From: Tom McLaughlin
To: freebsd-current@freebsd.org
Date: Mon, 07 May 2007 21:25:15 -0400
Subject: libgssapi causing login failures

Hi all,

Since it's ports freeze time I decided to play elsewhere. I'm putting up a -CURRENT box here at home synced as of this morning and trying to get cyrus-sasl2's GSSAPI stuff working with openldap-sasl-client and nss_ldap and GSSAPI working for authentication with sshd. It all already works fine on the -STABLE box here.

After installing cyrus-sasl2 and openldap-sasl-client I would get a core dump when trying to bind to the ldap directory using SASL/GSSAPI for authentication. (Crash info is below.) I found that about a year and a half ago dfr@ made changes to our libgssapi.
For the heck of it I relinked sasl's libgssapiv2.so.2 from libgssapi.so.8 to libgssapi_krb5.so.8 and I could bind to the directory using SASL/GSSAPI for authentication. nss_ldap started working too. I have a pretty good feeling what I did isn't the right fix though.

Now I want to use GSSAPI to login via ssh. I'm using the same config as I do on my -STABLE box but again I can't login and I see the following in /var/log/messages each time I attempt to connect:

May 7 14:33:34 releng-7 kernel: pid 84442 (sshd), uid 0: exited on signal 11

Is there something I'm missing setup wise on -CURRENT that's different from -STABLE wrt libgssapi? Do we need to start checking and fixing ports on -CURRENT which use libgssapi? Any help would be greatly appreciated.

Thanks.

tom

ldapwhoami crash info:
---
[root@releng-7 /root]# ldapwhoami
SASL/GSSAPI authentication started
Segmentation fault (core dumped)

/var/log/messages:
May 7 11:39:08 releng-7 kernel: pid 949 (ldapwhoami), uid 0: exited on signal 11 (core dumped)

backtrace:
---
#0 _gss_oid_equal (oid1=0x28459084, oid2=0x0) at /usr/src/lib/libgssapi/gss_utils.c:39
39 if (oid1->length != oid2->length)
---
#0 _gss_oid_equal (oid1=0x28459084, oid2=0x0) at /usr/src/lib/libgssapi/gss_utils.c:39
No locals.
#1 0x2838a481 in _gss_find_mech_switch (mech=0x0) at /usr/src/lib/libgssapi/gss_mech_switch.c:297
        m = (struct _gss_mech_switch *) 0x28459080
#2 0x283892bc in gss_init_sec_context (minor_status=0xbfbfe828, initiator_cred_handle=0x0, context_handle=0x2843d244, target_name=0x28458240, mech_type=0x0, req_flags=58, time_req=0, input_chan_bindings=0x0, input_token=0x0, actual_mech_type=0x0, output_token=0xbfbfe830, ret_flags=0xbfbfe80c, time_rec=0x0) at /usr/src/lib/libgssapi/gss_init_sec_context.c:78
        major_status = 0
        m = (struct _gss_mech_switch *) 0xbfbfe818
        mn = (struct _gss_mechanism_name *) 0xbfbfe828
        ctx = (struct _gss_context *) 0x28419288
        mc = (struct _gss_mechanism_cred *) 0x0
        cred_handle = 0x283887a4
        allocated_ctx = -1077942328
#3 0x283823c0 in gssapi_client_mech_step (conn_context=0x2843d240, params=0x28436080, serverin=0x0, serverinlen=0, prompt_need=0xbfbfe9fc, clientout=0xbfbfe9f4, clientoutlen=0xbfbfe9f8, oparams=0x2845b860) at gssapi.c:1418
        text = (context_t *) 0x2843d240
        input_token = 0x0
        output_token = 0xbfbfe830
        real_input_token = {length = 0, value = 0x0}
        real_output_token = {length = 672017564, value = 0x0}
        maj_stat = 0
        min_stat = 0
        max_input = 3217025092
        name_token = {length = 31, value = 0x0}
        ret = 108
        req_flags = 58
        out_req_flags = 0
#4 0x280d216e in sasl_client_step (conn=0x2845b000, serverin=0x0, serverinlen=0, prompt_need=0xbfbfe9fc, clientout=0xbfbfe9f4, clientoutlen=0xbfbfe9f8) at client.c:655
        c_conn = (sasl_client_conn_t *) 0x2845b000
        result = 671617024
#5 0x280d1f9b in sasl_client_start (conn=0x2845b000, mechlist=0x2841a440 "PLAIN LOGIN GSSAPI DIGEST-MD5 CRAM-MD5 ANONYMOUS", prompt_need=0xbfbfe9fc, clientout=0xbfbfe9f4, clientoutlen=0xbfbfe9f8, mech=0xbfbfea18) at client.c:603
        c_conn = (sasl_client_conn_t *) 0x2845b000
        name = "����P(3((���p\2021(P(3(�"
        m = (cmechanism_t *) 0x0
        bestm = (cmechanism_t *) 0x0
        pos = 0
        place = 1
        list_len = 671586020
        bestssf = 0
        minssf = 0
        result = 674333244
#6 0x28091844 in ldap_int_sasl_bind (ld=0x28421180, dn=0x0, mechs=0x2841a440 "PLAIN LOGIN GSSAPI DIGEST-MD5 CRAM-MD5 ANONYMOUS", sctrls=0x0, cctrls=0x0, flags=0, interact=0x804c294 <_init+12836>, defaults=0x28418140) at cyrus.c:689
        data = 0x2841a440 "PLAIN LOGIN GSSAPI DIGEST-MD5 CRAM-MD5 ANONYMOUS"
        mech = 0x283846cb "GSSAPI"
        pmech = 0x283846cb "GSSAPI"
        saslrc = 2
        rc = 0
        ssf = (sasl_ssf_t *) 0x0
        ctx = (sasl_conn_t *) 0x2845b000
        oldctx = (sasl_conn_t *) 0x0
        prompts = (sasl_interact_t *) 0x0
        credlen = 0
        ccred = {bv_len = 0, bv_val = 0x0}
        sd = 3
        ssl = (void *) 0x28440260
#7 0x28094af6 in ldap_sasl_interactive_bind_s (ld=0x28421180, dn=0x0, mechs=0x2841a440 "PLAIN LOGIN GSSAPI DIGEST-MD5 CRAM-MD5 ANONYMOUS", serverControls=0x0, clientControls=0x0, flags=0, interact=0x804c294 <_init+12836>, defaults=0x28418140) at sasl.c:479
        rc = 0
        smechs = 0x2841a440 "PLAIN LOGIN GSSAPI DIGEST-MD5 CRAM-MD5 ANONYMOUS"

--
| tmclaugh at sdf.lonestar.org tmclaugh at FreeBSD.org |
| FreeBSD http://www.FreeBSD.org |
| BSD# http://www.mono-project.com/Mono:FreeBSD |
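
Added example (not part of the original message and not FreeBSD's libgssapi code): the backtrace shows gss_init_sec_context() called with mech_type=0x0 and _gss_oid_equal() dereferencing oid2=0x0. RFC 2744 lets a caller pass GSS_C_NO_OID (a null pointer) as mech_type to request the default mechanism, so a mechanism lookup has to handle that value before comparing OIDs. The names oid_desc, oid_equal, find_mech and mech_table are hypothetical, and treating the first table entry as the default is an assumption.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical stand-in for gss_OID_desc: a length plus DER-encoded bytes. */
typedef struct { unsigned length; const unsigned char *elements; } oid_desc;

/* DER bodies: Kerberos 5 (1.2.840.113554.1.2.2), SPNEGO (1.3.6.1.5.5.2). */
static const unsigned char krb5_der[] = {0x2a,0x86,0x48,0x86,0xf7,0x12,0x01,0x02,0x02};
static const unsigned char spnego_der[] = {0x2b,0x06,0x01,0x05,0x05,0x02};
static const unsigned char unknown_der[] = {0x2a,0x03,0x04}; /* constructed: 1.2.3.4 */

static const oid_desc krb5_mech = { sizeof krb5_der, krb5_der };
static const oid_desc spnego_mech = { sizeof spnego_der, spnego_der };
static const oid_desc unknown_mech = { sizeof unknown_der, unknown_der };

/* Assumption: the first entry is the implementation's default mechanism. */
static const oid_desc *const mech_table[] = { &krb5_mech, &spnego_mech };

/* Null-safe comparison: two absent OIDs match, one absent OID never does.
 * Without the NULL checks, a->length != b->length faults when b is NULL,
 * which is the access reported at gss_utils.c:39 in the backtrace. */
static int oid_equal(const oid_desc *a, const oid_desc *b)
{
    if (a == b)
        return 1;
    if (a == NULL || b == NULL)
        return 0;
    if (a->length != b->length)
        return 0;
    return memcmp(a->elements, b->elements, a->length) == 0;
}

/* Look up a mechanism; NULL (GSS_C_NO_OID) selects the default instead of
 * being compared against every table entry. Returns NULL if unsupported. */
static const oid_desc *find_mech(const oid_desc *mech)
{
    size_t i;

    if (mech == NULL)
        return mech_table[0];
    for (i = 0; i < sizeof mech_table / sizeof mech_table[0]; i++)
        if (oid_equal(mech_table[i], mech))
            return mech_table[i];
    return NULL;
}

int main(void)
{
    printf("NULL mech -> krb5 default: %d\n", find_mech(NULL) == &krb5_mech);
    printf("unknown mech found: %d\n", find_mech(&unknown_mech) != NULL);
    return 0;
}
```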