Bug 585866 - qpid python client hangs in connection_start() when GSSAPI authentication fails because of invalid krb ticket
Summary: qpid python client hangs in connection_start() when GSSAPI authentication fai...
Status: CLOSED ERRATA
Alias: None
Product: Red Hat Enterprise MRG
Classification: Red Hat
Component: python-qpid   
(Show other bugs)
Version: Development
Hardware: All Linux
medium
high
Target Milestone: 1.3
: ---
Assignee: Gordon Sim
QA Contact: Frantisek Reznicek
URL:
Whiteboard:
Keywords:
Depends On:
Blocks:
TreeView+ depends on / blocked
 
Reported: 2010-04-26 10:07 UTC by Frantisek Reznicek
Modified: 2015-11-16 01:12 UTC (History)
2 users (show)

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed:
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---


Attachments (Terms of Use)
The testing client (9.87 KB, application/x-tbz)
2010-04-26 10:16 UTC, Frantisek Reznicek
no flags Details

Description Frantisek Reznicek 2010-04-26 10:07:10 UTC
Description of problem:

There are observed issues with qpid python client trying to authenticate using GSSAPI method when GSSAPI/kerberos ticket is not available/valid.

More precisely the observation proves that GSSAP authentication passes when kerberos ticket is available and valid, but when the same command == authentication test is re-run after kdestroy (kerberos ticket cache cleared) then qpid python client hangs in connection_start():

qc_client.py --conn-auth-mechanism GSSAPI -p 43942 --user 0K1TJvtuRzC8n4QjUKSparV --broker mrg-qe-02.lab.eng.brq.redhat.com
Exception in thread Thread-1:
Traceback (most recent call last):
  File "/usr/lib64/python2.4/threading.py", line 442, in __bootstrap
    self.run()
  File "/usr/lib64/python2.4/threading.py", line 422, in run
    self.__target(*self.__args, **self.__kwargs)
  File "/usr/lib/python2.4/site-packages/qpid/connection.py", line 179, in run
    self.delegate.received(op)
  File "/usr/lib/python2.4/site-packages/qpid/delegates.py", line 52, in received
    getattr(self, op.NAME)(ch, op)
  File "/usr/lib/python2.4/site-packages/qpid/delegates.py", line 213, in connection_start
    raise Closed("SASL error: %s" % self.sasl.getError())
Closed: SASL error: Error in sasl_client_start (-1) SASL(-1): generic failure: GSSAPI Error: Unspecified GSS failure.  Minor code may provide mor
e information (Unknown code krb5 195)


I believe message might be correct, but client then stops operation and hangs, even the connection timeout does not end this.

Above behavior was detected on both RHEL 5.5. i386 and x86_64.


Version-Release number of selected component (if applicable):


How reproducible:
100%

Steps to Reproduce:
1. set-up kerberos
2. run broker with authentication (--auth yes)
3. perform kinit <user>
4. perform client test
   qc_client.py --conn-auth-mechanism GSSAPI -p 35585 
                --user <existing-user> --broker <broker-host>
   expect everything ok  
5. perform kdestroy
6. perform client test the same as in point 4.
   behavior - hang in connection_start()

Actual results:
qpid python client hangs in connection_start() when GSSAPI authentication fails because of invalid krb ticket.

Expected results:
qpid python client should not hang when GSSAPI authentication fails because of invalid krb ticket.

Additional info:

Example of client run:

qc_client.py --conn-auth-mechanism GSSAPI -p 35585 --user KPml54FCRyIL6GByY --broker mrg-qe-01.lab.eng.brq.redhat.com
qc_client.py --conn-auth-mechanism GSSAPI -p 35585 --user KPml54FCRyIL6GByY --broker mrg-qe-01.lab.eng.brq.redhat.com
Exception in thread Thread-1:
Traceback (most recent call last):
  File "/usr/lib/python2.4/threading.py", line 442, in __bootstrap
    self.run()
  File "/usr/lib/python2.4/threading.py", line 422, in run
    self.__target(*self.__args, **self.__kwargs)
  File "/usr/lib/python2.4/site-packages/qpid/connection.py", line 179, in run
    self.delegate.received(op)
  File "/usr/lib/python2.4/site-packages/qpid/delegates.py", line 52, in received
    getattr(self, op.NAME)(ch, op)
  File "/usr/lib/python2.4/site-packages/qpid/delegates.py", line 213, in connection_start
    raise Closed("SASL error: %s" % self.sasl.getError())
Closed: SASL error: Error in sasl_client_start (-1) SASL(-1): generic failure: GSSAPI Error: Unspecified GSS failure.  Minor code may provide mor
e information (No credentials cache found)

