This may be a Fedora/Kerberos issue rather than a Freeradius issue, but... Has anyone experienced "radiusd -X" segfaulting when using rlm_krb5? This is under Fedora 7 (x86_64), with freeradius 1.1.6 and 2.0.0-pre1 built from source tarballs. (I am trying to migrate to this environment from a working freeradius-1.1.0 / Fedora Core 2 / i686 installation.)
The segfault is actually occurring in the Kerberos libraries, which means that Freeradius might not be the issue; however, the segfault occurs only when radiusd is given "-X" or "-sfxx" options. I.e. "radiusd -sfx" and "radiusd" work as expected, and do not segfault. (One thing off the top of my head: Does this point to something possibly happening when debug_flag is >= 2 ?)

The killer request:

radtest testuser testpass localhost 1 testing123

Below are my users and radiusd.conf files. Full gdb output from a segfault case follows.

So, this isn't a bug report... I'm just hoping for tips on how to proceed... thanks in advance for any clues.

-Matt

### begin complete users file ###
DEFAULT Auth-Type:=Kerberos
### end complete users file ###

### begin partial radiusd.conf ###
# stuff that was changed from the default 1.1.6 radiusd.conf :
prefix = /opt/radius
localstatedir = /var
user = radiusd
group = radiusd
log_auth = yes
proxy_requests = no

modules {
    krb5 {
        keytab = radius-krb5.keytab
        service_principal = radius
    }
}

authenticate {
    Auth-Type Kerberos {
        krb5
    }
}
### end partial radiusd.conf ###

