Bug 472519 - GSSAPI Support is needed for oVirt 1.0
Product: Red Hat Enterprise MRG
Classification: Red Hat
Component: qpid-qmf
Hardware: All
OS: Linux
Priority: urgent
Severity: medium
: 1.1.1
Assigned To: Gordon Sim
Jeff Needle
Duplicates: 445747 453528
Blocks: 445749 476716
Reported: 2008-11-21 08:43 EST by Chris Pelland
Modified: 2016-04-26 10:25 EDT

Doc Type: Bug Fix
Last Closed: 2009-05-18 04:42:15 EDT

Attachments
Initial patch for qpidd and qpic c++ client (67.57 KB, patch), 2008-12-12 16:53 EST, Gordon Sim
SASL authentication and encryption for qpidd and c++ client (76.98 KB, patch), 2008-12-16 13:01 EST, Gordon Sim
Automated test (2.80 KB, text/plain), 2009-04-14 10:45 EDT, Jan Sarenik

Description Chris Pelland 2008-11-21 08:43:15 EST
The oVirt 1.0 development team requires GSSAPI Support by the end of December 08'.
Comment 1 Perry Myers 2008-12-09 14:53:30 EST
For oVirt GSSAPI support needs to be added to the C++ and Ruby clients as well as qpidd.
Comment 2 Gordon Sim 2008-12-12 16:53:25 EST
Created attachment 326785 [details]
Initial patch for qpidd and qpic c++ client
Comment 3 Gordon Sim 2008-12-16 13:01:24 EST
Created attachment 327139 [details]
SASL authentication and encryption for qpidd and c++ client

Includes support for security layer over RDMA. There are new min/max ssf (security strength factor) options for the client to control the strength of the negotiated security layer.
Comment 4 Gordon Sim 2008-12-16 13:16:22 EST
Support for the Ruby client is tracked by the dependent BZ 476716.
Comment 5 Gordon Sim 2008-12-16 13:25:30 EST
*** Bug 445747 has been marked as a duplicate of this bug. ***
Comment 6 Gordon Sim 2008-12-16 13:27:09 EST
*** Bug 453528 has been marked as a duplicate of this bug. ***
Comment 7 Gordon Sim 2009-01-07 07:17:42 EST
Committed as r732093.

Note: to use GSSAPI you need to install the cyrus-sasl-gssapi package (and make sure your configured mech-list, if any, does not exclude gssapi).

Then you need to have a KDC configured for use with the qpidd service. Below are some notes on what I did to set up a simple test environment (on mrg15). I am not very knowledgeable about Kerberos admin, so this shouldn't be read as best practice, but it may be useful to QE etc. Most of what I found out came from: http://tldp.org/HOWTO/Kerberos-Infrastructure-HOWTO/

Broadly, the steps are: install the packages, edit the config file, create an admin account, start the services, add the user principal(s), add a service principal for qpidd, create a key tab for the service principal, ensure that your qpidd instance can read the key tab, kinit the client shell and then specify --mechanism GSSAPI to any of the tests (you also probably need to specify the --broker to match the hostname your service principal is configured with).

In a bit more detail:

The package you need for a KDC is krb5-server (you also need krb5-libs, but I think that is included by default in most cases).

Then you edit the /etc/krb5.conf file (e.g. see the one I used on mrg15) and add an entry to /var/kerberos/krb5kdc/kadm5.acl to grant administrative access. I simply added the following line:

*/admin@QPID_TEST       *

which I believe grants all rights to any account that ends with '/admin'.

You then create that admin user, e.g.:

/usr/kerberos/sbin/kadmin.local -q "addprinc admin/admin"

Then you start the services krb5kdc and kadmin.

Then you create (a) user account(s) using the kadmin.local tool. This starts an interactive 'shell' and the command to do so is: addprinc <username>.

You also need a principal for the qpidd service. I used: addprinc -randkey qpidd/mrg15.lab.bos.redhat.com for that. Then you export a keytab entry for that principal with the ktadd command, e.g.: ktadd qpidd/mrg15.lab.bos.redhat.com. This is /etc/krb5.keytab by default and the qpidd server must be able to access it (I ran my qpidd as root for this).
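A pre-flight check for the prerequisites the comment above lists (cyrus-sasl-gssapi installed, a mech-list that still offers GSSAPI, a keytab the broker can read that holds the qpidd/<hostname> principal). This is an added example, not part of the bug's patches or the scripts posted here; it assumes the Cyrus SASL option name mech_list, the config path /etc/sasl2/qpidd.conf and the default keytab /etc/krb5.keytab.

```shell
#!/bin/sh
# Added example (not from this bug): pre-flight checks for qpidd GSSAPI auth.
# Assumptions: the broker's SASL mechanism list lives in /etc/sasl2/qpidd.conf
# (Cyrus SASL "mech_list" option) and the service keytab is /etc/krb5.keytab.

# Return 0 if the SASL config text (arg 1) still offers GSSAPI. Cyrus SASL
# semantics: no mech_list line at all means every installed mechanism is offered.
sasl_allows_gssapi() {
    list=$(printf '%s\n' "$1" | sed -n 's/^[[:space:]]*mech_list:[[:space:]]*//p' | tail -n 1)
    [ -z "$list" ] && return 0
    printf '%s\n' "$list" | tr 'a-z' 'A-Z' | tr ' ' '\n' | grep -qx GSSAPI
}

# Return 0 if `klist -k` output (arg 1) lists qpidd/<host>@<realm> for host arg 2.
# The second whitespace-separated column of each keytab line is the principal.
keytab_has_qpidd_principal() {
    printf '%s\n' "$1" | awk -v p="qpidd/$2@" 'index($2, p) == 1 { found = 1 } END { exit !found }'
}

# Run the real checks on this host; prints one line per missing prerequisite.
preflight() {
    host="$1"
    rpm -q cyrus-sasl-gssapi >/dev/null 2>&1 || echo "cyrus-sasl-gssapi is not installed"
    sasl_allows_gssapi "$(cat /etc/sasl2/qpidd.conf 2>/dev/null)" \
        || echo "mech_list in /etc/sasl2/qpidd.conf excludes GSSAPI"
    [ -r /etc/krb5.keytab ] || echo "/etc/krb5.keytab is not readable by $(id -un)"
    keytab_has_qpidd_principal "$(klist -k /etc/krb5.keytab 2>/dev/null)" "$host" \
        || echo "no qpidd/$host principal in /etc/krb5.keytab"
}

# Constructed sample inputs (not captured from a real host) to exercise the parsers offline.
SAMPLE_CFG_OK='mech_list: gssapi plain'
SAMPLE_CFG_BAD='mech_list: PLAIN ANONYMOUS'
SAMPLE_CFG_NONE='pwcheck_method: saslauthd'
SAMPLE_KLIST='Keytab name: FILE:/etc/krb5.keytab
KVNO Principal
---- --------------------------------------------------------------------------
   2 qpidd/mrg15.lab.bos.redhat.com@QPID_TEST'
```

Run `preflight "$(hostname -f)"` as the user qpidd runs as; the SAMPLE_ variables only feed the two parsers and are not consulted by preflight.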
Comment 9 Jan Sarenik 2009-02-19 05:04:56 EST
Verified on RHEL5 i386.

Will verify on x86_64 soon. So far the full script follows:
#!/bin/bash
# make sure you have everything installed -
# yum install krb5-server krb5-workstation qpidd qpidc-perftest

# The posted script used these variables without setting them; the values
# below are placeholders and must match your realm, broker host and test user.
REALM=${REALM:-QPID_TEST}
FQDN=${FQDN:-$(hostname -f)}
USERNAME=${USERNAME:-testuser}

cat > /etc/krb5.conf <<EOF
[libdefaults]
    default_realm = $REALM

[realms]
    $REALM = {
        kdc = $FQDN
        admin_server = $FQDN
    }

[domain_realm]
    .redhat.com = $REALM

[logging]
    kdc = FILE:/var/log/krb5kdc.log
    admin_server = FILE:/var/log/kadmin.log
    default = FILE:/var/log/krb5lib.log
EOF

cat > /var/kerberos/krb5kdc/kdc.conf <<EOF
[kdcdefaults]
 v4_mode = nopreauth
 kdc_tcp_ports = 88

[realms]
 $REALM = {
  acl_file = /var/kerberos/krb5kdc/kadm5.acl
  dict_file = /usr/share/dict/words
  admin_keytab = /var/kerberos/krb5kdc/kadm5.keytab
  supported_enctypes = des3-hmac-sha1:normal arcfour-hmac:normal des-hmac-sha1:normal des-cbc-md5:normal des-cbc-crc:normal des-cbc-crc:v4 des-cbc-crc:afs3
 }
EOF

# any principal ending in /admin gets full rights (see comment 7)
cat > /var/kerberos/krb5kdc/kadm5.acl <<EOF
*/admin@$REALM       *
EOF

kdb5_util create -s                        # prompts for the KDC master password
kadmin.local -q 'addprinc admin/admin'     # prompts for the admin password
/etc/init.d/krb5kdc start
/etc/init.d/kadmin start
kinit admin/admin
kadmin -q "addprinc -randkey qpidd/$FQDN"  # service principal for the broker
kadmin -q "ktadd qpidd/$FQDN"              # writes its key to /etc/krb5.keytab
kadmin -q "addprinc $USERNAME"             # prompts for the test user's password
qpidd --auth yes --realm $REALM &
perftest -b $FQDN --mechanism GSSAPI --username $USERNAME --tx 1

and the clean-up:
pkill qpidd
/etc/init.d/krb5kdc stop
/etc/init.d/kadmin stop
rm -rfv /etc/krb5*
rm -rfv /var/kerberos/krb5kdc/{.k*,*}
Comment 10 Jan Sarenik 2009-02-23 07:33:57 EST
Verified on both i386 and x86_64, on both RHEL4.7 and RHEL5.3.

The package cyrus-sasl-gssapi was also vital and I did not mention it earlier.


Comment 11 Jan Sarenik 2009-04-14 10:45:54 EDT
Created attachment 339507 [details]
Automated test

Something like this will be added to RHTS soon.
Tested on both RHELs (4 and 5).
