openldap client GSSAPI authentication segfaults in fbsd8stable
i386
George Mamalakis
mamalos at eng.auth.gr
Thu Feb 25 14:12:55 UTC 2010
To sum things up.
By fixing my /etc/hosts to read as it should (this needs some work too,
the behavior with the 'wrong' /etc/hosts is unexpected), ldapwhoami
works fine IF (AND ONLY IF) someone kinits to a user principal;
otherwise it segfaults. My default binding method is GSSAPI, hence the
segfault. If I use simple bind (ldapwhoami -W -D 'blabla') it works
fine. If I LD_PRELOAD the "hacked" library lala.so, which is created
like this:
lala.c:
int gss_release_buffer(void *a, void *b) {
return 0;
}
# gcc -c -fPIC -shared lala.c -o lala.so
and if I haven't obtained any kerberos tickets, then
# ldapwhoami
SASL/GSSAPI authentication started
Segmentation fault: 11 (core dumped)
once I ldpreload the above fake-library, then:
# LD_PRELOAD=./lala.so ldapwhoami
SASL/GSSAPI authentication started
ldap_sasl_interactive_bind_s: Local error (-2)
additional info: SASL(-1): generic failure: GSSAPI Error:
Miscellaneous failure (see text) (unknown mech-code 2 for mech unknown)
which is what is expected.
This, maybe implies that something is freed by gss_release_buffer that
normally shouldn't.
amd64 won't hang in the same test (so no need to ld_preload anything),
but shares the same problem with i386 when /etc/hosts is not as expected
(to recreate the /etc/hosts problem, place in your /etc/hosts file two
fqdns for the ldap server's IP, but write the ldap server's fqdn second
in turn).
Thank you all and have a nice evening.
--
George Mamalakis
IT Officer
Electrical and Computer Engineer (Aristotle Un. of Thessaloniki),
MSc (Imperial College of London)
Department of Electrical and Computer Engineering
Faculty of Engineering
Aristotle University of Thessaloniki
phone number : +30 (2310) 994379
More information about the freebsd-current
mailing list