openldap client GSSAPI authentication segfaults in fbsd8stable i386

Joerg Pulz Joerg.Pulz at frm2.tum.de
Wed Jul 14 14:15:15 UTC 2010


On Tue, 13 Jul 2010, Henrik /KaarPoSoft wrote:

> Dear All,
>
> I have a problem: ldapsearch results in "Segmentation fault" under 
> openldap-2.4.23 with cyrus-sasl-2.1.23.
>
> A thread for similar issues was started by George Mamalakis back in February:
> http://lists.freebsd.org/pipermail/freebsd-stable/2010-February/055017.html
> but I find no solution / conclusion from this thread, hence I post here...
>
> I have installed FreeBSD 8.0-RELEASE-p2 on i386, updated with freebsd-update, 
> and ports updated with "portsnap fetch update".
>
> Kerberos installed from packages, configured, and seems to work OK.
>
> It seems that there is no package for openldap server with GSSAPI/SASL, so I 
> have built and installed cyrus-sasl2, openldap24-server (with sasl 
> configured) and openldap24-sasl-client from ports.
>
> Those are the port versions:
> # $FreeBSD: ports/security/cyrus-sasl2/Makefile,v 1.141 2009/08/02 19:35:25 
> mezz Exp $
> # $FreeBSD: ports/net/openldap24-server/Makefile,v 1.181 2010/07/01 19:04:42 
> delphij Exp $
>
> According to the distinfo files, those are the upstream versions:
> openldap-2.4.23
> cyrus-sasl-2.1.23
> which, as far as I can see, are the latest stable.
>
> Trying LDAP I get a segfault:
>
> $ ldapsearch
> SASL/GSSAPI authentication started
> Segmentation fault (core dumped)
>
> Here is the backtrace from gdb:
>
> #0  0x283225c7 in free () from /lib/libc.so.7
> #1  0x28654b42 in gss_release_buffer () from /usr/lib/libgssapi.so.10
> #2  0x28654512 in gss_release_name () from /usr/lib/libgssapi.so.10
> #3  0x28650e69 in gss_init_sec_context () from /usr/lib/libgssapi.so.10
> #4  0x28648a0f in gssapi_client_mech_step () from 
> /usr/local/lib/sasl2/libgssapiv2.so.2
> #5  0x280ef4b1 in sasl_client_step () from /usr/local/lib/libsasl2.so.2
> #6  0x28440200 in ?? ()
> #7  0x00000000 in ?? ()
> #8  0x00000000 in ?? ()
> #9  0xbfbfe208 in ?? ()
> #10 0xbfbfe1f4 in ?? ()
> #11 0xbfbfe204 in ?? ()
> #12 0x28446860 in ?? ()
> #13 0x280ef3fe in sasl_client_step () from /usr/local/lib/libsasl2.so.2
> #14 0xbfbfe148 in ?? ()
> #15 0x280f0135 in sasl_client_start () from /usr/local/lib/libsasl2.so.2
> #16 0x00000000 in ?? ()
> #17 0x00000000 in ?? ()
> #18 0xbfbfe208 in ?? ()
> #19 0xbfbfe1f4 in ?? ()
> #20 0xbfbfe204 in ?? ()
> #21 0x72408f2d in ?? ()
> #22 0x283b1ad8 in ?? () from /lib/libc.so.7
> #23 0x00000000 in ?? ()
> #24 0x283b1730 in __stderrp () from /lib/libc.so.7
> #25 0xbfbfe118 in ?? ()
> #26 0x28392114 in vfprintf () from /lib/libc.so.7
> Previous frame inner to this frame (corrupt stack?)
>
> I tried "valgrind ldapsearch" which produces thousands of issues, ending 
> with:
>
> ==59479== Invalid free() / delete / delete[]
> ==59479==    at 0x59B95: free (in 
> /usr/local/lib/valgrind/vgpreload_memcheck-x86-freebsd.so)
> ==59479==    by 0x911B41: gss_release_buffer (in /usr/lib/libgssapi.so.10)
> ==59479==    by 0x911511: ??? (in /usr/lib/libgssapi.so.10)
> ==59479==    by 0x90DE68: gss_init_sec_context (in /usr/lib/libgssapi.so.10)
> ==59479==    by 0x905A0E: gssapi_client_mech_step (in 
> /usr/local/lib/sasl2/libgssapiv2.so.2)
> ==59479==    by 0xAF4B0: sasl_client_step (in /usr/local/lib/libsasl2.so.2)
> ==59479==    by 0xB0134: sasl_client_start (in /usr/local/lib/libsasl2.so.2)
> ==59479==    by 0x70C46: ldap_int_sasl_bind (in 
> /usr/local/lib/libldap-2.4.so.7)
> ==59479==    by 0x73935: ldap_sasl_interactive_bind_s (in 
> /usr/local/lib/libldap-2.4.so.7)
> ==59479==    by 0x80505E6: ??? (in /usr/local/bin/ldapsearch)
> ==59479==    by 0x804D695: ??? (in /usr/local/bin/ldapsearch)
> ==59479==    by 0x804A7D8: ??? (in /usr/local/bin/ldapsearch)
> ==59479==  Address 0x4e2c0 is not stack'd, malloc'd or (recently) free'd
> ==59479==
> ldap_sasl_interactive_bind_s: Local error (-2)
>   additional info: SASL(-1): generic failure: GSSAPI Error:  Miscellaneous 
> failure (see text) (unknown mech-code 2529638944 for mech unknown)
>
> /var/log/messages has:
> slapd[1146]: OTP unavailable because can't read/write key database 
> /etc/opiekeys: Permission denied
> kernel: pid 53862 (ldapsearch), uid 1001: exited on signal 11 (core dumped)
>
> The first message is from the LDAP server. Even if it has some problem, it 
> should not lead the client to segfault.
>
> Any comments, hints or suggestions would be most appreciated!

Dear Henrik,

just a guess from my side.

You said that you installed and configured Kerberos from packages (I 
guess from ports or a prebuilt package).
Did you by any chance set HEIMDAL_HOME=/usr before building and installing 
the kerberos port?

Did you set HEIMDAL_HOME to point to the place where the package/port got 
installed (e.g. HEIMDAL_HOME=/usr/local) before building the cyrus-sasl2 
port?

Did you set HEIMDAL_HOME to anything at all? Please take a look at 
${PORTSDIR}/security/cyrus-sasl2/Makefile to see the logic behind the 
kerberos selection.

The valgrind and gdb output above shows that /usr/lib/libgssapi.so.10 is 
used at runtime, which comes out of the FreeBSD base system, not out of your 
installed kerberos port/package. Maybe there is something messed up, such that 
kerberos from ports/package was used during the build of cyrus-sasl2 but the 
base kerberos libs are used at runtime, or vice versa.

In any case, this is just one thing I would double-check before deeper 
debugging.

Kind regards
Joerg

-- 
The beginning is the most important part of the work.
 				-Plato
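
The check suggested in the reply above, sketched as an added example that is not part of the original mail: it compares where the SASL GSSAPI plugin's Kerberos libraries resolve at runtime with the HEIMDAL_HOME assumed at build time. The `ldd` sample is constructed (addresses and the libkrb5 version are made up), and the function names are hypothetical.

```shell
#!/bin/sh
# Constructed sample of `ldd /usr/local/lib/sasl2/libgssapiv2.so.2` output.
# Addresses and the libkrb5 version are invented for illustration.
sample_ldd() {
cat <<'EOF'
/usr/local/lib/sasl2/libgssapiv2.so.2:
    libgssapi.so.10 => /usr/lib/libgssapi.so.10 (0x28100000)
    libkrb5.so.26 => /usr/local/lib/libkrb5.so.26 (0x28200000)
    libc.so.7 => /lib/libc.so.7 (0x28300000)
EOF
}

# Print "name path" for each Kerberos/GSS library in ldd output on stdin.
krb_libs() {
    awk '$2 == "=>" && $1 ~ /^lib(gssapi|krb5|asn1|hx509|roken)/ { print $1, $3 }'
}

# Print the libraries that do NOT resolve under $1/lib, where $1 is the
# HEIMDAL_HOME assumed at build time. Empty output: build and runtime agree.
outside_home() {
    home=$1
    krb_libs | while read -r name path; do
        case $path in
            "$home"/lib/*) ;;
            *) echo "$name -> $path" ;;
        esac
    done
}

# Return 0 (true) when the Kerberos libraries come from more than one
# directory, i.e. base-system and ports libraries are loaded together.
mixed_origins() {
    n=$(krb_libs | awk '{ sub("/[^/]*$", "", $2); print $2 }' | sort -u |
        awk 'END { print NR }')
    [ "$n" -gt 1 ]
}

# Demo on the constructed sample; on a real system pipe the output of
# `ldd /usr/local/lib/sasl2/libgssapiv2.so.2` into the functions instead.
if [ "${1:-}" = "--demo" ]; then
    sample_ldd | outside_home /usr/local
    if sample_ldd | mixed_origins; then
        echo "mixed base/ports Kerberos libraries"
    fi
fi
```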

