#8737 [ipatests] `test_source_ipahealthcheck_ipa_host_check_ipahostkeytab` fails against krb5 1.19.1
Closed: fixed 3 years ago by frenaud. Opened 3 years ago by slev.

=================================== FAILURES ===================================
__ TestIpaHealthCheck.test_source_ipahealthcheck_ipa_host_check_ipahostkeytab __

self = <ipatests.test_integration.test_ipahealthcheck.TestIpaHealthCheck object at 0x7fceb5cf26a0>
restart_service = <function restart_service.<locals>._stop_service at 0x7fceb57379d0>

    def test_source_ipahealthcheck_ipa_host_check_ipahostkeytab(
        self, restart_service
    ):
        """
        Testcase checks behaviour of check IPAHostKeytab in source
        ipahealthcheck.ipa.host when dirsrv service is stopped and
        running on IPA master
        """
        msg = (
            "Failed to obtain host TGT: Major (851968): "
            "Unspecified GSS failure.  "
            "Minor code may provide more information, "
            "Minor (2529638972): Generic error (see e-text)"
        )
        restart_service(self.master, "dirsrv")
        dirsrv_ipactl_status = 'Directory Service: STOPPED'
        result = self.master.run_command(
            ["ipactl", "status"])
        returncode, data = run_healthcheck(
            self.master,
            "ipahealthcheck.ipa.host",
            "IPAHostKeytab",
        )
        assert returncode == 1
        if dirsrv_ipactl_status in result.stdout_text:
== "ERROR"
== msg
E           AssertionError: assert 'Failed to ob... (see e-text)' == 'Failed to ob... (see e-text)'
E             - Failed to obtain host TGT: Major (851968): Unspecified GSS failure.  Minor code may provide more information, Minor (2529638972): Generic error (see e-text)
E             + Failed to obtain host TGT: Major (458752): No credentials were supplied, or the credentials were unavailable or inaccessible, Minor (2529638972): Generic error (see e-text)

test_integration/test_ipahealthcheck.py:473: AssertionError
RUN ['ipa-healthcheck', '--source', 'ipahealthcheck.ipa.host', '--check', 'IPAHostKeytab', '--output-type', 'json']
[
  {
    "source": "ipahealthcheck.ipa.host",
    "check": "IPAHostKeytab",
    "result": "ERROR",
    "uuid": "cb4c6b19-37ae-4835-b089-2c32244a5342",
    "when": "20210304053728Z",
    "duration": "0.004428",
    "kw": {
      "msg": "Failed to obtain host TGT: Major (458752): No credentials were supplied, or the credentials were unavailable or inaccessible, Minor (2529638972): Generic error (see e-text)"
    }
  }
]
Exit code: 1

This test attempts to get initial-only credentials for a host principal using a host keytab while directory is OFF and checks the error message.

(gdb) bt
#0  acquire_init_cred (cred=0x1169c40, verify=0x0, client_keytab=0x109ce00, password=0x0, req_ccache=0x12f6bf0, minor_status=0x7fff82dd6b14, context=0x11a51e0) at acquire_cred.c:762
#1  acquire_cred_context (context=0x11a51e0, minor_status=minor_status@entry=0x7fff82dd6b14, desired_name=desired_name@entry=0x11142e0, password=0x0, cred_usage=cred_usage@entry=1, ccache=0x12f6bf0, client_keytab=0x109ce00, keytab=0x0, rcname=0x0, verify=0x0, iakerb=0, output_cred_handle=0x7fff82dd6a18, time_rec=0x7fff82dd6a00, time_req=<optimized out>) at acquire_cred.c:841
#2  0x00007fab59ed5fbb in acquire_cred_from (minor_status=0x7fff82dd6b14, desired_name=0x11142e0, cred_usage=1, cred_store=0x1249ec0, iakerb=0, output_cred_handle=0x7fff82dd6a18, time_rec=0x7fff82dd6a00, actual_mechs=<optimized out>, desired_mechs=<optimized out>, time_req=<optimized out>) at acquire_cred.c:1306
#3  0x00007fab59ec276c in gss_add_cred_from (minor_status=minor_status@entry=0x7fff82dd6b14, input_cred_handle=<optimized out>, desired_name=desired_name@entry=0xfafb80, desired_mech=<optimized out>, cred_usage=cred_usage@entry=1, initiator_time_req=initiator_time_req@entry=4294967295, acceptor_time_req=<optimized out>, cred_store=0x1249ec0, output_cred_handle=0x0, actual_mechs=0x0, initiator_time_rec=0x7fff82dd6b18, acceptor_time_rec=0x7fff82dd6b1c) at g_acquire_cred.c:544
#4  0x00007fab59ec2d57 in gss_acquire_cred_from (minor_status=0x7fff82dd6bf0, desired_name=0xfafb80, time_req=4294967295, desired_mechs=0x0, cred_usage=1, cred_store=0x1249ec0, output_cred_handle=0x7fff82dd6c00, actual_mechs=0x7fff82dd6c08, time_rec=0x7fff82dd6bec) at g_acquire_cred.c:190
...

(gdb) l 762
757
758         *minor_status = 0;
759         return GSS_S_COMPLETE;
760
761     error:
762         *minor_status = code;
763         return GSS_S_NO_CRED;
764     }
765
766     static OM_uint32

Since 1.19.1, MIT Kerberos returns GSS_S_NO_CRED instead of GSS_S_CRED_UNAVAIL (GSS_S_CRED_UNAVAIL currently is the same as GSS_S_FAILURE) in acquire_init_cred if no credentials corresponding to the requested name and usage could be accessed:

https://krbdev.mit.edu/rt/Ticket/Display.html?id=8909
https://github.com/krb5/krb5/commit/eb8d2ced232e60613b461b4410f6fff3800467ab

GSS_S_NO_CRED is defined as:

#define GSS_C_ROUTINE_ERROR_OFFSET 16
...
#define GSS_S_NO_CRED (((OM_uint32) 7ul) << GSS_C_ROUTINE_ERROR_OFFSET)
[root@master1 /]# python3 -c "print(7 << 16)"
458752

So, "Failed to obtain host TGT: Major (458752): No credentials were supplied, or the credentials were unavailable or inaccessible, Minor (2529638972): Generic error (see e-text)" is correct.
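
Added example (not part of the original ticket or of the FreeIPA test suite): decoding the GSS-API major status word by its RFC 2744 fields shows that 851968 is 13 << 16 (GSS_S_FAILURE) and 458752 is 7 << 16 (GSS_S_NO_CRED), so a check can accept either krb5 behaviour by routine error instead of comparing the full message text. The function names are hypothetical; the two messages are the ones quoted above.

```python
import re

# GSS-API major status layout (RFC 2744): calling error in bits 24-31,
# routine error in bits 16-23, supplementary info flags in bits 0-15.
ROUTINE_ERRORS = {
    1: "GSS_S_BAD_MECH", 2: "GSS_S_BAD_NAME", 3: "GSS_S_BAD_NAMETYPE",
    4: "GSS_S_BAD_BINDINGS", 5: "GSS_S_BAD_STATUS", 6: "GSS_S_BAD_SIG",
    7: "GSS_S_NO_CRED", 8: "GSS_S_NO_CONTEXT", 9: "GSS_S_DEFECTIVE_TOKEN",
    10: "GSS_S_DEFECTIVE_CREDENTIAL", 11: "GSS_S_CREDENTIALS_EXPIRED",
    12: "GSS_S_CONTEXT_EXPIRED", 13: "GSS_S_FAILURE", 14: "GSS_S_BAD_QOP",
    15: "GSS_S_UNAUTHORIZED", 16: "GSS_S_UNAVAILABLE",
    17: "GSS_S_DUPLICATE_ELEMENT", 18: "GSS_S_NAME_NOT_MN",
}
CALLING_ERRORS = {1: "GSS_S_CALL_INACCESSIBLE_READ",
                  2: "GSS_S_CALL_INACCESSIBLE_WRITE",
                  3: "GSS_S_CALL_BAD_STRUCTURE"}
SUPPLEMENTARY = ["GSS_S_CONTINUE_NEEDED", "GSS_S_DUPLICATE_TOKEN",
                 "GSS_S_OLD_TOKEN", "GSS_S_UNSEQ_TOKEN", "GSS_S_GAP_TOKEN"]

# Messages as quoted in this ticket (krb5 before and after 1.19.1).
OLD_MSG = ("Failed to obtain host TGT: Major (851968): Unspecified GSS "
           "failure.  Minor code may provide more information, "
           "Minor (2529638972): Generic error (see e-text)")
NEW_MSG = ("Failed to obtain host TGT: Major (458752): No credentials were "
           "supplied, or the credentials were unavailable or inaccessible, "
           "Minor (2529638972): Generic error (see e-text)")
MSG_RE = re.compile(r"Major \((\d+)\): .*Minor \((\d+)\): ")

def decode_major(major):
    """Split a major status word into its three named fields."""
    flags = major & 0xFFFF
    return {
        "calling": CALLING_ERRORS.get((major >> 24) & 0xFF),
        "routine": ROUTINE_ERRORS.get((major >> 16) & 0xFF),
        "supplementary": [n for i, n in enumerate(SUPPLEMENTARY) if flags >> i & 1],
    }

def parse_gss_error(msg):
    """Return (routine error name, minor code) from a healthcheck message."""
    m = MSG_RE.search(msg)
    if m is None:
        raise ValueError("no GSS major/minor codes in message")
    return decode_major(int(m.group(1)))["routine"], int(m.group(2))

def is_expected_keytab_failure(msg):
    """True for the pre-1.19.1 and the 1.19.1 form of the same failure."""
    routine, minor = parse_gss_error(msg)
    return routine in {"GSS_S_FAILURE", "GSS_S_NO_CRED"} and minor == 2529638972
```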


Metadata Update from @slev:
- Issue assigned to slev

3 years ago

master:

  • 2c4a160 ipatests: Fix expectation about GSS error in test for healthcheck

ipa-4-9:

  • fbbfce1 ipatests: Fix expectation about GSS error in test for healthcheck

ipa-4-8:

  • 2298302 ipatests: Fix expectation about GSS error in test for healthcheck

Metadata Update from @frenaud:
- Issue close_status updated to: fixed
- Issue status updated to: Closed (was: Open)

3 years ago
