Subject: Re: problem with nss_ldap

From: Tom McLaughlin · Date: Thursday, February 26, 2009 - 6:39 am

Harti Brandt wrote:
quoted text> On Sun, 18 Jan 2009, Hartmut.Brandt@dlr.de wrote:
> 
>> Hi,
>>
>> for a year or so I had nss_ldap connected to an active directory (with openldap23-sasl-client) on a year-old current. Yesterday I've rebuilt everything and I started to get 'undefined symbols' (for example gss_equal_oid) when running any program needing pw or group entries. After some poking around I fixed these by adding -lgssapi to the Makefiles for libgssapi_krb5.so and libgssap_spnego.so. Now getent, local login and everything works fine, except cron and sshd.

Hi Harti, I'm setting up a -CURRENT vm right now with nss_ldap and have 
an LDAP server which requires SASL.  I use a global krb5 credentials 
cache for nss_ldap as it appears you do.  Last time I did this was right 
around the time the latest heimdal was imported.  My setup worked before 
the import and broke afterwards.  As I recall from talking to dfr@ (?) 
libgssapi_{krb5,spnego} are just plugins for libgssapi.  They should not 
need to be linked against libgssapi and other things should not link 
against them.  I would like to see this fixed as libgssapi is intended 
to be used.  I just want to know what the proper fix is.

(Hey, just found the old conversation with dfr@ in my inbox but need to 
read through the whole thing to figure out what's up.)

quoted text>>
>> Both create entries in /var/log/messages like:
>>
>> Jan 18 20:00:02 knopdnsimu13f cron[1495]: GSSAPI Error:  Miscellaneous failure (see text)???????????????ZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZ
Z
quoted text>  ZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZ
>> Jan 18 20:00:02 knopdnsimu13f kernel: ZZZZZZZZZZZZZZZZ
>>
>> I've tried to figure out in which of the dozens of layered libraries (gss, sasl, ssl, ......) this error is generated but did not find anything.
>>
>> This is on amd64, krb5 enabled in pam, gssapi disabled in sshd_config (as I said, this worked before).
> 
> So to answer my own mail: I made a link from the kerberos ticket file 
> which contains the host ticket (and is specified in nss_ldap.conf) to 
> /tmp/krb5cc_0. I've no idea why this is suddenly necessary, though.

There may be an issue with the env method used in nss_ldap to change the 
credentials cache.  My mind is fuzzy but I do recall a similar issue but 
don't remember the exact cause or case.  nss_ldap has a second 
configurable ccname method which when I submitted the original patch I 
intended to switch to once we had a newer heimdal.  Once I get nss_ldap 
working on my box I intend to submit another patch.

tom
-- 
| tmclaugh at sdf.lonestar.org                 tmclaugh at FreeBSD.org |
| FreeBSD                                       http://www.FreeBSD.org |

_______________________________________________
freebsd-current@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-current
To unsubscribe, send any mail to "freebsd-current-unsubscribe@freebsd.org"


linux-kernel:
Greg Kroah-Hartman	[PATCH 041/196] kobject: add kobject_init_and_add function
Lukas Hejtmanek	Re: Another libata error related to OCZ SSD
Greg Kroah-Hartman	[PATCH 023/196] MCP_UCB1200: Convert from class_device to device
Florian Fainelli	Re: System clock runs too fast after 2.6.27 -> 2.6.28.1 upgrade
Christoph Lameter	[patch 1/4] mmu_notifier: Core code
git:
Johannes Schindelin	Re: [PATCH 1/2] Add strbuf_initf()
John Bito	[EGIT] Push to GitHub caused corruption
Jakub Narebski	Re: [PATCH 0/2] gitweb: patch view
Junio C Hamano	Re: [PATCH] When a remote is added but not fetched, tell the user.
Andy Parkins	Re: [RFC] Submodules in GIT
git-commits-head:
Linux Kernel Mailing List	ahci: Workaround HW bug for SB600/700 SATA controller PMP support
Linux Kernel Mailing List	V4L/DVB (11086): au0828: rename macro for currently non-function VBI support
Linux Kernel Mailing List	ceph: client types
Linux Kernel Mailing List	ceph: on-wire types
Linux Kernel Mailing List	crypto: chainiv - Use kcrypto_wq instead of keventd_wq
linux-netdev:
Andrew Morton	Re: [Bugme-new] [Bug 14969] New: b44: WOL does not work in suspended state
Giuseppe CAVALLARO	Re: [PATCH 03/13] stmmac: add the new Header file for stmmac platform data
Taku Izumi	[PATCH 3/3] ixgbe: add registers etc. printout code just before resetting adapters
Eric Dumazet	rps: some comments
Thomas Gleixner	Re: [RFC PATCH 02/12] On Tue, 23 Sep 2008, David Miller wrote:
openbsd-misc:
Stephan Andreas	problems with login after xlock in OpenBSD release 4.7
pmc	Make A Change. Alcoholism and Drug Addiction Treatment
ropers	Re: what exactly is enc0?
Fuad NAHDI	Re: What does your environment look like?
Matthew Szudzik	Typo on OpenBSD 4.4 CD Set