Date:      Thu, 26 Feb 2009 08:39:00 -0500
From:      Tom McLaughlin <tmclaugh@sdf.lonestar.org>
To:        Harti Brandt <harti@freebsd.org>
Cc:        current@freebsd.org
Subject:   Re: problem with nss_ldap
Message-ID:  <49A69B74.1080201@sdf.lonestar.org>
In-Reply-To: <alpine.BSF.1.10.0901231858510.1173@knopdnsimu13l.kn.op.dlr.de>
References:  <E2F5A6372272F744859F67CB11ABC1110507D4@exbe05.intra.dlr.de> <alpine.BSF.1.10.0901231858510.1173@knopdnsimu13l.kn.op.dlr.de>

Harti Brandt wrote:
> On Sun, 18 Jan 2009, Hartmut.Brandt@dlr.de wrote:
> 
>> Hi,
>>
>> for a year or so I had nss_ldap connected to an active directory (with openldap23-sasl-client) on a year-old current. Yesterday I rebuilt everything and started to get 'undefined symbols' (for example gss_equal_oid) when running any program needing pw or group entries. After some poking around I fixed these by adding -lgssapi to the Makefiles for libgssapi_krb5.so and libgssapi_spnego.so. Now getent, local login and everything works fine, except cron and sshd.

Hi Harti, I'm setting up a -CURRENT vm right now with nss_ldap and have 
an LDAP server which requires SASL.  I use a global krb5 credentials 
cache for nss_ldap as it appears you do.  Last time I did this was right 
around the time the latest heimdal was imported.  My setup worked before 
the import and broke afterwards.  As I recall from talking to dfr@ (?) 
libgssapi_{krb5,spnego} are just plugins for libgssapi.  They should not 
need to be linked against libgssapi and other things should not link 
against them.  I would like to see this fixed as libgssapi is intended 
to be used.  I just want to know what the proper fix is.

(Hey, just found the old conversation with dfr@ in my inbox but need to 
read through the whole thing to figure out what's up.)

>>
>> Both create entries in /var/log/messages like:
>>
>> Jan 18 20:00:02 knopdnsimu13f cron[1495]: GSSAPI Error:  Miscellaneous failure (see text)???????????????ZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZ
Z
>  ZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZ
>> Jan 18 20:00:02 knopdnsimu13f kernel: ZZZZZZZZZZZZZZZZ
>>
>> I've tried to figure out in which of the dozens of layered libraries (gss, sasl, ssl, ......) this error is generated but did not find anything.
>>
>> This is on amd64, krb5 enabled in pam, gssapi disabled in sshd_config (as I said, this worked before).
> 
> So to answer my own mail: I made a link from the kerberos ticket file 
> which contains the host ticket (and is specified in nss_ldap.conf) to 
> /tmp/krb5cc_0. I've no idea why this is suddenly necessary, though.

There may be an issue with the env method used in nss_ldap to change the 
credentials cache.  My mind is fuzzy but I do recall a similar issue but 
don't remember the exact cause or case.  nss_ldap has a second 
configurable ccname method which when I submitted the original patch I 
intended to switch to once we had a newer heimdal.  Once I get nss_ldap 
working on my box I intend to submit another patch.

tom
-- 
| tmclaugh at sdf.lonestar.org                 tmclaugh at FreeBSD.org |
| FreeBSD                                       http://www.FreeBSD.org |



