heimdal/mit-krb mix in ssh-krb5 via libnss-ldap
I got no luck lately and managed to make ssh-krb5 fail due to library
linkage weirdness. It took me ages to figure out what was going on!
(I learnt alot on the way, however.)
To reproduce the breakage:
1. install libsasl2-modules-gssapi-heimdal, libnss-ldap and ssh-krb5
(something else linked against libkrb53 may "work" as well);
2. configure /etc/nsswitch.conf to use ldap for some lookups;
3. configure /etc/ldap/ldap.conf or ~/.ldaprc to use SASL
authentication.
Then run ssh-krb5, linked with some mit-kerberos libraries. NSS pulls
LDAP, which pulls SASL, which pulls its heimdal GSSAPI module, which
pulls a lot of heimdal stuff. GDB shows them all when attach'ing to the
process. ssh-krb5's gssapi authentications spew out a few "debug1:
\n\n\n" lines and fail silently, which is more than graceful with such a
mess in place if you ask me :-P
The quick fix was to install MIT's gssapi SASL module rather than
heimdal's one. Surely a library wizard here can think of a better one,
or at least a specific (set of) package(s) to be blamed.
There must be a way to use an nss module without it's library
dependencies polluting what it's called from! In contrast sshd doesn't
experience such a thing while it's linked against the same MIT stuff and
pam, which uses both libpam-{ldap,heimdal} here. Maybe sasl or the nss
are improperly loading their modules?
Thanks for any hints before I get to source code...
--
Jeremie Koenig <sprite@sprite.fr.eu.org>
Reply to: