openldap client GSSAPI authentication segfaults in fbsd8stablei386

Joerg Pulz Joerg.Pulz at frm2.tum.de
Sat Jul 17 06:56:12 UTC 2010


On Fri, 16 Jul 2010, Jeremy Chadwick wrote:

> On Fri, Jul 16, 2010 at 03:58:04PM +0300, Reko Turja wrote:
>>> I think we need the OP of the PR[1], Mikhail T., to chime in here
>>> with his
>>> setup.
>>
>> While waiting, can you test the following: In the
>> /usr/local/etc/imapd.conf file comment out
>>
>> #sasl_pwcheck_method: saslauthd
>>
>> and add below it:
>>
>> sasl_mech_list: gssapi pam plain
>
> Thanks -- I did so + restarted imapd, and now we have:
>
> testbox# cyradm localhost
> Login disabled.
> cyradm: cannot authenticate to server with  as root
>
> Jul 16 06:46:02 testbox master[11087]: about to exec /usr/local/cyrus/bin/imapd
> Jul 16 06:46:02 testbox imap[11087]: executed
> Jul 16 06:46:02 testbox imap[11087]: accepted connection
> Jul 16 06:46:02 testbox perl: GSSAPI Error:  Miscellaneous failure (see text) (unknown mech-code 2 for mech unknown)
> Jul 16 06:46:02 testbox kernel: Jul 16 06:46:02 testbox perl: GSSAPI Error:  Miscellaneous failure (see text) (unknown mech-code 2 for mech unknown)
> Jul 16 06:46:02 testbox perl: No worthy mechs found
> Jul 16 06:46:02 testbox kernel: Jul 16 06:46:02 testbox perl: No worthy mechs found

Jeremy,

I followed this thread so far and searched a little bit about the issue.
I also tested on my machines and came to an interesting point.
First, my setup is pretty straightforward.

Set HEIMDAL_HOME=/usr .
Build security/cyrus-sasl2 (OPTIONS don't matter, I think).
Build net/openldap24-sasl-client (select SASL OPTION).

If you don't have any accessible LDAP server on your net (OpenLDAP or 
Windows AD doesn't matter) you have to build and just start one for 
yourself.

Afterwards just try the following command:

ldapsearch -Ygssapi -h <LDAP server hostname>

Now the interesting point.
On my amd64 system I get this after executing the above command:

SASL/GSSAPI authentication started
ldap_sasl_interactive_bind_s: Local error (-2)
         additional info: SASL(-1): generic failure: GSSAPI Error: Miscellaneous failure (see text) (unknown mech-code 2 for mech unknown)

While on my i386 system I get this:

SASL/GSSAPI authentication started
Segmentation fault (core dumped)

A quick look at the gdb bt of the core file looks like this:

#0  0x28310ef5 in free () from /lib/libc.so.7
#1  0x283fc972 in gss_release_buffer () from /usr/lib/libgssapi.so.10
#2  0x283fc37e in gss_release_name () from /usr/lib/libgssapi.so.10
#3  0x283f8da9 in gss_init_sec_context () from /usr/lib/libgssapi.so.10
#4  0x283f1a0b in gssapi_client_mech_step ()
    from /usr/local/lib/sasl2/libgssapiv2.so.2
#5  0x280ed4f4 in sasl_client_step () from /usr/local/lib/libsasl2.so.2

So I think I've hit the same bug all others are experiencing.
It looks like it is an i386 speciality, but it can also be pure luck on
amd64.
I found at least one other report on the net which looks very similar to
what I see: i386 == Segmentation fault, amd64 == Error message.

Jeremy, is your test system running on amd64 or i386?

Kind regards
Joerg

-- 
The beginning is the most important part of the work.
 				-Plato

