Current-Users archive
kerberos issues with 10.0_BETA post openssl update
Having updated from a 10.0_BETA built in March to one built a couple of
weeks ago (post the openssl3 merge) I'm now seeing various Kerberos
issues that I wasn't seeing before.
1. pam_ksu not working
On an old system su gets a Kerberos-specific password prompt:
www-cache% su
mark/root%ECS.VUW.AC.NZ@localhost's password:
On a new system it drops straight through to the no-Kerberos prompt:
smb2% su
Password:
With PAM debug enabled on the pam_ksu module, the old system prints:
www-cache su: in openpam_dispatch(): calling pam_sm_authenticate() in /usr/lib/security/pam_ksu.so.4
www-cache su: in pam_sm_authenticate(): Got user: root
www-cache su: in pam_sm_authenticate(): Got ruser: mark
www-cache su: in get_su_principal(): Default principal name: mark%ECS.VUW.AC.NZ@localhost
www-cache su: in get_su_principal(): Target principal name: mark/root%ECS.VUW.AC.NZ@localhost
www-cache su: in pam_sm_authenticate(): kuserok: mark/root%ECS.VUW.AC.NZ@localhost -> root
but the new system:
smb2 su: in openpam_dispatch(): calling pam_sm_authenticate() in /usr/lib/security/pam_ksu.so.4
smb2 su: in pam_sm_authenticate(): Got user: root
smb2 su: in pam_sm_authenticate(): Got ruser: mark
smb2 su: in get_su_principal(): Default principal name: mark%ECS.VUW.AC.NZ@localhost
smb2 su: in get_su_principal(): Target principal name: mark/root%ECS.VUW.AC.NZ@localhost
smb2 su: in pam_sm_authenticate(): kuserok: mark/root%ECS.VUW.AC.NZ@localhost -> root
smb2 su: in openpam_dispatch(): /usr/lib/security/pam_ksu.so.4: pam_sm_authenticate(): Authentication error
2. ktutil causes kadmind to segfault.
A command such as
ktutil -k /tmp/k.keytab get -p mark/admin host/xx.ecs.vuw.ac.nz
fails to work. It gets the error
ktutil: kadm5_create_principal(host/xx.ecs.vuw.ac.nz): End of file
because the kadmind on the Kerberos server segfaults:
(No debugging symbols found in /usr/libexec/kadmind)
[New process 3300]
Core was generated by `kadmind'.
Program terminated with signal SIGSEGV, Segmentation fault.
#0 0x0000000000000000 in ?? ()
(gdb) where
#0 0x0000000000000000 in ?? ()
#1 0x000073f5d68423d4 in ?? () from /usr/lib/libkrb5.so.27
#2 0x000073f5d6841531 in krb5_string_to_key_data_salt () from /usr/lib/libkrb5.so.27
#3 0x000073f5d7011d25 in hdb_generate_key_set_password_with_ks_tuple () from /usr/lib/libhdb.so.15
#4 0x000073f5d740ef90 in _kadm5_set_keys () from /usr/lib/libkadm5srv.so.15
#5 0x000073f5d7409eb0 in kadm5_s_create_principal () from /usr/lib/libkadm5srv.so.15
#6 0x00000000058078df in kadmind_dispatch.isra ()
#7 0x00000000058084f3 in kadmind_loop ()
#8 0x0000000005809323 in main ()
3. pam_krb5 will seemingly randomly die while validating perfectly
valid username/password pairs.
Both dovecot's auth and saslauthd (configured to do PAM, and PAM to do
pam_krb5) would get segmentation faults processing some connections
while others (giving the same credentials) would succeed.
[...]
Sep 3 19:33:05 mail1 dovecot: auth: Error: auth-worker: Aborted PASSV request for mark: Worker process died unexpectedly
Sep 3 19:33:25 mail1 dovecot: auth: Error: auth-worker: Aborted PASSV request for xxx: Worker process died unexpectedly
Sep 3 19:33:43 mail1 dovecot: auth: Error: auth-worker: Aborted PASSV request for yyy: Worker process died unexpectedly
[...]
[...]
Sep 03 19:33:04 auth: Debug: client passdb out: OK 1 user=mark
Sep 03 19:33:04 auth: Debug: client passdb out: OK 1 user=mark
Sep 03 19:33:07 auth: Debug: client passdb out: FAIL 1 user=mark code=temp_fail
Sep 03 19:33:09 auth: Debug: client passdb out: OK 1 user=mark
Sep 03 19:33:25 auth: Debug: client passdb out: OK 1 user=zzz
Sep 03 19:33:27 auth: Debug: client passdb out: FAIL 1 user=xxx code=temp_fail
Sep 03 19:33:45 auth: Debug: client passdb out: FAIL 1 user=yyy code=temp_fail
[...]
I didn't get a coredump from dovecot before I had to roll back that
machine to the older system, but I did get one from saslauthd:
Core was generated by `saslauthd'.
Program terminated with signal SIGSEGV, Segmentation fault.
#0 0x0000736565442b9f in ?? () from /usr/lib/libkrb5.so.27
(gdb) where
#0 0x0000736565442b9f in ?? () from /usr/lib/libkrb5.so.27
#1 0x0000736565442cc0 in ?? () from /usr/lib/libkrb5.so.27
#2 0x00007365654429ec in krb5_error_from_rd_error () from /usr/lib/libkrb5.so.27
#3 0x000073656542cf22 in krb5_init_creds_step () from /usr/lib/libkrb5.so.27
#4 0x000073656542de98 in krb5_init_creds_get () from /usr/lib/libkrb5.so.27
#5 0x000073656542b963 in krb5_get_init_creds_password () from /usr/lib/libkrb5.so.27
#6 0x000073656020279b in pam_sm_authenticate () from /usr/lib/security/pam_krb5.so.4
#7 0x0000736563804cee in openpam_dispatch () from /usr/lib/libpam.so.4
#8 0x0000736563803e66 in pam_authenticate () from /usr/lib/libpam.so.4
#9 0x000000019e203ca9 in ?? ()
#10 0x000000019e2083cc in ?? ()
#11 0x000000019e20758d in ?? ()
#12 0x000000019e207c8c in ?? ()
#13 0x000000019e20a1ab in ?? ()
#14 0x000000019e202edd in ?? ()
#15 0x00007f7f3840bbb8 in ?? () from /usr/libexec/ld.elf_so
#16 0x0000000000000003 in ?? ()
#17 0x00007f7fff0729f0 in ?? ()
#18 0x00007f7fff072a08 in ?? ()
#19 0x00007f7fff072a0b in ?? ()
#20 0x0000000000000000 in ?? ()
Any suggestions?
cheers
mark
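
Added example, not part of the original post: a way to separate crash-induced temp_fail results from ordinary authentication failures by correlating the two dovecot log excerpts above. The log lines are the ones quoted in the post with mail wrapping rejoined; the function names, the regular expressions (which assume exactly the format shown) and the 5-second matching window are assumptions of this example.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Lines taken from the excerpts in the post, with mail-wrapped lines rejoined.
SYSLOG = """\
Sep 3 19:33:05 mail1 dovecot: auth: Error: auth-worker: Aborted PASSV request for mark: Worker process died unexpectedly
Sep 3 19:33:25 mail1 dovecot: auth: Error: auth-worker: Aborted PASSV request for xxx: Worker process died unexpectedly
Sep 3 19:33:43 mail1 dovecot: auth: Error: auth-worker: Aborted PASSV request for yyy: Worker process died unexpectedly
"""
AUTH_DEBUG = """\
Sep 03 19:33:04 auth: Debug: client passdb out: OK 1 user=mark
Sep 03 19:33:04 auth: Debug: client passdb out: OK 1 user=mark
Sep 03 19:33:07 auth: Debug: client passdb out: FAIL 1 user=mark code=temp_fail
Sep 03 19:33:09 auth: Debug: client passdb out: OK 1 user=mark
Sep 03 19:33:25 auth: Debug: client passdb out: OK 1 user=zzz
Sep 03 19:33:27 auth: Debug: client passdb out: FAIL 1 user=xxx code=temp_fail
Sep 03 19:33:45 auth: Debug: client passdb out: FAIL 1 user=yyy code=temp_fail
"""
TS = r"(\w{3}\s+\d+ \d\d:\d\d:\d\d)"
DIED = re.compile(TS + r" .*Aborted PASSV request for (\S+): Worker process died")
OUT = re.compile(TS + r" auth: Debug: client passdb out: (OK|FAIL) \d+ user=(\S+)(?: code=(\S+))?")

def ts(text):
    # syslog stamps carry no year; a fixed one is enough for time differences
    return datetime.strptime("2000 " + " ".join(text.split()), "%Y %b %d %H:%M:%S")

def correlate(syslog, debug, window=timedelta(seconds=5)):
    """Per user: OK count, temp_fail count, and temp_fails near a worker death."""
    deaths = [(ts(m[1]), m[2]) for m in DIED.finditer(syslog)]
    stats = defaultdict(lambda: {"ok": 0, "temp_fail": 0, "crash_linked": 0})
    for m in OUT.finditer(debug):
        when, result, user, code = ts(m[1]), m[2], m[3], m[4]
        if result == "OK":
            stats[user]["ok"] += 1
        elif code == "temp_fail":
            stats[user]["temp_fail"] += 1
            if any(u == user and abs(when - t) <= window for t, u in deaths):
                stats[user]["crash_linked"] += 1
    return dict(stats)

def intermittent(stats):
    """Users accepted at least once who also hit a crash-linked temp_fail."""
    return sorted(u for u, s in stats.items() if s["ok"] and s["crash_linked"])

if __name__ == "__main__":
    print(intermittent(correlate(SYSLOG, AUTH_DEBUG)))
```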