Hi Johan, you are the first one to notice :).
There was a time shortly before stable freeze when Heimdal team requested removal of heimdal from Debian (#837724), but instead this activity woke up the upstream, so they released new upstream version (#849706). Somewhere in between something went awry and the full Heimdal support wasn't properly reinstated into cyrus-sasl2. I am not sure whether this could be fixed in Debian stable as things might break with sudden change. Ccing debian-release for advice. Ondrej -- Ondřej Surý <ond...@sury.org> On Tue, Oct 31, 2017, at 08:33, Johan Wassberg wrote: > Package: libsasl2-modules-gssapi-heimdal > Version: 2.1.27~101-g0780600+dfsg-3 > Severity: important > > Dear Maintainer, > > I think something is fishy with the package > "libsasl2-modules-gssapi-heimdal". > I suspect that the package is built against MIT instead of Heimdal. > > Trying to migrate a Xenial machine to Stretch I noticed a difference in > behavior when using `saslauthd` in a Postfix chroot - configs that > haven't been required before was now required and `saslauthd` is > complaing about settings that I have never seen with our previous setup. > We > have always used the Heimdal Kerberos libraries and therefore always > used "libsasl2-modules-gssapi-heimdal" for `saslauthd`. > > Couldn't find any upstream changes in either Heimdal or Cyrus SASL which > would explain my issuses so I went digging in the Debian package > instead. > Found that Heimdal was ripped out from the package(s) in October 24 > 2016: > * 004977091b89363daa04301e89a045e7e2ffbad8 > * b9158ab7d2bc71a026d417982fee61bc854935f4 > * b334c34bce70f20d85ef0e86e79c6310b69f7345 > And added again on Dec 31: > * f382638d18a1e1e75560076d0cb1482e0b4dc613 > > Unfortunately the package(s) has moved a lot between removal and > reinstatement > so I can't get a clean diff over the changes. But I suspect that the > reinstatement didn't go as planned. > > From Jessie: > ``` > # dpkg -S /usr/lib/x86_64-linux-gnu/sasl2/libgssapiv2.so.2.0.25 > libsasl2-modules-gssapi-heimdal:amd64: > /usr/lib/x86_64-linux-gnu/sasl2/libgssapiv2.so.2.0.25 > > # ldd /usr/lib/x86_64-linux-gnu/sasl2/libgssapiv2.so.2.0.25 > linux-vdso.so.1 (0x00007fffc877e000) > libgssapi.so.3 => /usr/lib/x86_64-linux-gnu/libgssapi.so.3 > (0x00007fd5b206a000) > libkrb5.so.26 => /usr/lib/x86_64-linux-gnu/libkrb5.so.26 > (0x00007fd5b1ddb000) > libasn1.so.8 => /usr/lib/x86_64-linux-gnu/libasn1.so.8 > (0x00007fd5b1b2b000) > libroken.so.18 => /usr/lib/x86_64-linux-gnu/libroken.so.18 > (0x00007fd5b1915000) > libcrypt.so.1 => /lib/x86_64-linux-gnu/libcrypt.so.1 > (0x00007fd5b16de000) > libcrypto.so.1.0.0 => > /usr/lib/x86_64-linux-gnu/libcrypto.so.1.0.0 (0x00007fd5b12e1000) > libcom_err.so.2 => /lib/x86_64-linux-gnu/libcom_err.so.2 > (0x00007fd5b10dd000) > libresolv.so.2 => /lib/x86_64-linux-gnu/libresolv.so.2 > (0x00007fd5b0ec6000) > libc.so.6 => /lib/x86_64-linux-gnu/libc.so.6 (0x00007fd5b0b1a000) > libheimntlm.so.0 => /usr/lib/x86_64-linux-gnu/libheimntlm.so.0 > (0x00007fd5b0911000) > libhcrypto.so.4 => /usr/lib/x86_64-linux-gnu/libhcrypto.so.4 > (0x00007fd5b06dc000) > libpthread.so.0 => /lib/x86_64-linux-gnu/libpthread.so.0 > (0x00007fd5b04be000) > libwind.so.0 => /usr/lib/x86_64-linux-gnu/libwind.so.0 > (0x00007fd5b0295000) > libheimbase.so.1 => /usr/lib/x86_64-linux-gnu/libheimbase.so.1 > (0x00007fd5b0086000) > libhx509.so.5 => /usr/lib/x86_64-linux-gnu/libhx509.so.5 > (0x00007fd5afe39000) > libsqlite3.so.0 => /usr/lib/x86_64-linux-gnu/libsqlite3.so.0 > (0x00007fd5afb70000) > libdl.so.2 => /lib/x86_64-linux-gnu/libdl.so.2 > (0x00007fd5af96c000) > /lib64/ld-linux-x86-64.so.2 (0x00007fd5b24ba000) > > # strings /usr/lib/x86_64-linux-gnu/sasl2/libgssapiv2.so.2.0.25 | egrep > "MIT|HEIM" > HEIMDAL_GSS_2.0 > ``` > > From Ubuntu Xenial: > ``` > # dpkg -S /usr/lib/x86_64-linux-gnu/sasl2/libgssapiv2.so.2.0.25 > libsasl2-modules-gssapi-heimdal:amd64: > /usr/lib/x86_64-linux-gnu/sasl2/libgssapiv2.so.2.0.25 > > # ldd /usr/lib/x86_64-linux-gnu/sasl2/libgssapiv2.so.2.0.25 > linux-vdso.so.1 => (0x00007ffd967d4000) > libgssapi.so.3 => /usr/lib/x86_64-linux-gnu/libgssapi.so.3 > (0x00007f818c61c000) > libc.so.6 => /lib/x86_64-linux-gnu/libc.so.6 (0x00007f818c252000) > libheimntlm.so.0 => /usr/lib/x86_64-linux-gnu/libheimntlm.so.0 > (0x00007f818c048000) > libkrb5.so.26 => /usr/lib/x86_64-linux-gnu/libkrb5.so.26 > (0x00007f818bdbe000) > libasn1.so.8 => /usr/lib/x86_64-linux-gnu/libasn1.so.8 > (0x00007f818bb1c000) > libcom_err.so.2 => /lib/x86_64-linux-gnu/libcom_err.so.2 > (0x00007f818b917000) > libhcrypto.so.4 => /usr/lib/x86_64-linux-gnu/libhcrypto.so.4 > (0x00007f818b6e4000) > libroken.so.18 => /usr/lib/x86_64-linux-gnu/libroken.so.18 > (0x00007f818b4ce000) > libpthread.so.0 => /lib/x86_64-linux-gnu/libpthread.so.0 > (0x00007f818b2b0000) > /lib64/ld-linux-x86-64.so.2 (0x0000559426341000) > libwind.so.0 => /usr/lib/x86_64-linux-gnu/libwind.so.0 > (0x00007f818b087000) > libheimbase.so.1 => /usr/lib/x86_64-linux-gnu/libheimbase.so.1 > (0x00007f818ae78000) > libhx509.so.5 => /usr/lib/x86_64-linux-gnu/libhx509.so.5 > (0x00007f818ac2c000) > libsqlite3.so.0 => /usr/lib/x86_64-linux-gnu/libsqlite3.so.0 > (0x00007f818a957000) > libcrypt.so.1 => /lib/x86_64-linux-gnu/libcrypt.so.1 > (0x00007f818a71f000) > libdl.so.2 => /lib/x86_64-linux-gnu/libdl.so.2 > (0x00007f818a51a000) > libresolv.so.2 => /lib/x86_64-linux-gnu/libresolv.so.2 > (0x00007f818a2ff000) > > # strings /usr/lib/x86_64-linux-gnu/sasl2/libgssapiv2.so.2.0.25 | egrep > "MIT|HEIM" > HEIMDAL_GSS_2.0 > ``` > > From Stretch: > ``` > # dpkg -S /usr/lib/x86_64-linux-gnu/sasl2/libgssapiv2.so.2.0.25 > libsasl2-modules-gssapi-heimdal:amd64: > /usr/lib/x86_64-linux-gnu/sasl2/libgssapiv2.so.2.0.25 > > # ldd /usr/lib/x86_64-linux-gnu/sasl2/libgssapiv2.so.2.0.25 > linux-vdso.so.1 (0x00007ffd97762000) > libgssapi_krb5.so.2 => > /usr/lib/x86_64-linux-gnu/libgssapi_krb5.so.2 > (0x00007f218ad06000) > libkrb5.so.3 => /usr/lib/x86_64-linux-gnu/libkrb5.so.3 > (0x00007f218aa2c000) > libk5crypto.so.3 => /usr/lib/x86_64-linux-gnu/libk5crypto.so.3 > (0x00007f218a7f9000) > libcom_err.so.2 => /lib/x86_64-linux-gnu/libcom_err.so.2 > (0x00007f218a5f5000) > libresolv.so.2 => /lib/x86_64-linux-gnu/libresolv.so.2 > (0x00007f218a3de000) > libc.so.6 => /lib/x86_64-linux-gnu/libc.so.6 (0x00007f218a03f000) > libkrb5support.so.0 => > /usr/lib/x86_64-linux-gnu/libkrb5support.so.0 > (0x00007f2189e33000) > libdl.so.2 => /lib/x86_64-linux-gnu/libdl.so.2 > (0x00007f2189c2f000) > libkeyutils.so.1 => /lib/x86_64-linux-gnu/libkeyutils.so.1 > (0x00007f2189a2b000) > libpthread.so.0 => /lib/x86_64-linux-gnu/libpthread.so.0 > (0x00007f218980e000) > /lib64/ld-linux-x86-64.so.2 (0x00007f218b15a000) > > # strings /usr/lib/x86_64-linux-gnu/sasl2/libgssapiv2.so.2.0.25 | egrep > "MIT|HEIM" > gssapi_krb5_2_MIT > ``` > > As you can see from my examples all the older dists seems to be built > against > Heimdal and contains HEIMDAL in the SO file but in Stretch the file now > contains > MIT and `ldd` gives no hint of any Heimdal libraries. This makes me think > that > "libsasl2-modules-gssapi-heimdal" is built again the wrong Kerberos > library. > > Let me know if there is any additional data I can provide in order to > straighten this issue. > > -- > jocar > > -- System Information: > Debian Release: 9.1 > APT prefers stable > APT policy: (500, 'stable') > Architecture: amd64 (x86_64) > > Kernel: Linux 4.9.0-4-amd64 (SMP w/2 CPU cores) > Locale: LANG=en_GB.UTF-8, LC_CTYPE=UTF-8 (charmap=UTF-8) (ignored: LC_ALL > set to en_US.UTF-8), LANGUAGE=en_GB:en (charmap=UTF-8) (ignored: LC_ALL > set to en_US.UTF-8) > Shell: /bin/sh linked to /bin/dash > Init: systemd (via /run/systemd/system) > > Versions of packages libsasl2-modules-gssapi-heimdal depends on: > ii libc6 2.24-11+deb9u1 > ii libcomerr2 1.43.4-2 > ii libgssapi-krb5-2 1.15-1+deb9u1 > ii libk5crypto3 1.15-1+deb9u1 > ii libkrb5-3 1.15-1+deb9u1 > ii libsasl2-modules 2.1.27~101-g0780600+dfsg-3 > > libsasl2-modules-gssapi-heimdal recommends no packages. > > libsasl2-modules-gssapi-heimdal suggests no packages. > > -- no debconf information > > _______________________________________________ > Pkg-cyrus-sasl2-debian-devel mailing list > pkg-cyrus-sasl2-debian-de...@lists.alioth.debian.org > http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/pkg-cyrus-sasl2-debian-devel