
Bug 1361223

Summary: [AAA] Missing principal name option for keytab usage on kerberos
Product: [oVirt] ovirt-engine
Reporter: Gonza <grafuls>
Component: AAA
Assignee: Martin Perina <mperina>
Status: CLOSED CURRENTRELEASE
QA Contact: Gonza <grafuls>
Severity: high
Docs Contact:
Priority: high
Version: 4.0.2
CC: audgiri, bugs, gklein, mgoldboi, mperina, omachace, oourfali, pstehlik
Target Milestone: ovirt-4.1.1
Keywords: Reopened, ZStream
Target Release: 4.1.1.2
Flags: rule-engine: ovirt-4.1+, rule-engine: exception+, mgoldboi: planning_ack+, mperina: devel_ack+, pstehlik: testing_ack+
Hardware: Unspecified
OS: Unspecified
Whiteboard:
Fixed In Version:
Doc Type: Bug Fix
Doc Text:
In BZ1322940 we provided a way to reuse the GSSAPI configuration provided by the application server. This fix adds an option to specify the principal name when multiple principal names are present in the configured keytab. The principal name is set with the following variable: AAA_JAAS_PRINCIPAL_NAME=principal_name. By default the principal name is empty, which works for the most common case, where only one principal is defined in the specified keytab. To use the option, create a new configuration file, for example /etc/ovirt-engine/engine.conf.d/99-jaas.conf, and specify the correct values for the GSSAPI variables in it (see BZ1322940 for details).
Story Points: ---
Clone Of:
Environment:
Last Closed: 2017-04-21 09:35:14 UTC
Type: Bug
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: Infra
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---
Target Upstream Version:
Embargoed:
Bug Depends On: 1322940
Bug Blocks:    
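The Doc Text above introduces AAA_JAAS_PRINCIPAL_NAME for keytabs that hold more than one principal. The following check is an added example, not code from the bug report or from the oVirt project: it parses an MIT Kerberos `klist -kt` listing to count distinct principals and emits the 99-jaas.conf line, refusing to leave the variable empty when several principals are present. The listing, the keytab path and the EXAMPLE.COM names are constructed.

```shell
#!/bin/sh
# Added example, not code from the bug report or from oVirt: decide from the
# keytab's contents whether AAA_JAAS_PRINCIPAL_NAME must be set explicitly.
# Assumes MIT Kerberos "klist -kt" output format; the listing below is
# constructed, with two key versions (KVNOs) of the same admin principal.
SAMPLE_KLIST='Keytab name: FILE:/etc/ovirt-engine/engine.keytab
KVNO Timestamp           Principal
---- ------------------- ------------------------------------------------------
   2 07/28/2016 14:29:01 admin@EXAMPLE.COM
   3 07/28/2016 14:29:01 admin@EXAMPLE.COM
   3 07/28/2016 14:30:12 HTTP/engine.example.com@EXAMPLE.COM'

# Print each distinct principal in a "klist -kt" listing read on stdin.
# Entry lines start with a numeric KVNO; the principal is the last field.
# Several key versions of one principal count once.
keytab_principals() {
  awk '$1 ~ /^[0-9]+$/ { if (!seen[$NF]++) print $NF }'
}

# Print the number of distinct principals in the listing read on stdin.
keytab_principal_count() {
  keytab_principals | awk 'END { print NR }'
}

# Print the line to put in /etc/ovirt-engine/engine.conf.d/99-jaas.conf.
# With one principal the default (empty) value is fine; with several, a
# principal must be named, so the function fails instead of emitting a
# value that leaves the JAAS login context to guess.
# Usage: jaas_principal_line <distinct-principal-count> [principal]
jaas_principal_line() {
  count=$1
  chosen=${2:-}
  if [ "$count" -gt 1 ] && [ -z "$chosen" ]; then
    echo "keytab holds $count principals; AAA_JAAS_PRINCIPAL_NAME must name one" >&2
    return 1
  fi
  echo "AAA_JAAS_PRINCIPAL_NAME=$chosen"
}

# Against a real engine: klist -kt /path/to/engine.keytab | keytab_principal_count
count=$(printf '%s\n' "$SAMPLE_KLIST" | keytab_principal_count)
jaas_principal_line "$count" admin@EXAMPLE.COM
```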

Description Gonza 2016-07-28 14:29:01 UTC
Description of problem:
When a user from the IPA server tries to authenticate using a keytab file from Kerberos, AAA fails to initialize the JAAS login context for GSSAPI authentication.

Version-Release number of selected component (if applicable):
ovirt-engine-extension-aaa-ldap-1.2.1-1.el7ev.noarch
eap7-wildfly-7.0.1-4.GA_redhat_2.1.ep7.el7.noarch.rpm
rhevm-4.0.2-0.1.rc.el7ev.noarch

How reproducible:
100%

Steps to Reproduce:
1. Get keytab file from kdc and copy to engine:
 $ ipa-getkeytab -s ipa.redhat.com -p admin -k /tmp/admin.keytab
 $ scp /tmp/vdcadmin.keytab root@host:/tmp/vdcadmin.keytab
 $ chmod +r /tmp/vdcadmin.keytab
2. Configure engine to use gssapi + keytab file
3. Restart engine

Actual results:
An error occurred while attempting to initialize the JAAS login context for GSSAPI authentication

Expected results:
AAA is able to initialize the LDAP framework

Additional info (workaround):
We should include the module option "principal":
<module-option name="principal" value="admin"/>
to the security domain oVirtKerbAAA under /usr/share/ovirt-engine/services/ovirt-engine/ovirt-engine.xml.in

Comment 1 Martin Perina 2016-11-03 12:05:14 UTC
We were not able to reproduce the issue; JAAS login always worked fine even without specifying the principal name. Feel free to reopen if you are able to reproduce the issue.

Comment 7 Gonza 2017-04-06 13:16:24 UTC
Verified with:
ovirt-engine-extension-aaa-ldap-1.3.1-1.el7ev.noarch
rhevm-4.1.1.6-0.1.el7.noarch