Description of problem:
libcurl upstream dropped support for delegating Kerberos tickets. This was applied to EL6 in bug https://bugzilla.redhat.com/show_bug.cgi?id=711454

certmonger needs to be able to delegate tickets via XML-RPC to authenticate with IPA using xmlrpc-c.

Bug https://bugzilla.redhat.com/show_bug.cgi?id=719938 was created to add a new API to libcurl to do delegation.

Bug https://bugzilla.redhat.com/show_bug.cgi?id=719945 was created to add a new API to xmlrpc-c to utilize this delegation feature.

certmonger needs to be updated to use the new xmlrpc-c API.

Version-Release number of selected component (if applicable):
certmonger-0.42-1

It looks like the currently-proposed patch requires us to set "gss_delegate" to 1 in the right xmlrpc_curl_xportparms structure that we pass to xmlrpc_client_create(). We'll need to have the patch added to the xmlrpc-c package (preferably after it's integrated into upstream's tree) and to have that updated version of xmlrpc-c tagged into the buildroot before we can build a fixed certmonger. I can make the code changes in certmonger before that, but they can't be tested properly without an xmlrpc-c. Making the xmlrpc-c bug block this one.

verified:

ipa-client-install --domain=testrelm --realm=TESTRELM -p admin -w Secret123 -U --server=ipaqavme.testrelm
Discovery was successful!
Hostname: hp-dl380g6-01.testrelm
Realm: TESTRELM
DNS Domain: testrelm
IPA Server: ipaqavme.testrelm
BaseDN: dc=testrelm
Enrolled in IPA realm TESTRELM
Created /etc/ipa/default.conf
Configured /etc/sssd/sssd.conf
Configured /etc/krb5.conf for IPA realm TESTRELM
Warning: Hostname (hp-dl380g6-01.testrelm) not found in DNS
DNS server record set to: hp-dl380g6-01.testrelm -> 10.16.65.39
SSSD enabled
Kerberos 5 enabled
NTP enabled
Client configuration complete.

[root@hp-dl380g6-01 ~]# kinit admin
Password for admin@TESTRELM:
[root@hp-dl380g6-01 ~]# klist
Ticket cache: FILE:/tmp/krb5cc_0
Default principal: admin@TESTRELM

Valid starting     Expires            Service principal
09/21/11 11:38:40  09/22/11 11:38:36  krbtgt/TESTRELM@TESTRELM

versions:
curl-7.19.7-26.el6_1.2.x86_64
xmlrpc-c-1.16.24-1200.1840.el6_1.4.x86_64
certmonger-0.46-1.el6.x86_64
ipa-client-2.1.1-3.el6.x86_64

Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory, and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report. http://rhn.redhat.com/errata/RHBA-2011-1708.html