Subject: Re: problem with nss_ldap

From: Hartmut Brandt · Date: Saturday, March 7, 2009 - 1:53 pm

tmclaugh@sdf.lonestar.org wrote:
quoted text>> Hi Tom,
>>
>> On Sat, 28 Feb 2009, Tom McLaughlin wrote:
>>
>> TM>Tom McLaughlin wrote:
>> TM>> Harti Brandt wrote:
>> TM>> > On Sun, 18 Jan 2009, Hartmut.Brandt@dlr.de wrote:
>> TM>
>> TM>> > > Both create entries in /var/log/messages like:
>> TM>> > >
>> TM>> > > Jan 18 20:00:02 knopdnsimu13f cron[1495]: GSSAPI Error:
>> Miscellaneous
>> TM>> > > failure (see
>> TM>> > >
>> text)???????????????ZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZ
>> TM>Z
>> TM>> Z
>> TM>> >  ZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZ
>> TM>> > > Jan 18 20:00:02 knopdnsimu13f kernel: ZZZZZZZZZZZZZZZZ
>> TM>> > >
>> TM>> > > I've tried to figure out in which of the dozens of layered
>> libraries
>> TM>> > > (gss, sasl, ssl, ......) this error is generated but did not find
>> TM>> > > anything.
>> TM>> > >
>> TM>> > > This is on amd64, krb5 enabled in pam, gssapi disabled in
>> sshd_config
>> TM>> > > (as I said, this worked before).
>> TM>> > So to answer my own mail: I made a link from the kerberos ticket
>> file
>> TM>> > which contains the host ticket (and is specified in nss_ldap.conf)
>> to
>> TM>> > /tmp/krb5cc_0. I've no idea why this is suddenly necessary, though.
>> TM>>
>> TM>> There may be an issue with the env method used in nss_ldap to change
>> the
>> TM>> credentials cache.  My mind is fuzzy but I do recall a similar issue
>> but
>> TM>> don't remember the exact cause or case.  nss_ldap has a second
>> configurable
>> TM>> ccname method which when I submitted the original patch I intended to
>> TM>> switch to once we had a newer heimdal.  Once I get nss_ldap working
>> on my
>> TM>> box I intend to submit another patch.
>> TM>>
>> TM>> tom
>> TM>
>> TM>Hi Harti (CC maintainer),
>> TM>
>> TM>Can you try the attached patch for nss_ldap?  This should cause the
>> host
>> TM>ticket to work correctly on -CURRENT.  It's "my box approved".
>>
>> Does not work. I rebuilt my system with today's sources to be sure,
>> removed my patches to the two library makefiles and rebuilt nss_ldap with
>> your patch. I get:
>>
>> # ls -l
>> dlopen: /usr/lib/libgssapi_spnego.so.10: Undefined symbol
>> "GSS_C_NT_HOSTBASED_SERVICE"
>> /libexec/ld-elf.so.1: /usr/lib/libgssapi_krb5.so.10: Undefined symbol
>> "gss_oid_equal"
>>
>> Basically on everything I enter. Luckily vi still works :-)
>>
>> I saw that the configuration script claims not to find
>> gss_krb5_ccache_name in -lgssapi or -lgssapi_krb5. This is because the
>> test program for -lgssapi_krb5 links only to gssapi_krb5 but not to gssapi
>> and so gets a lot of errors. I fixed this by adding gssapi, but the final
>> result was the same.
>>
>> harti
>>
> 
> Sorry, forgot to mention you still need that patch to libgssapi and
> libgssapi_krb5 in base that you did previously.  The patch to nss_ldap
> alleviates the lingering problems you still saw.  I need to eventually
> talk to dfr@ (been busy with various projects at home lately) and see how
> nss_ldap should properly link against libgssapi but even after that the
> patch to nss_ldap will still be needed and better than the current method
> used to use a host ticket.

How will gss allow you to go without a host ticket? Somehow the host 
needs to bind to the AD, right?

In any case I rebuilt the two libraries linking them agains libgssapi 
and I can at least log in again. Sendmail dies with signal 11 and after 
I removed the link from /tmp/krb5cc_0 to the host creds cron also dies 
with signal 11. This is somewhat hard to debug, because it doesn't dump 
core.

