From: Jeremy Chadwick
To: Reko Turja
Cc: "Mikhail T.", freebsd-stable@freebsd.org, Henrik /KaarPoSoft
Date: Fri, 16 Jul 2010 05:24:46 -0700
Subject: Re: openldap client GSSAPI authentication segfaults in fbsd8stablei386
Message-ID: <20100716122446.GA3241@icarus.home.lan>
In-Reply-To: <7AD0E8F6044245DEA6C218A28F08FB99@rivendell>

On Fri, Jul 16, 2010 at 02:33:17PM +0300, Reko Turja wrote:
> You can move the surplus mechs (libopie*, libntlm*) from
> /usr/local/lib/sasl2 to for example /usr/local/lib/sasl2/disabled

To deal with this in a cleaner manner, I rebuilt security/cyrus-sasl23
with the following OPTIONS unchecked: OTP NTLM

> check that you have the following in /etc/rc.conf and restart
> saslauthd afterwards
>
> saslauthd_enable="YES"
> saslauthd_flags="-a pam"

saslauthd isn't in use/installed on this system:

testbox# pkg_info
cyrus-imapd-2.3.16_1  The cyrus mail server, supporting POP3 and IMAP4 protocols
cyrus-sasl-2.1.23     RFC 2222 SASL (Simple Authentication and Security Layer)
db41-4.1.25_4         The Berkeley DB package, revision 4.1
libtool-2.2.6b        Generic shared library support script
perl-5.10.1_1         Practical Extraction and Report Language
portaudit-0.5.15      Checks installed ports against a list of security vulnerabi
rsync-3.0.7           A network file distribution/synchronization utility
vim-lite-7.2.411      Vi "workalike", with many additional features (Lite package

Same situation:

testbox# cyradm localhost
Password:
Login disabled.
cyradm: cannot authenticate to server with as root

all.log:

Jul 16 05:13:19 testbox master[10873]: about to exec /usr/local/cyrus/bin/imapd
Jul 16 05:13:19 testbox imap[10873]: executed
Jul 16 05:13:19 testbox imap[10873]: accepted connection
Jul 16 05:13:19 testbox perl: GSSAPI Error: Miscellaneous failure (see text) (unknown mech-code 2 for mech unknown)
Jul 16 05:13:19 testbox kernel: Jul 16 05:13:19 testbox perl: GSSAPI Error: Miscellaneous failure (see text) (unknown mech-code 2 for mech unknown)
Jul 16 05:13:19 testbox perl: DIGEST-MD5 client step 2
Jul 16 05:13:20 testbox imap[10873]: badlogin: localhost [127.0.0.1] DIGEST-MD5 [SASL(-17): One time use of a plaintext password will enable requested mechanism for user: no secret in database]
Jul 16 05:13:23 testbox perl: No worthy mechs found
Jul 16 05:13:23 testbox kernel: Jul 16 05:13:23 testbox perl: No worthy mechs found

It looks like authentication isn't working, probably because I haven't
added any users into the SASL authentication DB. I believe saslauthd can
also solve this (allowing use of things like /etc/master.passwd for
authentication, as well as other frameworks), but it doesn't look like
it's required.

When I did "make install" for security/cyrus-sasl23, I saw this message
near the end:

  You can use sasldb2 for authentication, to add users use:
  saslpasswd2 -c username

So I tried doing exactly that:

testbox# saslpasswd2 -c root
Password:
Again (for verification):
testbox#

Now let's try cyradm again. Note that at this point I *have not* entered
a password below:

testbox# cyradm localhost
Password:

I immediately see this in syslog:

Jul 16 05:19:47 testbox imap[10881]: accepted connection
Jul 16 05:19:47 testbox perl: GSSAPI Error: Miscellaneous failure (see text) (unknown mech-code 2 for mech unknown)
Jul 16 05:19:47 testbox perl: DIGEST-MD5 client step 2

Now if I enter the correct password, I get a new prompt:

localhost>

And syslog then shows:

Jul 16 05:21:06 testbox imap[10881]: IOERROR: opening /var/imap/user_deny.db: No such file or directory
Jul 16 05:21:06 testbox perl: DIGEST-MD5 client step 3
Jul 16 05:21:06 testbox imap[10881]: login: localhost [127.0.0.1] root DIGEST-MD5 User logged in
Jul 16 05:21:06 testbox imap[10881]: IOERROR: opening /var/imap/user_deny.db: No such file or directory

So it looks like SASL-wise things are functioning correctly, but GSSAPI
isn't in use (you can see from the error it spits out above). I think we
need the OP of the PR[1], Mikhail T., to chime in here with his setup.

[1]: http://lists.freebsd.org/pipermail/freebsd-bugs/2010-March/038956.html

-- 
| Jeremy Chadwick                                   jdc@parodius.com |
| Parodius Networking                       http://www.parodius.com/ |
| UNIX Systems Administrator                  Mountain View, CA, USA |
| Making life hard for others since 1977.              PGP: 4BD6C0CB |
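As an added example (not part of the thread), a small Python parser for the Cyrus imapd / SASL syslog lines quoted above: it classifies each line as a GSSAPI error, a badlogin with its SASL code and reason, a successful login, or "No worthy mechs found", and counts outcomes per mechanism, flagging the "no secret in database" failure that adding the user with saslpasswd2 resolved here. The lines in SAMPLE_LOG are constructed from the excerpts in the message; the regexes assume the imapd log format shown there.

```python
import re
from collections import Counter

# Constructed sample lines, modelled on the all.log excerpts quoted in the message.
SAMPLE_LOG = """\
Jul 16 05:13:19 testbox perl: GSSAPI Error: Miscellaneous failure (see text) (unknown mech-code 2 for mech unknown)
Jul 16 05:13:19 testbox perl: DIGEST-MD5 client step 2
Jul 16 05:13:20 testbox imap[10873]: badlogin: localhost [127.0.0.1] DIGEST-MD5 [SASL(-17): One time use of a plaintext password will enable requested mechanism for user: no secret in database]
Jul 16 05:13:23 testbox perl: No worthy mechs found
Jul 16 05:21:06 testbox imap[10881]: login: localhost [127.0.0.1] root DIGEST-MD5 User logged in
"""

# imapd logs failed and successful authentications together with the mechanism tried.
BADLOGIN_RE = re.compile(
    r"imap\[(?P<pid>\d+)\]: badlogin: (?P<host>\S+) \[(?P<ip>[^\]]+)\] "
    r"(?P<mech>\S+) \[SASL\((?P<code>-?\d+)\): (?P<reason>.*)\]$")
LOGIN_RE = re.compile(
    r"imap\[(?P<pid>\d+)\]: login: (?P<host>\S+) \[(?P<ip>[^\]]+)\] "
    r"(?P<user>\S+) (?P<mech>\S+) User logged in$")
GSSAPI_RE = re.compile(r"GSSAPI Error: (?P<detail>.*)$")

def parse_sasl_events(log_text):
    """Classify each syslog line into an auth event; unrelated lines are skipped."""
    events = []
    for line in log_text.splitlines():
        if m := BADLOGIN_RE.search(line):
            events.append({"kind": "badlogin", **m.groupdict()})
        elif m := LOGIN_RE.search(line):
            events.append({"kind": "login", **m.groupdict()})
        elif m := GSSAPI_RE.search(line):
            events.append({"kind": "gssapi_error", "detail": m.group("detail")})
        elif "No worthy mechs found" in line:
            events.append({"kind": "no_mechs"})
    return events

def summarize(events):
    """Count outcomes per (mechanism, result) and flag the sasldb 'no secret' case."""
    summary = {"per_mech": Counter(), "missing_secret": 0, "gssapi_errors": 0, "no_mechs": 0}
    for ev in events:
        if ev["kind"] in ("badlogin", "login"):
            summary["per_mech"][(ev["mech"], ev["kind"])] += 1
            # The 'no secret in database' reason is the case hit in the thread: no sasldb2 entry yet.
            if ev["kind"] == "badlogin" and "no secret in database" in ev["reason"]:
                summary["missing_secret"] += 1
        elif ev["kind"] == "gssapi_error":
            summary["gssapi_errors"] += 1
        else:
            summary["no_mechs"] += 1
    return summary
```

Feeding it a real all.log separates "users missing from sasldb2" from mechanism negotiation failures (GSSAPI errors, "No worthy mechs found"), which is the distinction the thread works out by hand.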