Package: libsasl2-modules-gssapi-mit
Version: 2.1.25.dfsg1-6
Severity: important

Dear Maintainer,

We are starting the process of upgrading our LDAP service to OpenLDAP
2.4.34 on wheezy. None of the Java applications that we have tested
can connect to the LDAP server using GSSAPI. In the server log we see:

% grep conn=142291 /var/log/ldap
Mar 15 01:12:36 ldap-dev2 slapd[22102]: conn=142291 fd=16 ACCEPT from IP=171.64.19.165:44175 (IP=0.0.0.0:389)
Mar 15 01:12:36 ldap-dev2 slapd[22102]: conn=142291 op=0 BIND dn="" method=163
Mar 15 01:12:36 ldap-dev2 slapd[22102]: conn=142291 op=0 RESULT tag=97 err=14 text=SASL(0): successful result:
Mar 15 01:12:36 ldap-dev2 slapd[22102]: conn=142291 op=1 BIND dn="" method=163
Mar 15 01:12:36 ldap-dev2 slapd[22102]: conn=142291 op=1 BIND authcid="w...@stanford.edu" authzid="w...@stanford.edu"
Mar 15 01:12:36 ldap-dev2 slapd[22102]: conn=142291 op=1 BIND dn="uid=whm,cn=accounts,dc=stanford,dc=edu" mech=GSSAPI sasl_ssf=56 ssf=56
Mar 15 01:12:36 ldap-dev2 slapd[22102]: conn=142291 op=1 RESULT tag=97 err=0 text=
Mar 15 01:12:36 ldap-dev2 slapd[22102]: conn=142291 fd=16 closed (connection lost)

The client failure traceback from a small test program on Java
1.7.0_03 is:

Exception in thread "main" java.lang.NegativeArraySizeException
        at sun.security.jgss.krb5.CipherHelper.aes256Encrypt(CipherHelper.java:1367)
        at sun.security.jgss.krb5.CipherHelper.encryptData(CipherHelper.java:722)
        at sun.security.jgss.krb5.WrapToken_v2.<init>(WrapToken_v2.java:200)
        at sun.security.jgss.krb5.Krb5Context.wrap(Krb5Context.java:851)
        at sun.security.jgss.GSSContextImpl.wrap(GSSContextImpl.java:385)
        at com.sun.security.sasl.gsskerb.GssKrb5Base.wrap(GssKrb5Base.java:103)
        at com.sun.jndi.ldap.sasl.SaslOutputStream.write(SaslOutputStream.java:89)
        at com.sun.jndi.ldap.Connection.writeRequest(Connection.java:414)
        at com.sun.jndi.ldap.LdapClient.search(LdapClient.java:547)
        at com.sun.jndi.ldap.LdapCtx.doSearch(LdapCtx.java:1985)
        at com.sun.jndi.ldap.LdapCtx.searchAux(LdapCtx.java:1847)
        at com.sun.jndi.ldap.LdapCtx.c_search(LdapCtx.java:1772)
        at com.sun.jndi.toolkit.ctx.ComponentDirContext.p_search(ComponentDirContext.java:386)
        at com.sun.jndi.toolkit.ctx.PartialCompositeDirContext.search(PartialCompositeDirContext.java:356)
        at com.sun.jndi.toolkit.ctx.PartialCompositeDirContext.search(PartialCompositeDirContext.java:339)
        at javax.naming.directory.InitialDirContext.search(InitialDirContext.java:267)
        at TestPersonQuery.performJndiOperation(TestLDAP.java:109)
        at TestPersonQuery.run(TestLDAP.java:80)
        at java.security.AccessController.doPrivileged(Native Method)
        at javax.security.auth.Subject.doAs(Subject.java:356)
        at TestLDAP.main(TestLDAP.java:53)

The failure from Apache Directory Studio on Java 1.6.0_27 is slightly
different:

java.lang.ArrayIndexOutOfBoundsException: 9
        at sun.security.jgss.krb5.WrapToken.getPadding(WrapToken.java:395)
        at sun.security.jgss.krb5.WrapToken.<init>(WrapToken.java:406)
        at sun.security.jgss.krb5.Krb5Context.wrap(Krb5Context.java:826)
        at sun.security.jgss.GSSContextImpl.wrap(GSSContextImpl.java:384)
        at com.sun.security.sasl.gsskerb.GssKrb5Base.wrap(GssKrb5Base.java:103)
        at com.sun.jndi.ldap.sasl.SaslOutputStream.write(SaslOutputStream.java:89)
        at com.sun.jndi.ldap.Connection.writeRequest(Connection.java:408)
        at com.sun.jndi.ldap.Connection.writeRequest(Connection.java:383)
        at com.sun.jndi.ldap.LdapClient.search(LdapClient.java:546)
        at com.sun.jndi.ldap.LdapCtx.doSearch(LdapCtx.java:1975)
        at com.sun.jndi.ldap.LdapCtx.searchAux(LdapCtx.java:1837)
        at com.sun.jndi.ldap.LdapCtx.c_search(LdapCtx.java:1762)
        at com.sun.jndi.toolkit.ctx.ComponentDirContext.p_search(ComponentDirContext.java:386)
        at com.sun.jndi.toolkit.ctx.PartialCompositeDirContext.search(PartialCompositeDirContext.java:356)
        at org.apache.directory.studio.connection.core.io.jndi.JNDIConnectionWrapper$1.run(JNDIConnectionWrapper.java:356)
        at org.apache.directory.studio.connection.core.io.jndi.JNDIConnectionWrapper.runAndMonitor(JNDIConnectionWrapper.java:1272)
        at org.apache.directory.studio.connection.core.io.jndi.JNDIConnectionWrapper.checkConnectionAndRunAndMonitor(JNDIConnectionWrapper.java:1203)
        at org.apache.directory.studio.connection.core.io.jndi.JNDIConnectionWrapper.search(JNDIConnectionWrapper.java:398)
        at org.apache.directory.studio.ldapbrowser.core.jobs.SearchRunnable.search(SearchRunnable.java:500)
        at org.apache.directory.studio.ldapbrowser.core.jobs.ReloadSchemaRunnable.getSchemaLocation(ReloadSchemaRunnable.java:266)
        at org.apache.directory.studio.ldapbrowser.core.jobs.ReloadSchemaRunnable.reloadSchema(ReloadSchemaRunnable.java:147)
        at org.apache.directory.studio.ldapbrowser.core.BrowserConnectionListener.openBrowserConnection(BrowserConnectionListener.java:115)
        at org.apache.directory.studio.ldapbrowser.core.BrowserConnectionListener.connectionOpened(BrowserConnectionListener.java:65)
        at org.apache.directory.studio.connection.core.jobs.OpenConnectionsRunnable.runNotification(OpenConnectionsRunnable.java:132)
        at org.apache.directory.studio.connection.core.jobs.StudioConnectionJob.run(StudioConnectionJob.java:120)
        at org.eclipse.core.internal.jobs.Worker.run(Worker.java:55)

On the client we have tried sun-java6, openjdk-6, and openjdk-7 with
similar failures.

We do not see this problem on our squeeze systems using version
2.1.23.dfsg1-8 of libsasl2-modules-gssapi-mit.

We do see the same problem if we use libsasl2-modules-gssapi-heimdal
instead of libsasl2-modules-gssapi-mit.

-- System Information:
Debian Release: 7.0
  APT prefers testing
  APT policy: (500, 'testing')
Architecture: amd64 (x86_64)

Kernel: Linux 3.2.0-4-amd64 (SMP w/16 CPU cores)
Locale: LANG=C, LC_CTYPE=C (charmap=ANSI_X3.4-1968)
Shell: /bin/sh linked to /bin/bash

Versions of packages libsasl2-modules-gssapi-mit depends on:
ii  libc6             2.13-38
ii  libcomerr2        1.42.5-1
ii  libgssapi-krb5-2  1.10.1+dfsg-4
ii  libk5crypto3      1.10.1+dfsg-4
ii  libkrb5-3         1.10.1+dfsg-4
ii  libsasl2-modules  2.1.25.dfsg1-6
ii  libssl1.0.0       1.0.1e-1

libsasl2-modules-gssapi-mit recommends no packages.

libsasl2-modules-gssapi-mit suggests no packages.

-- no debconf information
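
Added example, not part of the original report: a Python script that scans slapd syslog lines of the shape shown above and lists connections where a GSSAPI bind succeeded but the connection was then logged as lost with no further operation, the server-side pattern in the report. The function name, the sample host, IPs and DNs are made up for illustration, and the log layout is assumed to match the excerpt.

```python
import re

# Constructed sample modelled on the log excerpt in the report; host, IPs and DNs are made up.
SAMPLE = """\
Mar 15 01:12:36 ldap-test slapd[100]: conn=1 fd=16 ACCEPT from IP=192.0.2.10:44175 (IP=0.0.0.0:389)
Mar 15 01:12:36 ldap-test slapd[100]: conn=1 op=0 BIND dn="" method=163
Mar 15 01:12:36 ldap-test slapd[100]: conn=1 op=0 RESULT tag=97 err=14 text=SASL(0): successful result:
Mar 15 01:12:36 ldap-test slapd[100]: conn=1 op=1 BIND dn="" method=163
Mar 15 01:12:36 ldap-test slapd[100]: conn=1 op=1 BIND dn="uid=alice,cn=accounts,dc=example,dc=org" mech=GSSAPI sasl_ssf=56 ssf=56
Mar 15 01:12:36 ldap-test slapd[100]: conn=1 op=1 RESULT tag=97 err=0 text=
Mar 15 01:12:36 ldap-test slapd[100]: conn=1 fd=16 closed (connection lost)
Mar 15 01:12:40 ldap-test slapd[100]: conn=2 fd=17 ACCEPT from IP=192.0.2.11:51000 (IP=0.0.0.0:389)
Mar 15 01:12:40 ldap-test slapd[100]: conn=2 op=0 BIND dn="uid=bob,cn=accounts,dc=example,dc=org" mech=GSSAPI sasl_ssf=56 ssf=56
Mar 15 01:12:40 ldap-test slapd[100]: conn=2 op=0 RESULT tag=97 err=0 text=
Mar 15 01:12:40 ldap-test slapd[100]: conn=2 op=1 SRCH base="dc=example,dc=org" scope=2 deref=0 filter="(uid=bob)"
Mar 15 01:12:41 ldap-test slapd[100]: conn=2 fd=17 closed
"""

LINE = re.compile(r"slapd\[\d+\]: conn=(\d+) (?:op=(\d+) |fd=\d+ )(.*)$")
GSS_BIND = re.compile(r'BIND dn="([^"]*)" mech=GSSAPI sasl_ssf=(\d+)')

def find_dropped_gssapi_binds(log_text):
    """Return (conn, client_ip, dn, sasl_ssf) for each bind-then-lost connection."""
    conns, flagged = {}, []
    for line in log_text.splitlines():
        m = LINE.search(line)
        if not m:
            continue
        cid, op, rest = int(m.group(1)), m.group(2), m.group(3)
        c = conns.setdefault(cid, {"ip": None, "dn": None, "ssf": None,
                                   "pending": None, "bound": None, "later": 0})
        if rest.startswith("ACCEPT from IP="):
            c["ip"] = rest.split("IP=")[1].split(":")[0]  # IPv4 peers only
        elif op is not None:
            op, g = int(op), GSS_BIND.match(rest)
            if g:  # final bind line carrying the negotiated mechanism and SSF
                c["dn"], c["ssf"], c["pending"] = g.group(1), int(g.group(2)), op
            elif c["pending"] == op and re.match(r"RESULT .*\berr=0\b", rest):
                c["bound"] = op  # bind completed successfully
            elif c["bound"] is not None and op > c["bound"]:
                c["later"] += 1  # a post-bind request reached the server
        elif rest.startswith("closed (connection lost)"):
            if c["bound"] is not None and c["later"] == 0:
                flagged.append((cid, c["ip"], c["dn"], c["ssf"]))
    return flagged

if __name__ == "__main__":
    print(find_dropped_gssapi_binds(SAMPLE))
```

Run against the real syslog file, the client IPs and bind DNs in the result identify which applications to retest after the upgrade.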