Red Hat Bugzilla – Bug 999639
HTTPClient gem auto-loads GSSAPI gem; errors out if no Kerberos ticket
Last modified: 2015-05-14 22:20:52 EDT
Description of problem:
When running `rhc setup` after installation, if the `gssapi` gem is installed on the user's machine, HTTPClient gem automatically requires `gssapi`. Before initiating the first request to the Broker, the gssapi gem will search for a Kerberos ticket locally on the user's machine. If no ticket is found, then RHC will error out with a GSSAPI Error.
If a user has gssapi installed for another program/project/process/etc, RHC should not assume, at least before the first authenticated request, to use Negotiate and therefore trying to find the ticket cache.
This should pretty much only happen if the server only accepts Negotiate authentication.
Version-Release number of selected component (if applicable):
Steps to Reproduce:
1. `gem install gssapi`
2. `gem install rhc`
3. `kdestroy` # make sure you don't have any ticket available
4. `rhc setup`
GSSAPI error is returned.
Prompt for user/password during the setup process.
This is because HTTPClient will always try to `require gssapi` (or `require win32/sspi` for windows).
This is also all on the client side, meaning this does not ever ping the Broker for available auth methods.
I am working on the ability to ping the server for available authentication, as well as behavior when gssapi is purposefully installed for the use of Negotiate authentication.
I tried this on fedora 18, with these versions of the gems and couldn't reproduce it:
It prompts me for the username/password.
What OS and gem versions were you using when you created the error?
If the server supports negotiate and basic, httpclient will attempt to use gssapi if available.
To recreate, we have to enable Negotiate auth for the broker.
We need to catch the following types of errors encountered when initializing gssapi and fall back to basic:
- Kerberos doesn't know about the server (gssapi just happens to be installed)
- Kerberos doesn't have any tickets for that server
- Kerberos only has expired tickets for that server
Will merge in https://github.com/openshift/rhc/pull/463
Tested on windows 7 via rhc-1.13.6 & rhc-1.12.4, can not reproduce this issue.
Tried on windows 7 via rhc-1.14.6-build_from_devenv_3776, can not reproduce this issue.
And then try this issue on fedora(rhc-1.13.6 & rhc-1.14.6-build_from_devenv_3776), still can not reproduced this issue.
So I have to verified this bug, thx.
Also tried on fedora 18 & windows 7 via latest rhc(rhc-1.15.0-build_from_devenv_3781), still can not reproduce.
1. Enable Negotiate authentication and basic authentication for the broker
2. Install the gssapi gem on the rhc client machine