Date:      Sun, 18 Jul 2010 16:52:21 +0300
From:      "Reko Turja" <reko.turja@liukuma.net>
To:        "Benjamin Lee" <ben@b1c1l1.com>
Cc:        "Mikhail T." <mi+thun@aldan.algebra.com>, Jeremy Chadwick <freebsd@jdc.parodius.com>, freebsd-stable@freebsd.org, Joerg Pulz <Joerg.Pulz@frm2.tum.de>, Henrik /KaarPoSoft <henrik@kaarposoft.dk>
Subject:   Re: openldap client GSSAPI authentication segfaults in fbsd8stablei386
Message-ID:  <C02937BFFC334B91B645D6EB6287B4FF@rivendell>
In-Reply-To: <4C41F34E.2030309@b1c1l1.com>
References:  <EF24D143F0AF49AD9B27F838AFA0A6F4@rivendell>	<20100716110427.GA1939@icarus.home.lan>	<20100716111000.GA2501@icarus.home.lan>	<7AD0E8F6044245DEA6C218A28F08FB99@rivendell>	<20100716122446.GA3241@icarus.home.lan>	<B06E2DF2032C480AA3094E2F561911AF@rivendell>	<20100716135102.GA5625@icarus.home.lan>	<alpine.BSF.2.00.1007170834400.32465@unqrf.nqzva.sez2>	<20100717134149.GA40907@icarus.home.lan>	<677C8B72CF414265A0819E4824212BB5@rivendell> <20100717144120.GA42230@icarus.home.lan> <4C41F34E.2030309@b1c1l1.com>

After manually changing the gssapi header used in
/usr/src/include/rpc/rpcsec_gss.h to somewhat klunky "#include
"/usr/src/crypto/heimdal/lib/gssapi/gssapi/gssapi.h"" system csupped
yesterday built okay and after rebuilding cyrus-sasl, saslauthd and
cyrus I get the following failures in log:

Jul 18 16:37:35 moria perl: GSSAPI Error:  Miscellaneous failure (see
text)^B (open(/tmp/krb5cc_0): No such file or directory)

-This is expected behaviour as Kerberos was not running at the moment,
but with Benjamin's patch Kerberos/GSSAPI spat out a meaningful error
message

After dusting off my old Kerberos setup, doing basic kinit and running
cyradm localhost I got:

Jul 18 16:39:00 moria perl: GSSAPI Error:  Miscellaneous failure (see
text) (Server (imap/localhost@XXX.DOMAIN.COM) unknown)

-Again expected as there is no imap trust relationship defined.

So at least after cursory testing it looks like with Benjamin's
patch there is a working GSSAPI/Kerberos backend available, instead of
something that chokes on passed parameters that are ok for every other
tested gssapi implementation.

Of course, more thorough testing in a proper kerberised/LDAP environment
needs to be done, which is something I haven't got time for at the moment.

-Reko



