub.py", line 72, in __call__
    return self.stub._send(request, opts)
  File "/usr/lib/python2.6/site-packages/gofer/rmi/stub.py", line 133, in _send
    return self.__send(request, options)
  File "/usr/lib/python2.6/site-packages/gofer/rmi/stub.py", line 164, in __send
    any=opts.any)
  File "/usr/lib/python2.6/site-packages/gofer/rmi/policy.py", line 138, in send
    **any)
  File "/usr/lib/python2.6/site-packages/gofer/messaging/producer.py", line 51, in send
    sender = self.session().sender(address)
  File "/usr/lib/python2.6/site-packages/gofer/messaging/endpoint.py", line 187, in session
    self.__session = self.ssnpool.get(self.url)
  File "/usr/lib/python2.6/site-packages/gofer/messaging/endpoint.py", line 55, in get
    con = broker.connect()
  File "/usr/lib/python2.6/site-packages/gofer/messaging/broker.py", line 102, in connect
    con.attach()
  File "<string>", line 6, in attach
  File "/usr/lib/python2.6/site-packages/qpid/messaging/endpoints.py", line 262, in attach
    self._ewait(lambda: self._transport_connected and not self._unlinked())
  File "/usr/lib/python2.6/site-packages/qpid/messaging/endpoints.py", line 197, in _ewait
    self.check_error()
  File "/usr/lib/python2.6/site-packages/qpid/messaging/endpoints.py", line 190, in check_error
    raise self.error
AuthenticationFailure: Error in sasl_client_start (-1) SASL(-1): generic failure: GSSAPI Error: Unspecified GSS failure. Minor code may provide more information (Credentials cache file '/tmp/krb5cc_48' not found)

Expected results:
Package should be installed

Additional info: