Re: kerberos issues with 10.0_BETA post openssl update

To: current-users%netbsd.org@localhost, Taylor R Campbell <riastradh%NetBSD.org@localhost>
Subject: Re: kerberos issues with 10.0_BETA post openssl update
From: Mark Davies <mark%ecs.vuw.ac.nz@localhost>
Date: Mon, 25 Sep 2023 14:12:11 +1300



On 4/09/23 16:46, Mark Davies wrote:

1.  pam_ksu not working


Taylor fixed this.

2.  ktutil causes kadmind to segfault.


Christos fixed this.

3. pam_krb5 will seemingly randomly die while validating perfectlyvalid username/password pairs.
Both dovecot's auth and saslauthd (configured to do pam, and pam to dopam_krb5) would get segmentation faults processing some connectionswhile others (giving the same credentials) would succeed.

So with 1 and 2 fixed I rolled mail server forward again to see thestate of issue 3 and confirmed that the problem still persists. Howeverwas also able to confirm that rolling back just pam_krb5.so.4 to aversion prior to Taylor's June change fixed it, so presumably there issomething in that change that is not quite right.

Unfortunately, prior to putting the working pam_krb5 in, I wasn't ableto persuade dovecot to give coredumps along with its segfaults. I dohowever have a coredump for saslauthd from 3 weeks ago and two more fromthis morning:



Core was generated by `saslauthd'.
Program terminated with signal SIGSEGV, Segmentation fault.

(gdb) where

#0 quote_string (s=0x73756372616d <error: Cannot access memory ataddress 0x73756372616d>,out=out@entry=0x7f7fff06fbd0 "", idx=0, len=len@entry=256,display=display@entry=0)at/src/work/10/src/crypto/external/bsd/heimdal/dist/lib/krb5/principal.c:418#1 0x0000736565442cc0 in unparse_name_fixed(context=context@entry=0x736565752000, principal=0x7365656dd5a0,name=name@entry=0x7f7fff06fbd0 "", len=len@entry=256,flags=flags@entry=0)at/src/work/10/src/crypto/external/bsd/heimdal/dist/lib/krb5/principal.c:457#2 0x0000736565443569 in krb5_unparse_name_fixed(context=context@entry=0x736565752000,principal=<optimized out>, name=name@entry=0x7f7fff06fbd0 "",len=len@entry=256)at/src/work/10/src/crypto/external/bsd/heimdal/dist/lib/krb5/principal.c:507#3 0x00007365654429ec in krb5_error_from_rd_error(context=context@entry=0x736565752000,

    error=error@entry=0x7365657b7da0, creds=creds@entry=0x7365657b7c08)

at/src/work/10/src/crypto/external/bsd/heimdal/dist/lib/krb5/rd_error.c:86#4 0x000073656542cf22 in krb5_init_creds_step(context=context@entry=0x736565752000,ctx=ctx@entry=0x7365657b7c00, in=in@entry=0x7f7fff070640,out=out@entry=0x7f7fff070650,

    hostinfo=hostinfo@entry=0x0, flags=flags@entry=0x7f7fff070634)

at/src/work/10/src/crypto/external/bsd/heimdal/dist/lib/krb5/init_creds_pw.c:2334#5 0x000073656542de98 in krb5_init_creds_get(context=context@entry=0x736565752000, ctx=0x7365657b7c00)at/src/work/10/src/crypto/external/bsd/heimdal/dist/lib/krb5/init_creds_pw.c:2634#6 0x000073656542b963 in krb5_get_init_creds_password(context=0x736565752000, creds=0x7f7fff071110,client=0x7365656ddb20, password=0x7365657ea110 "tclubhideout99v",prompter=0x0, data=0x7365657f2000,

    start_time=0, in_tkt_service=<optimized out>, options=0x736565789180)

at/src/work/10/src/crypto/external/bsd/heimdal/dist/lib/krb5/init_creds_pw.c:2728#7 0x000073656020279b in pam_sm_authenticate () from/usr/lib/security/pam_krb5.so.4#8 0x0000736563804cee in openpam_dispatch(pamh=pamh@entry=0x7365657f2000, primitive=primitive@entry=0,flags=-2147483648) at/src/work/10/src/external/bsd/openpam/dist/lib/libpam/openpam_dispatch.c:125#9 0x0000736563803e66 in pam_authenticate (pamh=0x7365657f2000,flags=<optimized out>)at/src/work/10/src/external/bsd/openpam/dist/lib/libpam/pam_authenticate.c:69