Sudo does not work and gives:

Mar  7 21:23:57 knopdnsimu13f sudo: GSSAPI Error:  Miscellaneous failure 
(see text) (unknown mech-code 2529638944 for mech unknown)
Mar  7 21:23:57 knopdnsimu13f sudo: GSSAPI Error:  Miscellaneous failure 
(see text)¥¥¥¥¥¥¥¥¥¥¥¥¥¥¥ (Ticket expired¥¥libdefaults)
Mar  7 21:24:27 knopdnsimu13f last message repeated 8 times
Mar  7 21:24:32 knopdnsimu13f sshd[50888]: error: PAM: authentication 
error for root from XXXX.dlr.de
Mar  7 21:25:00 knopdnsimu13f sudo: GSSAPI Error:  Miscellaneous failure 
(see text)¥¥¥¥¥¥¥¥¥¥¥¥¥¥¥ (Ticket expired¥¥libdefaults)
Mar  7 21:25:00 knopdnsimu13f sudo: GSSAPI Error:  Miscellaneous failure 
(see text)¥¥¥¥¥¥¥¥¥¥¥¥¥¥¥ (Ticket expired¥¥libdefaults)
Mar  7 21:26:05 knopdnsimu13f last message repeated 2 times
Mar  7 21:26:05 knopdnsimu13f sudo: nss_ldap: could not search LDAP 
server - Server is unavailable

The host ticket is fine (I checked) and the server is, of course, 
reachable and up. None of the tickets is expired.

I must admit that I'm lost in this twisted maze of libraries: gss, 
nss_ldap, sasl. I can't even grasp how they layer on each other. But if 
you come up with patches I'm ready to try them.

Did I forget to mention that this worked fine for one or two years until 
I decided to update my system (this was when I sent the original mail)?

harti

_______________________________________________
freebsd-current@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-current
To unsubscribe, send any mail to "freebsd-current-unsubscribe@freebsd.org"


linux-kernel:
Greg KH	Og dreams of kernels
Jens Axboe	[PATCH 31/33] Fusion: sg chaining support
Arnd Bergmann	Re: finding your own dead "CONFIG_" variables
Mark Brown	[PATCH 2/2] Subject: natsemi: Allow users to disable workaround for DspCfg reset
Tony Breeds	[LGUEST] Look in object dir for .config
git:
Brian Downing	Re: Git in a Nutshell guide
John Benes	Re: master has some toys
Matthias Lederhofer	[PATCH 4/7] introduce GIT_WORK_TREE to specify the work tree
Alexander Sulfrian	[RFC/PATCH] RE: git calls SSH_ASKPASS even if DISPLAY is not set
Junio C Hamano	Re: Rss produced by git is not valid xml?
git-commits-head:
Linux Kernel Mailing List	iSeries: fix section mismatch in iseries_veth
Linux Kernel Mailing List	ixbge: remove TX lock and redo TX accounting.
Linux Kernel Mailing List	ixgbe: fix several counter register errata
Linux Kernel Mailing List	b43: fix build with CONFIG_SSB_PCIHOST=n
Linux Kernel Mailing List	9p: block-based virtio client
linux-netdev:
Michael Breuer	Re: [PATCH] af_packet: Don't use skb after dev_queue_xmit()
Michael Breuer	Re: [PATCH] af_packet: Don't use skb after dev_queue_xmit()
David Daney	[PATCH 5/7] Staging: Octeon Ethernet: Convert to NAPI.
Wolfgang Grandegger	[PATCH net-next v4 1/3] can: mscan: fix improper return if dlc < 8 in start_xmi...
Amit Kumar Salecha	[PATCHv3 NEXT 2/2] NET: Add Qlogic ethernet driver for CNA devices
openbsd-misc:
Theo de Raadt	Re: Old IPSEC bug
Tomáš Bodžár	Problem with vpnc connection - check group password !
Insan Praja SW	Mandoc Compiling Error
Carl Roberso	Re: Cannot change MTU of carp interface?
Richard Daemon	Re: booting openbsd on eee without cd-rom