Hi,

for a year or so I had nss_ldap connected to an active directory (with openldap23-sasl-client) on a year-old current. Yesterday I rebuilt everything and I started to get 'undefined symbols' (for example gss_equal_oid) when running any program needing pw or group entries. After some poking around I fixed these by adding -lgssapi to the Makefiles for libgssapi_krb5.so and libgssapi_spnego.so. Now getent, local login and everything works fine, except cron and sshd. Both create entries in /var/log/messages like:

Jan 18 20:00:02 knopdnsimu13f cron[1495]: GSSAPI Error: Miscellaneous failure (see text)¥¥¥¥¥¥¥¥¥¥¥¥¥¥¥ZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZ
Jan 18 20:00:02 knopdnsimu13f kernel: ZZZZZZZZZZZZZZZZ

I've tried to figure out in which of the dozens of layered libraries (gss, sasl, ssl, ......) this error is generated but did not find anything.

This is on amd64, krb5 enabled in pam, gssapi disabled in sshd_config (as I said, this worked before).

Any ideas?

harti
So to answer my own mail: I made a link from the kerberos ticket file which contains the host ticket (and is specified in nss_ldap.conf) to /tmp/krb5cc_0. I've no idea why this is suddenly necessary, though.
Hi Harti, I'm setting up a -CURRENT vm right now with nss_ldap and have
an LDAP server which requires SASL. I use a global krb5 credentials
cache for nss_ldap as it appears you do. Last time I did this was right
around the time the latest heimdal was imported. My setup worked before
the import and broke afterwards. As I recall from talking to dfr@ (?)
libgssapi_{krb5,spnego} are just plugins for libgssapi. They should not
need to be linked against libgssapi and other things should not link
against them. I would like to see this fixed as libgssapi is intended
to be used. I just want to know what the proper fix is.
(Hey, just found the old conversation with dfr@ in my inbox but need to
There may be an issue with the env method used in nss_ldap to change the
credentials cache. My mind is fuzzy but I do recall a similar issue but
don't remember the exact cause or case. nss_ldap has a second
configurable ccname method which when I submitted the original patch I
intended to switch to once we had a newer heimdal. Once I get nss_ldap
working on my box I intend to submit another patch.
tom
--
| tmclaugh at sdf.lonestar.org tmclaugh at FreeBSD.org |
| FreeBSD http://www.FreeBSD.org |
_______________________________________________
freebsd-current@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-current
To unsubscribe, send any mail to "freebsd-current-unsubscribe@freebsd.org"
Hi Harti (CC maintainer),

Can you try the attached patch for nss_ldap? This should cause the host ticket to work correctly on -CURRENT. It's "my box approved".

tom
Hi Tom,

On Sat, 28 Feb 2009, Tom McLaughlin wrote:

TM>Tom McLaughlin wrote:
TM>> Harti Brandt wrote:
TM>> > On Sun, 18 Jan 2009, Hartmut.Brandt@dlr.de wrote:
TM>
TM>> > > Both create entries in /var/log/messages like:
TM>> > >
TM>> > > Jan 18 20:00:02 knopdnsimu13f cron[1495]: GSSAPI Error: Miscellaneous
TM>> > > failure (see
TM>> > > text)
TM>> > > Jan 18 20:00:02 knopdnsimu13f kernel: ZZZZZZZZZZZZZZZZ
TM>> > >
TM>> > > I've tried to figure out in which of the dozens of layered libraries
TM>> > > (gss, sasl, ssl, ......) this error is generated but did not find
TM>> > > anything.
TM>> > >
TM>> > > This is on amd64, krb5 enabled in pam, gssapi disabled in sshd_config
TM>> > > (as I said, this worked before).
TM>> > So to answer my own mail: I made a link from the kerberos ticket file
TM>> > which contains the host ticket (and is specified in nss_ldap.conf) to
TM>> > /tmp/krb5cc_0. I've no idea why this is suddenly necessary, though.
TM>>
TM>> There may be an issue with the env method used in nss_ldap to change the
TM>> ...
It seems that this is because libgssapi_krb5, libgssapi_spnego and several other heimdal shared libraries are not linked against libgssapi.
As I understand it libgssapi_krb5 and libgssapi_spnego are not supposed to be linked against libgssapi. They're supposed to be just plugins.

tom
These objects reference symbols from libgssapi. The libgssapi or nss_ldap are dlopened without the RTLD_GLOBAL flag, and libgssapi-provided symbols are not available. As I understand it, the nss module must not be loaded with RTLD_GLOBAL.

Our binutils in base are old. Newer ld has a switch --no-allow-shlib-undefined that fails the link if a shared library has undefined references. I find it useful to catch and fix this kind of error.
The real problem is that nss_ldap should not link with libgssapi_krb5 directly. This library is a plugin for the mechanism-independent libgssapi and can not be used standalone. The nss_ldap module should link to libgssapi and that will handle loading libgssapi_krb5 as necessary.
I think this is a different problem, and it does not invalidate the requirement for each DSO to be linked against all required DSOs that provide symbols referenced by the first one.
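A small model of what the dynamic linker does with the library graph described in the last few messages, added here as an illustration (it is not code from the thread, from nss_ldap or from FreeBSD). The library names are the ones discussed above; the symbol tables and DT_NEEDED lists are constructed for the example rather than dumped from real binaries, and `libkrb5.so`, `krb5_init_context` and `_nss_ldap_getpwnam_r` are assumed filler names. Two things it shows: `gss_equal_oid` going unresolved once the nss module is loaded without RTLD_GLOBAL and the mech plugin lacks a DT_NEEDED on libgssapi, and the spnego plugin's `GSS_C_NT_HOSTBASED_SERVICE` staying unresolved even after nss_ldap itself links against libgssapi, because the plugin is dlopen()ed into a lookup scope of its own. The same function, run with no process-wide scope, is the check `--no-allow-shlib-undefined` applies at link time.

```python
"""Model of ld.so symbol resolution for a dlopen()ed nss module and the
GSS-API mechanism plugins beneath it. Constructed illustration only."""
from dataclasses import dataclass


@dataclass(frozen=True)
class DSO:
    name: str
    defines: frozenset   # exported symbols (cf. nm -D --defined-only)
    undefined: frozenset  # imported symbols (cf. nm -D --undefined-only)
    needed: tuple         # DT_NEEDED entries (cf. readelf -d)


def needed_closure(libs, root):
    """Transitive DT_NEEDED closure of root, in breadth-first load order."""
    order, queue = [], [root]
    while queue:
        name = queue.pop(0)
        if name in order:
            continue
        order.append(name)
        queue.extend(libs[name].needed)
    return order


def unresolved(libs, root, global_scope=frozenset()):
    """Symbols in root's closure that cannot be bound, keyed by object.

    Under RTLD_LOCAL (the dlopen default, and how nss modules are loaded) the
    lookup scope for root and its dependencies is the executable's global scope
    plus root's own DT_NEEDED closure. A symbol that lives only in a library
    outside both stays unbound, and the first call into it fails with
    "Undefined symbol".
    """
    closure = needed_closure(libs, root)
    visible = set(global_scope)
    for name in closure:
        visible |= libs[name].defines
    missing = {name: libs[name].undefined - visible for name in closure}
    return {name: syms for name, syms in missing.items() if syms}


def shlib_undefined(libs, name):
    """Link-time view, as ld --no-allow-shlib-undefined reports it: imports of
    one DSO that none of its own DT_NEEDED libraries provide. No process global
    scope exists yet, so nothing masks a missing dependency."""
    return unresolved(libs, name).get(name, frozenset())


# Constructed symbol tables; only the gss_* / GSS_* names come from the thread.
GSSAPI = DSO("libgssapi.so",
             frozenset({"gss_equal_oid", "gss_init_sec_context",
                        "GSS_C_NT_HOSTBASED_SERVICE"}),
             frozenset(), ())
KRB5 = DSO("libkrb5.so", frozenset({"krb5_init_context"}), frozenset(), ())  # assumed filler


def scenario(link_plugins_to_gssapi, link_nss_to_gssapi):
    """Library graph for one linking choice.

    link_plugins_to_gssapi: the -lgssapi added to the mech plugins' Makefiles.
    link_nss_to_gssapi: nss_ldap linked against libgssapi instead of only
    libgssapi_krb5.
    """
    plug_needed = ("libkrb5.so",) + (("libgssapi.so",) if link_plugins_to_gssapi else ())
    krb5_mech = DSO("libgssapi_krb5.so", frozenset({"gss_krb5_ccache_name"}),
                    frozenset({"gss_equal_oid", "krb5_init_context"}), plug_needed)
    spnego = DSO("libgssapi_spnego.so", frozenset(),
                 frozenset({"GSS_C_NT_HOSTBASED_SERVICE"}), plug_needed)
    nss_needed = ("libgssapi_krb5.so",) + (("libgssapi.so",) if link_nss_to_gssapi else ())
    nss = DSO("nss_ldap.so", frozenset({"_nss_ldap_getpwnam_r"}),  # assumed filler export
              frozenset({"gss_init_sec_context", "gss_krb5_ccache_name"}), nss_needed)
    return {d.name: d for d in (GSSAPI, KRB5, krb5_mech, spnego, nss)}


def check(link_plugins_to_gssapi, link_nss_to_gssapi, global_scope=frozenset()):
    """Two dlopen() events: nsdispatch loading nss_ldap, then libgssapi loading
    the spnego plugin into a fresh local scope of its own."""
    libs = scenario(link_plugins_to_gssapi, link_nss_to_gssapi)
    return {"nss_ldap": unresolved(libs, "nss_ldap.so", global_scope),
            "spnego_plugin": unresolved(libs, "libgssapi_spnego.so", global_scope)}


if __name__ == "__main__":
    for plugins, nss in ((False, False), (True, False), (False, True)):
        print(f"plugins->libgssapi={plugins} nss_ldap->libgssapi={nss}:",
              check(plugins, nss))
```

Passing the executable's own exports as `global_scope` (for example a program that is itself linked against libgssapi) makes the missing DT_NEEDED entries disappear from the runtime view, which is why a broken plugin can work under one program and fail under another; `shlib_undefined` does not take a global scope and therefore reports the defect regardless of which program loads the module.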
Perhaps I should have put GSS-API extensions in a different library from the mechanism implementation. This is actually quite possible since all the krb5 extensions are wrappers on a more generic GSS-API extension api. It's probably too hard to do that now.
Okay, attached is a patch to nss_ldap. On -CURRENT I have changed the CONFIGURE_ARG to use "--enable-configurable-krb5-ccname-gssapi" instead of "--enable-configurable-krb5-ccname-env" which fixes Harti's initial problem with apps like cron failing. It will also make nss_ldap link against libgssapi and libgssapi_krb5. I still have one lingering issue though at least things work.

[tom@freebsd-8-amd64 tom]$ getent passwd tom
dlopen: /usr/lib/libgssapi_spnego.so.10: Undefined symbol "GSS_C_NT_HOSTBASED_SERVICE"
tom:x:10001:10001:Tom McLaughlin:/home/tom:/bin/sh

I am also curious how gssapi in -CURRENT is affecting the ports tree. Are other ports experiencing similar linking issues? How can I go about finding and fixing them?

tom
On Tue, 10 Mar 2009, Tom McLaughlin wrote:

TM>Doug Rabson wrote:

[snip a lot]

TM>Okay, attached is a patch to nss_ldap. On -CURRENT I have changed the
TM>CONFIGURE_ARG to use "--enable-configurable-krb5-ccname-gssapi" instead
TM>of "--enable-configurable-krb5-ccname-env" which fixes Harti's initial
TM>problem with apps like cron failing. It will also make nss_ldap link
TM>against libgssapi and libgssapi_krb5. I still have one lingering issue
TM>though at least things work.
TM>
TM>[tom@freebsd-8-amd64 tom]$ getent passwd tom
TM>dlopen: /usr/lib/libgssapi_spnego.so.10: Undefined symbol
TM>"GSS_C_NT_HOSTBASED_SERVICE"
TM>tom:x:10001:10001:Tom McLaughlin:/home/tom:/bin/sh

Ok. This works so far. I get the same error. But I have the original problem again - cron, sendmail and sshd seem not to use the hostcreds. I still need a link from /var/tmp/hostcreds to /tmp/krb5cc_0 to make sshd work. The build of nss_ldap seems to find all the necessary files: sasl.h, gssapi.h, gssapi_krb5.h.

The thing I cannot understand is: why do normal applications find the hostcreds, but the daemons not? What do they do differently?

harti
What's the machine's OSVERSION? I used the OSVERSION on my box when checking which method to use for setting the credentials cache. I didn't feel like trying to figure out what the OSVERSION was when Heimdal was updated.

tom
On Sun, 15 Mar 2009, Tom McLaughlin wrote:

TM>Hartmut Brandt wrote:
TM>> On Tue, 10 Mar 2009, Tom McLaughlin wrote:
TM>>
TM>> TM>Doug Rabson wrote:
TM>>
TM>> [snip a lot]
TM>>
TM>> TM>Okay, attached is a patch to nss_ldap. On -CURRENT I have changed the
TM>> TM>CONFIGURE_ARG to use "--enable-configurable-krb5-ccname-gssapi" instead
TM>> TM>of "--enable-configurable-krb5-ccname-env" which fixes Harti's initial
TM>> TM>problem with apps like cron failing. It will also make nss_ldap link
TM>> TM>against libgssapi and libgssapi_krb5. I still have one lingering issue
TM>> TM>though at least things work.
TM>> TM>
TM>> TM>[tom@freebsd-8-amd64 tom]$ getent passwd tom
TM>> TM>dlopen: /usr/lib/libgssapi_spnego.so.10: Undefined symbol
TM>> TM>"GSS_C_NT_HOSTBASED_SERVICE"
TM>> TM>tom:x:10001:10001:Tom McLaughlin:/home/tom:/bin/sh
TM>>
TM>> Ok. This works so far. I get the same error. But I have the original problem
TM>> again - cron, sendmail and sshd seem not to use the hostcreds. I still need a
TM>> link from /var/tmp/hostcreds to /tmp/krb5cc_0 to make sshd work. The build
TM>> of nss_ldap seems to find all the necessary files: sasl.h, gssapi.h,
TM>> gssapi_krb5.h.
TM>>
TM>
TM>What's the machine's OSVERSION? I used the OSVERSION on my box when checking
TM>which method to use for setting the credentials cache. I didn't feel like
TM>trying to figure out what the OSVERSION was when Heimdal was updated.

Looks like the Makefile checks for >= 800064. My sys/param.h has 800061.

Unfortunately I'm out of town until at least Sunday so I can do more tests only next week.

harti

TM>
TM>tom
TM>
TM>> The thing I cannot understand is: why do normal applications find the hostcreds,
TM>> but the daemons not? What do they do differently?
TM>>
TM>> harti
TM>
TM>
On Mon, 16 Mar 2009, Hartmut Brandt wrote:

HB>On Sun, 15 Mar 2009, Tom McLaughlin wrote:
HB>
HB>TM>Hartmut Brandt wrote:
HB>TM>> On Tue, 10 Mar 2009, Tom McLaughlin wrote:
HB>TM>>
HB>TM>> TM>Doug Rabson wrote:
HB>TM>>
HB>TM>> [snip a lot]
HB>TM>>
HB>TM>> TM>Okay, attached is a patch to nss_ldap. On -CURRENT I have changed the
HB>TM>> TM>CONFIGURE_ARG to use "--enable-configurable-krb5-ccname-gssapi" instead
HB>TM>> TM>of "--enable-configurable-krb5-ccname-env" which fixes Harti's initial
HB>TM>> TM>problem with apps like cron failing. It will also make nss_ldap link
HB>TM>> TM>against libgssapi and libgssapi_krb5. I still have one lingering issue
HB>TM>> TM>though at least things work.
HB>TM>> TM>
HB>TM>> TM>[tom@freebsd-8-amd64 tom]$ getent passwd tom
HB>TM>> TM>dlopen: /usr/lib/libgssapi_spnego.so.10: Undefined symbol
HB>TM>> TM>"GSS_C_NT_HOSTBASED_SERVICE"
HB>TM>> TM>tom:x:10001:10001:Tom McLaughlin:/home/tom:/bin/sh
HB>TM>>
HB>TM>> Ok. This works so far. I get the same error. But I have the original problem
HB>TM>> again - cron, sendmail and sshd seem not to use the hostcreds. I still need a
HB>TM>> link from /var/tmp/hostcreds to /tmp/krb5cc_0 to make sshd work. The build
HB>TM>> of nss_ldap seems to find all the necessary files: sasl.h, gssapi.h,
HB>TM>> gssapi_krb5.h.
HB>TM>>
HB>TM>
HB>TM>What's the machine's OSVERSION? I used the OSVERSION on my box when checking
HB>TM>which method to use for setting the credentials cache. I didn't feel like
HB>TM>trying to figure out what the OSVERSION was when Heimdal was updated.
HB>
HB>Looks like the Makefile checks for >= 800064. My sys/param.h has 800061.
HB>
HB>Unfortunately I'm out of town until at least Sunday so I can do more tests
HB>only next week.

To reply to my own mail: changing the check in the Makefile to >= 800061 makes things work. The only remaining thing is the missing symbol in ...
Today I found this posting here, having much trouble with authentication on some clients. After an update of the LDAP server from OpenLDAP 2.4.14 to 2.4.15 and updating db-4.6 to db-4.7 (all on the server; the server runs FreeBSD 7.1-STABLE/i386), I have no luck logging in via ssh on any client (the client runs FreeBSD 8.0-CURRENT/amd64). The client also has db-4.7 and OpenLDAP 2.4.15, and I recompiled pam_ldap and nss_ldap when I updated OpenLDAP 2.4.14 to OpenLDAP 2.4.15.

Checking the console log gives me this:

Mar 16 11:04:34 thusnelda sshd[1560]: fatal: login_get_lastlog: Cannot find account for uid 1000
Mar 16 11:04:34 thusnelda sshd[1560]: syslogin_perform_logout: logout() returned an error

Checking sshd.log gives this:

Mar 16 11:04:19 thusnelda sshd[1560]: Accepted keyboard-interactive/pam for user from XXX.XXX.XXX.XXX port 61861 ssh2
Mar 16 11:04:19 thusnelda sshd[1563]: nss_ldap: could not get LDAP result - Can't contact LDAP server
Mar 16 11:04:34 thusnelda sshd[1563]: nss_ldap: could not get LDAP result - Timed out
Mar 16 11:04:34 thusnelda sshd[1560]: nss_ldap: could not search LDAP server - Server is unavailable
Mar 16 11:04:34 thusnelda sshd[1560]: fatal: login_get_lastlog: Cannot find account for uid 1000
Mar 16 11:04:34 thusnelda sshd[1560]: syslogin_perform_logout: logout() returned an error

This happens now on all boxes running the most recent OpenLDAP 2.4.15. Is there a serious issue we should PR?

Thanks in advance,
Oliver
Need a lot more info here. The issue in this thread has been related to GSSAPI and nss_ldap and manifests itself when you use krb5_ccname in the nss_ldap.conf.

Is the problem only related to authentication? Only sshd? If you're on the box does nss_ldap work fine and enumerate all users and groups just fine? Are only -CURRENT boxes showing problems? What about -STABLE? When did everything break? What do the ldap server logs say if you have access to them? (Might want to bump up the loglevel on openldap too.)

tom
Hey, just curious if there's anything that can be done about the one lingering issue I have above with:

dlopen: /usr/lib/libgssapi_spnego.so.10: Undefined symbol "GSS_C_NT_HOSTBASED_SERVICE"

Got back from vacation and happen to go through my -CURRENT box's mailbox and cron has flooded my inbox with emails because of this. Would be nice to make this go away. :)

tom
Yes. I get this on every 'ls -l' and on 'vi' which is kind of annoying. But I have not enough GSSAPI-foo...

harti
On Tue, 10 Mar 2009, Doug Rabson wrote:

DR>
DR>On 6 Mar 2009, at 22:24, Kostik Belousov wrote:
DR>
DR>> On Fri, Mar 06, 2009 at 05:00:49PM -0500, tmclaugh@sdf.lonestar.org wrote:
DR>> > > On Fri, Mar 06, 2009 at 09:39:31PM +0100, Hartmut Brandt wrote:
DR>> > > >
DR>> > > > Hi Tom,
DR>> > > >
DR>> > > > On Sat, 28 Feb 2009, Tom McLaughlin wrote:
DR>> > > >
DR>> > > > TM>Tom McLaughlin wrote:
DR>> > > > TM>> Harti Brandt wrote:
DR>> > > > TM>> > On Sun, 18 Jan 2009, Hartmut.Brandt@dlr.de wrote:
DR>> > > > TM>
DR>> > > > TM>> > > Both create entries in /var/log/messages like:
DR>> > > > TM>> > >
DR>> > > > TM>> > > Jan 18 20:00:02 knopdnsimu13f cron[1495]: GSSAPI Error:
DR>> > > > Miscellaneous
DR>> > > > TM>> > > failure (see
DR>> > > > TM>> > >
DR>> > > > text)
DR>> > > > TM>> > > Jan 18 20:00:02 knopdnsimu13f kernel: ZZZZZZZZZZZZZZZZ
DR>> > > > TM>> > >
DR>> > > > TM>> > > I've tried to figure out in which of the dozens of layered
DR>> > > > libraries
DR>> > > > TM>> > > (gss, sasl, ssl, ......) ...
Possibly. This library does export symbols for kerberos-specific GSS-API extensions but if you use them you still need to link with libgssapi as well.
Sorry, forgot to mention you still need that patch to libgssapi and libgssapi_krb5 in base that you did previously. The patch to nss_ldap alleviates the lingering problems you still saw. I need to eventually talk to dfr@ (been busy with various projects at home lately) and see how nss_ldap should properly link against libgssapi but even after that the patch to nss_ldap will still be needed and better than the current method used to use a host ticket.

tom
How will gss allow you to go without a host ticket? Somehow the host needs to bind to the AD, right?

In any case I rebuilt the two libraries linking them against libgssapi and I can at least log in again. Sendmail dies with signal 11 and after I removed the link from /tmp/krb5cc_0 to the host creds cron also dies with signal 11. This is somewhat hard to debug, because it doesn't dump core. Sudo does not work and gives:

Mar 7 21:23:57 knopdnsimu13f sudo: GSSAPI Error: Miscellaneous failure (see text) (unknown mech-code 2529638944 for mech unknown)
Mar 7 21:23:57 knopdnsimu13f sudo: GSSAPI Error: Miscellaneous failure (see text)¥¥¥¥¥¥¥¥¥¥¥¥¥¥¥ (Ticket expired¥¥libdefaults)
Mar 7 21:24:27 knopdnsimu13f last message repeated 8 times
Mar 7 21:24:32 knopdnsimu13f sshd[50888]: error: PAM: authentication error for root from XXXX.dlr.de
Mar 7 21:25:00 knopdnsimu13f sudo: GSSAPI Error: Miscellaneous failure (see text)¥¥¥¥¥¥¥¥¥¥¥¥¥¥¥ (Ticket expired¥¥libdefaults)
Mar 7 21:25:00 knopdnsimu13f sudo: GSSAPI Error: Miscellaneous failure (see text)¥¥¥¥¥¥¥¥¥¥¥¥¥¥¥ (Ticket expired¥¥libdefaults)
Mar 7 21:26:05 knopdnsimu13f last message repeated 2 times
Mar 7 21:26:05 knopdnsimu13f sudo: nss_ldap: could not search LDAP server - Server is unavailable

The host ticket is fine (I checked) and the server is, of course, reachable and up. None of the tickets is expired.

I must admit that I'm lost in this twisted maze of libraries: gss, nss_ldap, sasl. I can't even grasp how they layer on each other. But if you come up with patches I'm ready to try them.

Did I forget to mention that this worked fine for one or two years until I decided to update my system (this was when I sent the original mail)?

harti
Yes, you still need a host ticket on the box. For nss_ldap to work
correctly right now using a host ticket on -CURRENT you need
libgssapi_{krb5,spnego} linked against libgssapi and the patch to the
nss_ldap port. nss_ldap has two different methods that it can use to
use a host ticket and the one used is determined during the configure
stage of the port. The port currently uses a host ticket by temporarily
changing the path to the user's ticket in the user's environment to the
path to the host ticket when it needs to do a lookup. The patch to
nss_ldap I sent uses the gss_krb5_ccache_name() function instead on
Yes, sudo, sendmail, cron, and a few others will exhibit this behavior
Yup, this started when heimdal and gssapi were updated from the ancient
versions we used to have.
tom
