[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

heimdal/mit-krb mix in ssh-krb5 via libnss-ldap

I got no luck lately and managed to make ssh-krb5 fail due to library
linkage weirdness. It took me ages to figure out what was going on!
(I learnt alot on the way, however.)

To reproduce the breakage:
 1. install libsasl2-modules-gssapi-heimdal, libnss-ldap and ssh-krb5
    (something else linked against libkrb53 may "work" as well);
 2. configure /etc/nsswitch.conf to use ldap for some lookups;
 3. configure /etc/ldap/ldap.conf or ~/.ldaprc to use SASL

Then run ssh-krb5, linked with some mit-kerberos libraries. NSS pulls
LDAP, which pulls SASL, which pulls its heimdal GSSAPI module, which
pulls a lot of heimdal stuff. GDB shows them all when attach'ing to the
process. ssh-krb5's gssapi authentications spew out a few "debug1:
\n\n\n" lines and fail silently, which is more than graceful with such a
mess in place if you ask me :-P

The quick fix was to install MIT's gssapi SASL module rather than
heimdal's one. Surely a library wizard here can think of a better one,
or at least a specific (set of) package(s) to be blamed.

There must be a way to use an nss module without it's library
dependencies polluting what it's called from! In contrast sshd doesn't
experience such a thing while it's linked against the same MIT stuff and
pam, which uses both libpam-{ldap,heimdal} here. Maybe sasl or the nss
are improperly loading their modules?

Thanks for any hints before I get to source code...

Jeremie Koenig <sprite@sprite.fr.eu.org>

Reply to: