Package: libsasl2-modules-gssapi-mit
Version: 2.1.25.dfsg1-6
Severity: important

Dear Maintainer,

We are starting the process of upgrading our LDAP service to OpenLDAP
2.4.34 on wheezy.  None of the Java applications that we have tested
can connect to the LDAP server using GSSAPI.

In the server log we see:

% grep conn=142291 /var/log/ldap
Mar 15 01:12:36 ldap-dev2 slapd[22102]: conn=142291 fd=16 ACCEPT from IP=171.64.19.165:44175 (IP=0.0.0.0:389)
Mar 15 01:12:36 ldap-dev2 slapd[22102]: conn=142291 op=0 BIND dn="" method=163
Mar 15 01:12:36 ldap-dev2 slapd[22102]: conn=142291 op=0 RESULT tag=97 err=14 text=SASL(0): successful result: 
Mar 15 01:12:36 ldap-dev2 slapd[22102]: conn=142291 op=1 BIND dn="" method=163
Mar 15 01:12:36 ldap-dev2 slapd[22102]: conn=142291 op=1 BIND authcid="w...@stanford.edu" authzid="w...@stanford.edu"
Mar 15 01:12:36 ldap-dev2 slapd[22102]: conn=142291 op=1 BIND dn="uid=whm,cn=accounts,dc=stanford,dc=edu" mech=GSSAPI sasl_ssf=56 ssf=56
Mar 15 01:12:36 ldap-dev2 slapd[22102]: conn=142291 op=1 RESULT tag=97 err=0 text=
Mar 15 01:12:36 ldap-dev2 slapd[22102]: conn=142291 fd=16 closed (connection lost)

The client failure traceback from a small test program on Java
1.7.0_03 is:

Exception in thread "main" java.lang.NegativeArraySizeException
        at sun.security.jgss.krb5.CipherHelper.aes256Encrypt(CipherHelper.java:1367)
        at sun.security.jgss.krb5.CipherHelper.encryptData(CipherHelper.java:722)
        at sun.security.jgss.krb5.WrapToken_v2.<init>(WrapToken_v2.java:200)
        at sun.security.jgss.krb5.Krb5Context.wrap(Krb5Context.java:851)
        at sun.security.jgss.GSSContextImpl.wrap(GSSContextImpl.java:385)
        at com.sun.security.sasl.gsskerb.GssKrb5Base.wrap(GssKrb5Base.java:103)
        at com.sun.jndi.ldap.sasl.SaslOutputStream.write(SaslOutputStream.java:89)
        at com.sun.jndi.ldap.Connection.writeRequest(Connection.java:414)
        at com.sun.jndi.ldap.LdapClient.search(LdapClient.java:547)
        at com.sun.jndi.ldap.LdapCtx.doSearch(LdapCtx.java:1985)
        at com.sun.jndi.ldap.LdapCtx.searchAux(LdapCtx.java:1847)
        at com.sun.jndi.ldap.LdapCtx.c_search(LdapCtx.java:1772)
        at com.sun.jndi.toolkit.ctx.ComponentDirContext.p_search(ComponentDirContext.java:386)
        at com.sun.jndi.toolkit.ctx.PartialCompositeDirContext.search(PartialCompositeDirContext.java:356)
        at com.sun.jndi.toolkit.ctx.PartialCompositeDirContext.search(PartialCompositeDirContext.java:339)
        at javax.naming.directory.InitialDirContext.search(InitialDirContext.java:267)
        at TestPersonQuery.performJndiOperation(TestLDAP.java:109)
        at TestPersonQuery.run(TestLDAP.java:80)
        at java.security.AccessController.doPrivileged(Native Method)
        at javax.security.auth.Subject.doAs(Subject.java:356)
        at TestLDAP.main(TestLDAP.java:53)

The failure from Apache Directory Studio on Java 1.6.0_27 is
slightly different:

  java.lang.ArrayIndexOutOfBoundsException: 9
  at sun.security.jgss.krb5.WrapToken.getPadding(WrapToken.java:395)
  at sun.security.jgss.krb5.WrapToken.<init>(WrapToken.java:406)
  at sun.security.jgss.krb5.Krb5Context.wrap(Krb5Context.java:826)
  at sun.security.jgss.GSSContextImpl.wrap(GSSContextImpl.java:384)
  at com.sun.security.sasl.gsskerb.GssKrb5Base.wrap(GssKrb5Base.java:103)
  at com.sun.jndi.ldap.sasl.SaslOutputStream.write(SaslOutputStream.java:89)
  at com.sun.jndi.ldap.Connection.writeRequest(Connection.java:408)
  at com.sun.jndi.ldap.Connection.writeRequest(Connection.java:383)
  at com.sun.jndi.ldap.LdapClient.search(LdapClient.java:546)
  at com.sun.jndi.ldap.LdapCtx.doSearch(LdapCtx.java:1975)
  at com.sun.jndi.ldap.LdapCtx.searchAux(LdapCtx.java:1837)
  at com.sun.jndi.ldap.LdapCtx.c_search(LdapCtx.java:1762)
  at com.sun.jndi.toolkit.ctx.ComponentDirContext.p_search(ComponentDirContext.java:386)
  at com.sun.jndi.toolkit.ctx.PartialCompositeDirContext.search(PartialCompositeDirContext.java:356)
  at org.apache.directory.studio.connection.core.io.jndi.JNDIConnectionWrapper$1.run(JNDIConnectionWrapper.java:356)
  at org.apache.directory.studio.connection.core.io.jndi.JNDIConnectionWrapper.runAndMonitor(JNDIConnectionWrapper.java:1272)
  at org.apache.directory.studio.connection.core.io.jndi.JNDIConnectionWrapper.checkConnectionAndRunAndMonitor(JNDIConnectionWrapper.java:1203)
  at org.apache.directory.studio.connection.core.io.jndi.JNDIConnectionWrapper.search(JNDIConnectionWrapper.java:398)
  at org.apache.directory.studio.ldapbrowser.core.jobs.SearchRunnable.search(SearchRunnable.java:500)
  at org.apache.directory.studio.ldapbrowser.core.jobs.ReloadSchemaRunnable.getSchemaLocation(ReloadSchemaRunnable.java:266)
  at org.apache.directory.studio.ldapbrowser.core.jobs.ReloadSchemaRunnable.reloadSchema(ReloadSchemaRunnable.java:147)
  at org.apache.directory.studio.ldapbrowser.core.BrowserConnectionListener.openBrowserConnection(BrowserConnectionListener.java:115)
  at org.apache.directory.studio.ldapbrowser.core.BrowserConnectionListener.connectionOpened(BrowserConnectionListener.java:65)
  at org.apache.directory.studio.connection.core.jobs.OpenConnectionsRunnable.runNotification(OpenConnectionsRunnable.java:132)
  at org.apache.directory.studio.connection.core.jobs.StudioConnectionJob.run(StudioConnectionJob.java:120)
  at org.eclipse.core.internal.jobs.Worker.run(Worker.java:55)

On the client we have tried sun-java6, openjdk-6, and openjdk-7 with
similar failures.

We do not see this problem on our squeeze systems using version
2.1.23.dfsg1-8 of libsasl2-modules-gssapi-mit.  

We do see the same problem if we use libsasl2-modules-gssapi-heimdal
instead of libsasl2-modules-gssapi-mit.

-- System Information:
Debian Release: 7.0
  APT prefers testing
  APT policy: (500, 'testing')
Architecture: amd64 (x86_64)

Kernel: Linux 3.2.0-4-amd64 (SMP w/16 CPU cores)
Locale: LANG=C, LC_CTYPE=C (charmap=ANSI_X3.4-1968)
Shell: /bin/sh linked to /bin/bash

Versions of packages libsasl2-modules-gssapi-mit depends on:
ii  libc6             2.13-38
ii  libcomerr2        1.42.5-1
ii  libgssapi-krb5-2  1.10.1+dfsg-4
ii  libk5crypto3      1.10.1+dfsg-4
ii  libkrb5-3         1.10.1+dfsg-4
ii  libsasl2-modules  2.1.25.dfsg1-6
ii  libssl1.0.0       1.0.1e-1

libsasl2-modules-gssapi-mit recommends no packages.

libsasl2-modules-gssapi-mit suggests no packages.

-- no debconf information
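
A log check for the server-side signature shown in this report (a successful GSSAPI bind followed by "closed (connection lost)" with no further operation), added here as an example and not part of the original report. The sample lines are constructed in the slapd format quoted above; the host, IPs and DNs in them are placeholders, and the function name is hypothetical.

```python
import re
from collections import defaultdict

# Constructed sample in the slapd log format quoted in the report;
# IPs (documentation range) and DNs are placeholders, not report values.
SAMPLE_LOG = """\
Mar 15 01:12:36 ldap-dev2 slapd[22102]: conn=1001 fd=16 ACCEPT from IP=192.0.2.10:44175 (IP=0.0.0.0:389)
Mar 15 01:12:36 ldap-dev2 slapd[22102]: conn=1001 op=1 BIND dn="uid=alice,cn=accounts,dc=example,dc=org" mech=GSSAPI sasl_ssf=56 ssf=56
Mar 15 01:12:36 ldap-dev2 slapd[22102]: conn=1001 op=1 RESULT tag=97 err=0 text=
Mar 15 01:12:36 ldap-dev2 slapd[22102]: conn=1001 fd=16 closed (connection lost)
Mar 15 01:12:40 ldap-dev2 slapd[22102]: conn=1002 fd=17 ACCEPT from IP=192.0.2.20:51000 (IP=0.0.0.0:389)
Mar 15 01:12:40 ldap-dev2 slapd[22102]: conn=1002 op=1 BIND dn="uid=bob,cn=accounts,dc=example,dc=org" mech=GSSAPI sasl_ssf=56 ssf=56
Mar 15 01:12:40 ldap-dev2 slapd[22102]: conn=1002 op=1 RESULT tag=97 err=0 text=
Mar 15 01:12:40 ldap-dev2 slapd[22102]: conn=1002 op=2 SRCH base="dc=example,dc=org" scope=2 deref=0 filter="(uid=bob)"
Mar 15 01:12:40 ldap-dev2 slapd[22102]: conn=1002 fd=17 closed
"""

LINE = re.compile(r"conn=(\d+) (?:op=(\d+)|fd=\d+) (.*)")
ACCEPT = re.compile(r"ACCEPT from IP=(\S+):\d+ ")
BIND = re.compile(r'BIND dn="([^"]+)" mech=(\S+) sasl_ssf=(\d+)')

def dropped_after_gssapi_bind(log_text):
    """Return connections lost right after a successful GSSAPI bind."""
    conns, flagged = defaultdict(dict), []
    for line in log_text.splitlines():
        m = LINE.search(line)
        if not m:
            continue
        conn_id, op, rest = m.groups()
        c = conns[conn_id]
        accept, bind = ACCEPT.match(rest), BIND.match(rest)
        if accept:
            c["client"] = accept.group(1)
        if op is not None:
            c["last_op"] = int(op)          # highest operation seen so far
            if bind:
                c.update(dn=bind.group(1), mech=bind.group(2),
                         ssf=int(bind.group(3)), bind_op=int(op))
            elif rest.startswith("RESULT tag=97 err=0 ") and c.get("bind_op") == int(op):
                c["bound"] = True           # bind response reported success
        elif rest.startswith("closed"):
            lost = "connection lost" in rest
            if (lost and c.get("bound") and c["mech"] == "GSSAPI"
                    and c["last_op"] == c["bind_op"]):
                flagged.append({"conn": conn_id, "client": c.get("client"),
                                "dn": c["dn"], "ssf": c["ssf"]})
            del conns[conn_id]              # connection ids can be reused
    return flagged
```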

