Bug 999639 - HTTPClient gem auto-loads GSSAPI gem; errors out if no Kerberos ticket
Product: OpenShift Origin
Classification: Red Hat
Component: Command Line Interface
Unspecified Linux
unspecified Severity medium
Assigned To: Jordan Liggitt
libra bugs
: UpcomingRelease
Reported: 2013-08-21 14:36 EDT by Lynn Root
Modified: 2015-05-14 22:20 EDT
Doc Type: Bug Fix
Last Closed: 2013-09-19 12:46:10 EDT
Type: Bug
Description Lynn Root 2013-08-21 14:36:28 EDT
Description of problem:

When running `rhc setup` after installation, if the `gssapi` gem is installed on the user's machine, the HTTPClient gem automatically requires `gssapi`. Before initiating the first request to the Broker, the gssapi gem will search for a Kerberos ticket locally on the user's machine. If no ticket is found, then RHC will error out with a GSSAPI Error.

If a user has gssapi installed for another program/project/process/etc, RHC should not assume, at least before the first authenticated request, that it should use Negotiate and therefore try to find the ticket cache.

This should pretty much only happen if the server only accepts Negotiate authentication.

Version-Release number of selected component (if applicable):

How reproducible:

Steps to Reproduce:
1. `gem install gssapi`
2. `gem install rhc`
3. `kdestroy` # make sure you don't have any ticket available
4. `rhc setup`

Actual results:

GSSAPI error is returned.

Expected results:

Prompt for user/password during the setup process.

Additional info:

This is because HTTPClient will always try to `require gssapi` (or `require win32/sspi` for Windows).

This is also all on the client side, meaning this does not ever ping the Broker for available auth methods.

I am working on the ability to ping the server for available authentication, as well as behavior when gssapi is purposefully installed for the use of Negotiate authentication.
Comment 1 Jessica Forrester 2013-09-10 14:16:07 EDT
I tried this on Fedora 18 with these versions of the gems and couldn't reproduce it:

gssapi (1.1.2)
rhc (1.13.6)
httpclient (

It prompts me for the username/password.

What OS and gem versions were you using when you created the error?
Comment 2 Jordan Liggitt 2013-09-11 15:47:05 EDT
If the server supports negotiate and basic, httpclient will attempt to use gssapi if available.

To recreate, we have to enable Negotiate auth for the broker.

We need to catch the following types of errors encountered when initializing gssapi and fall back to basic:
- Kerberos doesn't know about the server (gssapi just happens to be installed)
- Kerberos doesn't have any tickets for that server
- Kerberos only has expired tickets for that server
Comment 3 Jordan Liggitt 2013-09-11 15:47:27 EDT
Will merge in https://github.com/openshift/rhc/pull/463
Comment 4 weiwei jiang 2013-09-13 06:07:19 EDT
Tested on Windows 7 via rhc-1.13.6 & rhc-1.12.4, cannot reproduce this issue.
Tried on Windows 7 via rhc-1.14.6-build_from_devenv_3776, cannot reproduce this issue.

And then tried this issue on Fedora (rhc-1.13.6 & rhc-1.14.6-build_from_devenv_3776), still cannot reproduce this issue.

So I have to verify this bug, thx.
Comment 5 weiwei jiang 2013-09-13 06:32:01 EDT
Also tried on Fedora 18 & Windows 7 via latest rhc (rhc-1.15.0-build_from_devenv_3781), still cannot reproduce.
Comment 6 Jordan Liggitt 2013-09-13 09:16:20 EDT
To reproduce:
1. Enable Negotiate authentication and basic authentication for the broker
2. Install the gssapi gem on the rhc client machine
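
The fallback that Comment 2 asks for, sketched as an added Ruby example (not code from rhc, httpclient, or the linked pull request): Negotiate is attempted only when the server offers it and a GSSAPI binding is present, and a failed context setup falls through to Basic instead of aborting. `select_auth`, `GssInitError`, `offered_schemes` and `token_provider` are hypothetical names standing in for the real client and GSSAPI binding.

```ruby
require 'base64'

# Hypothetical stand-in for whatever the GSSAPI binding raises when
# security-context setup fails (not a class from the gssapi gem).
class GssInitError < StandardError; end

# Extract the scheme names a server offered in its WWW-Authenticate values.
def offered_schemes(www_authenticate)
  www_authenticate.map { |v| v.split(/\s+/, 2).first.to_s.downcase }.uniq
end

# Decide which Authorization header to send on the retry after a 401.
# token_provider: callable returning a raw GSSAPI token, or nil when no
#   GSSAPI library is installed; raises GssInitError on failure.
# basic: [user, password], or nil when no password credentials exist yet.
def select_auth(www_authenticate, token_provider:, basic:)
  schemes = offered_schemes(www_authenticate)

  # The ticket cache is touched only if the server actually offers Negotiate.
  if schemes.include?('negotiate') && token_provider
    begin
      token = token_provider.call
      return [:negotiate, "Negotiate #{Base64.strict_encode64(token)}"]
    rescue GssInitError => e
      # Covers the three cases from Comment 2: server unknown to Kerberos,
      # no ticket for the server, or only expired tickets.
      warn "Negotiate unavailable (#{e.message}); trying next offered scheme"
    end
  end

  if schemes.include?('basic') && basic
    return [:basic, "Basic #{Base64.strict_encode64(basic.join(':'))}"]
  end

  [:none, nil] # caller prompts for credentials or reports no usable scheme
end

# Constructed sample: broker offers both schemes, user has no Kerberos ticket.
if __FILE__ == $PROGRAM_NAME
  no_ticket = -> { raise GssInitError, 'no credentials cache found' }
  offered   = ['Negotiate', 'Basic realm="broker"']
  p select_auth(offered, token_provider: no_ticket, basic: %w[user pass])
end
```

Basic sends the password in a reversible encoding, so a client that falls back this way should do so only over TLS.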
