Bug 585866 - qpid python client hangs in connection_start() when GSSAPI authentication fails because of invalid krb ticket
qpid python client hangs in connection_start() when GSSAPI authentication fai...
Status: CLOSED ERRATA
Product: Red Hat Enterprise MRG
Classification: Red Hat
Component: python-qpid (Show other bugs)
Development
All Linux
medium Severity high
: 1.3
: ---
Assigned To: Gordon Sim
Frantisek Reznicek
:
Depends On:
Blocks:
  Show dependency treegraph
 
Reported: 2010-04-26 06:07 EDT by Frantisek Reznicek
Modified: 2015-11-15 20:12 EST (History)
2 users (show)

See Also:
Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed:
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---


Attachments (Terms of Use)
The testing client (9.87 KB, application/x-tbz)
2010-04-26 06:16 EDT, Frantisek Reznicek
no flags Details

  None (edit)
Description Frantisek Reznicek 2010-04-26 06:07:10 EDT
Description of problem:

There are observed issues with qpid python client trying to authenticate using GSSAPI method when GSSAPI/kerberos ticket is not available/valid.

More precisely the observation proves that GSSAP authentication passes when kerberos ticket is available and valid, but when the same command == authentication test is re-run after kdestroy (kerberos ticket cache cleared) then qpid python client hangs in connection_start():

qc_client.py --conn-auth-mechanism GSSAPI -p 43942 --user 0K1TJvtuRzC8n4QjUKSparV --broker mrg-qe-02.lab.eng.brq.redhat.com
Exception in thread Thread-1:
Traceback (most recent call last):
  File "/usr/lib64/python2.4/threading.py", line 442, in __bootstrap
    self.run()
  File "/usr/lib64/python2.4/threading.py", line 422, in run
    self.__target(*self.__args, **self.__kwargs)
  File "/usr/lib/python2.4/site-packages/qpid/connection.py", line 179, in run
    self.delegate.received(op)
  File "/usr/lib/python2.4/site-packages/qpid/delegates.py", line 52, in received
    getattr(self, op.NAME)(ch, op)
  File "/usr/lib/python2.4/site-packages/qpid/delegates.py", line 213, in connection_start
    raise Closed("SASL error: %s" % self.sasl.getError())
Closed: SASL error: Error in sasl_client_start (-1) SASL(-1): generic failure: GSSAPI Error: Unspecified GSS failure.  Minor code may provide mor
e information (Unknown code krb5 195)


I believe message might be correct, but client then stops operation and hangs, even the connection timeout does not end this.

Above behavior was detected on both RHEL 5.5. i386 and x86_64.


Version-Release number of selected component (if applicable):


How reproducible:
100%

Steps to Reproduce:
1. set-up kerberos
2. run broker with authentication (--auth yes)
3. perform kinit <user>
4. perform client test
   qc_client.py --conn-auth-mechanism GSSAPI -p 35585 
                --user <existing-user> --broker <broker-host>
   expect everything ok  
5. perform kdestroy
6. perform client test the same as in point 4.
   behavior - hang in connection_start()

Actual results:
qpid python client hangs in connection_start() when GSSAPI authentication fails because of invalid krb ticket.

Expected results:
qpid python client should not hang when GSSAPI authentication fails because of invalid krb ticket.

Additional info:

Example of client run:

qc_client.py --conn-auth-mechanism GSSAPI -p 35585 --user KPml54FCRyIL6GByY --broker mrg-qe-01.lab.eng.brq.redhat.com
qc_client.py --conn-auth-mechanism GSSAPI -p 35585 --user KPml54FCRyIL6GByY --broker mrg-qe-01.lab.eng.brq.redhat.com
Exception in thread Thread-1:
Traceback (most recent call last):
  File "/usr/lib/python2.4/threading.py", line 442, in __bootstrap
    self.run()
  File "/usr/lib/python2.4/threading.py", line 422, in run
    self.__target(*self.__args, **self.__kwargs)
  File "/usr/lib/python2.4/site-packages/qpid/connection.py", line 179, in run
    self.delegate.received(op)
  File "/usr/lib/python2.4/site-packages/qpid/delegates.py", line 52, in received
    getattr(self, op.NAME)(ch, op)
  File "/usr/lib/python2.4/site-packages/qpid/delegates.py", line 213, in connection_start
    raise Closed("SASL error: %s" % self.sasl.getError())
Closed: SASL error: Error in sasl_client_start (-1) SASL(-1): generic failure: GSSAPI Error: Unspecified GSS failure.  Minor code may provide mor
e information (No credentials cache found)

