Package: libsasl2-modules-gssapi-mit
Version: 2.1.24~rc1.dfsg1+cvs2011-05-23-4
Severity: important

Dear Maintainer,

// This issue still exists in the latest 2.1.25.

* What led up to the situation?

I find slapd doesn't respect the "keytab" option in /etc/ldap/sasl2/slapd.conf when it does SASL authentication; slapd always reads the default keytab file "/etc/krb5.keytab", but slapd is running as user "openldap" and that file is readable only by root.

The cause is libsasl2-modules-gssapi-mit's buggy autoconf m4 script, which disables the code snippet that reads the "keytab" option.

$ grep gsskrb5_register_acceptor_identity /usr/include/ -nr
/usr/include/gssapi/gssapi_krb5.h:164:#define gsskrb5_register_acceptor_identity krb5_gss_register_acceptor_identity
/usr/include/mit-krb5/gssapi/gssapi_krb5.h:164:#define gsskrb5_register_acceptor_identity krb5_gss_register_acceptor_identity
/usr/include/heimdal/gssapi/gssapi_krb5.h:84:GSSAPI_LIB_FUNCTION OM_uint32 GSSAPI_LIB_CALL gsskrb5_register_acceptor_identity

$ grep gsskrb5_register_acceptor_identity -nr cyrus-sasl2/
cyrus-sasl2/configure:13336:for ac_func in gsskrb5_register_acceptor_identity
cyrus-sasl2/cmulocal/sasl2.m4:271:  AC_CHECK_FUNCS(gsskrb5_register_acceptor_identity)
cyrus-sasl2/config.h.in:125:/* Define to 1 if you have the `gsskrb5_register_acceptor_identity' function.
cyrus-sasl2/saslauthd/configure:9119:for ac_func in gsskrb5_register_acceptor_identity
cyrus-sasl2/saslauthd/saslauthd.h.in:58:/* Define to 1 if you have the `gsskrb5_register_acceptor_identity' function.
cyrus-sasl2/plugins/gssapi.c:1320:    gsskrb5_register_acceptor_identity(keytab_path);

MIT Kerberos's header file includes the macro "gsskrb5_register_acceptor_identity" and the function "krb5_gss_register_acceptor_identity", but the sasl2.m4 script expects a function "gsskrb5_register_acceptor_identity"; this works for Heimdal Kerberos but not for MIT Kerberos.

* What exactly did you do (or not do) that was effective (or ineffective)?

After I forced cyrus-sasl2/plugins/gssapi.c to use the function "krb5_gss_register_acceptor_identity", this package successfully picked up the "keytab" option in /etc/ldap/sasl2/slapd.conf, and the command "ldapwhoami" authenticated successfully.

* What was the outcome of this action?

* What outcome did you expect instead?

I feel it's better to fix sasl.m4 rather than directly change plugins/gssapi.c to add more macros. Maybe it's even better to just change /usr/include/mit-krb5/gssapi/gssapi_krb5.h to use this macro:

#define krb5_gss_register_acceptor_identity gsskrb5_register_acceptor_identity

but this way breaks ABI compatibility.

cyrus-sasl2/doc/sysadmin.html also should be fixed; it claims:

<p>Applications that wish to use a kerberos mechanism will need access to a service key, stored either in a "srvtab" file (Kerberos 4) or a "keytab" file (Kerberos 5). Currently, the keytab file location is not configurable and defaults to the system default (probably <tt>/etc/krb5.keytab</tt>).

Regards,
Yubao Liu

-- System Information:
Debian Release: wheezy/sid
  APT prefers testing-proposed-updates
  APT policy: (500, 'testing-proposed-updates'), (500, 'testing')
Architecture: i386 (i686)

Kernel: Linux 3.0.0-1-686-pae (SMP w/1 CPU core)
Locale: LANG=en_US.UTF-8, LC_CTYPE=zh_CN.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash

Versions of packages libsasl2-modules-gssapi-mit depends on:
ii  libc6               2.13-21
ii  libcomerr2          1.42~WIP-2011-10-16-1
ii  libgssapi-krb5-2    1.9.1+dfsg-3
ii  libk5crypto3        1.9.1+dfsg-3
ii  libkrb5-3           1.9.1+dfsg-3
ii  libsasl2-modules    2.1.24~rc1.dfsg1+cvs2011-05-23-4
ii  libssl1.0.0         1.0.0e-3

libsasl2-modules-gssapi-mit recommends no packages.

libsasl2-modules-gssapi-mit suggests no packages.

-- no debconf information