Bug 526285 - Other SASL authentication methods not tried after GSSAPI error
Summary: Other SASL authentication methods not tried after GSSAPI error
Keywords:
Status: CLOSED NOTABUG
Alias: None
Product: Red Hat Enterprise MRG
Classification: Red Hat
Component: qpid-cpp
Version: 1.1.6
Hardware: All
OS: Linux
medium
high
Target Milestone: 1.3
Assignee: Ted Ross
QA Contact: Jan Sarenik
URL:
Whiteboard:
Depends On:
Blocks:
 
Reported: 2009-09-29 16:31 UTC by Jan Sarenik
Modified: 2009-11-11 17:54 UTC (History)

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2009-11-11 17:54:30 UTC



Description Jan Sarenik 2009-09-29 16:31:10 UTC
Qpidd tries the SASL authentication mechanisms in the order in which
they are reported by the library* (see `sasl2-shared-mechlist'
from the cyrus-sasl-devel package), but does not try the other listed
mechanisms if the current method fails with an error.

  * If not defined via `mech_list' configuration option.
    See the reproduction instructions below.

This means that if I have the GSSAPI SASL module installed but
Kerberos is not configured, I have to supply the `--mechanism PLAIN'
parameter when running perftest to successfully authenticate
via the PLAIN method on RHEL5.

On RHEL4 the available mechanisms are reported to qpidd
in different order which means that PLAIN is being
tried before GSSAPI and everything seems to work fine.

I would expect qpidd to try other mechanisms even if one
like GSSAPI fails.

To reproduce, first install the following packages:
  qpidd qpidc-perftest cyrus-sasl-gssapi cyrus-sasl-plain
Add a user to sasl2db:
  # saslpasswd2 -p -f /var/lib/qpidd/qpidd.sasldb -u localhost test <<<PASS
Run the broker:
  # service qpidd start
## Extra step to trigger the bug on RHEL4:
##  # echo "mech_list: GSSAPI PLAIN" >> /usr/lib/sasl2/qpidd.conf
Now run the perftest:
  # perftest --user test@localhost --password PASS --count 1

Versions used:
  qpidd-0.5.752581-26.el5
  qpidc-perftest-0.5.752581-26.el5
  cyrus-sasl-gssapi-2.1.22-5.el5
  cyrus-sasl-plain-2.1.22-5.el5
  cyrus-sasl-devel-2.1.22-5.el5 (used only for `sasl2-shared-mechlist')

The error messages I am getting are:
on RHEL5
-----------------------------------------------------------------------------
  # perftest --user testuser@localhost --password ahoj --count 1
2009-sep-29 18:10:11 warning Closing connection due to internal-error: Sasl error: SASL(-1): generic failure: GSSAPI Error: Unspecified GSS failure.  Minor code may provide more information (No credentials cache found) (qpid/client/SaslFactory.cpp:226)

internal-error: Sasl error: SASL(-1): generic failure: GSSAPI Error: Unspecified GSS failure.  Minor code may provide more information (No credentials cache found) (qpid/client/SaslFactory.cpp:226)
-----------------------------------------------------------------------------

on RHEL4
-----------------------------------------------------------------------------
  # perftest --user testuser@localhost --password ahoj --count=1
2009-sep-29 18:06:37 warning Closing connection due to internal-error: Sasl error: SASL(-1): generic failure: GSSAPI Error: Miscellaneous failure (No credentials cache found) (qpid/client/SaslFactory.cpp:226)

internal-error: Sasl error: SASL(-1): generic failure: GSSAPI Error: Miscellaneous failure (No credentials cache found) (qpid/client/SaslFactory.cpp:226)
-----------------------------------------------------------------------------

on RHEL5, qpidd -t
-----------------------------------------------------------------------------
...
2009-sep-29 18:28:53 info SASL enabled
2009-sep-29 18:28:53 notice Listening on TCP port 5672
2009-sep-29 18:28:53 info Registered replication exchange
2009-sep-29 18:28:53 notice Broker running
2009-sep-29 18:29:03 debug RECV [127.0.0.1:53467] INIT(0-10)
2009-sep-29 18:29:03 debug min_ssf: 0, max_ssf: 256
2009-sep-29 18:29:03 info SASL: Mechanism list: GSSAPI LOGIN ANONYMOUS PLAIN
2009-sep-29 18:29:03 trace SENT 127.0.0.1:53467 INIT(0-10)
2009-sep-29 18:29:03 trace SENT [127.0.0.1:53467]: Frame[BEbe; channel=0; {ConnectionStartBody: server-properties={qpid.federation_tag:V2:36:str16(836ecdb5-d9f7-4b8a-a50b-3c65a261f5f4)}; mechanisms=str16{V2:6:str16(GSSAPI), V2:5:str16(LOGIN), V2:9:str16(ANONYMOUS), V2:5:str16(PLAIN)}; locales=str16{V2:5:str16(en_US)}; }]
2009-sep-29 18:29:03 trace RECV [127.0.0.1:53467]: Frame[BEbe; channel=0; {ConnectionCloseBody: reply-code=501; reply-text=internal-error: Sasl error: SASL(-1): generic failure: GSSAPI Error: Unspecified GSS failure.  Minor code may provide more information (No credentials cache found) (qpid/client/SaslFactory.cpp:226); }]
2009-sep-29 18:29:03 warning Client closed connection with 501: internal-error: Sasl error: SASL(-1): generic failure: GSSAPI Error: Unspecified GSS failure.  Minor code may provide more information (No credentials cache found) (qpid/client/SaslFactory.cpp:226)
2009-sep-29 18:29:03 trace SENT [127.0.0.1:53467]: Frame[BEbe; channel=0; {ConnectionCloseOkBody: }]
-----------------------------------------------------------------------------

Comment 2 Ted Ross 2009-11-11 17:54:30 UTC
I'm closing this as Not-A-Bug.

When choosing the appropriate mechanism for use in authentication, the client takes the list of available mechanisms from the server, takes the intersection of that set with the set of acceptable mechanisms (usually any-mechanism or a specific one) and allows the SASL library to choose the best from the pared-down list.

If authentication fails, then the connection closes and the client application must correct the situation and try again.  It is not appropriate for the client to automatically try more than one mechanism for a connection.

-Ted
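The selection rule Ted describes, as an added example that is not qpid's own code: the broker's "SASL: Mechanism list" log line from the report is parsed, intersected with the client's acceptable set (everything by default, or the single mechanism given with `--mechanism PLAIN`), and exactly one mechanism is tried per connection. The preference order and the `attempt` outcome model are assumptions standing in for the SASL library's own ranking.

```python
# Added example (not qpid or cyrus-sasl code): models client-side SASL
# mechanism selection as described in Comment 2, with no fallback on failure.
import re

# Constructed preference order standing in for the SASL library's ranking.
PREFERENCE = ["GSSAPI", "PLAIN", "LOGIN", "ANONYMOUS"]

MECHLIST_RE = re.compile(r"SASL: Mechanism list: (?P<mechs>[A-Z0-9_ -]+)$")

# Log line taken from the qpidd -t output in the report.
LOG = "2009-sep-29 18:29:03 info SASL: Mechanism list: GSSAPI LOGIN ANONYMOUS PLAIN"


def server_mechanisms(log_line):
    """Extract the broker-offered mechanisms from a qpidd -t log line."""
    m = MECHLIST_RE.search(log_line)
    if not m:
        raise ValueError("no mechanism list in log line")
    return m.group("mechs").split()


def choose_mechanism(offered, acceptable=None):
    """Return the single mechanism the client will try, or None.

    acceptable=None models the default (any mechanism); a set such as
    {"PLAIN"} models --mechanism PLAIN on the perftest command line.
    """
    candidates = set(offered) if acceptable is None else set(offered) & set(acceptable)
    for mech in PREFERENCE:
        if mech in candidates:
            return mech
    return None


def attempt(offered, acceptable=None, krb_cache=False):
    """One connection attempt: (outcome, mechanism). A failing mechanism
    closes the connection; no second mechanism is tried (assumed model)."""
    mech = choose_mechanism(offered, acceptable)
    if mech is None:
        return ("closed", None)
    if mech == "GSSAPI" and not krb_cache:
        return ("closed", mech)   # "No credentials cache found" in the report
    return ("authenticated", mech)


if __name__ == "__main__":
    offered = server_mechanisms(LOG)
    print(attempt(offered))                     # RHEL5 default: GSSAPI chosen, closed
    print(attempt(offered, {"PLAIN"}))          # --mechanism PLAIN: authenticated
    print(attempt(["PLAIN", "LOGIN"]))          # broker mech_list without GSSAPI
```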

