1315322 – krb5: after upgrade to 1.14 gssntlmssp fails to operate

Bug 1315322 - krb5: after upgrade to 1.14 gssntlmssp fails to operate

Summary: krb5: after upgrade to 1.14 gssntlmssp fails to operate

Keywords:
Status:	CLOSED INSUFFICIENT_DATA
Alias:	None
Product:	Fedora
Classification:	Fedora
Component:	krb5
Sub Component:
Version:	23
Hardware:	Unspecified
OS:	Unspecified
Priority:	unspecified
Severity:	unspecified
Target Milestone:	---
Assignee:	Robbie Harwood
QA Contact:	Fedora Extras Quality Assurance
Docs Contact:
URL:
Whiteboard:
Depends On:
Blocks:
TreeView+	depends on / blocked

Reported:	2016-03-07 13:19 UTC by Nikos Mavrogiannopoulos
Modified:	2016-12-02 20:12 UTC (History)
CC List:	6 users (show)
Fixed In Version:
Doc Type:	Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed:	2016-12-02 20:12:31 UTC
Type:	Bug
Dependent Products:

Attachments	(Terms of Use)
Add an attachment (proposed patch, testcase, etc.)

Description Nikos Mavrogiannopoulos 2016-03-07 13:19:52 UTC

Description of problem:
I upgraded to krb5 1.14 and since that point on test of ocserv component which was relying on gssntlmssp fails to run.


How reproducible:


Steps to Reproduce:
1. dnf install krb5-devel gssntlmssp
2. git clone https://gitlab.com/ocserv/ocserv.git
3. cd ocserv && ./configure && make -j4
4. cd tests && sudo ../src/ocserv -d 1 -f -c test-gssapi.config

Actual results:
ocserv[21426]: gssapi: gss_acquire_cred[maj]: An invalid status code was supplied
ocserv[21426]: gssapi: gss_acquire_cred[maj]: An invalid status code was supplied
ocserv[21426]: gssapi: gss_acquire_cred[maj]: The routine must be called again to complete its function
ocserv[21426]: gssapi: gss_acquire_cred[maj]: The token was a duplicate of an earlier token
ocserv[21426]: gssapi: gss_acquire_cred[maj]: The token's validity period has expired
ocserv[21426]: gssapi: gss_acquire_cred[maj]: A later token has already been processed
ocserv[21426]: gssapi: gss_acquire_cred[maj]: An expected per-message token was not received
ocserv[21426]: gssapi: gss_acquire_cred[maj]: An invalid status code was supplied
ocserv[21426]: gssapi: gss_acquire_cred[maj]: An invalid status code was supplied
ocserv[21426]: gssapi: gss_acquire_cred[maj]: An invalid status code was supplied
ocserv[21426]: gssapi: gss_acquire_cred[maj]: An invalid status code was supplied
ocserv[21426]: gssapi: gss_acquire_cred[maj]: An invalid status code was supplied
ocserv[21426]: gssapi: gss_acquire_cred[maj]: An invalid status code was supplied
ocserv[21426]: gssapi: gss_acquire_cred[maj]: An invalid status code was supplied
ocserv[21426]: gssapi: gss_acquire_cred[maj]: An invalid status code was supplied
ocserv[21426]: gssapi: gss_acquire_cred[maj]: An invalid status code was supplied
ocserv[21426]: gssapi: gss_acquire_cred[maj]: An invalid status code was supplied
ocserv[21426]: gssapi: gss_acquire_cred[maj]: An invalid status code was supplied
ocserv[21426]: gssapi: gss_acquire_cred[min]: SPNEGO cannot find mechanisms to negotiate

Expected results:
The server should run in the foreground

Comment 1 Matt Rogers 2016-07-06 22:28:00 UTC

I tried to reproduce this with your instructions, and got the expected results. I built ocserv from the repo with HEAD at 5964c31d, with krb5 1.14 packages.

[vagrant@localhost ocserv]$ rpm -qa | grep krb5
krb5-libs-1.14.1-6.fc23.x86_64
krb5-devel-1.14.1-6.fc23.x86_64
[vagrant@localhost ocserv]$ cd tests/ && sudo ../src/ocserv -d 1 -f -c data/test-gssapi.config
Skipping unknown option 'cookie-validity'
Setting 'gssapi' as primary authentication method
Setting 'file' as supplemental config option
listening (TCP) on 0.0.0.0:4449...
listening (TCP) on [::]:4449...
listening (UDP) on 0.0.0.0:4449...
listening (UDP) on [::]:4449...
ocserv[612]: main: not using control unix socket
ocserv[612]: main: initialized ocserv 0.11.3
ocserv[613]: sec-mod: reading supplemental config from files
ocserv[613]: sec-mod: sec-mod initialized (socket: /var/run/ocserv-socket.612)
...^C
ocserv[612]: main: termination request received; waiting for children to die

Comment 2 Fedora End Of Life 2016-11-24 15:57:45 UTC

This message is a reminder that Fedora 23 is nearing its end of life.
Approximately 4 (four) weeks from now Fedora will stop maintaining
and issuing updates for Fedora 23. It is Fedora's policy to close all
bug reports from releases that are no longer maintained. At that time
this bug will be closed as EOL if it remains open with a Fedora  'version'
of '23'.

Package Maintainer: If you wish for this bug to remain open because you
plan to fix it in a currently maintained version, simply change the 'version' 
to a later Fedora version.

Thank you for reporting this issue and we are sorry that we were not 
able to fix it before Fedora 23 is end of life. If you would still like 
to see this bug fixed and are able to reproduce it against a later version 
of Fedora, you are encouraged  change the 'version' to a later Fedora 
version prior this bug is closed as described in the policy above.

Although we aim to fix as many bugs as possible during every release's 
lifetime, sometimes those efforts are overtaken by events. Often a 
more recent Fedora release includes newer upstream software that fixes 
bugs or makes them obsolete.

Note You need to log in before you can comment on or make changes to this bug.