From owner-freebsd-stable@FreeBSD.ORG Thu Sep 2 13:52:29 2010
Message-ID: <4C7FAC14.3040507@janh.de>
Date: Thu, 02 Sep 2010 15:52:20 +0200
From: Jan Henrik Sylvester
To: Jeremy Chadwick
Cc: stable-list freebsd
References: <4C7E803F.1090606@janh.de> <20100902115047.GA37856@icarus.home.lan>
In-Reply-To: <20100902115047.GA37856@icarus.home.lan>
Subject: Re: GSSAPI (for OpenLDAP) on FreeBSD 8?

On 09/02/2010 13:50, Jeremy Chadwick wrote:
> On Wed, Sep 01, 2010 at 06:33:03PM +0200, Jan Henrik Sylvester wrote:
>> I have got problems with GSSAPI authentication to OpenLDAP:
>> ldap_sasl_interactive_bind_s: Other (e.g., implementation specific)
>> error (80)
>> additional info: SASL(-1): generic failure: GSSAPI Error:
>> No credentials were supplied, or the credentials were unavailable or
>> inaccessible. (unknown mech-code 0 for mech unknown)
>>
>> There were at least two discussions, multiple bug reports, and
>> patches about broken GSSAPI on FreeBSD 8, the longest (I found)
>> starting here:
>> http://lists.freebsd.org/pipermail/freebsd-stable/2010-July/057734.html
>>
>> After reading through these discussions, I do not know what the
>> proper fix is -- I would like to change as little as possible
>> introducing SASL authentication to a (production) OpenLDAP server.
>>
>> I have got: an i386 Kerberos server, an LDAP server in a jail on
>> i386, some amd64 clients -- all running 8.1-RELEASE. Eventually
>> there need to be some Debian/Ubuntu clients using GSSAPI/SASL, too.
>>
>> What do I need to "fix"? Just the LDAP server? Is it enough to
>> change the jail, or does the host need to be patched, too? Or do I
>> need to fix the client, too? The Kerberos server?
>>
>> From the discussion, multiple fixes were possible: patching
>> libgssapi and reinstalling everything depending on it (what?),
>> installing the heimdal-1.0 port (while FreeBSD 8 comes with
>> heimdal-1.1), installing an unofficial heimdal-1.2 port, ...
>>
>> Is that correct? Anything new after the discussion in July?
>>
>> From the discussion, some patches should already be in 8-STABLE, but
>> I could not find the revision (after 8.1-RELEASE).
>>
>> If I upgraded the LDAP jail to 8-STABLE, I guess the host needs to
>> be updated, too. Hence I would prefer to just change ports or update
>> single libraries.
>>
>> Does anyone have OpenLDAP+GSSAPI running on FreeBSD 8? With the
>> libgssapi patch? With the heimdal-1.2 port?
>
> Can you please try the patch I proposed and see if it improves your
> situation? Thanks.
>
> http://lists.freebsd.org/pipermail/freebsd-stable/2010-July/057830.html

I had already tried the gss_release_buffer patch. It fixes that crash
doing the GSSAPI operation from i386 and brings i386 on par with amd64
-- to the error message I mentioned above.

I have also tried the change to /usr/bin/krb5-config before building
OpenLDAP -- with no effect, either.

I have not tried the "big" libgssapi patch from kern/147454, as I was
hoping to do a smaller change.

Cheers,
Jan Henrik