qc_client.py --conn-auth-mechanism GSSAPI -p 35585 --user KPml54FCRyIL6GByY --broker mrg-qe-01.lab.eng.brq.redhat.com
Comment 1 Frantisek Reznicek 2010-04-26 06:13:57 EDT
Issue seen on packages:
[root@mrg-qe-02 qpid_ptest_authentication_krb5]# [root@mrg-qe-02 1]# rpm -qa |
grep -E '(qpid|sasl)' | sort -u
cyrus-sasl-2.1.22-5.el5_4.3
cyrus-sasl-devel-2.1.22-5.el5_4.3
cyrus-sasl-gssapi-2.1.22-5.el5_4.3
cyrus-sasl-lib-2.1.22-5.el5_4.3
cyrus-sasl-plain-2.1.22-5.el5_4.3
python-qpid-0.7.934605-1.el5
python-saslwrapper-0.1.934605-1.el5
qpid-cpp-client-0.7.935473-1.el5
qpid-cpp-client-devel-0.7.935473-1.el5
qpid-cpp-client-devel-docs-0.7.935473-1.el5
qpid-cpp-client-ssl-0.7.935473-1.el5
qpid-cpp-mrg-debuginfo-0.7.935473-1.el5
qpid-cpp-server-0.7.935473-1.el5
qpid-cpp-server-cluster-0.7.935473-1.el5
qpid-cpp-server-devel-0.7.935473-1.el5
qpid-cpp-server-ssl-0.7.935473-1.el5
qpid-cpp-server-store-0.7.935473-1.el5
qpid-cpp-server-xml-0.7.935473-1.el5
qpid-java-client-0.7.934605-1.el5
qpid-java-common-0.7.934605-1.el5
qpid-tests-0.7.930108-1.el5
qpid-tools-0.7.934605-2.el5
ruby-qpid-0.7.935473-1.el5
ruby-saslwrapper-0.1.934605-1.el5
saslwrapper-0.1.934605-1.el5
saslwrapper-devel-0.1.934605-1.el5
Comment 2 Frantisek Reznicek 2010-04-26 06:16:59 EDT
Created attachment 409130 [details]
The testing client
Comment 3 Gordon Sim 2010-04-27 12:50:42 EDT
Fixed in r938558.
Comment 4 Frantisek Reznicek 2010-06-02 04:54:50 EDT
The issue has been fixed, tested on RHEL 5.5 i386 / x86_64 on packages:
python-qpid-0.7.946106-1.el5
qpid-cpp-client-0.7.946106-2.el5
qpid-cpp-client-devel-0.7.946106-2.el5
qpid-cpp-client-devel-docs-0.7.946106-2.el5
qpid-cpp-client-ssl-0.7.946106-2.el5
qpid-cpp-mrg-debuginfo-0.7.946106-1.el5
qpid-cpp-server-0.7.946106-2.el5
qpid-cpp-server-cluster-0.7.946106-2.el5
qpid-cpp-server-devel-0.7.946106-2.el5
qpid-cpp-server-ssl-0.7.946106-2.el5
qpid-cpp-server-store-0.7.946106-2.el5
qpid-cpp-server-xml-0.7.946106-2.el5
qpid-java-client-0.7.946106-3.el5
qpid-java-common-0.7.946106-3.el5
qpid-tests-0.7.946106-1.el5
qpid-tools-0.7.946106-4.el5
ruby-qpid-0.7.946106-1.el5

-> VERIFIED

Note You need to log in before you can comment on or make changes to this bug.