Bugzilla will be upgraded to version 5.0 on a still to be determined date in the near future. The original upgrade date has been delayed.
Bug 621527 - qpid python (low level api) fails to authenticate using GSSAPI method claiming ('Unspecified GSS failure...') when Connection's 'service' parameter is not explicitly specified
qpid python (low level api) fails to authenticate using GSSAPI method claimin...
Status: CLOSED CURRENTRELEASE
Product: Red Hat Enterprise MRG
Classification: Red Hat
Component: python-qpid (Show other bugs)
beta
All Linux
medium Severity medium
: 1.3
: ---
Assigned To: Rafael H. Schloming
MRG Quality Engineering
:
Depends On:
Blocks:
  Show dependency treegraph
 
Reported: 2010-08-05 07:32 EDT by Frantisek Reznicek
Modified: 2015-11-15 20:12 EST (History)
4 users (show)

See Also:
Fixed In Version: 0.10
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2013-02-25 05:54:13 EST
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---


Attachments (Terms of Use)

  None (edit)
Description Frantisek Reznicek 2010-08-05 07:32:17 EDT
Description of problem:

This issue is more specific clone of bug 617477 which got CLOSED.

The qpid python client fails GSSAPI authentication when Connection's parameter 'service' is not explicitly supplied (user and
credentials are valid).
When Connection's parameter 'service' is specified, then authentication passes.

The observed GSSAPI layer error message does not help with rootcause analysis.


There are observed continuous failure of python qpid client on RHEL 5.5 i386 /
x86_64 following ways:


RHEL 5.5 i386: ('...Unspecified GSS failure.  Minor code
  may provide more information (Server not found in Kerberos database)')

  qc_client.py --conn-auth-mechanism GSSAPI -p 49759 --user
343u2psaofS6PpWa3hZMn --broker pogolinux-1.rhts.eng.rdu.redhat.com
  Cannot connect to the broker pogolinux-1.rhts.eng.rdu.redhat.com:49759
  Traceback (most recent call last):
    File
"/mnt/tests/distribution/MRG/Messaging/qpid_common/clients/python/qc_lib.py",
line 236, in connect
      self.connection.start();
    File "/usr/lib/python2.4/site-packages/qpid/connection.py", line 152, in
start
      raise ConnectionFailed(*self.close_code)
  ConnectionFailed: (None, 'SASL error: Error in sasl_client_start (-1)
SASL(-1): generic failure: GSSAPI Error: Unspecified GSS failure.  Minor code
  may provide more information (Server not found in Kerberos database)')
  Traceback (most recent call last):
    File
"/mnt/tests/distribution/MRG/Messaging/qpid_common/clients/python/qc_client.py",
line 30, in ?
      sys.exit(main());
    File
"/mnt/tests/distribution/MRG/Messaging/qpid_common/clients/python/qc_client.py",
line 18, in main
      qc.connect();
    File
"/mnt/tests/distribution/MRG/Messaging/qpid_common/clients/python/qc_lib.py",
line 243, in connect
      raise QcException(e);
  qc_lib.QcException: <qpid.connection.ConnectionFailed instance at 0xb7dfb2ec>
  Exception qc_lib.QcException: <qc_lib.QcException instance at 0xb7dfb2ec> in
<bound method qc_client.__del__ of <qc_lib.qc_client object at 0xb7e9b
  c8c>> ignored
  ecode:1


