From: Tom McLaughlin <tmclaugh@sdf.lonestar.org>
Date: Thu, 26 Feb 2009 08:39:00 -0500
To: Harti Brandt
Cc: current@freebsd.org
Subject: Re: problem with nss_ldap
Message-ID: <49A69B74.1080201@sdf.lonestar.org>
List-Id: Discussions about the use of FreeBSD-current

Harti Brandt wrote:
> On Sun, 18 Jan 2009, Hartmut.Brandt@dlr.de wrote:
>
>> Hi,
>>
>> for a year or so I had nss_ldap connected to an active directory (with
>> openldap23-sasl-client) on a year-old current. Yesterday I've rebuilt
>> everything and I started to get 'undefined symbols' (for example
>> gss_equal_oid) when running any program needing pw or group entries.
>> After some poking around I fixed these by adding -lgssapi to the
>> Makefiles for libgssapi_krb5.so and libgssapi_spnego.so. Now getent,
>> local login and everything works fine, except cron and sshd.

Hi Harti,

I'm setting up a -CURRENT VM right now with nss_ldap and have an LDAP
server which requires SASL. I use a global krb5 credentials cache for
nss_ldap, as it appears you do. The last time I did this was right around
the time the latest heimdal was imported. My setup worked before the
import and broke afterwards.

As I recall from talking to dfr@ (?), libgssapi_{krb5,spnego} are just
plugins for libgssapi. They should not need to be linked against libgssapi,
and other things should not link against them. I would like to see this
fixed, as libgssapi is intended to be used. I just want to know what the
proper fix is. (Hey, I just found the old conversation with dfr@ in my
inbox, but I need to read through the whole thing to figure out what's up.)

>> Both create entries in /var/log/messages like:
>>
>> Jan 18 20:00:02 knopdnsimu13f cron[1495]: GSSAPI Error: Miscellaneous failure (see text)???????????????ZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZ
>> Jan 18 20:00:02 knopdnsimu13f kernel: ZZZZZZZZZZZZZZZZ
>>
>> I've tried to figure out in which of the dozens of layered libraries
>> (gss, sasl, ssl, ......) this error is generated but did not find anything.
>>
>> This is on amd64, krb5 enabled in pam, gssapi disabled in sshd_config
>> (as I said, this worked before).
>
> So to answer my own mail: I made a link from the kerberos ticket file
> which contains the host ticket (and is specified in nss_ldap.conf) to
> /tmp/krb5cc_0. I've no idea why this is suddenly necessary, though.

There may be an issue with the env method used in nss_ldap to change the
credentials cache. My mind is fuzzy, but I do recall a similar issue; I
don't remember the exact cause or case, though. nss_ldap has a second
configurable ccname method which, when I submitted the original patch, I
intended to switch to once we had a newer heimdal. Once I get nss_ldap
working on my box I intend to submit another patch.

tom

--
| tmclaugh at sdf.lonestar.org tmclaugh at FreeBSD.org |
| FreeBSD http://www.FreeBSD.org |
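A small diagnostic for the credentials-cache mismatch Harti worked around above (a ticket file named in nss_ldap.conf that root daemons such as cron and sshd do not find until it is linked to /tmp/krb5cc_0). This is an added example, not code from the thread or from nss_ldap; it assumes nss_ldap.conf carries a "krb5_ccname FILE:/path" directive and that /tmp/krb5cc_0 is the default root ccache, both overridable by the caller.

```shell
# Diagnostic added here; not part of the mail thread or of nss_ldap.
# Assumptions: nss_ldap.conf names the ticket file as "krb5_ccname FILE:/path",
# and a root daemon with no KRB5CCNAME in its environment looks at /tmp/krb5cc_0.

# Print the ccache path named by krb5_ccname (FILE: prefix stripped), if any.
ccname_from_conf() {
    awk '$1 == "krb5_ccname" { sub(/^FILE:/, "", $2); print $2; exit }' "$1"
}

# check_root_ccache CONF [DEFAULT_CCACHE]
# Returns 0 when a root daemon looking at the default ccache would see the
# same ticket file nss_ldap.conf names; nonzero codes describe the gap:
#   2: no krb5_ccname directive    3: configured ccache unreadable
#   4: default ccache absent       1: default ccache is a different file
check_root_ccache() {
    conf=$1
    default_cc=${2:-/tmp/krb5cc_0}
    cc=$(ccname_from_conf "$conf")
    if [ -z "$cc" ]; then
        echo "no krb5_ccname in $conf; nss_ldap relies on KRB5CCNAME/env"
        return 2
    fi
    if [ ! -r "$cc" ]; then
        echo "configured ccache $cc is missing or unreadable"
        return 3
    fi
    if [ ! -e "$default_cc" ]; then
        echo "$default_cc absent: root daemons will not find $cc"
        return 4
    fi
    # -ef compares inodes, so both a symlink (the workaround in the thread)
    # and a hard link count as the same file.
    if [ "$cc" -ef "$default_cc" ]; then
        echo "ok: $default_cc and $cc are the same file"
        return 0
    fi
    echo "$default_cc exists but is not $cc"
    return 1
}
```

Run it as `check_root_ccache /etc/nss_ldap.conf` (or `/usr/local/etc/nss_ldap.conf` on FreeBSD) and act on the exit code.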