Edward Z. Yang wrote:
Excerpts from Rich Megginson's message of Fri Oct 08 18:59:52 -0400 2010:
> Try running with the SHELL (1024) debug error log level. This should
> give more information about the principal, keytab, etc. that directory
> server is using.
>
More logs:
[09/Oct/2010:04:29:48 -0400] - Listening on /var/run/dirsrv/slapd-scripts.socket for
LDAPI requests
[09/Oct/2010:04:29:48 -0400] slapi_ldap_init_ext - Success: set up conn to
[better-mousetrap.mit.edu:389]
[09/Oct/2010:04:29:48 -0400] set_krb5_creds - The default credentials cache
[FILE:/tmp/krb5cc_485] not found: will create a new one.
[09/Oct/2010:04:29:48 -0400] slapi_ldap_init_ext - configpluginpath == NULL
[09/Oct/2010:04:29:48 -0400] slapi_ldap_init_ext - Success: set up conn to
[whole-enchilada.mit.edu:389]
[09/Oct/2010:04:29:48 -0400] set_krb5_creds - Using principal named
[ldap/old-faithful.mit.edu@ATHENA.MIT.EDU]
[09/Oct/2010:04:29:48 -0400] slapi_ldap_init_ext - Success: set up conn to
[cats-whiskers.mit.edu:389]
[09/Oct/2010:04:29:48 -0400] set_krb5_creds - The default credentials cache
[FILE:/tmp/krb5cc_485] not found: will create a new one.
[09/Oct/2010:04:29:48 -0400] set_krb5_creds - Using principal named
[ldap/old-faithful.mit.edu@ATHENA.MIT.EDU]
[09/Oct/2010:04:29:48 -0400] set_krb5_creds - The default credentials cache
[FILE:/tmp/krb5cc_485] not found: will create a new one.
[09/Oct/2010:04:29:48 -0400] set_krb5_creds - Using principal named
[ldap/old-faithful.mit.edu@ATHENA.MIT.EDU]
[09/Oct/2010:04:29:48 -0400] set_krb5_creds - Using keytab named
[WRFILE:/etc/dirsrv/keytab]
[09/Oct/2010:04:29:48 -0400] set_krb5_creds - Using keytab named
[WRFILE:/etc/dirsrv/keytab]
[09/Oct/2010:04:29:48 -0400] set_krb5_creds - Using keytab named
[WRFILE:/etc/dirsrv/keytab]
[09/Oct/2010:04:29:48 -0400] set_krb5_creds - Generated new memory ccache
[MEMORY:N0KZtwJ]
[09/Oct/2010:04:29:48 -0400] show_cached_credentials - Ticket cache: MEMORY:N0KZtwJ
Default principal: ldap/old-faithful.mit.edu@ATHENA.MIT.EDU
[09/Oct/2010:04:29:48 -0400] show_one_credential - Kerberos credential: client
[ldap/old-faithful.mit.edu@ATHENA.MIT.EDU] server [krbtgt/ATHENA.MIT.EDU@ATHENA.MIT.EDU]
start time [Sat Oct 9 04:30:00 2010] end time [Sun Oct 10 01:45:00 2010] renew time [Sun
Oct 10 04:29:49 2010] flags [0x50c00000]
[09/Oct/2010:04:29:48 -0400] set_krb5_creds - Set new env for ccache:
[KRB5CCNAME=MEMORY:N0KZtwJ]
[09/Oct/2010:04:29:48 -0400] set_krb5_creds - Generated new memory ccache
[MEMORY:fyHs1On]
[09/Oct/2010:04:29:48 -0400] show_cached_credentials - Ticket cache: MEMORY:fyHs1On
Default principal: ldap/old-faithful.mit.edu@ATHENA.MIT.EDU
[09/Oct/2010:04:29:48 -0400] show_one_credential - Kerberos credential: client
[ldap/old-faithful.mit.edu@ATHENA.MIT.EDU] server [krbtgt/ATHENA.MIT.EDU@ATHENA.MIT.EDU]
start time [Sat Oct 9 04:30:00 2010] end time [Sun Oct 10 01:45:00 2010] renew time [Sun
Oct 10 04:29:49 2010] flags [0x50c00000]
[09/Oct/2010:04:29:48 -0400] set_krb5_creds - Set new env for ccache:
[KRB5CCNAME=MEMORY:fyHs1On]
[09/Oct/2010:04:29:48 -0400] ldap_sasl_get_val - Using value [(null)] for SASL_CB_USER
[09/Oct/2010:04:29:48 -0400] set_krb5_creds - Generated new memory ccache
[MEMORY:aIeSCnz]
[09/Oct/2010:04:29:48 -0400] show_cached_credentials - Ticket cache: MEMORY:aIeSCnz
Default principal: ldap/old-faithful.mit.edu@ATHENA.MIT.EDU
[09/Oct/2010:04:29:48 -0400] show_one_credential - Kerberos credential: client
[ldap/old-faithful.mit.edu@ATHENA.MIT.EDU] server [krbtgt/ATHENA.MIT.EDU@ATHENA.MIT.EDU]
start time [Sat Oct 9 04:30:00 2010] end time [Sun Oct 10 01:45:00 2010] renew time [Sun
Oct 10 04:29:49 2010] flags [0x50c00000]
[09/Oct/2010:04:29:48 -0400] set_krb5_creds - Set new env for ccache:
[KRB5CCNAME=MEMORY:aIeSCnz]
[09/Oct/2010:04:29:48 -0400] ldap_sasl_get_val - Using value [(null)] for SASL_CB_USER
[09/Oct/2010:04:29:48 -0400] ldap_sasl_get_val - Using value [(null)] for SASL_CB_USER
[09/Oct/2010:04:29:48 -0400] ldap_sasl_get_val - Using value [(null)] for SASL_CB_USER
[09/Oct/2010:04:29:48 -0400] ldap_sasl_get_val - Using value [(null)] for SASL_CB_USER
[09/Oct/2010:04:29:48 -0400] ldap_sasl_get_val - Using value [(null)] for SASL_CB_USER
> What is the platform? Are you using a newer version of kerberos?
>
Fedora 13. We have the latest version of Kerberos with one custom patch:
Name : krb5-libs
Arch : x86_64
Version : 1.7.1
Release : 14.fc13.scripts.1671
Size : 1.7 M
Repo : installed
From repo : scripts
Summary : The shared libraries used by Kerberos 5
URL : http://web.mit.edu/kerberos/www/
License : MIT
Description : Kerberos is a network authentication system. The krb5-libs package
: contains the shared libraries needed by Kerberos 5. If you are using
: Kerberos, you need to install this package.
that modifies src/lib/krb5/os/kuserok.c (which was not in the backtrace).
http://scripts.mit.edu/trac/browser/branches/fc13-dev/server/common/patch...
Cheers,
Edward

Thanks. Based upon this information and the stack traces you provided
(Thanks!) it looks like the directory server is freeing something in the
    krb5_creds creds;
that it should not be. The errors look like double free or realloc of
already freed memory. I had to rely heavily on the 1.5 and 1.6 kerberos
code to make sure I was using krb5_get_init_creds_keytab() and
krb5_cc_store_cred() and krb5_free_cred_contents() correctly. It's
quite likely that I did not, and the later version of kerberos changed
something to "unmask" the problem. Please file a bug at
https://bugzilla.redhat.com/enter_bug.cgi?product=389 and please attach
your info and stack traces as attachments to the bug.
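
Added example, not part of the original thread or of the directory server's code: a Python helper that re-joins the hard-wrapped error-log entries shown above, collects the principal, keytab and ccache names that set_krb5_creds reports, and decodes the ticket flags value using the RFC 4120 TicketFlags bit order. The sample lines are copied from the log above, with the archive's "(a)" written as "@"; the function and variable names are this example's own.

```python
import re

# Sample entries copied from the log above, hard-wrapped as in the archive.
SAMPLE_LOG = """\
[09/Oct/2010:04:29:48 -0400] set_krb5_creds - Using principal named
[ldap/old-faithful.mit.edu@ATHENA.MIT.EDU]
[09/Oct/2010:04:29:48 -0400] set_krb5_creds - Using keytab named
[WRFILE:/etc/dirsrv/keytab]
[09/Oct/2010:04:29:48 -0400] set_krb5_creds - Generated new memory ccache
[MEMORY:N0KZtwJ]
[09/Oct/2010:04:29:48 -0400] show_one_credential - Kerberos credential: client
[ldap/old-faithful.mit.edu@ATHENA.MIT.EDU] server [krbtgt/ATHENA.MIT.EDU@ATHENA.MIT.EDU]
start time [Sat Oct 9 04:30:00 2010] end time [Sun Oct 10 01:45:00 2010] renew time [Sun
Oct 10 04:29:49 2010] flags [0x50c00000]
[09/Oct/2010:04:29:48 -0400] set_krb5_creds - Generated new memory ccache
[MEMORY:fyHs1On]
"""

# A new entry begins only where a line opens with a [dd/Mon/yyyy:hh:mm:ss zone] stamp;
# continuation lines such as "[MEMORY:...]" do not match and stay with their entry.
ENTRY_BREAK = re.compile(r"\n(?=\[\d{2}/\w{3}/\d{4}:\d{2}:\d{2}:\d{2} [+-]\d{4}\] )")
PATTERNS = {
    "principal": re.compile(r"Using principal named \[([^\]]+)\]"),
    "keytab": re.compile(r"Using keytab named \[([^\]]+)\]"),
    "ccache": re.compile(r"Generated new memory ccache \[([^\]]+)\]"),
    "flags": re.compile(r"flags \[(0x[0-9a-fA-F]+)\]"),
}
# RFC 4120 TicketFlags in bit order; bit 0 is the most significant bit.
FLAG_NAMES = ["reserved", "forwardable", "forwarded", "proxiable", "proxy",
              "may-postdate", "postdated", "invalid", "renewable", "initial",
              "pre-authent", "hw-authent"]

def join_entries(text):
    """Split on entry boundaries, then collapse each entry's wrapped lines."""
    return [" ".join(e.split()) for e in ENTRY_BREAK.split(text.strip())]

def decode_flags(value):
    """Return the names of the ticket flag bits set in a 32-bit flags value."""
    return [n for i, n in enumerate(FLAG_NAMES) if value & (0x80000000 >> i)]

def summarize(text):
    """Collect every logged principal, keytab and ccache, plus decoded flags."""
    found = {key: [] for key in PATTERNS}
    for entry in join_entries(text):
        for key, pat in PATTERNS.items():
            found[key] += pat.findall(entry)
    found["flags"] = [decode_flags(int(v, 16)) for v in found["flags"]]
    return found
```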