Your message dated Sun, 21 Oct 2007 00:32:03 +0000
with message-id <[EMAIL PROTECTED]>
and subject line Bug#396672: fixed in libnss-ldap 258-1
has caused the attached Bug report to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what I am
talking about this indicates a serious mail system misconfiguration
somewhere.  Please contact me immediately.)

Debian bug tracking system administrator
(administrator, Debian Bugs database)

--- Begin Message ---
Package: libnss-ldap
Version: 251-5.2
Severity: normal
Tags: patch


Suppose I want to use krb5_ccname and SASL, so I can have a host
authenticate with its host principal from a keytab. However, I don't want
normal users to be able to read the host principal keytab; I just want
libnss-ldap to use their own Kerberos credentials. If I specify krb5_ccname
in /etc/libnss-ldap.conf, and the file is not readable to the user, it just
fails. This patch makes libnss-ldap attempt to try authenticating again with
the unchanged ccache if the modified ccache fails for whatever reason. It
appears to work on a test machine. (I.e. it falls back to user credentials if
the krb5_ccname credentials fail.)

-- System Information:
Debian Release: 4.0
  APT prefers testing
  APT policy: (500, 'testing'), (500, 'stable')
Architecture: i386 (i686)
Shell:  /bin/sh linked to /bin/bash
Kernel: Linux 2.6.8-3-686
Locale: LANG=en_US, LC_CTYPE=en_US (charmap=ISO-8859-1)

Versions of packages libnss-ldap depends on:
ii  debconf [debconf-2.0]       1.5.7        Debian configuration management sy
ii  libc6                       2.3.6.ds1-4  GNU C Library: Shared libraries
ii  libkrb53                    1.4.4-3      MIT Kerberos runtime libraries
ii  libldap2                    2.1.30-13+b1 OpenLDAP libraries

Versions of packages libnss-ldap recommends:
ii  libpam-ldap                   180-1.2    Pluggable Authentication Module al
pn  nscd                          <none>     (no description available)

-- debconf information excluded
diff -Nru libnss-ldap-251.orig/ldap-nss.c libnss-ldap-251/ldap-nss.c
--- libnss-ldap-251.orig/ldap-nss.c	2006-10-28 23:56:13.000000000 -0500
+++ libnss-ldap-251/ldap-nss.c	2006-10-28 23:57:00.942203744 -0500
@@ -1879,6 +1879,20 @@
       rc = ldap_sasl_interactive_bind_s (ld, dn, "GSSAPI", NULL, NULL,
 					 LDAP_SASL_QUIET,
 					 do_sasl_interact, (void *) pw);
+# if defined(CONFIGURE_KRB5_CCNAME) && defined(CONFIGURE_KRB5_CCNAME_GSSAPI)
+      if (rc != LDAP_SUCCESS && oldccname != NULL)
+        {
+	  if (gss_krb5_ccache_name (&retval, oldccname, NULL) !=
+	      GSS_S_COMPLETE)
+	    {
+	      debug ("do_bind: unable to set default credential cache");
+	      return -1;
+	    }
+	  rc = ldap_sasl_interactive_bind_s (ld, dn, "GSSAPI", NULL, NULL,
+	                                     LDAP_SASL_QUIET,
+					     do_sasl_interact, (void *)pw);
+	}
+# endif
       
 # ifdef CONFIGURE_KRB5_CCNAME
       /* Restore default Kerberos ticket cache. */
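Review bot: the retry condition `if (rc != LDAP_SUCCESS && oldccname != NULL)` re-binds with the caller's original credential cache after any failure of the first GSSAPI bind, not only when the configured krb5_ccname cache could not be read, so a server-side or network error also triggers a second bind under a different identity. Consider limiting the retry to the result codes that indicate a local credentials problem, and emit a `debug ()` line when the fallback is taken so the change of bind identity is visible when troubleshooting. The `return -1;` in the `gss_krb5_ccache_name` failure branch leaves the function before the "Restore default Kerberos ticket cache" block that follows under `# ifdef CONFIGURE_KRB5_CCNAME`; setting `rc` and falling through would keep that restore path on every exit. The new code is also guarded by both `CONFIGURE_KRB5_CCNAME` and `CONFIGURE_KRB5_CCNAME_GSSAPI`, while the restore block needs only the first, so builds without the GSSAPI variant get no fallback; a comment stating whether that is intended would help.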

--- End Message ---
--- Begin Message ---
Source: libnss-ldap
Source-Version: 258-1

We believe that the bug you reported is fixed in the latest version of
libnss-ldap, which is due to be installed in the Debian FTP archive:

libnss-ldap_258-1.diff.gz
  to pool/main/libn/libnss-ldap/libnss-ldap_258-1.diff.gz
libnss-ldap_258-1.dsc
  to pool/main/libn/libnss-ldap/libnss-ldap_258-1.dsc
libnss-ldap_258-1_amd64.deb
  to pool/main/libn/libnss-ldap/libnss-ldap_258-1_amd64.deb
libnss-ldap_258.orig.tar.gz
  to pool/main/libn/libnss-ldap/libnss-ldap_258.orig.tar.gz



A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to [EMAIL PROTECTED],
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Richard A Nelson (Rick) <[EMAIL PROTECTED]> (supplier of updated libnss-ldap package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing [EMAIL PROTECTED])


-----BEGIN PGP SIGNED MESSAGE-----

Format: 1.7
Date: Sat, 20 Oct 2007 22:28:00 -0000
Source: libnss-ldap
Binary: libnss-ldap
Architecture: source amd64
Version: 258-1
Distribution: unstable
Urgency: low
Maintainer: Richard A Nelson (Rick) <[EMAIL PROTECTED]>
Changed-By: Richard A Nelson (Rick) <[EMAIL PROTECTED]>
Description: 
 libnss-ldap - NSS module for using LDAP as a naming service
Closes: 396672 408440 411923 425379
Changes: 
 libnss-ldap (258-1) unstable; urgency=low
 .
   * New upstream release
     - replacement code for Kerberos SASL operations    closes: #396672
     - nss_ldap constructs LDAP URIs incorrectly        closes: #425379
   * drop patches applied upstream
     - 00ignore_sigpipe_h.patch
     - 00ignore_sigpipe_c.patch
   * Fix the config file miss-edit (host vs uri)  closes: #408440, #411923
Files: 
 37df919a94b99c02d10dda1e1722319e 801 net extra libnss-ldap_258-1.dsc
 a21ad7585566a98cc5d5bdb1c1f36ebb 273859 net extra libnss-ldap_258.orig.tar.gz
 4a285ef69c60f9c3b32d2b91ee8f944e 48088 net extra libnss-ldap_258-1.diff.gz
 f43411e911ba2c78d230cc0c00da0157 110138 net extra libnss-ldap_258-1_amd64.deb

--- End Message ---
