i386/151444: Kerberos5 is broken in the base system from 8.1 (i386)

[Martin Schweizer]

>Number:         151444
>Category:       i386
>Synopsis:       Kerberos5 is broken in the base system from 8.1 (i386)
>Confidential:   no
>Severity:       critical
>Priority:       high
>Responsible:    freebsd-i386
>State:          open
>Quarter:        
>Keywords:       
>Date-Required:
>Class:          sw-bug
>Submitter-Id:   current-users
>Arrival-Date:   Thu Oct 14 05:30:07 UTC 2010
>Closed-Date:
>Last-Modified:
>Originator:     Martin Schweizer
>Release:        FreeBSD 8.1 Release
>Organization:
PC-Service M. Schweizer GmbH
>Environment:
FreeBSD acsvfbsd04.acutronic.ch 8.1-RELEASE FreeBSD 8.1-RELEASE #2: Wed Oct 13 23:46:17 CEST 2010     martin at acsvfbsd04.acutronic.ch:/usr/obj/usr/src/sys/GENERIC  i386
>Description:
The kerberos5 system in the base is only under FreeBSD 8.1 Release i386 (not under amd64 and also not in earlier releases) broken. kinit it works. Also compile the source without kerberos5 and use heimdal from ports is not a solution because it works also not. There are different threads in the past months about this (gssapi segfault):
- http://docs.freebsd.org/mail/archive/2010/freebsd-stable/20100725.freebsd-stable.html
- http://docs.freebsd.org/mail/archive/2010/freebsd-stable/20100718.freebsd-stable.html

Here are my threads:
- http://docs.freebsd.org/mail/archive/2010/freebsd-stable/20101003.freebsd-stable.html (Kerberos/SASL)

Since I'm not a programmer I can not give you more debug details. I also checked the saslauthd with truss. There I found that kerberos will check each time a directory which is called /usr/lib/plugin/krb5 but isn't existend. I did not found any information what kerberos here is looking for.
>How-To-Repeat:
Cyrus sasl (newest verison) with saslauth -a kerberos5. 
>Fix:
It works with -a pam, but you need a long outstanding patch (http://www.freebsd.org/cgi/query-pr.cgi?pr=76678&cat=)!

>Release-Note:
>Audit-Trail:
>Unformatted: