Package: libsasl2-modules-gssapi-heimdal Version: 2.1.27~101-g0780600+dfsg-3 Severity: important
Dear Maintainer, I think something is fishy with the package "libsasl2-modules-gssapi-heimdal". I suspect that the package is built against MIT instead of Heimdal. Trying to migrate a Xenial machine to Stretch I noticed a difference in behavior when using `saslauthd` in a Postfix chroot - configs that haven't been required before was now required and `saslauthd` is complaing about settings that I have never seen with our previous setup. We have always used the Heimdal Kerberos libraries and therefore always used "libsasl2-modules-gssapi-heimdal" for `saslauthd`. Couldn't find any upstream changes in either Heimdal or Cyrus SASL which would explain my issuses so I went digging in the Debian package instead. Found that Heimdal was ripped out from the package(s) in October 24 2016: * 004977091b89363daa04301e89a045e7e2ffbad8 * b9158ab7d2bc71a026d417982fee61bc854935f4 * b334c34bce70f20d85ef0e86e79c6310b69f7345 And added again on Dec 31: * f382638d18a1e1e75560076d0cb1482e0b4dc613 Unfortunately the package(s) has moved a lot between removal and reinstatement so I can't get a clean diff over the changes. But I suspect that the reinstatement didn't go as planned. >From Jessie: ``` # dpkg -S /usr/lib/x86_64-linux-gnu/sasl2/libgssapiv2.so.2.0.25 libsasl2-modules-gssapi-heimdal:amd64: /usr/lib/x86_64-linux-gnu/sasl2/libgssapiv2.so.2.0.25 # ldd /usr/lib/x86_64-linux-gnu/sasl2/libgssapiv2.so.2.0.25 linux-vdso.so.1 (0x00007fffc877e000) libgssapi.so.3 => /usr/lib/x86_64-linux-gnu/libgssapi.so.3 (0x00007fd5b206a000) libkrb5.so.26 => /usr/lib/x86_64-linux-gnu/libkrb5.so.26 (0x00007fd5b1ddb000) libasn1.so.8 => /usr/lib/x86_64-linux-gnu/libasn1.so.8 (0x00007fd5b1b2b000) libroken.so.18 => /usr/lib/x86_64-linux-gnu/libroken.so.18 (0x00007fd5b1915000) libcrypt.so.1 => /lib/x86_64-linux-gnu/libcrypt.so.1 (0x00007fd5b16de000) libcrypto.so.1.0.0 => /usr/lib/x86_64-linux-gnu/libcrypto.so.1.0.0 (0x00007fd5b12e1000) libcom_err.so.2 => /lib/x86_64-linux-gnu/libcom_err.so.2 (0x00007fd5b10dd000) libresolv.so.2 => /lib/x86_64-linux-gnu/libresolv.so.2 (0x00007fd5b0ec6000) libc.so.6 => /lib/x86_64-linux-gnu/libc.so.6 (0x00007fd5b0b1a000) libheimntlm.so.0 => /usr/lib/x86_64-linux-gnu/libheimntlm.so.0 (0x00007fd5b0911000) libhcrypto.so.4 => /usr/lib/x86_64-linux-gnu/libhcrypto.so.4 (0x00007fd5b06dc000) libpthread.so.0 => /lib/x86_64-linux-gnu/libpthread.so.0 (0x00007fd5b04be000) libwind.so.0 => /usr/lib/x86_64-linux-gnu/libwind.so.0 (0x00007fd5b0295000) libheimbase.so.1 => /usr/lib/x86_64-linux-gnu/libheimbase.so.1 (0x00007fd5b0086000) libhx509.so.5 => /usr/lib/x86_64-linux-gnu/libhx509.so.5 (0x00007fd5afe39000) libsqlite3.so.0 => /usr/lib/x86_64-linux-gnu/libsqlite3.so.0 (0x00007fd5afb70000) libdl.so.2 => /lib/x86_64-linux-gnu/libdl.so.2 (0x00007fd5af96c000) /lib64/ld-linux-x86-64.so.2 (0x00007fd5b24ba000) # strings /usr/lib/x86_64-linux-gnu/sasl2/libgssapiv2.so.2.0.25 | egrep "MIT|HEIM" HEIMDAL_GSS_2.0 ``` >From Ubuntu Xenial: ``` # dpkg -S /usr/lib/x86_64-linux-gnu/sasl2/libgssapiv2.so.2.0.25 libsasl2-modules-gssapi-heimdal:amd64: /usr/lib/x86_64-linux-gnu/sasl2/libgssapiv2.so.2.0.25 # ldd /usr/lib/x86_64-linux-gnu/sasl2/libgssapiv2.so.2.0.25 linux-vdso.so.1 => (0x00007ffd967d4000) libgssapi.so.3 => /usr/lib/x86_64-linux-gnu/libgssapi.so.3 (0x00007f818c61c000) libc.so.6 => /lib/x86_64-linux-gnu/libc.so.6 (0x00007f818c252000) libheimntlm.so.0 => /usr/lib/x86_64-linux-gnu/libheimntlm.so.0 (0x00007f818c048000) libkrb5.so.26 => /usr/lib/x86_64-linux-gnu/libkrb5.so.26 (0x00007f818bdbe000) libasn1.so.8 => /usr/lib/x86_64-linux-gnu/libasn1.so.8 (0x00007f818bb1c000) libcom_err.so.2 => /lib/x86_64-linux-gnu/libcom_err.so.2 (0x00007f818b917000) libhcrypto.so.4 => /usr/lib/x86_64-linux-gnu/libhcrypto.so.4 (0x00007f818b6e4000) libroken.so.18 => /usr/lib/x86_64-linux-gnu/libroken.so.18 (0x00007f818b4ce000) libpthread.so.0 => /lib/x86_64-linux-gnu/libpthread.so.0 (0x00007f818b2b0000) /lib64/ld-linux-x86-64.so.2 (0x0000559426341000) libwind.so.0 => /usr/lib/x86_64-linux-gnu/libwind.so.0 (0x00007f818b087000) libheimbase.so.1 => /usr/lib/x86_64-linux-gnu/libheimbase.so.1 (0x00007f818ae78000) libhx509.so.5 => /usr/lib/x86_64-linux-gnu/libhx509.so.5 (0x00007f818ac2c000) libsqlite3.so.0 => /usr/lib/x86_64-linux-gnu/libsqlite3.so.0 (0x00007f818a957000) libcrypt.so.1 => /lib/x86_64-linux-gnu/libcrypt.so.1 (0x00007f818a71f000) libdl.so.2 => /lib/x86_64-linux-gnu/libdl.so.2 (0x00007f818a51a000) libresolv.so.2 => /lib/x86_64-linux-gnu/libresolv.so.2 (0x00007f818a2ff000) # strings /usr/lib/x86_64-linux-gnu/sasl2/libgssapiv2.so.2.0.25 | egrep "MIT|HEIM" HEIMDAL_GSS_2.0 ``` >From Stretch: ``` # dpkg -S /usr/lib/x86_64-linux-gnu/sasl2/libgssapiv2.so.2.0.25 libsasl2-modules-gssapi-heimdal:amd64: /usr/lib/x86_64-linux-gnu/sasl2/libgssapiv2.so.2.0.25 # ldd /usr/lib/x86_64-linux-gnu/sasl2/libgssapiv2.so.2.0.25 linux-vdso.so.1 (0x00007ffd97762000) libgssapi_krb5.so.2 => /usr/lib/x86_64-linux-gnu/libgssapi_krb5.so.2 (0x00007f218ad06000) libkrb5.so.3 => /usr/lib/x86_64-linux-gnu/libkrb5.so.3 (0x00007f218aa2c000) libk5crypto.so.3 => /usr/lib/x86_64-linux-gnu/libk5crypto.so.3 (0x00007f218a7f9000) libcom_err.so.2 => /lib/x86_64-linux-gnu/libcom_err.so.2 (0x00007f218a5f5000) libresolv.so.2 => /lib/x86_64-linux-gnu/libresolv.so.2 (0x00007f218a3de000) libc.so.6 => /lib/x86_64-linux-gnu/libc.so.6 (0x00007f218a03f000) libkrb5support.so.0 => /usr/lib/x86_64-linux-gnu/libkrb5support.so.0 (0x00007f2189e33000) libdl.so.2 => /lib/x86_64-linux-gnu/libdl.so.2 (0x00007f2189c2f000) libkeyutils.so.1 => /lib/x86_64-linux-gnu/libkeyutils.so.1 (0x00007f2189a2b000) libpthread.so.0 => /lib/x86_64-linux-gnu/libpthread.so.0 (0x00007f218980e000) /lib64/ld-linux-x86-64.so.2 (0x00007f218b15a000) # strings /usr/lib/x86_64-linux-gnu/sasl2/libgssapiv2.so.2.0.25 | egrep "MIT|HEIM" gssapi_krb5_2_MIT ``` As you can see from my examples all the older dists seems to be built against Heimdal and contains HEIMDAL in the SO file but in Stretch the file now contains MIT and `ldd` gives no hint of any Heimdal libraries. This makes me think that "libsasl2-modules-gssapi-heimdal" is built again the wrong Kerberos library. Let me know if there is any additional data I can provide in order to straighten this issue. -- jocar -- System Information: Debian Release: 9.1 APT prefers stable APT policy: (500, 'stable') Architecture: amd64 (x86_64) Kernel: Linux 4.9.0-4-amd64 (SMP w/2 CPU cores) Locale: LANG=en_GB.UTF-8, LC_CTYPE=UTF-8 (charmap=UTF-8) (ignored: LC_ALL set to en_US.UTF-8), LANGUAGE=en_GB:en (charmap=UTF-8) (ignored: LC_ALL set to en_US.UTF-8) Shell: /bin/sh linked to /bin/dash Init: systemd (via /run/systemd/system) Versions of packages libsasl2-modules-gssapi-heimdal depends on: ii libc6 2.24-11+deb9u1 ii libcomerr2 1.43.4-2 ii libgssapi-krb5-2 1.15-1+deb9u1 ii libk5crypto3 1.15-1+deb9u1 ii libkrb5-3 1.15-1+deb9u1 ii libsasl2-modules 2.1.27~101-g0780600+dfsg-3 libsasl2-modules-gssapi-heimdal recommends no packages. libsasl2-modules-gssapi-heimdal suggests no packages. -- no debconf information