### begin gdb output ###
[EMAIL PROTECTED] raddb]# gdb radiusd
GNU gdb Red Hat Linux (6.6-15.fc7rh)
Copyright (C) 2006 Free Software Foundation, Inc.
GDB is free software, covered by the GNU General Public License, and you are
welcome to change it and/or distribute copies of it under certain conditions.
Type "show copying" to see the conditions.
There is absolutely no warranty for GDB. Type "show warranty" for details.
This GDB was configured as "x86_64-redhat-linux-gnu"...
Using host libthread_db library "/lib64/libthread_db.so.1".
(gdb) run -X
Starting program: /usr/local/sbin/radiusd -X
[Thread debugging using libthread_db enabled]
[New Thread 46912517212928 (LWP 25560)]
Starting - reading configuration files ...
reread_config: reading radiusd.conf
Config: including file: /opt/radius/etc/raddb/clients.conf
Config: including file: /opt/radius/etc/raddb/snmp.conf
Config: including file: /opt/radius/etc/raddb/eap.conf
Config: including file: /opt/radius/etc/raddb/sql.conf
main: prefix = "/opt/radius"
main: localstatedir = "/var"
main: logdir = "/var/log/radius"
main: libdir = "/opt/radius/lib"
main: radacctdir = "/var/log/radius/radacct"
main: hostname_lookups = no
main: max_request_time = 30
main: cleanup_delay = 5
main: max_requests = 1024
main: delete_blocked_requests = 0
main: port = 0
main: allow_core_dumps = no
main: log_stripped_names = no
main: log_file = "/var/log/radius/radius.log"
main: log_auth = yes
main: log_auth_badpass = no
main: log_auth_goodpass = no
main: pidfile = "/var/run/radiusd/radiusd.pid"
main: user = "radiusd"
main: group = "radiusd"
main: usercollide = no
main: lower_user = "no"
main: lower_pass = "no"
main: nospace_user = "no"
main: nospace_pass = "no"
main: checkrad = "/opt/radius/sbin/checkrad"
main: proxy_requests = no
security: max_attributes = 200
security: reject_delay = 1
security: status_server = no
main: debug_level = 0
read_config_files: reading dictionary
read_config_files: reading naslist
read_config_files: reading clients
read_config_files: reading realms
radiusd: entering modules setup
Module: Library search path is /opt/radius/lib
Module: Loaded exec
exec: wait = yes
exec: program = "(null)"
exec: input_pairs = "request"
exec: output_pairs = "(null)"
exec: packet_type = "(null)"
rlm_exec: Wait=yes but no output defined. Did you mean output=none?
Module: Instantiated exec (exec)
Module: Loaded expr
Module: Instantiated expr (expr)
Module: Loaded Kerberos
krb5: keytab = "radius-krb5.keytab"
krb5: service_principal = "radius"
rlm_krb5: krb5_init ok
Module: Instantiated krb5 (krb5)
Module: Loaded PAP
pap: encryption_scheme = "crypt"
pap: auto_header = yes
Module: Instantiated pap (pap)
Module: Loaded CHAP
Module: Instantiated chap (chap)
Module: Loaded MS-CHAP
mschap: use_mppe = yes
mschap: require_encryption = no
mschap: require_strong = no
mschap: with_ntdomain_hack = no
mschap: passwd = "(null)"
mschap: ntlm_auth = "(null)"
Module: Instantiated mschap (mschap)
Module: Loaded System
unix: cache = no
unix: passwd = "(null)"
unix: shadow = "(null)"
unix: group = "(null)"
unix: radwtmp = "/var/log/radius/radwtmp"
unix: usegroup = no
unix: cache_reload = 600
Module: Instantiated unix (unix)
Module: Loaded preprocess
preprocess: huntgroups = "/opt/radius/etc/raddb/huntgroups"
preprocess: hints = "/opt/radius/etc/raddb/hints"
preprocess: with_ascend_hack = no
preprocess: ascend_channels_per_line = 23
preprocess: with_ntdomain_hack = no
preprocess: with_specialix_jetstream_hack = no
preprocess: with_cisco_vsa_hack = no
preprocess: with_alvarion_vsa_hack = no
Module: Instantiated preprocess (preprocess)
Module: Loaded realm
realm: format = "suffix"
realm: delimiter = "@"
realm: ignore_default = no
realm: ignore_null = no
Module: Instantiated realm (suffix)
Module: Loaded files
files: usersfile = "/opt/radius/etc/raddb/users"
files: acctusersfile = "/opt/radius/etc/raddb/acct_users"
files: preproxy_usersfile = "/opt/radius/etc/raddb/preproxy_users"
files: compat = "no"
Module: Instantiated files (files)
Module: Loaded Acct-Unique-Session-Id
acct_unique: key = "User-Name, Acct-Session-Id, NAS-IP-Address, Client-IP-Address, NAS-Port"
Module: Instantiated acct_unique (acct_unique)
Module: Loaded detail
detail: detailfile = "/var/log/radius/radacct/%{Client-IP-Address}/detail-%Y%m%d"
detail: detailperm = 384
detail: dirperm = 493
detail: locking = no
Module: Instantiated detail (detail)
Module: Loaded radutmp
radutmp: filename = "/var/log/radius/radutmp"
radutmp: username = "%{User-Name}"
radutmp: case_sensitive = yes
radutmp: check_with_nas = yes
radutmp: perm = 384
radutmp: callerid = yes
Module: Instantiated radutmp (radutmp)
Listening on authentication *:1812
Listening on accounting *:1813
Ready to process requests.
rad_recv: Access-Request packet from host 127.0.0.1:32790, id=222, length=59
    User-Name = "testuser"
    User-Password = "testpass"
    NAS-IP-Address = 255.255.255.255
    NAS-Port = 1
Processing the authorize section of radiusd.conf
modcall: entering group authorize for request 0
modcall[authorize]: module "preprocess" returns ok for request 0
modcall[authorize]: module "chap" returns noop for request 0
modcall[authorize]: module "mschap" returns noop for request 0
rlm_realm: No '@' in User-Name = "testuser", looking up realm NULL
rlm_realm: No such realm "NULL"
modcall[authorize]: module "suffix" returns noop for request 0
users: Matched entry DEFAULT at line 1
modcall[authorize]: module "files" returns ok for request 0
rlm_pap: WARNING! No "known good" password found for the user. Authentication may fail because of this.
modcall[authorize]: module "pap" returns noop for request 0
modcall: leaving group authorize (returns ok) for request 0
rad_check_password: Found Auth-Type Kerberos
auth: type "Kerberos"
Processing the authenticate section of radiusd.conf
modcall: entering group Kerberos for request 0

Program received signal SIGSEGV, Segmentation fault.
[Switching to Thread 46912517212928 (LWP 25560)]
0x00002aaaac74be19 in krb5_get_init_creds (context=0x5555558a2120,
    creds=0x7fffb62f7a00, client=0x7fffb62f5470,
    prompter=0x2aaaac767db0 <krb5_prompter_posix>, prompter_data=0x0,
    start_time=-1238412144,
    in_tkt_service=0x5555558ab330 "krbtgt/[EMAIL PROTECTED]",
    options=0x5555558ab2b0,
    gak_fct=0x2aaaac74db10 <krb5_get_as_key_password>,
    gak_data=0x7fffb62f5950, use_master=0x7fffb62f597c,
    as_reply=0x7fff00000000) at get_in_tkt.c:1303
1303        *as_reply = local_as_reply;
(gdb) bt
#0  0x00002aaaac74be19 in krb5_get_init_creds (context=0x5555558a2120,
    creds=0x7fffb62f7a00, client=0x7fffb62f5470,
    prompter=0x2aaaac767db0 <krb5_prompter_posix>, prompter_data=0x0,
    start_time=-1238412144,
    in_tkt_service=0x5555558ab330 "krbtgt/[EMAIL PROTECTED]",
    options=0x5555558ab2b0,
    gak_fct=0x2aaaac74db10 <krb5_get_as_key_password>,
    gak_data=0x7fffb62f5950, use_master=0x7fffb62f597c,
    as_reply=0x7fff00000000) at get_in_tkt.c:1303
#1  0x00002aaaac74e0ec in krb5_get_in_tkt_with_password (
    context=0x5555558a2120, options=0, addrs=0x0, ktypes=0x0,
    pre_auth_types=0x0, password=<value optimized out>,
    ccache=0x5555558a9ad0, creds=0x7fffb62f7a00,
    ret_as_reply=0x7fff00000000) at gic_pwd.c:509
#2  0x00002aaaac4eb197 in krb5_auth (instance=0x55555589dbb0,
    request=<value optimized out>) at rlm_krb5.c:305
#3  0x0000555555563462 in modcall (component=0, c=0x5555558a27b0,
    request=0x5555558aa680) at modcall.c:236
#4  0x0000555555563a51 in call_one (component=0, p=0x7fffb62f5460,
    request=0x7fff00000000, priority=0x5555558ab0d0,
    result=0x5555558ab0e0) at modcall.c:269
#5  0x000055555556362c in modcall (component=0, c=0x55555589dbd0,
    request=0x5555558aa680) at modcall.c:324
#6  0x000055555555b563 in rad_check_password (request=0x5555558aa680)
    at auth.c:380
#7  0x000055555555ba8a in rad_authenticate (request=0x5555558aa680)
    at auth.c:675
#8  0x00005555555649da in rad_respond (request=0x5555558aa680,
    fun=0x55555555b810 <rad_authenticate>) at radiusd.c:1669
#9  0x0000555555565fd6 in main (argc=<value optimized out>,
    argv=<value optimized out>) at radiusd.c:1434
(gdb) display local_as_reply
1: local_as_reply = (krb5_kdc_rep *) 0x5555558ab860
(gdb) display *local_as_reply
2: *local_as_reply = {magic = -1760647403, msg_type = 11,
  padata = 0x5555558ab900, client = 0x5555558ab920,
  ticket = 0x5555558ab9b0, enc_part = {magic = -1760647418,
    enctype = 16, kvno = 0, ciphertext = {magic = 0, length = 220,
      data = 0x5555558abb80 "▒\214ݰ\207\206\v▒}ܯ/"}},
  enc_part2 = 0x5555558ab540}
(gdb) display as_reply
3: as_reply = (krb5_kdc_rep **) 0x7fff00000000
(gdb) display *as_reply
Disabling display 4 to avoid infinite recursion.
4: *as_reply = (krb5_kdc_rep *) Cannot access memory at address 0x7fff00000000
(gdb) quit
The program is running. Exit anyway? (y or n) y
[EMAIL PROTECTED] raddb]#
### end ####

-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html