[Bug 476069] Re: segfault
[Expired for krb5 (Ubuntu) because there has been no activity for 60 days.] ** Changed in: krb5 (Ubuntu) Status: Incomplete = Expired -- You received this bug notification because you are a member of Ubuntu Server Team, which is subscribed to krb5 in Ubuntu. https://bugs.launchpad.net/bugs/476069 Title: segfault -- Ubuntu-server-bugs mailing list Ubuntu-server-bugs@lists.ubuntu.com Modify settings or unsubscribe at: https://lists.ubuntu.com/mailman/listinfo/ubuntu-server-bugs
[Bug 476069] Re: segfault
[Expired for krb5 (Ubuntu) because there has been no activity for 60 days.] ** Changed in: krb5 (Ubuntu) Status: Incomplete = Expired -- You received this bug notification because you are a member of Ubuntu Bugs, which is subscribed to Ubuntu. https://bugs.launchpad.net/bugs/476069 Title: segfault -- ubuntu-bugs mailing list ubuntu-bugs@lists.ubuntu.com https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
[Bug 476069] Re: segfault
It would be really helpful if you could get a backtrace. chuck ** Changed in: krb5 (Ubuntu) Status: New = Incomplete -- You received this bug notification because you are a member of Ubuntu Server Team, which is subscribed to krb5 in ubuntu. https://bugs.launchpad.net/bugs/476069 Title: segfault -- Ubuntu-server-bugs mailing list Ubuntu-server-bugs@lists.ubuntu.com Modify settings or unsubscribe at: https://lists.ubuntu.com/mailman/listinfo/ubuntu-server-bugs
[Bug 476069] Re: segfault
It would be really helpful if you could get a backtrace. chuck ** Changed in: krb5 (Ubuntu) Status: New = Incomplete -- You received this bug notification because you are a member of Ubuntu Bugs, which is subscribed to Ubuntu. https://bugs.launchpad.net/bugs/476069 Title: segfault -- ubuntu-bugs mailing list ubuntu-bugs@lists.ubuntu.com https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
[Bug 476069] Re: segfault
Maybe this is the same problem as i have here: https://bugs.launchpad.net/ubuntu/+source/apache2/+bug/578681 ? -- segfault https://bugs.launchpad.net/bugs/476069 You received this bug notification because you are a member of Ubuntu Server Team, which is subscribed to krb5 in ubuntu. -- Ubuntu-server-bugs mailing list Ubuntu-server-bugs@lists.ubuntu.com Modify settings or unsubscribe at: https://lists.ubuntu.com/mailman/listinfo/ubuntu-server-bugs
[Bug 476069] Re: segfault
Maybe this is the same problem as i have here: https://bugs.launchpad.net/ubuntu/+source/apache2/+bug/578681 ? -- segfault https://bugs.launchpad.net/bugs/476069 You received this bug notification because you are a member of Ubuntu Bugs, which is subscribed to Ubuntu. -- ubuntu-bugs mailing list ubuntu-bugs@lists.ubuntu.com https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
[Bug 476069] Re: segfault
** Changed in: krb5 (Ubuntu) Status: Incomplete = New -- segfault https://bugs.launchpad.net/bugs/476069 You received this bug notification because you are a member of Ubuntu Server Team, which is subscribed to krb5 in ubuntu. -- Ubuntu-server-bugs mailing list Ubuntu-server-bugs@lists.ubuntu.com Modify settings or unsubscribe at: https://lists.ubuntu.com/mailman/listinfo/ubuntu-server-bugs
[Bug 476069] Re: segfault
The best theory that I have about this bug is that it's related to some sort of failure in the NSS lookups for the current user, resulting in the ticket cache permissions not being changed, but I can't entirely reconcile this with the debugging messages you're seeing. I think progress on this bug is stalled on finding a reproducible test case. I can't duplicate this problem on an Ubuntu 9.10 system that uses the LDAP NSS module, so I'm at a bit of a loss. -- segfault https://bugs.launchpad.net/bugs/476069 You received this bug notification because you are a member of Ubuntu Server Team, which is subscribed to krb5 in ubuntu. -- Ubuntu-server-bugs mailing list Ubuntu-server-bugs@lists.ubuntu.com Modify settings or unsubscribe at: https://lists.ubuntu.com/mailman/listinfo/ubuntu-server-bugs
[Bug 476069] Re: segfault
** Changed in: krb5 (Ubuntu) Status: Incomplete = New -- segfault https://bugs.launchpad.net/bugs/476069 You received this bug notification because you are a member of Ubuntu Bugs, which is subscribed to Ubuntu. -- ubuntu-bugs mailing list ubuntu-bugs@lists.ubuntu.com https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
[Bug 476069] Re: segfault
