Bug 727863 - Add support for new xmlrpc-c API to do GSSAPI delegation
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Red Hat Enterprise Linux 6
Classification: Red Hat
Component: certmonger
Version: 6.2
Hardware: Unspecified
OS: Unspecified
Priority: urgent
Severity: urgent
Target Milestone: rc
Assignee: Nalin Dahyabhai
QA Contact: BaseOS QE Security Team
URL:
Whiteboard:
Depends On: 719945
Blocks: 727864 729804
Reported: 2011-08-03 13:02 UTC by Rob Crittenden
Modified: 2011-12-06 17:37 UTC (History)

Fixed In Version: certmonger-0.45-1.el6
Doc Type: Bug Fix
Doc Text:
Clone Of:
: 727864 (view as bug list)
Environment:
Last Closed: 2011-12-06 17:37:50 UTC


Links
System: Red Hat Product Errata
ID: RHBA-2011:1708
Priority: normal
Status: SHIPPED_LIVE
Summary: certmonger bug fix update
Last Updated: 2011-12-06 01:02:28 UTC

Description Rob Crittenden 2011-08-03 13:02:16 UTC
Description of problem:

libcurl upstream dropped support for delegating Kerberos tickets. This was
applied to EL6 in bug https://bugzilla.redhat.com/show_bug.cgi?id=711454

certmonger needs to be able to delegate tickets via XML-RPC to authenticate with IPA using xmlrpc-c.

Bug https://bugzilla.redhat.com/show_bug.cgi?id=719938 was created to add a new API to libcurl to do delegation.

Bug https://bugzilla.redhat.com/show_bug.cgi?id=719945 was created to add a new API to xmlrpc-c to utilize this delegation feature.

certmonger needs to be updated to use the new xmlrpc-c API.

Version-Release number of selected component (if applicable):

certmonger-0.42-1

Comment 2 Nalin Dahyabhai 2011-08-05 21:53:21 UTC
It looks like the currently-proposed patch requires us to set "gss_delegate" to 1 in the right xmlrpc_curl_xportparms structure that we pass to xmlrpc_client_create().  We'll need to have the patch added to the xmlrpc-c package (preferably after it's integrated into upstream's tree) and to have that updated version of xmlrpc-c tagged into the buildroot before we can build a fixed certmonger.

I can make the code changes in certmonger before that, but they can't be tested properly without an xmlrpc-c.  Making the xmlrpc-c bug block this one.

Comment 5 Jenny Galipeau 2011-09-21 18:46:17 UTC
verified:

ipa-client-install --domain=testrelm --realm=TESTRELM -p admin -w Secret123 -U --server=ipaqavme.testrelm
Discovery was successful!
Hostname: hp-dl380g6-01.testrelm
Realm: TESTRELM
DNS Domain: testrelm
IPA Server: ipaqavme.testrelm
BaseDN: dc=testrelm



Enrolled in IPA realm TESTRELM
Created /etc/ipa/default.conf
Configured /etc/sssd/sssd.conf
Configured /etc/krb5.conf for IPA realm TESTRELM
Warning: Hostname (hp-dl380g6-01.testrelm) not found in DNS
DNS server record set to: hp-dl380g6-01.testrelm -> 10.16.65.39
SSSD enabled
Kerberos 5 enabled
NTP enabled
Client configuration complete.
[root@hp-dl380g6-01 ~]# kinit admin
Password for admin@TESTRELM: 
[root@hp-dl380g6-01 ~]# klist
Ticket cache: FILE:/tmp/krb5cc_0
Default principal: admin@TESTRELM

Valid starting     Expires            Service principal
09/21/11 11:38:40  09/22/11 11:38:36  krbtgt/TESTRELM@TESTRELM


versions:

curl-7.19.7-26.el6_1.2.x86_64
xmlrpc-c-1.16.24-1200.1840.el6_1.4.x86_64
certmonger-0.46-1.el6.x86_64
ipa-client-2.1.1-3.el6.x86_64

Comment 6 errata-xmlrpc 2011-12-06 17:37:50 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

http://rhn.redhat.com/errata/RHBA-2011-1708.html