qc_client.py --conn-auth-mechanism GSSAPI -p 35585 --user KPml54FCRyIL6GByY --broker mrg-qe-01.lab.eng.brq.redhat.com

Comment 1 Frantisek Reznicek 2010-04-26 10:13:57 UTC
Issue seen on packages:
[root@mrg-qe-02 qpid_ptest_authentication_krb5]# [root@mrg-qe-02 1]# rpm -qa |
grep -E '(qpid|sasl)' | sort -u
cyrus-sasl-2.1.22-5.el5_4.3
cyrus-sasl-devel-2.1.22-5.el5_4.3
cyrus-sasl-gssapi-2.1.22-5.el5_4.3
cyrus-sasl-lib-2.1.22-5.el5_4.3
cyrus-sasl-plain-2.1.22-5.el5_4.3
python-qpid-0.7.934605-1.el5
python-saslwrapper-0.1.934605-1.el5
qpid-cpp-client-0.7.935473-1.el5
qpid-cpp-client-devel-0.7.935473-1.el5
qpid-cpp-client-devel-docs-0.7.935473-1.el5
qpid-cpp-client-ssl-0.7.935473-1.el5
qpid-cpp-mrg-debuginfo-0.7.935473-1.el5
qpid-cpp-server-0.7.935473-1.el5
qpid-cpp-server-cluster-0.7.935473-1.el5
qpid-cpp-server-devel-0.7.935473-1.el5
qpid-cpp-server-ssl-0.7.935473-1.el5
qpid-cpp-server-store-0.7.935473-1.el5
qpid-cpp-server-xml-0.7.935473-1.el5
qpid-java-client-0.7.934605-1.el5
qpid-java-common-0.7.934605-1.el5
qpid-tests-0.7.930108-1.el5
qpid-tools-0.7.934605-2.el5
ruby-qpid-0.7.935473-1.el5
ruby-saslwrapper-0.1.934605-1.el5
saslwrapper-0.1.934605-1.el5
saslwrapper-devel-0.1.934605-1.el5

Comment 2 Frantisek Reznicek 2010-04-26 10:16:59 UTC
Created attachment 409130 [details]
The testing client

Comment 3 Gordon Sim 2010-04-27 16:50:42 UTC
Fixed in r938558.

Comment 4 Frantisek Reznicek 2010-06-02 08:54:50 UTC
The issue has been fixed, tested on RHEL 5.5 i386 / x86_64 on packages:
python-qpid-0.7.946106-1.el5
qpid-cpp-client-0.7.946106-2.el5
qpid-cpp-client-devel-0.7.946106-2.el5
qpid-cpp-client-devel-docs-0.7.946106-2.el5
qpid-cpp-client-ssl-0.7.946106-2.el5
qpid-cpp-mrg-debuginfo-0.7.946106-1.el5
qpid-cpp-server-0.7.946106-2.el5
qpid-cpp-server-cluster-0.7.946106-2.el5
qpid-cpp-server-devel-0.7.946106-2.el5
qpid-cpp-server-ssl-0.7.946106-2.el5
qpid-cpp-server-store-0.7.946106-2.el5
qpid-cpp-server-xml-0.7.946106-2.el5
qpid-java-client-0.7.946106-3.el5
qpid-java-common-0.7.946106-3.el5
qpid-tests-0.7.946106-1.el5
qpid-tools-0.7.946106-4.el5
ruby-qpid-0.7.946106-1.el5

-> VERIFIED


Note You need to log in before you can comment on or make changes to this bug.