Bug#917129: slapd-smbk5pwd: crashes when enabling krb5

Ryan Tandy-4
Package: slapd-smbk5pwd
Version: 2.4.46+dfsg-5
Severity: important

# ldapmodify -H ldapi:// -Y EXTERNAL << eof
> dn: olcOverlay=smbk5pwd,olcDatabase={1}mdb,cn=config
> changetype: add
> objectClass: olcSmbK5PwdConfig
> olcSmbK5PwdEnable: krb5
> eof
SASL/EXTERNAL authentication started
SASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
SASL SSF: 0
adding new entry "olcOverlay=smbk5pwd,olcDatabase={1}mdb,cn=config"
ldap_result: Can't contact LDAP server (-1)

Thread 3 "slapd" received signal SIGSEGV, Segmentation fault.
[Switching to Thread 0x7fffb58b8700 (LWP 1713)]
initialize_kadm5_error_table_r (list=0x7fffa8104fb8,
    list@entry=<error reading variable: value has been optimized out>) at kadm5_err.c:101
101 kadm5_err.c: No such file or directory.
(gdb) bt
#0  initialize_kadm5_error_table_r (list=0x7fffa8104fb8,
    list@entry=<error reading variable: value has been optimized out>) at kadm5_err.c:101
#1  0x00007ffff67fa14a in krb5_add_et_list (context=context@entry=0x7fffa8104f50, func=<optimized out>)
    at add_et_list.c:54
#2  0x00007ffff6870ed5 in _kadm5_s_init_context (ctx=ctx@entry=0x7fffb58b5e00,
    params=params@entry=0x7ffff6a3c480 <conf>, context=0x7fffa8104f50) at context_s.c:241
#3  0x00007ffff6872f6c in kadm5_s_init_with_context (context=<optimized out>,
    client_name=0x7ffff6a3a025 "kadmin/admin", realm_params=0x7ffff6a3c480 <conf>,
    server_handle=0x7ffff6a3c4b8 <kadm_context>, api_version=<optimized out>, struct_version=<optimized out>,
    service_name=<optimized out>) at init_s.c:53
#4  0x00007ffff6a378a4 in smbk5pwd_modules_init (pi=<optimized out>) at smbk5pwd.c:1009
#5  0x00007ffff6a37e78 in smbk5pwd_cf_func (c=0x7fffb58b61c0) at smbk5pwd.c:916
#6  0x000055555558397b in config_set_vals (Conf=0x7ffff6a3c100 <smbk5pwd_cfats>, c=0x7fffb58b61c0)
    at ../../../../servers/slapd/config.c:353
#7  0x00005555555845ed in config_parse_add (ct=ct@entry=0x7ffff6a3c100 <smbk5pwd_cfats>, c=c@entry=0x7fffb58b61c0,
    valx=valx@entry=0) at ../../../../servers/slapd/config.c:697
#8  0x000055555557b2c3 in config_add_internal (e=<optimized out>, ca=ca@entry=0x7fffb58b61c0,
    rs=rs@entry=0x7fffb58b7850, renum=renum@entry=0x7fffb58b618c, op=<optimized out>, cfb=<optimized out>,
    cfb=<optimized out>) at ../../../../servers/slapd/bconfig.c:5217
#9  0x000055555557c179 in config_back_add (op=0x7fffa8002940, rs=0x7fffb58b7850)
    at ../../../../servers/slapd/bconfig.c:5444
#10 0x000055555559532d in fe_op_add (op=0x7fffa8002940, rs=0x7fffb58b7850) at ../../../../servers/slapd/add.c:334
#11 0x0000555555596169 in do_add (op=0x7fffa8002940, rs=0x7fffb58b7850) at ../../../../servers/slapd/add.c:194
#12 0x000055555558e56c in connection_operation (ctx=ctx@entry=0x7fffb58b79b0, arg_v=arg_v@entry=0x7fffa8002940)
    at ../../../../servers/slapd/connection.c:1158
#13 0x000055555558f09d in connection_read_thread (ctx=0x7fffb58b79b0, argv=0xc)
    at ../../../../servers/slapd/connection.c:1294
#14 0x00007ffff7f7d9fd in ldap_int_thread_pool_wrapper (xpool=0x55555572c410)
    at ../../../../libraries/libldap_r/tpool.c:696
#15 0x00007ffff76c0fa3 in start_thread (arg=<optimized out>) at pthread_create.c:486
#16 0x00007ffff75f188f in clone () at ../sysdeps/unix/sysv/linux/x86_64/clone.S:95

Ryan Tandy-4
Thread 3 "slapd" hit Breakpoint 1, 0x00007ffff741a1c0 in krb5_init_context ()
   from /usr/lib/x86_64-linux-gnu/libkrb5.so.3
(gdb) bt
#0  0x00007ffff741a1c0 in krb5_init_context () from /usr/lib/x86_64-linux-gnu/libkrb5.so.3
#1  0x00007ffff68e486c in smbk5pwd_modules_init (pi=<optimized out>) at smbk5pwd.c:1000

That is the wrong krb5_init_context, we want the Heimdal one!

# ldd /usr/lib/ldap/smbk5pwd.so | grep krb5
        libkrb5.so.26 => /usr/lib/x86_64-linux-gnu/libkrb5.so.26 (0x00007f78ce2f3000)
        libgssapi_krb5.so.2 => /usr/lib/x86_64-linux-gnu/libgssapi_krb5.so.2 (0x00007f78cdb87000)
        libkrb5.so.3 => /usr/lib/x86_64-linux-gnu/libkrb5.so.3 (0x00007f78cdaaa000)
        libkrb5support.so.0 => /usr/lib/x86_64-linux-gnu/libkrb5support.so.0 (0x00007f78cd340000)

This looks like a change in libsasl2-2:

Package: libsasl2-2
Version: 2.1.27~101-g0780600+dfsg-3
Depends: libsasl2-modules-db (>= 2.1.27~101-g0780600+dfsg-3), libc6 (>= 2.15)

Package: libsasl2-2
Version: 2.1.27~rc8-1
Depends: libsasl2-modules-db (>= 2.1.27~rc8-1), libc6 (>= 2.15), libcom-err2 (>= 1.43.9), libgssapi-krb5-2 (>= 1.6.dfsg.2), libk5crypto3 (>= 1.6.dfsg.2), libkrb5-3 (>= 1.6.dfsg.2)

(I really need to create some autopkgtests to catch this sort of thing!)
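
The `ldd ... | grep krb5` check from the message above, turned into a pass/fail test of the kind an autopkgtest could run. This is an added example, not part of the original message or of the Debian packaging; the function names and the per-implementation soname lists are assumptions, and the sample input is the ldd output quoted in the message.

```shell
#!/bin/sh
# Added example: fail when one object pulls in both MIT and Heimdal Kerberos.
# The soname patterns below are assumptions based on Debian's library packages.

# ldd output quoted in the message above, used as sample input.
sample_ldd() {
    cat <<'EOF'
        libkrb5.so.26 => /usr/lib/x86_64-linux-gnu/libkrb5.so.26 (0x00007f78ce2f3000)
        libgssapi_krb5.so.2 => /usr/lib/x86_64-linux-gnu/libgssapi_krb5.so.2 (0x00007f78cdb87000)
        libkrb5.so.3 => /usr/lib/x86_64-linux-gnu/libkrb5.so.3 (0x00007f78cdaaa000)
        libkrb5support.so.0 => /usr/lib/x86_64-linux-gnu/libkrb5support.so.0 (0x00007f78cd340000)
EOF
}

# Read ldd output on stdin; print "family soname" for each Kerberos library.
classify_krb5() {
    awk 'NF { print $1 }' | while read -r soname; do
        case "$soname" in
            libkrb5.so.3|libkrb5support.so.*|libk5crypto.so.*|libgssapi_krb5.so.*)
                echo "mit $soname" ;;
            libkrb5.so.26|libkadm5srv.so.*|libhdb.so.*|libheimbase.so.*|libroken.so.*)
                echo "heimdal $soname" ;;
        esac
    done
}

# Count the classified lines on stdin that belong to family $1.
count_family() {
    awk -v fam="$1" '$1 == fam { n++ } END { print n + 0 }'
}

# Read ldd output on stdin. Return 1 if both families are present (both export
# krb5_init_context, so the dynamic linker may bind the wrong one), else 0.
check_krb5_mix() {
    found=$(classify_krb5)
    mit=$(printf '%s\n' "$found" | count_family mit)
    heimdal=$(printf '%s\n' "$found" | count_family heimdal)
    if [ "$mit" -gt 0 ] && [ "$heimdal" -gt 0 ]; then
        printf 'mixed Kerberos implementations:\n%s\n' "$found" >&2
        return 1
    fi
    return 0
}
```

On a real system the input would come from `ldd /usr/lib/ldap/smbk5pwd.so | check_krb5_mix`, with a non-zero status failing the test.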

Ryan Tandy-4
Control: reassign -1 libsasl2-2 2.1.27~rc8-1
Control: affects -1 slapd-smbk5pwd

Dear cyrus-sasl2 maintainers,

The latest version of libsasl2-2 seems to have gained dependencies on
MIT Kerberos libraries. This breaks slapd-smbk5pwd, which links with
Heimdal libraries (directly) and libsasl (indirectly via libldap) and
then calls functions exported by both (krb5_init_context). See details
quoted below.

I'm hoping this is just a bug and can be fixed. If it's an intentional
change, and not likely to be reverted, then I'd appreciate any advice
you could offer on how I should approach it from my end...

Thank you,
Ryan

On Sat, Dec 22, 2018 at 10:46:00PM -0800, Ryan Tandy wrote:

>Thread 3 "slapd" hit Breakpoint 1, 0x00007ffff741a1c0 in krb5_init_context ()
>  from /usr/lib/x86_64-linux-gnu/libkrb5.so.3
>(gdb) bt
>#0  0x00007ffff741a1c0 in krb5_init_context () from /usr/lib/x86_64-linux-gnu/libkrb5.so.3
>#1  0x00007ffff68e486c in smbk5pwd_modules_init (pi=<optimized out>) at smbk5pwd.c:1000
>
>That is the wrong krb5_init_context, we want the Heimdal one!
>
># ldd /usr/lib/ldap/smbk5pwd.so | grep krb5
> libkrb5.so.26 => /usr/lib/x86_64-linux-gnu/libkrb5.so.26 (0x00007f78ce2f3000)
> libgssapi_krb5.so.2 => /usr/lib/x86_64-linux-gnu/libgssapi_krb5.so.2 (0x00007f78cdb87000)
> libkrb5.so.3 => /usr/lib/x86_64-linux-gnu/libkrb5.so.3 (0x00007f78cdaaa000)
> libkrb5support.so.0 => /usr/lib/x86_64-linux-gnu/libkrb5support.so.0 (0x00007f78cd340000)
>
>This looks like a change in libsasl2-2:
>
>Package: libsasl2-2
>Version: 2.1.27~101-g0780600+dfsg-3
>Depends: libsasl2-modules-db (>= 2.1.27~101-g0780600+dfsg-3), libc6 (>= 2.15)
>
>Package: libsasl2-2
>Version: 2.1.27~rc8-1
>Depends: libsasl2-modules-db (>= 2.1.27~rc8-1), libc6 (>= 2.15), libcom-err2 (>= 1.43.9), libgssapi-krb5-2 (>= 1.6.dfsg.2), libk5crypto3 (>= 1.6.dfsg.2), libkrb5-3 (>= 1.6.dfsg.2)

Ryan Tandy-4
Control: tag -1 upstream patch
Control: forwarded -1 https://github.com/cyrusimap/cyrus-sasl/pull/548

Upon further investigation this turned out to be an upstream issue. I
have sent a patch upstream. Please consider including it once it has
been reviewed upstream.

https://patch-diff.githubusercontent.com/raw/cyrusimap/cyrus-sasl/pull/548.patch

thanks,
Ryan

Ryan Tandy-4
I proposed a merge request on salsa for this issue.

https://salsa.debian.org/debian/cyrus-sasl2/merge_requests/2

as a git-format-patch(1) patch:

https://salsa.debian.org/debian/cyrus-sasl2/merge_requests/2.patch

See the original message on the bug for how to test the issue. With the
package in current unstable/testing, slapd crashes when initializing the
smbk5pwd overlay. With this patch, slapd no longer crashes and the
module is usable.