The best theory that I have about this bug is that it's related to some sort of failure in the NSS lookups for the current user, resulting in the ticket cache permissions not being changed, but I can't entirely reconcile this with the debugging messages you're seeing. I think progress on this bug is stalled on finding a reproducible test case. I can't duplicate this problem on an Ubuntu 9.10 system that uses the LDAP NSS module, so I'm at a bit of a loss. -- segfault https://bugs.launchpad.net/bugs/476069 You received this bug notification because you are a member of Ubuntu Bugs, which is subscribed to Ubuntu. -- ubuntu-bugs mailing list ubuntu-bugs@lists.ubuntu.com https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
[Bug 476069] Re: segfault
It seems to be related to bug #476953 (and vice versa), if that helps -- segfault https://bugs.launchpad.net/bugs/476069 You received this bug notification because you are a member of Ubuntu Bugs, which is subscribed to Ubuntu. -- ubuntu-bugs mailing list ubuntu-bugs@lists.ubuntu.com https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
[Bug 476069] Re: segfault
I assigned this bug to this package because the segfault appears as follows (from dmesg): [ 1844.309499] su[6070]: segfault at 1be96c38 ip 7fd3a48c03c3 sp 7fffd10ab710 error 4 in libkrb5.so.3.3[7fd3a4874000+ae000] Turning on debug in the krb5 pam system provides the following in auth.log: Nov 5 20:07:24 computer su[6070]: (pam_krb5): none: pam_sm_authenticate: entry (0x0) Nov 5 20:07:24 computer su[6070]: (pam_krb5): user: attempting authentication as u...@krb.domain Nov 5 20:07:27 computer su[6070]: (pam_krb5): user: pam_sm_authenticate: exit (success) Nov 5 20:07:27 computer su[6070]: (pam_krb5): user: cannot retrieve principal from cache: Credentials cache permissions incorrect Nov 5 20:07:27 computer su[6070]: pam_acct_mgmt: Authentication failure -- segfault https://bugs.launchpad.net/bugs/476069 You received this bug notification because you are a member of Ubuntu Server Team, which is subscribed to krb5 in ubuntu. -- Ubuntu-server-bugs mailing list Ubuntu-server-bugs@lists.ubuntu.com Modify settings or unsubscribe at: https://lists.ubuntu.com/mailman/listinfo/ubuntu-server-bugs
[Bug 476069] Re: segfault
On which release do you see this? Error message: Credentials cache permissions incorrect Could you check the permission on the credentials cache directory? ** Changed in: krb5 (Ubuntu) Importance: Undecided = Medium ** Changed in: krb5 (Ubuntu) Status: New = Incomplete -- segfault https://bugs.launchpad.net/bugs/476069 You received this bug notification because you are a member of Ubuntu Server Team, which is subscribed to krb5 in ubuntu. -- Ubuntu-server-bugs mailing list Ubuntu-server-bugs@lists.ubuntu.com Modify settings or unsubscribe at: https://lists.ubuntu.com/mailman/listinfo/ubuntu-server-bugs
Re: [Bug 476069] Re: segfault
Alex Mauer ha...@hawkesnest.net writes: I assigned this bug to this package because the segfault appears as follows (from dmesg): [ 1844.309499] su[6070]: segfault at 1be96c38 ip 7fd3a48c03c3 sp 7fffd10ab710 error 4 in libkrb5.so.3.3[7fd3a4874000+ae000] Turning on debug in the krb5 pam system provides the following in auth.log: Nov 5 20:07:24 computer su[6070]: (pam_krb5): none: pam_sm_authenticate: entry (0x0) Nov 5 20:07:24 computer su[6070]: (pam_krb5): user: attempting authentication as u...@krb.domain Nov 5 20:07:27 computer su[6070]: (pam_krb5): user: pam_sm_authenticate: exit (success) Nov 5 20:07:27 computer su[6070]: (pam_krb5): user: cannot retrieve principal from cache: Credentials cache permissions incorrect Nov 5 20:07:27 computer su[6070]: pam_acct_mgmt: Authentication failure That log trace seems to indicate that (a) you have some sort of serious problem with either your PAM or your nsswitch configuration causing a ticket cache that was just created in the authentication stage to no longer have correct ownership in the account stage, and (b) the segfault isn't occuring in the PAM module, since that last line is the final line logged by the PAM module before returning to the process. -- Russ Allbery (r...@debian.org) http://www.eyrie.org/~eagle/ -- segfault https://bugs.launchpad.net/bugs/476069 You received this bug notification because you are a member of Ubuntu Server Team, which is subscribed to krb5 in ubuntu. -- Ubuntu-server-bugs mailing list Ubuntu-server-bugs@lists.ubuntu.com Modify settings or unsubscribe at: https://lists.ubuntu.com/mailman/listinfo/ubuntu-server-bugs
