Re: [the perfectly harmless] heimdal/mit-krb mix in ssh-krb5 via libnss-ldap
On Thu, Jun 16, 2005 at 03:44:41PM +0200, Jeremie Koenig wrote:
> I got no luck lately and managed to make ssh-krb5 fail due to library
> linkage weirdness. It took me ages to figure out what was going on!
> (I learnt a lot on the way, however.)
> To reproduce the breakage:
> 1. install libsasl2-modules-gssapi-heimdal, libnss-ldap and ssh-krb5
> (something else linked against libkrb53 may "work" as well);
> 2. configure /etc/nsswitch.conf to use ldap for some lookups;
> 3. configure /etc/ldap/ldap.conf or ~/.ldaprc to use SASL

Actually this is all crap, the libraries are fine. Sorry everybody for
the noise, especially Russ for the extra wasted brain and finger cycles.

Here's what happens if you wonder: the real problem is that libkrb53
recognizes comments only when # is the first character of a line, while
heimdal libraries allow some leading whitespace.

The heimdal plugin is much appropriately loaded via dlopen without the
RTLD_GLOBAL flag and its namespace is disjoint from the main one. The
name service switch probably does something similar with libnss-ldap, so
we may even have two levels of isolation. Besides, the libraries are
used for two completely different things.

I'm still not completely understanding how I have been able to come up
with this library clash "evidence" (maybe I just needed a culprit.)

The sensible thing I'm going to do now is reporting a wishlist bug
against libkrb53 to tolerate whitespace and a minor one against ssh-krb5
for the crappy debug lines.

Jeremie Koenig <email@example.com>
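
Added example, not part of the original message: a small check that flags krb5.conf lines where `#` follows leading whitespace, which is the case the message says libkrb53 does not treat as a comment while Heimdal does. The sample configuration, realm name and function names are constructed for illustration, and the parsing difference is assumed to be exactly as the message describes.

```python
import re
import sys

# Constructed sample krb5.conf (not from the original message).
SAMPLE = """\
# top-level comment: column 0, fine for both libraries
[libdefaults]
    default_realm = EXAMPLE.ORG
    # indented comment: skipped by Heimdal, not by libkrb53 (per the message)
\t#dns_lookup_kdc = true
[realms]
    EXAMPLE.ORG = {
        kdc = kdc.example.org
    }
"""

# A '#' preceded only by spaces or tabs on its line.
INDENTED_COMMENT = re.compile(r"^[ \t]+#")


def find_indented_comments(text):
    """Return (line_number, line) for each comment that is not in column 0."""
    return [
        (n, line)
        for n, line in enumerate(text.splitlines(), 1)
        if INDENTED_COMMENT.match(line)
    ]


def normalize(text):
    """Move '#' to column 0 on flagged lines so both libraries see a comment."""
    return "".join(
        line.lstrip(" \t") if INDENTED_COMMENT.match(line) else line
        for line in text.splitlines(keepends=True)
    )


if __name__ == "__main__":
    # With a path argument, check that file; otherwise check the sample.
    data = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE
    for n, line in find_indented_comments(data):
        print(f"{n}: comment not in column 0: {line.strip()}")
```
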