Bug 1361223 - [AAA] Missing principal name option for keytab usage on kerberos
Summary: [AAA] Missing principal name option for keytab usage on kerberos
Keywords:
Status: CLOSED CURRENTRELEASE
Alias: None
Product: ovirt-engine
Classification: oVirt
Component: AAA
Version: 4.0.2
Hardware: Unspecified
OS: Unspecified
Priority: high
Severity: high
Target Milestone: ovirt-4.1.1
Target Release: 4.1.1.2
Assignee: Martin Perina
QA Contact: Gonza
URL:
Whiteboard:
Depends On: 1322940
Blocks:
Reported: 2016-07-28 14:29 UTC by Gonza
Modified: 2020-03-11 15:14 UTC
CC List: 8 users

Fixed In Version:
Clone Of:
Environment:
Last Closed: 2017-04-21 09:35:14 UTC
oVirt Team: Infra
Embargoed:
rule-engine: ovirt-4.1+
rule-engine: exception+
mgoldboi: planning_ack+
mperina: devel_ack+
pstehlik: testing_ack+

Links:
oVirt gerrit 61655 (branch master, MERGED): aaa: Allow define principal name for GSSAPI over JAAS (last updated 2017-02-10 07:27:57 UTC)
oVirt gerrit 72086 (branch ovirt-engine-4.1, MERGED): aaa: Allow define principal name for GSSAPI over JAAS (last updated 2017-02-13 12:07:09 UTC)

Description Gonza 2016-07-28 14:29:01 UTC
Description of problem:
When a user from the IPA server tries to authenticate using a keytab file from Kerberos, AAA fails to initialize the JAAS login context for GSSAPI authentication.

Version-Release number of selected component (if applicable):
ovirt-engine-extension-aaa-ldap-1.2.1-1.el7ev.noarch
eap7-wildfly-7.0.1-4.GA_redhat_2.1.ep7.el7.noarch.rpm
rhevm-4.0.2-0.1.rc.el7ev.noarch

How reproducible:
100%

Steps to Reproduce:
1. Get keytab file from kdc and copy to engine:
 $ ipa-getkeytab -s ipa.redhat.com -p admin -k /tmp/admin.keytab
 $ scp /tmp/vdcadmin.keytab root@host:/tmp/vdcadmin.keytab
 $ chmod +r /tmp/vdcadmin.keytab
2. Configure engine to use gssapi + keytab file
3. Restart engine

Actual results:
An error occurred while attempting to initialize the JAAS login context for GSSAPI authentication

Expected results:
AAA is able to initialize the LDAP framework

Additional info (workaround):
We should include the module option "principal":
<module-option name="principal" value="admin"/>
to the security domain oVirtKerbAAA under /usr/share/ovirt-engine/services/ovirt-engine/ovirt-engine.xml.in
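
The workaround above only helps if the value given to the "principal" module option actually names an entry in the keytab the engine was pointed at. The usual way to check that is `klist -kt /path/to/file.keytab`; the following Python is an added example (not part of this bug report and not oVirt code) that does the same check offline: it reads the MIT keytab format (version 0x0502), lists the principals it contains, verifies that a configured principal such as "admin" is among them, and reports whether the file is group- or world-readable, which the `chmod +r` in the reproduction steps leaves it. The keytab bytes, the realm EXAMPLE.COM and the key material are constructed for the example, and the function names are hypothetical.

```python
import os
import stat
import struct
import tempfile
from dataclasses import dataclass
from typing import Dict, List

# Minimal reader for the MIT keytab format, version 0x0502 (big-endian).
# Entry: int32 size | uint16 n_components | realm | components... |
#        uint32 name_type | uint32 timestamp | uint8 vno8 |
#        uint16 enctype | uint16 keylen | key | [uint32 kvno]


@dataclass
class KeytabEntry:
    principal: str   # "component[/component]@REALM"
    kvno: int
    enctype: int     # 18 = aes256-cts-hmac-sha1-96, 17 = aes128-cts-hmac-sha1-96
    timestamp: int


def _counted_string(buf: bytes, off: int):
    """uint16 big-endian length followed by that many bytes."""
    (length,) = struct.unpack_from(">H", buf, off)
    off += 2
    data = buf[off:off + length]
    if len(data) != length:
        raise ValueError("truncated keytab string")
    return data.decode("utf-8"), off + length


def parse_keytab(buf: bytes) -> List[KeytabEntry]:
    if buf[:2] != b"\x05\x02":
        raise ValueError("unsupported keytab version; only 0x0502 is handled")
    off, entries = 2, []
    while off < len(buf):
        (size,) = struct.unpack_from(">i", buf, off)
        off += 4
        if size < 0:              # a negative size marks a deleted entry: skip it
            off += -size
            continue
        end = off + size
        if end > len(buf):
            raise ValueError("keytab entry runs past end of file")
        (ncomp,) = struct.unpack_from(">H", buf, off)
        off += 2
        realm, off = _counted_string(buf, off)
        comps = []
        for _ in range(ncomp):
            comp, off = _counted_string(buf, off)
            comps.append(comp)
        _name_type, timestamp, vno8 = struct.unpack_from(">IIB", buf, off)
        off += 9
        enctype, keylen = struct.unpack_from(">HH", buf, off)
        off += 4 + keylen         # the key material itself is not needed here
        kvno = vno8
        if end - off >= 4:        # optional 32-bit kvno overrides vno8 when non-zero
            (vno32,) = struct.unpack_from(">I", buf, off)
            if vno32:
                kvno = vno32
        off = end
        entries.append(KeytabEntry("/".join(comps) + "@" + realm, kvno, enctype, timestamp))
    return entries


def principal_in_keytab(entries: List[KeytabEntry], configured: str) -> bool:
    """True if the JAAS 'principal' value names an entry, with or without its realm."""
    return any(configured in (e.principal, e.principal.split("@", 1)[0]) for e in entries)


def _build_entry(principal: str, realm: str, kvno: int, enctype: int, key: bytes, ts: int = 0) -> bytes:
    """Serialise one keytab entry; used only to construct the sample below."""
    comps = principal.split("/")
    body = struct.pack(">H", len(comps)) + struct.pack(">H", len(realm)) + realm.encode()
    for c in comps:
        body += struct.pack(">H", len(c)) + c.encode()
    body += struct.pack(">IIB", 1, ts, kvno & 0xFF)          # name_type 1 = KRB5_NT_PRINCIPAL
    body += struct.pack(">HH", enctype, len(key)) + key + struct.pack(">I", kvno)
    return struct.pack(">i", len(body)) + body


# Constructed sample keytab: realm, principals and key bytes are made up.
SAMPLE_KEYTAB = (b"\x05\x02"
                 + _build_entry("admin", "EXAMPLE.COM", 2, 18, bytes(range(32)), 1700000000)
                 + _build_entry("host/engine.example.com", "EXAMPLE.COM", 3, 17, bytes(range(16))))
# The same keytab with a 5-byte deleted entry in front, to exercise the skip path.
SAMPLE_KEYTAB_WITH_HOLE = b"\x05\x02" + struct.pack(">i", -5) + b"\x00" * 5 + SAMPLE_KEYTAB[2:]


def write_sample_keytab(mode: int = 0o600) -> str:
    """Write the constructed keytab to a temp file with the given mode; returns its path."""
    fd, path = tempfile.mkstemp(suffix=".keytab")
    with os.fdopen(fd, "wb") as f:
        f.write(SAMPLE_KEYTAB)
    os.chmod(path, mode)
    return path


def audit_keytab(path: str, configured_principal: str) -> Dict[str, object]:
    """Check a keytab against the 'principal' value the engine is configured with."""
    with open(path, "rb") as f:
        entries = parse_keytab(f.read())
    mode = stat.S_IMODE(os.stat(path).st_mode)
    return {
        "principals": sorted({e.principal for e in entries}),
        "principal_present": principal_in_keytab(entries, configured_principal),
        "group_or_world_readable": bool(mode & 0o077),
    }


if __name__ == "__main__":
    # 0o644 is what 'chmod +r' on a 0600 file produces: world-readable.
    print(audit_keytab(write_sample_keytab(0o644), "admin"))
```

Run it against a real file by replacing `write_sample_keytab(...)` with the keytab path and "admin" with the value from the `principal` module option; a keytab that comes back `group_or_world_readable: True` should be tightened to 0600 and owned by the engine's service user, since anyone who can read it can obtain tickets as that principal.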

Comment 1 Martin Perina 2016-11-03 12:05:14 UTC
We were not able to reproduce the issue; JAAS login always worked fine even without specifying the principal name. Feel free to reopen if you are able to reproduce the issue.

Comment 7 Gonza 2017-04-06 13:16:24 UTC
Verified with:
ovirt-engine-extension-aaa-ldap-1.3.1-1.el7ev.noarch
rhevm-4.1.1.6-0.1.el7.noarch