Bug 1315322 - krb5: after upgrade to 1.14 gssntlmssp fails to operate
krb5: after upgrade to 1.14 gssntlmssp fails to operate
Status: CLOSED INSUFFICIENT_DATA
Product: Fedora
Classification: Fedora
Component: krb5 (Show other bugs)
23
Unspecified Unspecified
unspecified Severity unspecified
: ---
: ---
Assigned To: Robbie Harwood
Fedora Extras Quality Assurance
:
Depends On:
Blocks:
  Show dependency treegraph
 
Reported: 2016-03-07 08:19 EST by Nikos Mavrogiannopoulos
Modified: 2016-12-02 15:12 EST (History)
6 users (show)

See Also:
Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2016-12-02 15:12:31 EST
Type: Bug
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---


Attachments (Terms of Use)

  None (edit)
Description Nikos Mavrogiannopoulos 2016-03-07 08:19:52 EST
Description of problem:
I upgraded to krb5 1.14 and since that point on test of ocserv component which was relying on gssntlmssp fails to run.


How reproducible:


Steps to Reproduce:
1. dnf install krb5-devel gssntlmssp
2. git clone https://gitlab.com/ocserv/ocserv.git
3. cd ocserv && ./configure && make -j4
4. cd tests && sudo ../src/ocserv -d 1 -f -c test-gssapi.config

Actual results:
ocserv[21426]: gssapi: gss_acquire_cred[maj]: An invalid status code was supplied
ocserv[21426]: gssapi: gss_acquire_cred[maj]: An invalid status code was supplied
ocserv[21426]: gssapi: gss_acquire_cred[maj]: The routine must be called again to complete its function
ocserv[21426]: gssapi: gss_acquire_cred[maj]: The token was a duplicate of an earlier token
ocserv[21426]: gssapi: gss_acquire_cred[maj]: The token's validity period has expired
ocserv[21426]: gssapi: gss_acquire_cred[maj]: A later token has already been processed
ocserv[21426]: gssapi: gss_acquire_cred[maj]: An expected per-message token was not received
ocserv[21426]: gssapi: gss_acquire_cred[maj]: An invalid status code was supplied
ocserv[21426]: gssapi: gss_acquire_cred[maj]: An invalid status code was supplied
ocserv[21426]: gssapi: gss_acquire_cred[maj]: An invalid status code was supplied
ocserv[21426]: gssapi: gss_acquire_cred[maj]: An invalid status code was supplied
ocserv[21426]: gssapi: gss_acquire_cred[maj]: An invalid status code was supplied
ocserv[21426]: gssapi: gss_acquire_cred[maj]: An invalid status code was supplied
ocserv[21426]: gssapi: gss_acquire_cred[maj]: An invalid status code was supplied
ocserv[21426]: gssapi: gss_acquire_cred[maj]: An invalid status code was supplied
ocserv[21426]: gssapi: gss_acquire_cred[maj]: An invalid status code was supplied
ocserv[21426]: gssapi: gss_acquire_cred[maj]: An invalid status code was supplied
ocserv[21426]: gssapi: gss_acquire_cred[maj]: An invalid status code was supplied
ocserv[21426]: gssapi: gss_acquire_cred[min]: SPNEGO cannot find mechanisms to negotiate

Expected results:
The server should run in the foreground
Comment 1 Matt Rogers 2016-07-06 18:28:00 EDT
I tried to reproduce this with your instructions, and got the expected results. I built ocserv from the repo with HEAD at 5964c31d, with krb5 1.14 packages.

[vagrant@localhost ocserv]$ rpm -qa | grep krb5
krb5-libs-1.14.1-6.fc23.x86_64
krb5-devel-1.14.1-6.fc23.x86_64
[vagrant@localhost ocserv]$ cd tests/ && sudo ../src/ocserv -d 1 -f -c data/test-gssapi.config
Skipping unknown option 'cookie-validity'
Setting 'gssapi' as primary authentication method
Setting 'file' as supplemental config option
listening (TCP) on 0.0.0.0:4449...
listening (TCP) on [::]:4449...
listening (UDP) on 0.0.0.0:4449...
listening (UDP) on [::]:4449...
ocserv[612]: main: not using control unix socket
ocserv[612]: main: initialized ocserv 0.11.3
ocserv[613]: sec-mod: reading supplemental config from files
ocserv[613]: sec-mod: sec-mod initialized (socket: /var/run/ocserv-socket.612)
...^C
ocserv[612]: main: termination request received; waiting for children to die
Comment 2 Fedora End Of Life 2016-11-24 10:57:45 EST
This message is a reminder that Fedora 23 is nearing its end of life.
Approximately 4 (four) weeks from now Fedora will stop maintaining
and issuing updates for Fedora 23. It is Fedora's policy to close all
bug reports from releases that are no longer maintained. At that time
this bug will be closed as EOL if it remains open with a Fedora  'version'
of '23'.

Package Maintainer: If you wish for this bug to remain open because you
plan to fix it in a currently maintained version, simply change the 'version' 
to a later Fedora version.

Thank you for reporting this issue and we are sorry that we were not 
able to fix it before Fedora 23 is end of life. If you would still like 
to see this bug fixed and are able to reproduce it against a later version 
of Fedora, you are encouraged  change the 'version' to a later Fedora 
version prior this bug is closed as described in the policy above.

Although we aim to fix as many bugs as possible during every release's 
lifetime, sometimes those efforts are overtaken by events. Often a 
more recent Fedora release includes newer upstream software that fixes 
bugs or makes them obsolete.

Note You need to log in before you can comment on or make changes to this bug.