Bug 727863 - Add support for new xmlrpc-c API to do GSSAPI delegation
Alias: None
Product: Red Hat Enterprise Linux 6
Classification: Red Hat
Component: certmonger
Version: 6.2
Hardware: Unspecified
OS: Unspecified
Target Milestone: rc
Assignee: Nalin Dahyabhai
QA Contact: BaseOS QE Security Team
Depends On: 719945
Blocks: 727864 729804
Reported: 2011-08-03 13:02 UTC by Rob Crittenden
Modified: 2011-12-06 17:37 UTC

Fixed In Version: certmonger-0.45-1.el6
Doc Type: Bug Fix
Doc Text:
Clone Of:
: 727864
Last Closed: 2011-12-06 17:37:50 UTC

System | ID | Priority | Status | Summary | Last Updated
Red Hat Product Errata | RHBA-2011:1708 | normal | SHIPPED_LIVE | certmonger bug fix update | 2011-12-06 01:02:28 UTC

Description Rob Crittenden 2011-08-03 13:02:16 UTC
Description of problem:

libcurl upstream dropped support for delegating Kerberos tickets. This was
applied to EL6 in bug https://bugzilla.redhat.com/show_bug.cgi?id=711454

certmonger needs to be able to delegate tickets via XML-RPC to authenticate with IPA using xmlrpc-c.

Bug https://bugzilla.redhat.com/show_bug.cgi?id=719938 was created to add a new API to libcurl to do delegation.

Bug https://bugzilla.redhat.com/show_bug.cgi?id=719945 was created to add a new API to xmlrpc-c to utilize this delegation feature.

certmonger needs to be updated to use the new xmlrpc-c API.

Version-Release number of selected component (if applicable):


Comment 2 Nalin Dahyabhai 2011-08-05 21:53:21 UTC
It looks like the currently-proposed patch requires us to set "gss_delegate" to 1 in the right xmlrpc_curl_xportparms structure that we pass to xmlrpc_client_create().  We'll need to have the patch added to the xmlrpc-c package (preferably after it's integrated into upstream's tree) and to have that updated version of xmlrpc-c tagged into the buildroot before we can build a fixed certmonger.

I can make the code changes in certmonger before that, but they can't be tested properly without an xmlrpc-c.  Making the xmlrpc-c bug block this one.

Comment 5 Jenny Galipeau 2011-09-21 18:46:17 UTC

ipa-client-install --domain=testrelm --realm=TESTRELM -p admin -w Secret123 -U
Discovery was successful!
Hostname: hp-dl380g6-01.testrelm
DNS Domain: testrelm
IPA Server: ipaqavme.testrelm
BaseDN: dc=testrelm

Enrolled in IPA realm TESTRELM
Created /etc/ipa/default.conf
Configured /etc/sssd/sssd.conf
Configured /etc/krb5.conf for IPA realm TESTRELM
Warning: Hostname (hp-dl380g6-01.testrelm) not found in DNS
DNS server record set to: hp-dl380g6-01.testrelm ->
SSSD enabled
Kerberos 5 enabled
NTP enabled
Client configuration complete.
[root@hp-dl380g6-01 ~]# kinit admin
Password for admin@TESTRELM: 
[root@hp-dl380g6-01 ~]# klist
Ticket cache: FILE:/tmp/krb5cc_0
Default principal: admin@TESTRELM

Valid starting     Expires            Service principal
09/21/11 11:38:40  09/22/11 11:38:36  krbtgt/TESTRELM@TESTRELM



Comment 6 errata-xmlrpc 2011-12-06 17:37:50 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