RHEL 5.5 x86_64 ('...Unspecified GSS failure.  Minor code
  may provide more information (Unknown code krb5 7)'):

  qc_client.py --conn-auth-mechanism GSSAPI -p 41042 --user
EH0ncsAo3bT7EkT6XgBc --broker tyan-gt24-04.rhts.eng.bos.redhat.com
  Cannot connect to the broker tyan-gt24-04.rhts.eng.bos.redhat.com:41042
  Traceback (most recent call last):
    File
"/mnt/tests/distribution/MRG/Messaging/qpid_common/clients/python/qc_lib.py",
line 236, in connect
      self.connection.start();
    File "/usr/lib/python2.4/site-packages/qpid/connection.py", line 152, in
start
      raise ConnectionFailed(*self.close_code)
  ConnectionFailed: (None, 'SASL error: Error in sasl_client_start (-1)
SASL(-1): generic failure: GSSAPI Error: Unspecified GSS failure.  Minor code
  may provide more information (Unknown code krb5 7)')
  Traceback (most recent call last):
    File
"/mnt/tests/distribution/MRG/Messaging/qpid_common/clients/python/qc_client.py",
line 30, in ?
      sys.exit(main());
    File
"/mnt/tests/distribution/MRG/Messaging/qpid_common/clients/python/qc_client.py",
line 18, in main
      qc.connect();
    File
"/mnt/tests/distribution/MRG/Messaging/qpid_common/clients/python/qc_lib.py",
line 243, in connect
      raise QcException(e);
  qc_lib.QcException: <qpid.connection.ConnectionFailed instance at
0x2aedc7291d88>
  Exception qc_lib.QcException: <qc_lib.QcException instance at 0x9409dd0> in
<bound method qc_client.__del__ of <qc_lib.qc_client object at 0x2aedc7
  28b910>> ignored
  ecode:1




Version-Release number of selected component (if applicable):
python-qmf-0.7.946106-5.el5
python-qpid-0.7.946106-4.el5
python-saslwrapper-0.1.934605-2.el5
qmf-0.7.946106-6.el5
qmf-devel-0.7.946106-6.el5
qpid-cpp-client*-0.7.946106-6.el5
qpid-cpp-server*-0.7.946106-6.el5
qpid-java-*-0.7.946106-5.el5
qpid-tests-0.7.946106-1.el5
qpid-tools-0.7.946106-6.el5
  pending till
python-qmf-0.7.946106-8.el5
python-qpid-0.7.946106-11.el5
qmf-0.7.946106-11.el5
qmf-devel-0.7.946106-11.el5
qpid-cpp-client*-0.7.946106-11.el5
qpid-cpp-mrg-debuginfo-0.7.946106-11.el5
qpid-cpp-server*-0.7.946106-11.el5
qpid-java-client-0.7.946106-7.el5
qpid-java-common-0.7.946106-7.el5
qpid-tools-0.7.946106-8.el5
rh-qpid-cpp-tests-0.7.946106-11.el5
ruby-qmf-0.7.946106-11.el5
ruby-qpid-0.7.946106-2.el5

How reproducible:
100%

Steps to Reproduce:
0. All necessary kerberos, cyrus-sasl and saslwrapper packages are installed.
   Kerberos service is set-up for current machine for admin user
   admin@EXAMPLE.COM and unprivileged user EH0nc@EXAMPLE.COM

1. User get's his kerberos ticket using kinit
2. Broker (qpidd)  is started up with --auth yes
3. qpid python client is executed to get connection to the broker using GSSAPI
authentication:
   qc_client.py --conn-auth-mechanism GSSAPI -p 41042 --user EH0ncs \
                --broker tyan-gt24-04.rhts.eng.bos.redhat.com
Actual results:
Qpid python client (low level API) fails GSSAPI authentication under normal
conditions when it should pass.

Expected results:
Qpid python client (low level API) should pass GSSAPI authentication under
normal conditions.

Additional info:

Any client can be user for such purpose, functional case is:

  connection = Connection (sock=socket, 
                           username=options.auth_user, 
                           mechanism=options.conn_auth_mechanism, 
                           host=options.broker_host,
                           service='qpidd');

non functional case is to omit service parameter:

  connection = Connection (sock=socket, 
                           username=options.auth_user, 
                           mechanism=options.conn_auth_mechanism, 
                           host=options.broker_host);

Note You need to log in before you can comment on or make changes to this bug.