#10 0x000000019e203ca9 in ?? ()
#11 0x000000019e2083cc in ?? ()
#12 0x000000019e20758d in ?? ()
#13 0x000000019e207c8c in ?? ()
#14 0x000000019e20a1ab in ?? ()
#15 0x000000019e202edd in ?? ()
#16 0x00007f7f3840bbb8 in ?? () from /usr/libexec/ld.elf_so
#17 0x0000000000000003 in ?? ()
#18 0x00007f7fff0729f0 in ?? ()
#19 0x00007f7fff072a08 in ?? ()
#20 0x00007f7fff072a0b in ?? ()
#21 0x0000000000000000 in ?? ()



Core was generated by `saslauthd'.
Program terminated with signal SIGSEGV, Segmentation fault.
#0  0x0000796d85d9c091 in strlen () from /usr/lib/libc.so.12
(gdb) where
#0  0x0000796d85d9c091 in strlen () from /usr/lib/libc.so.12

#1 0x0000796d85cbbb4b in _strdup (str=0x736d6c616572 <error: Cannotaccess memory at address 0x736d6c616572>)

    at /src/work/10/src/lib/libc/string/strdup.c:60

#2 0x0000796d88081c17 in der_copy_general_string (from=<optimized out>,to=0x796d88a61390)at/src/work/10/src/crypto/external/bsd/heimdal/dist/lib/asn1/der_copy.c:46#3 0x0000796d8804a104 in copy_PrincipalName(from=from@entry=0x796d887d49a0, to=to@entry=0x796d88746220)

    at asn1_krb5_asn1.c:1019

#4 0x0000796d8804a4c5 in copy_Principal(from=from@entry=0x796d887d49a0, to=to@entry=0x796d88746220)

    at asn1_krb5_asn1.c:1160

#5 0x0000796d88443cb3 in krb5_copy_principal(context=context@entry=0x796d88764000, inprinc=0x796d887d49a0,

    outprinc=outprinc@entry=0x7f7fffbc60d8)

at/src/work/10/src/crypto/external/bsd/heimdal/dist/lib/krb5/principal.c:918#6 0x0000796d88447efd in mcc_get_principal (context=0x796d88764000,id=<optimized out>, principal=0x7f7fffbc60d8)at/src/work/10/src/crypto/external/bsd/heimdal/dist/lib/krb5/mcache.c:329#7 0x0000796d83203bb9 in pam_sm_chauthtok () from/usr/lib/security/pam_krb5.so.4#8 0x0000796d86804cee in openpam_dispatch (pamh=0x796d88a61350,primitive=-2005468800, flags=-2147483648)at/src/work/10/src/external/bsd/openpam/dist/lib/libpam/openpam_dispatch.c:125

#9  0x00000000eba03cbe in ?? ()
#10 0x00007f7fffbc6210 in ?? ()
#11 0x0000796d88a48000 in ?? ()
#12 0x00000000eba03a02 in ?? ()

#13 0x00007f7f5800800e in _rtld_symlook_obj_matched_symbol(vcount=<synthetic pointer>, vsymp=<synthetic pointer>,symnum=133511350964291, ventry=0xeba083cc, flags=<optimized out>,obj=0x7f7fffbc6800,name=0x7f7fffbc64d0 "rarnold") at/src/work/10/src/libexec/ld.elf_so/symbol.c:186#14 _rtld_symlook_obj_sysv (ventry=<optimized out>, flags=<optimizedout>, obj=0x7f7fffbc6800,hash=<optimized out>, name=0x7f7fffbc64d0 "rarnold") at/src/work/10/src/libexec/ld.elf_so/symbol.c:308#15 _rtld_symlook_obj (name=0x7f7fffbc64d0 "rarnold", hash=<optimizedout>, obj=0x7f7fffbc6800,flags=<optimized out>, ventry=0xeba083cc) at/src/work/10/src/libexec/ld.elf_so/symbol.c:391

