Re: saslauthd segfault using kerberos5


Subject: Re: saslauthd segfault using kerberos5
From: Etienne Goyer (etienne dot goyer at linuxquebec dot com)
Date: Wed Apr 23 2003 - 16:06:34 EDT


I just found my problem. My KDC is a MS Active Directory. The account
used to create the principal where disabled. Enabling the account make
saslauthd behave. However, since kinit work wih the account disabled or
not and krb5_free_data_contents() seem to segfault (to be verified), I
think I put the finger on a genuine bug. I will carry this to the the
MIT Kerberos folk to see if they are aware of it.

On Wed, Apr 23, 2003 at 02:59:57PM -0400, Etienne Goyer wrote:
> Hi there,
>
> I have been banging my head on SASL 2.1.13 for a few hour now and I am
> quite desesperate. Any help would be very appreciated.
>
> We are setting up a Cyrus imapd farm. We had been doing test for a few
> day and everything used to work correctly. imapd is configured to to
> authenticate user against saslauthd. saslauthd is started with
> "-a kerberos5". Last week, it was working (people where getting
> authenticated). Now it does not work anymore and we can't fugure out
> what we did that might have broke saslauthd.
>
> Testing saslauthd with "testsaslauthd -u user -p passw" give the
> following :
>
> ---
> [root@www2 root]# testsaslauthd -u <user> -p <pass>
> size read failed
> 0: [root@www2 root]#
> ---
>
> However, it work no problem if I use "saslauthd -a getpwent" so the
> problem must lie in the kerberos5 mechanism.
>
> Here are the last few line of output from
> "strace saslauthd -d -n0 -a kerberos5" :
>
> ---
> socket(PF_INET, SOCK_DGRAM, IPPROTO_IP) = 9
> connect(9, {sin_family=AF_INET, sin_port=htons(88),
> sin_addr=inet_addr("132.203.123.55")}}, 16) = 0
> send(9, "l\202\4\3250\202\4\321\241\3\2\1\5\242\3\2\1\f\243\202"...,
> 1241, 0) = 1241
> select(10, [9], NULL, NULL, {1, 0}) = 1 (in [9], left {0, 980000})
> recv(9, "~Z0X\240\3\2\1\5\241\3\2\1\36\244\21\30\01720030423183"...,
> 4096, 0) = 92
> close(9) = 0
> --- SIGSEGV (Segmentation fault) ---
> +++ killed by SIGSEGV +++
> ---
>
> I am not a C programmer, but I can do a little syslog() debugging so I
> narrowed the problem to saslauthd/auth_krb5.c around line 264 :
>
> ---
> fini:
> #ifndef KRB5_HEIMDAL
> krb5_free_data_contents(context, &packet);
> #endif
> krb5_free_principal(context, server);
>
> return result;
> ---
>
> If I comment the krb5_free_data_contents() function, it does not
> segfault anymore, but I get "NO "authentication failed"" for answer from
> testsaslauthd. A little more syslog() debugging tell me that
> krb5_mk_req() at line 238 does not return 0. Somehow, what make
> krb5_mk_req() may be giving segfault in krb5_free_data_contents().
>
> I am 90% sure that this problem is somehow related to my setup or
> config, but the fact that it trigger a segfault might make it worthwhile
> of an investigation. In the meantime, I will gladly accept any
> suggestion as what to check to solve my problem.
>
> Thanks very much !
>
>
> --
> Etienne Goyer Linux Québec Technologies Inc.
> http://www.LinuxQuebec.com etienne dot goyer at linuxquebec dot com
> PGP Pub Key: http://www.LinuxQuebec.com/pubkeys/eg.key
> Fingerprint: F569 0394 098A FC70 B572 5D20 3129 3D86 8FD5 C853

-- 
Etienne Goyer                    Linux Québec Technologies Inc.
http://www.LinuxQuebec.com       etienne dot goyer at linuxquebec dot com
PGP Pub Key: http://www.LinuxQuebec.com/pubkeys/eg.key 
Fingerprint: F569 0394 098A FC70 B572  5D20 3129 3D86 8FD5 C853 







Hosted Email Solutions

Invaluement Anti-Spam DNSBLs



Powered By FreeBSD   Powered By FreeBSD