Ping? This should be a pretty quick one-line bugfix. Since this appears to be an upstream bug, I've added krb...@mit.edu to the CC list.
Kyle Moffett wrote: > At src/plugins/kdb/ldap/libkdb_ldap/ldap_principal2.c:108, inside the > function "krb5_ldap_get_principal()": > > If "is_principal_in_realm()" fails, the code does not properly initialize > the variable "st" (IE: with KRB5_KDB_NOENTRY or something) before calling > krb5_set_error_message(). > > This can happen if the realm is "EXAMPLE.COM" and somebody types: > kinit u...@exmample.com (IE: case is not quite right). > > As a result, the krb5_ldap_get_principal() function returns 0 but leaves > the "client" pointer set to NULL. > > When it returns out to src/kdc/do_as_req.c:211, the process_as_req() code > assumes that it succeeded, and promptly dereferences "client", causing a > crash. > > The fix is to add a single line "st = KRB5_KDB_NOENTRY" into the file > ldap_principal2.c after this line: > > if (is_principal_in_realm(ldap_context, searchfor) != 0) { > > Cheers, > Kyle Moffett > > P.S: Out of curiosity, is there some reason why there are not packages > for krb5-kdc-dbg and krb5-admin-server-dbg, etc? That would make this > kind of troubleshooting much easier in the future. > > -- System Information: > Debian Release: wheezy/sid > APT prefers testing > APT policy: (700, 'testing'), (600, 'unstable'), (500, 'experimental') > Architecture: amd64 (x86_64) > > Kernel: Linux 2.6.38-2-amd64 (SMP w/4 CPU cores) > Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8) > Shell: /bin/sh linked to /bin/dash > > Versions of packages krb5-kdc depends on: > ii debconf [debconf-2.0] 1.5.38 Debian configuration management > sy > ii krb5-config 2.2 Configuration files for Kerberos > V > ii krb5-user 1.9+dfsg-1+debug01 Basic programs to authenticate > usi > ii libc6 2.11.2-11 Embedded GNU C Library: Shared > lib > ii libcomerr2 1.41.12-2 common error description library > ii libgssapi-krb5-2 1.9+dfsg-1+debug01 MIT Kerberos runtime libraries - > k > ii libgssrpc4 1.9+dfsg-1+debug01 MIT Kerberos runtime libraries - > G > ii libk5crypto3 1.9+dfsg-1+debug01 MIT Kerberos runtime libraries - > C > ii libkadm5clnt-mit8 1.9+dfsg-1+debug01 MIT Kerberos runtime libraries - > A > ii libkadm5srv-mit8 1.9+dfsg-1+debug01 MIT Kerberos runtime libraries - > K > ii libkdb5-5 1.9+dfsg-1+debug01 MIT Kerberos runtime libraries - > K > ii libkeyutils1 1.4-4 Linux Key Management Utilities > (li > ii libkrb5-3 1.9+dfsg-1+debug01 MIT Kerberos runtime libraries > ii libkrb5support0 1.9+dfsg-1+debug01 MIT Kerberos runtime libraries - > S > ii lsb-base 3.2-27 Linux Standard Base 3.2 init > scrip > > krb5-kdc recommends no packages. > > Versions of packages krb5-kdc suggests: > ii krb5-admin-server 1.9+dfsg-1+debug01 MIT Kerberos master server > (kadmin > ii krb5-kdc-ldap 1.9+dfsg-1+debug01 MIT Kerberos key server (KDC) > LDAP > pn openbsd-inetd | inet- <none> (no description available) > > -- debconf information excluded > > -- System Information: > Debian Release: wheezy/sid > APT prefers testing > APT policy: (700, 'testing'), (700, 'stable'), (600, 'unstable'), (500, > 'stabl > e-updates'), (500, 'experimental') > Architecture: amd64 (x86_64) > > Kernel: Linux 2.6.32-5-amd64 (SMP w/2 CPU cores) > Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8) > Shell: /bin/sh linked to /bin/bash -- To UNSUBSCRIBE, email to debian-bugs-dist-requ...@lists.debian.org with a subject of "unsubscribe". Trouble? Contact listmas...@lists.debian.org