#16 0x00007f7f00000000 in ?? ()
#17 0x0000000000000000 in ?? ()



Core was generated by `saslauthd'.
Program terminated with signal SIGSEGV, Segmentation fault.
#0  0x0000796d85d9c091 in strlen () from /usr/lib/libc.so.12
(gdb) where
#0  0x0000796d85d9c091 in strlen () from /usr/lib/libc.so.12

#1 0x0000796d85cbbb4b in _strdup (str=0x74677462726b <error: Cannotaccess memory at address 0x74677462726b>)

    at /src/work/10/src/lib/libc/string/strdup.c:60

#2 0x0000796d88081c17 in der_copy_general_string (from=<optimized out>,to=0x796d88a613b0)at/src/work/10/src/crypto/external/bsd/heimdal/dist/lib/asn1/der_copy.c:46#3 0x0000796d8804a104 in copy_PrincipalName(from=from@entry=0x796d887d4c00, to=to@entry=0x796d887d48c0)

    at asn1_krb5_asn1.c:1019

#4 0x0000796d8804a4c5 in copy_Principal(from=from@entry=0x796d887d4c00, to=to@entry=0x796d887d48c0)

    at asn1_krb5_asn1.c:1160

#5 0x0000796d88443cb3 in krb5_copy_principal(context=context@entry=0x796d88764000,inprinc=inprinc@entry=0x796d887d4c00,outprinc=outprinc@entry=0x796d8875d5c0)at/src/work/10/src/crypto/external/bsd/heimdal/dist/lib/krb5/principal.c:918#6 0x0000796d88448587 in mcc_initialize (context=0x796d88764000,id=<optimized out>,primary_principal=0x796d887d4c00) at/src/work/10/src/crypto/external/bsd/heimdal/dist/lib/krb5/mcache.c:209#7 0x0000796d884654db in krb5_cc_initialize (context=<optimized out>,id=0x796d887d4b20,primary_principal=<optimized out>) at/src/work/10/src/crypto/external/bsd/heimdal/dist/lib/krb5/cache.c:677#8 0x0000796d8320284a in pam_sm_authenticate () from/usr/lib/security/pam_krb5.so.4#9 0x0000796d86804cee in openpam_dispatch(pamh=pamh@entry=0x796d88a48000, primitive=primitive@entry=0,flags=-2147483648) at/src/work/10/src/external/bsd/openpam/dist/lib/libpam/openpam_dispatch.c:125#10 0x0000796d86803e66 in pam_authenticate (pamh=0x796d88a48000,flags=<optimized out>)at/src/work/10/src/external/bsd/openpam/dist/lib/libpam/pam_authenticate.c:69

#11 0x00000000eba03ca9 in ?? ()
#12 0x00007f7fffbc6210 in ?? ()
#13 0x0000796d88a48000 in ?? ()
#14 0x00000000eba03a02 in ?? ()
#15 0x0000000000000000 in ?? ()


cheers
mark

Follow-Ups:
- Re: kerberos issues with 10.0_BETA post openssl update
  - From: Brett Lymn
- Re: kerberos issues with 10.0_BETA post openssl update
  - From: Mark Davies

References:
- kerberos issues with 10.0_BETA post openssl update
  - From: Mark Davies

Prev by Date: 10.0_BETA/amd64 panic in inteldrm
Next by Date: Re: kerberos issues with 10.0_BETA post openssl update
Previous by Thread: Re: kerberos issues with 10.0_BETA post openssl update
Next by Thread: Re: kerberos issues with 10.0_BETA post openssl update
Indexes:

Home | Main Index | Thread Index | Old Index