openldap client GSSAPI authentication segfaults in fbsd8stablei386

Jeremy Chadwick freebsd at jdc.parodius.com
Fri Jul 16 12:24:49 UTC 2010


On Fri, Jul 16, 2010 at 02:33:17PM +0300, Reko Turja wrote:
> You can move the surplus mechs (libopie*, libntlm*) from
> /usr/local/lib/sasl2 to for example /usr/local/lib/sasl2/disabled

To deal with this in a more clean manner, I rebuilt
security/cyrus-sasl23 with the following OPTIONS unchecked:

OTP
NTLM

> check that you have the following in /etc/rc.conf and restart
> saslauthd afterwards
> 
> saslauthd_enable="YES"
> saslauthd_flags="-a pam"

saslauthd isn't in use/installed on this system:

testbox# pkg_info
cyrus-imapd-2.3.16_1 The cyrus mail server, supporting POP3 and IMAP4 protocols
cyrus-sasl-2.1.23   RFC 2222 SASL (Simple Authentication and Security Layer)
db41-4.1.25_4       The Berkeley DB package, revision 4.1
libtool-2.2.6b      Generic shared library support script
perl-5.10.1_1       Practical Extraction and Report Language
portaudit-0.5.15    Checks installed ports against a list of security vulnerabi
rsync-3.0.7         A network file distribution/synchronization utility
vim-lite-7.2.411    Vi "workalike", with many additional features (Lite package

Same situation:

testbox# cyradm localhost
Password:
Login disabled.
cyradm: cannot authenticate to server with  as root

all.log:

Jul 16 05:13:19 testbox master[10873]: about to exec /usr/local/cyrus/bin/imapd
Jul 16 05:13:19 testbox imap[10873]: executed
Jul 16 05:13:19 testbox imap[10873]: accepted connection
Jul 16 05:13:19 testbox perl: GSSAPI Error:  Miscellaneous failure (see text) (unknown mech-code 2 for mech unknown)
Jul 16 05:13:19 testbox kernel: Jul 16 05:13:19 testbox perl: GSSAPI Error:  Miscellaneous failure (see text) (unknown mech-code 2 for mech unknown)
Jul 16 05:13:19 testbox perl: DIGEST-MD5 client step 2
Jul 16 05:13:20 testbox imap[10873]: badlogin: localhost [127.0.0.1] DIGEST-MD5 [SASL(-17): One time use of a plaintext password will enable requested mechanism for user: no secret in database]
Jul 16 05:13:23 testbox perl: No worthy mechs found
Jul 16 05:13:23 testbox kernel: Jul 16 05:13:23 testbox perl: No worthy mechs found

It looks like authentication isn't working, probably because I haven't
added any users into the SASL authentication DB.  I believe saslauthd
can also solve this (allowing use of things like /etc/master.passwd
for authentication, as well as other frameworks), but it doesn't look
like it's required.

When I did "make install" for security/cyrus-sasl23, I saw this
message near the end:

You can use sasldb2 for authentication, to add users use:

        saslpasswd2 -c username

So I tried doing exactly that:

testbox# saslpasswd2 -c root
Password:
Again (for verification):
testbox#

Now let's try cyradm again.  Note that at this point I *have not*
entered a password below:

testbox# cyradm localhost
Password:

I immediately see this in syslog:

Jul 16 05:19:47 testbox imap[10881]: accepted connection
Jul 16 05:19:47 testbox perl: GSSAPI Error:  Miscellaneous failure (see text) (unknown mech-code 2 for mech unknown)
Jul 16 05:19:47 testbox perl: DIGEST-MD5 client step 2

Now if I enter the correct password, I get a new prompt:

localhost>

And syslog then shows:

Jul 16 05:21:06 testbox imap[10881]: IOERROR: opening /var/imap/user_deny.db: No such file or directory
Jul 16 05:21:06 testbox perl: DIGEST-MD5 client step 3
Jul 16 05:21:06 testbox imap[10881]: login: localhost [127.0.0.1] root DIGEST-MD5 User logged in
Jul 16 05:21:06 testbox imap[10881]: IOERROR: opening /var/imap/user_deny.db: No such file or directory

So it looks like SASL-wise things are functioning correctly, but GSSAPI
isn't in use (you can see from the error it spits out above).

I think we need the OP of the PR[1], Mikhail T., to chime in here with his
setup.

[1]: http://lists.freebsd.org/pipermail/freebsd-bugs/2010-March/038956.html

-- 
| Jeremy Chadwick                                   jdc at parodius.com |
| Parodius Networking                       http://www.parodius.com/ |
| UNIX Systems Administrator                  Mountain View, CA, USA |
| Making life hard for others since 1977.              PGP: 4BD6C0CB |
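As an added example (not part of the mail above, and not cyrus-sasl or cyradm code), a small Python triage script that parses syslog lines like the ones quoted in this message and reports which SASL mechs the client attempted and why each one failed; the sample log below is constructed from the lines in the mail, and the event patterns are assumptions matched against those lines only.

```python
import re

# Sample syslog lines constructed from the exchange quoted in the mail (not a live log).
SAMPLE_LOG = """\
Jul 16 05:13:19 testbox perl: GSSAPI Error:  Miscellaneous failure (see text) (unknown mech-code 2 for mech unknown)
Jul 16 05:13:19 testbox perl: DIGEST-MD5 client step 2
Jul 16 05:13:20 testbox imap[10873]: badlogin: localhost [127.0.0.1] DIGEST-MD5 [SASL(-17): One time use of a plaintext password will enable requested mechanism for user: no secret in database]
Jul 16 05:13:23 testbox perl: No worthy mechs found
Jul 16 05:21:06 testbox imap[10881]: login: localhost [127.0.0.1] root DIGEST-MD5 User logged in
"""

# Classic BSD syslog layout: timestamp, host, program[pid]: message.
SYSLOG_RE = re.compile(r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) (?P<host>\S+) "
                       r"(?P<prog>[^:\[ ]+)(?:\[(?P<pid>\d+)\])?: (?P<msg>.*)$")
# Message patterns for the SASL/GSSAPI events seen in this thread (assumed, not from libsasl docs).
EVENT_RES = {
    "gssapi_error": re.compile(r"^GSSAPI Error:\s+(?P<detail>.*)$"),
    "client_step":  re.compile(r"^(?P<mech>[A-Z0-9-]+) client step (?P<step>\d+)$"),
    "badlogin":     re.compile(r"^badlogin: .*? (?P<mech>[A-Z0-9-]+) \[(?P<reason>.*)\]$"),
    "no_mechs":     re.compile(r"^No worthy mechs found$"),
    "login":        re.compile(r"^login: .*? (?P<user>\S+) (?P<mech>[A-Z0-9-]+) User logged in$"),
}

def parse_event(line):
    # Return (event_name, fields) for a SASL-related line, or None for anything else.
    m = SYSLOG_RE.match(line.rstrip())
    if not m:
        return None
    for name, rx in EVENT_RES.items():
        em = rx.match(m.group("msg"))
        if em:
            return name, {"ts": m.group("ts"), "prog": m.group("prog"), **em.groupdict()}
    return None

def summarize(log_text):
    # Which mechs were tried (in order), the failure reason per mech, and any successful login.
    summary = {"attempted": [], "failed": {}, "logged_in": None, "no_worthy_mechs": False}
    for line in log_text.splitlines():
        ev = parse_event(line)
        if ev is None:
            continue
        name, f = ev
        if name == "gssapi_error":
            summary["attempted"].append("GSSAPI")
            summary["failed"]["GSSAPI"] = f["detail"]
        elif name == "client_step" and f["mech"] not in summary["attempted"]:
            summary["attempted"].append(f["mech"])
        elif name == "badlogin":
            summary["failed"][f["mech"]] = f["reason"]
        elif name == "no_mechs":
            summary["no_worthy_mechs"] = True
        elif name == "login":
            summary["logged_in"] = (f["user"], f["mech"])
    return summary
```

Run over a whole all.log the summary tells you in one glance whether GSSAPI was ever attempted, whether the client fell through to DIGEST-MD5, and whether the failure was "no secret in database" (empty sasldb2) rather than a mech problem.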