If I try to change the user password on a client with kpasswd, /etc/init.d/heimdal-kpasswdd crashes on the heimdal-server with:

/var/log/kernel:
nz00100 kernel: kpasswdd[26419]: segfault at 0 ip 00000000 sp bfbb51dc error 4 in kpasswdd[8048000+5000]

password-dialog on client:

test1@nz23039 ~ $ kpasswd
test1@FBI.UKL.UNI-FREIBURG.DE's Password:
New password:
Verify password - New password:
kpasswd: krb5_set_password_using_ccache: Unable to reach any changepw server in realm FBI.UKL.UNI-FREIBURG.DE
test1@nz23039 ~ $

Reproducible: Always

Steps to Reproduce:
1. upgrade to heimdal version 1.3.3-r1
2. /etc/init.d/heimdal-kpasswdd start
3. try to change the user password with kpasswd

Actual Results:
kpasswdd server crashes

Expected Results:
kpasswdd should work properly

Only I can say that kpasswd on the same system with heimdal-0.7.x, any years ago, has worked well with the same heimdal and openldap configuration.
Created attachment 249168 [details] emerge --info
Created attachment 249169 [details] krb5.conf
Created attachment 249170 [details] kdc.conf
Created attachment 249172 [details] strace kpasswdd
Can you get a backtrace? http://www.gentoo.org/proj/en/qa/backtraces.xml
(In reply to comment #5)
> Can you get a backtrace?
> http://www.gentoo.org/proj/en/qa/backtraces.xml
>

Sorry, I can only try to get a backtrace on a testing system (with the same error and the same heimdal- and openldap-version and configuration) this week.
Created attachment 249716 [details] backtrace with bt
Created attachment 249717 [details] backtrace with bt full
I can't reproduce it and I've tried. Asking upstream for input.
Created attachment 249810 [details, diff]
db_create.patch

Can you please try the attached patch? Thanks.
(In reply to comment #10)
> Created an attachment (id=249810) [details]
> db_create.patch
>
> Can you please try the attached patch? Thanks.
>

Sorry, no success with this patch, the error is the same as before. I have tested this patch on the testing and original system.
What is your version of sys-libs/db? Any change in behaviour if you upgrade to latest stable running revdep-rebuild afterwards?
The above should have read: ...upgrade to latest stable sys-libs/db version and running revdep-rebuild afterwards?
(In reply to comment #13)
> The above should have read:
>
> ...upgrade to latest stable sys-libs/db version and running revdep-rebuild
> afterwards?
>

It is not just a version of sys-libs/db on the system:

hg # epm -qa|grep db-
db-4.5.20_p2-r1
db-1.85-r3
db-4.2.52_p2-r1
db-3.2.9-r11
db-4.3.29-r2
db-4.8.30
hg #

The version db-4.5.20_p2-r1 is stable and is used by openldap.
Ugh. You are probably linking against one version of db and running against another. Hence, the segfault. 2 alternatives if I am right:

1. Prune sys-libs/db and recompile heimdal (and other software depending on sys-libs/db). revdep-rebuild should help here.
2. Use the ebuild in bug #333341 which hacks around the issue.

Next version of heimdal will include a proper fix for this issue:
http://github.com/heimdal/heimdal/commit/a1c14b231996ebd72de69df1de472f08e82c2288
(In reply to comment #15)
> Ugh. You are probably linking against one version of db and running against
> another. Hence, the segfault. 2 alternatives if I am right:
>
> 1. Prune sys-libs/db and recompile heimdal (and other software depending on
> sys-libs/db). revdep-rebuild should help here.
> 2. Use the ebuild in bug #333341 which hacks around the issue.
>
> Next version of heimdal will include a proper fix for this issue:
> http://github.com/heimdal/heimdal/commit/a1c14b231996ebd72de69df1de472f08e82c2288
>

Before I could read your reply to comment #15, I have unmerged all versions of db except db-4.5 and db-4.8. I have tried to unmerge db-4.5 too but re-emerge of openldap installed automatically db-4.5 again. After rebuild of many packages and revdep-rebuild and reboot there is a new situation:

test1@nz00100 / $ kpasswd
test1@FBI.UKL.UNI-FREIBURG.DE's Password:
New password:
Verify password - New password:
Auth error : Authentication failed
test1@nz00100 / $

- from syslog:

:::
Oct 8 23:18:04 nz00100 kdc[25754]: AS-REQ test1@FBI.UKL.UNI-FREIBURG.DE from IPv4:192.168.178.201 for kadmin/changepw@FBI.UKL.UNI-FREIBURG.DE
Oct 8 23:18:04 nz00100 kdc[25754]: No preauth found, returning PREAUTH-REQUIRED -- test1@FBI.UKL.UNI-FREIBURG.DE
Oct 8 23:18:04 nz00100 kdc[25754]: sending 265 bytes to IPv4:192.168.178.201
Oct 8 23:18:04 nz00100 kdc[25754]: AS-REQ test1@FBI.UKL.UNI-FREIBURG.DE from IPv4:192.168.178.201 for kadmin/changepw@FBI.UKL.UNI-FREIBURG.DE
Oct 8 23:18:04 nz00100 kdc[25754]: Client sent patypes: encrypted-timestamp
Oct 8 23:18:04 nz00100 kdc[25754]: Looking for ENC-TS pa-data -- test1@FBI.UKL.UNI-FREIBURG.DE
Oct 8 23:14:49 nz00100 kdc[25754]: ENC-TS Pre-authentication succeeded -- test1@FBI.UKL.UNI-FREIBURG.DE using arcfour-hmac-md5
Oct 8 23:14:49 nz00100 kdc[25754]: Client supported enctypes: des3-cbc-sha1, arcfour-hmac-md5, aes128-cts-hmac-sha1-96, aes256-cts-hmac-sha1-96, using arcfour-hmac-md5/aes256-cts-hmac-sha1-96
Oct 8 23:14:49 nz00100 kdc[25754]: AS-REQ authtime: 2010-10-08T23:14:49 starttime: unset endtime: 2010-10-08T23:19:47 renew till: unset
Oct 8 23:14:49 nz00100 kdc[25754]: sending 685 bytes to IPv4:192.168.178.201
Oct 8 23:14:52 nz00100 kpasswdd[311]: krb5_rd_req: Key table entry not found
Oct 8 23:14:52 nz00100 kpasswdd[311]: krb5_rd_req: Key table entry not found

and kpasswdd no longer crashes! But have you a solution or a clue for "krb5_rd_req: Key table entry not found"?
It is usually a wrong keytab, wrong principal or wrong permissions on the keytab. Make sure

* kpasswdd is looking at the correct keytab and the principal exists in the database
* kinit/klist works with the correct keytab (you can use the -c option to test)
* kpasswd is using the correct keytab (again use the -c option)
* kadmin/changepw principal has the correct attributes and can access the database
* some other stuff that I cannot think of at the moment
[...]

This is a configuration error.
(In reply to comment #17)
> It is usually a wrong keytab, wrong principal or wrong permissions on the
> keytab. Make sure
>
> * kpasswdd is looking at the correct keytab and the principal exists in the
> database
> * kinit/klist works with the correct keytab (you can use the -c option to test)
> * kpasswd is using the correct keytab (again use the -c option)
> * kadmin/changepw principal has the correct attributes and can access the
> database
> * some other stuff that I cannot think of at the moment
> [...]
>
> This is a configuration error.
>

Thank you for your hints! I have tested and discovered the following:

* I must extract a keytab from ldap db (at least with kadmin/changepw key entry) and provide it for kpasswdd because kpasswdd ignored the default or a special command also like "default_keytab_name=" in krb5.conf.
* I must start kpasswdd explicitly with the path of the keytab: /usr/sbin/kpasswdd -k ...

Then kpasswd works properly without errors!

I think that kpasswdd does not know the full configuration of heimdal as defined in krb5.conf/kdc.conf with ldap db as backend.

I have not found until now a solution to start kpasswdd with the necessary --keytab parameter in /etc/init.d/heimdal-kpasswdd.
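An added example, not part of the original thread and not Heimdal code: a minimal Python reader for the keytab file format (version 0x0502) that checks whether the keytab handed to kpasswdd with -k holds a kadmin/changepw key for the realm and is not accessible by group or others. The host/nz00100 principal, the all-zero key bytes and all function names are constructed for illustration.

```python
import struct

def keytab_principals(data):
    """Return [(principal, kvno, enctype)] from keytab bytes (file format 0x0502)."""
    if data[:2] != b"\x05\x02":
        raise ValueError("not a version 0x0502 keytab")
    entries, pos = [], 2
    while pos + 4 <= len(data):
        (size,) = struct.unpack_from(">i", data, pos)
        pos += 4
        if size <= 0:                 # negative size marks a deleted entry: skip it
            pos += -size
            continue
        rec, off = data[pos:pos + size], 2
        pos += size
        (ncomp,) = struct.unpack_from(">H", rec, 0)
        names = []                    # realm first, then the name components
        for _ in range(ncomp + 1):
            (n,) = struct.unpack_from(">H", rec, off)
            names.append(rec[off + 2:off + 2 + n].decode())
            off += 2 + n
        off += 8                      # skip name type and timestamp
        kvno, enctype, keylen = struct.unpack_from(">BHH", rec, off)
        off += 5 + keylen
        if len(rec) - off >= 4:       # optional 32-bit kvno after the key
            kvno = struct.unpack_from(">I", rec, off)[0] or kvno
        entries.append(("/".join(names[1:]) + "@" + names[0], kvno, enctype))
    return entries

def check_changepw(data, realm, mode):
    """List problems with using this keytab (file mode `mode`) for kpasswdd."""
    problems = []
    want = "kadmin/changepw@" + realm
    if want not in [p for p, _, _ in keytab_principals(data)]:
        problems.append("no key for " + want)
    if mode & 0o077:                  # any group/other permission bit set
        problems.append("keytab accessible by group or others")
    return problems

def sample_entry(name, realm, kvno, enctype, key):
    """Build one constructed keytab entry (sample data, not a real key)."""
    parts = [realm.encode()] + name.encode().split(b"/")
    body = struct.pack(">H", len(parts) - 1)
    body += b"".join(struct.pack(">H", len(p)) + p for p in parts)
    body += struct.pack(">IIBHH", 1, 0, kvno, enctype, len(key)) + key
    return struct.pack(">i", len(body)) + body

REALM = "FBI.UKL.UNI-FREIBURG.DE"     # realm taken from the report above
HOST_ONLY = b"\x05\x02" + sample_entry("host/nz00100", REALM, 3, 23, bytes(16))
WITH_CHANGEPW = HOST_ONLY + sample_entry("kadmin/changepw", REALM, 1, 18, bytes(32))
```

For a real file, pass `open(path, "rb").read()` as `data` and `os.stat(path).st_mode` as `mode`.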
(In reply to comment #18)
> I have not found until now a solution to start kpasswdd with the necessary
> --keytab parameter in /etc/init.d/heimdal-kpasswdd.

Aye, we don't have one. I will add a conf.d file with the next bump of heimdal so that we can pass parameters to the daemons when they start with their init scripts.
(In reply to comment #19)
> (In reply to comment #18)
> > I have not found until now a solution to start kpasswdd with the necessary
> > --keytab parameter in /etc/init.d/heimdal-kpasswdd.
>
> Aye, we don't have one. I will add a conf.d file with the next bump of heimdal
> so that we can pass parameters to the daemons when they start with their init
> scripts.
>

Thanks for the support and the good news! I think that the bug can be closed.
*heimdal-1.4.1_pre20110216 (16 Feb 2011)

  16 Feb 2011; Eray Aslan <eras@gentoo.org> +heimdal-1.4.1_pre20110216.ebuild,
  +files/heimdal-kadmind.confd, +files/heimdal-kadmind.initd-r1,
  +files/heimdal-kcm.confd, +files/heimdal-kcm.initd-r1,
  +files/heimdal-kdc.confd, +files/heimdal-kdc.initd-r1,
  +files/heimdal-kpasswdd.confd, +files/heimdal-kpasswdd.initd-r1,
  +files/heimdal_link_order.patch:
  Version bump. Dropped m68k bug #324097. Dropped s390 and sh bug #355253.
  Double blocker to mit-krb5 bug #296610. Better support for sys-libs/db
  bug #333341. Added confd options bug #339340.