Bug #12555 (closed): Only first FreeIPA XMLRPC call succeeds
Foreman proxy 1.10 and FreeIPA, version: 4.1.4
Description
D, [2015-11-20T14:17:00.951816 #10124] DEBUG -- : verifying remote client 1.1.1.1 against trusted_hosts ["cfg01.atl.XXXX.net"]
I, [2015-11-20T14:17:01.019800 #10124] INFO -- : freeipa: realm keytab is '/etc/foreman-proxy/freeipa.keytab' and using principal 'XXXX@XXXX.NET'
I, [2015-11-20T14:17:01.020059 #10124] INFO -- : freeipa: realm XXXX.NET
I, [2015-11-20T14:17:01.020636 #10124] INFO -- : freeipa: server is https://ipa.XXXX.net/ipa/xml
I, [2015-11-20T14:17:01.021306 #10124] INFO -- : Requesting credentials for Kerberos principal XXXX@XXXX.NET using keytab /etc/foreman-proxy/freeipa.keytab
D, [2015-11-20T14:17:01.059031 #10124] DEBUG -- : Kerberos credential cache initialised with principal: XXXX@XXXX.NET
I, [2015-11-20T14:17:02.301035 #10124] INFO -- : Attempting to host_add test2.atl.XXXX.net in FreeIPA
D, [2015-11-20T14:17:02.301183 #10124] DEBUG -- : {:setattr=>[], :random=>1, :force=>1}
E, [2015-11-20T14:17:02.322459 #10124] ERROR -- : Authorization failed. HTTP-Error: 401 Unauthorized
D, [2015-11-20T14:17:02.322550 #10124] DEBUG -- : /usr/lib/ruby/1.9.1/xmlrpc/client.rb:547:in `do_rpc'
/usr/lib/ruby/1.9.1/xmlrpc/client.rb:420:in `call2'
/usr/lib/ruby/1.9.1/xmlrpc/client.rb:410:in `call'
/usr/share/foreman-proxy/modules/realm/freeipa.rb:103:in `create'
/usr/share/foreman-proxy/modules/realm/realm_api.rb:28:in `block in <class:Api>'
/usr/lib/ruby/vendor_ruby/sinatra/base.rb:1541:in `call'
/usr/lib/ruby/vendor_ruby/sinatra/base.rb:1541:in `block in compile!'
/usr/lib/ruby/vendor_ruby/sinatra/base.rb:950:in `[]'
/usr/lib/ruby/vendor_ruby/sinatra/base.rb:950:in `block (3 levels) in route!'
/usr/lib/ruby/vendor_ruby/sinatra/base.rb:966:in `route_eval'
/usr/lib/ruby/vendor_ruby/sinatra/base.rb:950:in `block (2 levels) in route!'
/usr/lib/ruby/vendor_ruby/sinatra/base.rb:987:in `block in process_route'
/usr/lib/ruby/vendor_ruby/sinatra/base.rb:985:in `catch'
/usr/lib/ruby/vendor_ruby/sinatra/base.rb:985:in `process_route'
/usr/lib/ruby/vendor_ruby/sinatra/base.rb:948:in `block in route!'
/usr/lib/ruby/vendor_ruby/sinatra/base.rb:947:in `each'
/usr/lib/ruby/vendor_ruby/sinatra/base.rb:947:in `route!'
/usr/lib/ruby/vendor_ruby/sinatra/base.rb:1059:in `block in dispatch!'
/usr/lib/ruby/vendor_ruby/sinatra/base.rb:1041:in `block in invoke'
/usr/lib/ruby/vendor_ruby/sinatra/base.rb:1041:in `catch'
/usr/lib/ruby/vendor_ruby/sinatra/base.rb:1041:in `invoke'
/usr/lib/ruby/vendor_ruby/sinatra/base.rb:1056:in `dispatch!'
/usr/lib/ruby/vendor_ruby/sinatra/base.rb:882:in `block in call!'
/usr/lib/ruby/vendor_ruby/sinatra/base.rb:1041:in `block in invoke'
/usr/lib/ruby/vendor_ruby/sinatra/base.rb:1041:in `catch'
/usr/lib/ruby/vendor_ruby/sinatra/base.rb:1041:in `invoke'
/usr/lib/ruby/vendor_ruby/sinatra/base.rb:882:in `call!'
/usr/lib/ruby/vendor_ruby/sinatra/base.rb:870:in `call'
/usr/lib/ruby/vendor_ruby/rack/commonlogger.rb:33:in `call'
/usr/lib/ruby/vendor_ruby/sinatra/base.rb:212:in `call'
/usr/share/foreman-proxy/lib/proxy/log.rb:58:in `call'
/usr/lib/ruby/vendor_ruby/rack/protection/xss_header.rb:18:in `call'
/usr/lib/ruby/vendor_ruby/rack/protection/path_traversal.rb:16:in `call'
/usr/lib/ruby/vendor_ruby/rack/protection/json_csrf.rb:18:in `call'
/usr/lib/ruby/vendor_ruby/rack/protection/base.rb:50:in `call'
/usr/lib/ruby/vendor_ruby/rack/protection/base.rb:50:in `call'
/usr/lib/ruby/vendor_ruby/rack/protection/frame_options.rb:31:in `call'
/usr/lib/ruby/vendor_ruby/rack/nulllogger.rb:9:in `call'
/usr/lib/ruby/vendor_ruby/rack/head.rb:11:in `call'
/usr/lib/ruby/vendor_ruby/sinatra/showexceptions.rb:21:in `call'
/usr/lib/ruby/vendor_ruby/sinatra/base.rb:175:in `call'
/usr/lib/ruby/vendor_ruby/sinatra/base.rb:1949:in `call'
/usr/lib/ruby/vendor_ruby/sinatra/base.rb:1449:in `block in call'
/usr/lib/ruby/vendor_ruby/sinatra/base.rb:1726:in `synchronize'
/usr/lib/ruby/vendor_ruby/sinatra/base.rb:1449:in `call'
/usr/lib/ruby/vendor_ruby/rack/builder.rb:138:in `call'
/usr/lib/ruby/vendor_ruby/rack/urlmap.rb:65:in `block in call'
/usr/lib/ruby/vendor_ruby/rack/urlmap.rb:50:in `each'
/usr/lib/ruby/vendor_ruby/rack/urlmap.rb:50:in `call'
/usr/lib/ruby/vendor_ruby/rack/builder.rb:138:in `call'
/usr/lib/ruby/vendor_ruby/rack/handler/webrick.rb:60:in `service'
/usr/lib/ruby/1.9.1/webrick/httpserver.rb:138:in `service'
/usr/lib/ruby/1.9.1/webrick/httpserver.rb:94:in `run'
/usr/lib/ruby/1.9.1/webrick/server.rb:191:in `block in start_thread'
I, [2015-11-20T14:17:02.323003 #10124] INFO -- : 1.1.1.1 - - [20/Nov/2015 14:17:02] "POST /realm/XXXX.NET HTTP/1.1" 400 50 1.3738
Foreman/Foreman Proxy machine is Ubuntu 14, and is joined to the FreeIPA realm.
If I mess with freeipa.rb and get a new token each time by doing this prior to each @ipa.call:
# obtain a fresh GSSAPI context token for the HTTP service on the IPA server
gssapi = GSSAPI::Simple.new(@ipa_server.host, "HTTP")
token = gssapi.init_context
# send it as a SPNEGO Negotiate header on this call only
@ipa.http_header_extra = {
  'Authorization' => "Negotiate #{strict_encode64(token)}",
  'Referer'       => @ipa_server.to_s,
  'Content-Type'  => 'text/xml; charset=utf-8'
}
then all calls work.
The only time this appears to be a problem is when multiple calls to the IPA server are issued. I am not enough of an expert on GSSAPI to know if there is additional negotiation needed after the first call, or if there is session data not being passed.
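The per-call pattern from the workaround above, written out as an added example (not Foreman proxy's own code): a wrapper that acquires a fresh SPNEGO token and rebuilds the Authorization header before every XML-RPC call, rather than once at client construction. A GSSAPI initial-context token carries a Kerberos AP-REQ whose authenticator is intended for a single use, so a server that keeps a replay cache will refuse a second request presenting the same token; that is why the first call succeeds and later ones fail with 401. The `token_provider` callable stands in for `GSSAPI::Simple#init_context` (the gssapi gem API used on the page) so the example runs offline; `FakeReplayCheckingClient`, the hostnames and the token strings are constructed for the example. The Referer header is included because FreeIPA rejects XML-RPC requests without one.

```ruby
require 'base64'

# Wraps any XML-RPC-style client (anything responding to #http_header_extra=
# and #call, e.g. XMLRPC::Client) and refreshes the Negotiate token per call.
class PerCallNegotiateClient
  # client         - the underlying RPC client
  # referer        - URL sent as Referer; FreeIPA requires it
  # token_provider - callable returning a fresh binary GSSAPI token; in
  #                  production this wraps GSSAPI::Simple#init_context (assumed)
  def initialize(client, referer, token_provider)
    @client = client
    @referer = referer
    @token_provider = token_provider
  end

  def call(method, *args)
    token = @token_provider.call            # new context token for this request
    @client.http_header_extra = {
      'Authorization' => "Negotiate #{Base64.strict_encode64(token)}",
      'Referer'       => @referer,
      'Content-Type'  => 'text/xml; charset=utf-8'
    }
    @client.call(method, *args)
  end
end

# Constructed stand-in for the IPA server side so the example runs offline.
# It mimics a replay cache: any Authorization value seen before is rejected.
class FakeReplayCheckingClient
  attr_accessor :http_header_extra
  attr_reader :seen

  def initialize
    @seen = []
  end

  def call(method, *args)
    auth = http_header_extra['Authorization']
    raise "401 Unauthorized (replayed Negotiate token)" if @seen.include?(auth)
    @seen << auth
    { 'result' => { 'method' => method, 'args' => args } }
  end
end

# Constructed token source: every call yields a distinct token, as a real
# init_context would.
def fresh_token_provider
  counter = 0
  -> { counter += 1; "constructed-token-#{counter}".b }
end

# Correct pattern: two consecutive calls, each with its own token.
# Returns the number of distinct tokens the server accepted.
def demo_fresh_tokens
  client = FakeReplayCheckingClient.new
  ipa = PerCallNegotiateClient.new(client, 'https://ipa.example.net/ipa/xml',
                                   fresh_token_provider)
  ipa.call('host_add', 'test2.example.net', { 'random' => 1, 'force' => 1 })
  ipa.call('host_show', 'test2.example.net')
  client.seen.size
end

# Failure mode from the report: the token obtained once at construction time
# is reused, and the second call is rejected.  Returns the error message.
def demo_reused_token
  client = FakeReplayCheckingClient.new
  stale = 'constructed-token-1'.b
  ipa = PerCallNegotiateClient.new(client, 'https://ipa.example.net/ipa/xml',
                                   -> { stale })
  ipa.call('host_add', 'test2.example.net')
  begin
    ipa.call('host_show', 'test2.example.net')
    'ok'
  rescue RuntimeError => e
    e.message
  end
end

if __FILE__ == $PROGRAM_NAME
  puts "fresh tokens: #{demo_fresh_tokens} calls accepted"
  puts "reused token: #{demo_reused_token}"
end
```

The design point is that the token belongs to the request, not to the client object: build the header inside the call path, and keep the credential cache (the keytab-derived TGT) as the long-lived state instead.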