[SPF:fail] Re: [PATCH] SASL problems with spnego on 8.0-BETA4

George Mamalakis mamalos at eng.auth.gr
Thu Feb 25 11:43:04 UTC 2010


On 23/02/2010 14:18, Alexander Nedotsukov wrote:
> The patch in question was committed a few months ago. I can only add that on my 8-STABLE machine the combination of cyrus/gssapi/openldap works fine.
> You have to check whether ldd /usr/lib/libgssapi_krb5.so produces output like this:
>
> /usr/lib/libgssapi_krb5.so:
> 	libgssapi.so.10 =>  /usr/lib/libgssapi.so.10 (0x281ac000)
> 	libkrb5.so.10 =>  /usr/lib/libkrb5.so.10 (0x28300000)
> 	libhx509.so.10 =>  /usr/lib/libhx509.so.10 (0x281b5000)
> 	libcrypto.so.6 =>  /lib/libcrypto.so.6 (0x2835b000)
> 	libroken.so.10 =>  /usr/lib/libroken.so.10 (0x281e9000)
> 	libasn1.so.10 =>  /usr/lib/libasn1.so.10 (0x284ae000)
> 	libcom_err.so.5 =>  /usr/lib/libcom_err.so.5 (0x281f8000)
> 	libcrypt.so.5 =>  /lib/libcrypt.so.5 (0x28527000)
> 	libc.so.7 =>  /lib/libc.so.7 (0x2808e000)
>
>
> On 23.02.2010, at 2:06, George Mamalakis wrote:
>
>    
>> On 07/10/2009 07:38, John Marshall wrote:
>>      
>>> access with gssapi auth from a client succeeded.
>>>
>>> Perhaps George Mamalakis could test the _spnego case?
>>>        
>> Guys,
>>
>> I am terribly sorry to tell you that I just now saw this conversation(!?!! 4 months later !!!). This is due to the fact that at that time I was mainly tracking the fbsd-stable list (my first email started in fbsd-stable list), and since I use filters in thunderbird, I never got to see your emails in my inbox...truly sorry once more!!!
>>
>> I don't know if Alexander's patch is still valid but from what I realize -since I have built many systems based on fbsd-stable (with latest sources) and I had to "hack" krb5-config in order to achieve correct behavior of cyrus/gssapi/spnego/openldap- it hasn't yet been committed to fbsd8-stable sources. If so, I will apply it on my machines and rerun my applications.
>>
>> Sorry again for the delay!
>>
>> -- 
>> George Mamalakis
>>
>> IT Officer
>> Electrical and Computer Engineer (Aristotle Un. of Thessaloniki),
>> MSc (Imperial College of London)
>>
>> Department of Electrical and Computer Engineering
>> Faculty of Engineering
>> Aristotle University of Thessaloniki
>>
>> phone number : +30 (2310) 994379
>>      
>    
Alexander,

using sources of 19/02/2010, I recompiled cyrus with the original 
/usr/bin/krb5-config, and ldapwhoami worked fine. The output of ldd 
/usr/lib/libgssapi_krb5.so is the one to be expected, so things must be ok.

The only problem I still have, and which has to do with 
freebsd/heimdal/openldap/cyrus bundle, is that openldap-sasl-client 
(i386) segfaults when using ldapwhoami if run without having obtained a 
ticket first.

I have sent an email to fbsd-stable list with subject:  "openldap client 
GSSAPI authentication segfaults in fbsd8stable i386" regarding this 
issue, where I list all my tests on all different machines, and a stack 
trace of the system where ldapwhoami segfaults. I have received no 
answer for this topic yet, but I think that if one of you reads it, he 
may find an answer. At the time of this writing, on fbsd8stable systems 
(i386) with heimdal/openldap-sasl-client/cyrus-sasl, ldapwhoami and 
ldapsearch segfault when called without a ticket.

Thank you for your answer, and I am looking forward to seeing some feedback 
on this issue.

Best regards,

George Mamalakis

-- 
George Mamalakis

IT Officer
Electrical and Computer Engineer (Aristotle Un. of Thessaloniki),
MSc (Imperial College of London)

Department of Electrical and Computer Engineering
Faculty of Engineering
Aristotle University of Thessaloniki

phone number : +30 (2310) 994379


