Qpidd tries authentication mechanisms of SASL in the order in which they are reported by the library* (see `sasl2-shared-mechlist' from the cyrus-sasl-devel package), but does not try other listed mechanisms if the current method fails with an error.

* If not defined via the `mech_list' configuration option. See the reproduction instructions below.

This means that if I have the GSSAPI SASL module installed but Kerberos is not configured, I have to supply the `--mechanism PLAIN' parameter when running perftest to successfully authenticate via the PLAIN method on RHEL5. On RHEL4 the available mechanisms are reported to qpidd in a different order, which means that PLAIN is tried before GSSAPI and everything seems to work fine.

I would expect qpidd to try other mechanisms even if one like GSSAPI fails.

To reproduce, first install the following packages:

qpidd
qpidc-perftest
cyrus-sasl-gssapi
cyrus-sasl-plain

Add a user to sasl2db:

# saslpasswd2 -p -f /var/lib/qpidd/qpidd.sasldb -u localhost test <<<PASS

Run the broker:

# service qpidd start

## Extra step to trigger the bug on RHEL4:
## # echo "mech_list: GSSAPI PLAIN" >> /usr/lib/sasl2/qpidd.conf

Now run the perftest:

# perftest --user test@localhost --password PASS --count 1

Versions used:

qpidd-0.5.752581-26.el5
qpidc-perftest-0.5.752581-26.el5
cyrus-sasl-gssapi-2.1.22-5.el5
cyrus-sasl-plain-2.1.22-5.el5
cyrus-sasl-devel-2.1.22-5.el5 (used only for `sasl2-shared-mechlist')

The error messages I am getting are:

on RHEL5
-----------------------------------------------------------------------------
# perftest --user testuser@localhost --password ahoj --count 1
2009-sep-29 18:10:11 warning Closing connection due to internal-error: Sasl error: SASL(-1): generic failure: GSSAPI Error: Unspecified GSS failure. Minor code may provide more information (No credentials cache found) (qpid/client/SaslFactory.cpp:226)
internal-error: Sasl error: SASL(-1): generic failure: GSSAPI Error: Unspecified GSS failure. Minor code may provide more information (No credentials cache found) (qpid/client/SaslFactory.cpp:226)
-----------------------------------------------------------------------------

on RHEL4
-----------------------------------------------------------------------------
# perftest --user testuser@localhost --password ahoj --count=1
2009-sep-29 18:06:37 warning Closing connection due to internal-error: Sasl error: SASL(-1): generic failure: GSSAPI Error: Miscellaneous failure (No credentials cache found) (qpid/client/SaslFactory.cpp:226)
internal-error: Sasl error: SASL(-1): generic failure: GSSAPI Error: Miscellaneous failure (No credentials cache found) (qpid/client/SaslFactory.cpp:226)
-----------------------------------------------------------------------------

on RHEL5, qpidd -t
-----------------------------------------------------------------------------
...
2009-sep-29 18:28:53 info SASL enabled
2009-sep-29 18:28:53 notice Listening on TCP port 5672
2009-sep-29 18:28:53 info Registered replication exchange
2009-sep-29 18:28:53 notice Broker running
2009-sep-29 18:29:03 debug RECV [127.0.0.1:53467] INIT(0-10)
2009-sep-29 18:29:03 debug min_ssf: 0, max_ssf: 256
2009-sep-29 18:29:03 info SASL: Mechanism list: GSSAPI LOGIN ANONYMOUS PLAIN
2009-sep-29 18:29:03 trace SENT 127.0.0.1:53467 INIT(0-10)
2009-sep-29 18:29:03 trace SENT [127.0.0.1:53467]: Frame[BEbe; channel=0; {ConnectionStartBody: server-properties={qpid.federation_tag:V2:36:str16(836ecdb5-d9f7-4b8a-a50b-3c65a261f5f4)}; mechanisms=str16{V2:6:str16(GSSAPI), V2:5:str16(LOGIN), V2:9:str16(ANONYMOUS), V2:5:str16(PLAIN)}; locales=str16{V2:5:str16(en_US)}; }]
2009-sep-29 18:29:03 trace RECV [127.0.0.1:53467]: Frame[BEbe; channel=0; {ConnectionCloseBody: reply-code=501; reply-text=internal-error: Sasl error: SASL(-1): generic failure: GSSAPI Error: Unspecified GSS failure. Minor code may provide more information (No credentials cache found) (qpid/client/SaslFactory.cpp:226); }]
2009-sep-29 18:29:03 warning Client closed connection with 501: internal-error: Sasl error: SASL(-1): generic failure: GSSAPI Error: Unspecified GSS failure. Minor code may provide more information (No credentials cache found) (qpid/client/SaslFactory.cpp:226)
2009-sep-29 18:29:03 trace SENT [127.0.0.1:53467]: Frame[BEbe; channel=0; {ConnectionCloseOkBody: }]
-----------------------------------------------------------------------------
I'm closing this as Not-A-Bug.

When choosing the appropriate mechanism for use in authentication, the client takes the list of available mechanisms from the server, takes the intersection of that set with the set of acceptable mechanisms (usually any-mechanism or a specific one) and allows the SASL library to choose the best from the pared-down list.

If authentication fails, then the connection closes and the client application must correct the situation and try again. It is not appropriate for the client to automatically try more than one mechanism for a connection.

-Ted
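An added example, not part of the bug report or of qpid: a small triage script for broker trace output like the RHEL5 `qpidd -t` log in the report. It pairs the advertised mechanism list with the SASL failure the client reported and lists the mechanisms that were offered but never attempted. The function `triage` and its field names are hypothetical, and the sample lines are shortened from the report.

```python
import re

# Constructed sample: lines shortened from the RHEL5 `qpidd -t` trace in the report.
SAMPLE_LOG = """\
2009-sep-29 18:29:03 debug RECV [127.0.0.1:53467] INIT(0-10)
2009-sep-29 18:29:03 info SASL: Mechanism list: GSSAPI LOGIN ANONYMOUS PLAIN
2009-sep-29 18:29:03 warning Client closed connection with 501: internal-error: Sasl error: SASL(-1): generic failure: GSSAPI Error: Unspecified GSS failure. Minor code may provide more information (No credentials cache found) (qpid/client/SaslFactory.cpp:226)
"""

MECH_RE = re.compile(r"SASL: Mechanism list: (?P<mechs>.+)$")
CLOSE_RE = re.compile(r"Client closed connection with (?P<code>\d+): (?P<text>.+)$")


def triage(log_text):
    """Pair each advertised mechanism list with the next client close that
    reports a SASL error, and name the mechanism that failed.
    Assumption: connections are not interleaved in the log."""
    findings = []
    offered = None
    for line in log_text.splitlines():
        m = MECH_RE.search(line)
        if m:
            offered = m.group("mechs").split()
            continue
        c = CLOSE_RE.search(line)
        if c and offered and "Sasl error" in c.group("text"):
            # The failing mechanism is not logged as its own field; infer it
            # from the "<MECH> Error:" prefix inside the SASL error text.
            failed = next((mech for mech in offered
                           if mech + " Error" in c.group("text")), None)
            findings.append({
                "reply_code": int(c.group("code")),
                "offered": offered,
                "failed": failed,
                "not_attempted": [x for x in offered if x != failed],
            })
            offered = None
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f)
```

When the script names a mechanism that is installed but not configured, the thread gives two remedies: pin the client with `--mechanism`, or restrict `mech_list` in the broker's SASL configuration.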