Package: libnss-ldap
Version: 261-2.1
Severity: normal
Tags: patch

I noticed that Kerberos keytab support was commented out in the debian/rules
file. When I enabled the feature by enabling the commented line, I found
that this doesn't really help.

Digging further into the code I found the source of the problem to be a
mismatch of the actual and the expected output of the krb5_kt_get_name()
function. The current code expects a file name, whereas the function returns
the name including the 'FILE:' prefix. I wrote a patch to fix the issue.

I use the following configuration in /etc/libnss-ldap.conf:
use_sasl yes
krb5_usekeytab 1
krb5_autorenew 1
krb5_keytabname FILE:/etc/krb5.keytab
sasl_auth_id host/<fqdn>@<REALM>

--- nss_ldap-261.orig/ldap-init-krb5-cache.c    2008-07-03 04:32:10.000000000 
+0200
+++ nss_ldap-261/ldap-init-krb5-cache.c 2010-03-04 18:04:22.000000000 +0100
@@ -236,9 +236,11 @@
              setregid (egid, rgid);
            }
          krb5_kt_get_name (context, __keytab, buf, KT_PATH_MAX);
+      /* Skip the 'FILE:' prefix*/
+      char *filename = buf + 5;
          debug ("==> krb5_cache_kt_is_accessible: kt_get_name gives %s",
-                buf);
-         code = access (buf, R_OK);
+                filename);
+         code = access (filename, R_OK);
          if (ruid != euid)
            {
              setreuid (ruid, euid);
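Review bot: `char *filename = buf + 5;` assumes the name that krb5_kt_get_name() wrote into buf always begins with the five-byte "FILE:" prefix, so a keytab of another file-backed type (a "WRFILE:" name) or a bare path with no type prefix would be offset into the middle of the string and access() would then test a bogus path; suggest matching the prefix explicitly, e.g. `char *filename = buf; if (strncmp (buf, "FILE:", 5) == 0) filename += 5;`. The return code of krb5_kt_get_name() is still ignored, so on failure buf may not hold a name at all and the access() check is meaningless. Also, declaring `filename` after the krb5_kt_get_name() statement is a mixed declaration that compilers in C89 mode reject; move it to the top of the block.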

-- System Information:
Debian Release: 5.0.4
  APT prefers stable
  APT policy: (500, 'stable')
Architecture: amd64 (x86_64)

Kernel: Linux 2.6.26-2-amd64 (SMP w/1 CPU core)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/bash

Versions of packages libnss-ldap depends on:
ii  debconf [debcon 1.5.24                   Debian configuration management sy
ii  libc6           2.7-18lenny2             GNU C Library: Shared libraries
ii  libcomerr2      1.41.3-1                 common error description library
ii  libkrb53        1.6.dfsg.4~beta1-5lenny2 MIT Kerberos runtime libraries
ii  libldap-2.4-2   2.4.11-1+lenny1          OpenLDAP libraries
ii  libsasl2-2      2.1.22.dfsg1-23+lenny1   Cyrus SASL - authentication abstra

Versions of packages libnss-ldap recommends:
pn  libpam-ldap                 <none>       (no description available)
ii  nscd                        2.7-18lenny2 GNU C Library: Name Service Cache 

libnss-ldap suggests no packages.

-- debconf information excluded
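The mismatch described in the report (krb5_kt_get_name() returning "FILE:/etc/krb5.keytab" while the code wants a bare path for access()) is handled below by an added helper that is not part of nss_ldap or the submitted patch: it strips a known file-backed keytab type prefix, accepts a bare path, and refuses names of non-file types where a filesystem check would be meaningless. The function name keytab_file_path and the sample names are assumptions of this example.

```c
#include <stddef.h>
#include <string.h>

/* Hypothetical helper, not part of nss_ldap: given the name returned by
 * krb5_kt_get_name() (for example "FILE:/etc/krb5.keytab"), return the
 * pathname to hand to access(), or NULL when the keytab is not backed by
 * a plain file and a filesystem check would be meaningless. */
const char *
keytab_file_path (const char *ktname)
{
  /* Keytab types that are backed by a plain file in MIT Kerberos. */
  static const char *const file_types[] = { "FILE:", "WRFILE:", NULL };
  size_t i;

  if (ktname == NULL)
    return NULL;

  for (i = 0; file_types[i] != NULL; i++)
    {
      size_t len = strlen (file_types[i]);
      if (strncmp (ktname, file_types[i], len) == 0)
        return ktname + len;          /* skip the "TYPE:" prefix */
    }

  /* No recognised file prefix.  A name without any "TYPE:" part is
   * treated as a bare path (FILE is the default keytab type); a name
   * with some other type, e.g. "MEMORY:foo", cannot be checked with
   * access(), so report it as not file-backed. */
  if (strchr (ktname, ':') == NULL)
    return ktname;
  return NULL;
}
```

A caller would then do `path = keytab_file_path (buf); if (path != NULL) code = access (path, R_OK);` instead of blindly skipping five bytes.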