Re: [Bug 476069] Re: segfault
Mathias Gug math...@ubuntu.com writes: On which release do you see this? Error message: Credentials cache permissions incorrect Could you check the permission on the credentials cache directory? That message would be referring to the file rather than the directory, I believe. There should be a file with a name like /tmp/krb5cc_1000_DBzGt12076 representing the user's ticket cache. -- Russ Allbery (r...@debian.org) http://www.eyrie.org/~eagle/ -- segfault https://bugs.launchpad.net/bugs/476069 You received this bug notification because you are a member of Ubuntu Server Team, which is subscribed to krb5 in ubuntu. -- Ubuntu-server-bugs mailing list Ubuntu-server-bugs@lists.ubuntu.com Modify settings or unsubscribe at: https://lists.ubuntu.com/mailman/listinfo/ubuntu-server-bugs
[Bug 476069] Re: segfault
This is on karmic. It all works fine for login; it's just su that has trouble. This is just more-or-less default settings of nsswitch and PAM. PAM is entirely as provided by pam-auth-update (except the addition of 'debug' to the krb5 module), and nss is 'compat ldap' for passwd, group, and shadow. I do notice that there are a bunch of /tmp/krb5cc_pam_RANDOM files, owned by root. So I suppose that would be causing the Credentials cache permissions incorrect I don’t know if there’s a way to provoke apport into noticing the segfault so I can get a more useful bug report on that end of things... -- segfault https://bugs.launchpad.net/bugs/476069 You received this bug notification because you are a member of Ubuntu Server Team, which is subscribed to krb5 in ubuntu. -- Ubuntu-server-bugs mailing list Ubuntu-server-bugs@lists.ubuntu.com Modify settings or unsubscribe at: https://lists.ubuntu.com/mailman/listinfo/ubuntu-server-bugs
Re: [Bug 476069] Re: segfault
Alex Mauer ha...@hawkesnest.net writes: I do notice that there are a bunch of /tmp/krb5cc_pam_RANDOM files, owned by root. So I suppose that would be causing the Credentials cache permissions incorrect Are you su'ing *to* root? If so, then that ownership is correct. Are those files all mode 600? -- Russ Allbery (r...@debian.org) http://www.eyrie.org/~eagle/ -- segfault https://bugs.launchpad.net/bugs/476069 You received this bug notification because you are a member of Ubuntu Server Team, which is subscribed to krb5 in ubuntu. -- Ubuntu-server-bugs mailing list Ubuntu-server-bugs@lists.ubuntu.com Modify settings or unsubscribe at: https://lists.ubuntu.com/mailman/listinfo/ubuntu-server-bugs
[Bug 476069] Re: segfault
Nope, su'ing to the current user. 'su - $USER', using the environment variable. It does the same if I put the literal username, obviously. File modes are 0600 -- segfault https://bugs.launchpad.net/bugs/476069 You received this bug notification because you are a member of Ubuntu Server Team, which is subscribed to krb5 in ubuntu. -- Ubuntu-server-bugs mailing list Ubuntu-server-bugs@lists.ubuntu.com Modify settings or unsubscribe at: https://lists.ubuntu.com/mailman/listinfo/ubuntu-server-bugs
[Bug 476069] Re: segfault
I assigned this bug to this package because the segfault appears as follows (from dmesg): [ 1844.309499] su[6070]: segfault at 1be96c38 ip 7fd3a48c03c3 sp 7fffd10ab710 error 4 in libkrb5.so.3.3[7fd3a4874000+ae000] Turning on debug in the krb5 pam system provides the following in auth.log: Nov 5 20:07:24 computer su[6070]: (pam_krb5): none: pam_sm_authenticate: entry (0x0) Nov 5 20:07:24 computer su[6070]: (pam_krb5): user: attempting authentication as u...@krb.domain Nov 5 20:07:27 computer su[6070]: (pam_krb5): user: pam_sm_authenticate: exit (success) Nov 5 20:07:27 computer su[6070]: (pam_krb5): user: cannot retrieve principal from cache: Credentials cache permissions incorrect Nov 5 20:07:27 computer su[6070]: pam_acct_mgmt: Authentication failure -- segfault https://bugs.launchpad.net/bugs/476069 You received this bug notification because you are a member of Ubuntu Bugs, which is subscribed to Ubuntu. -- ubuntu-bugs mailing list ubuntu-bugs@lists.ubuntu.com https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
[Bug 476069] Re: segfault
On which release do you see this? Error message: Credentials cache permissions incorrect Could you check the permission on the credentials cache directory? ** Changed in: krb5 (Ubuntu) Importance: Undecided = Medium ** Changed in: krb5 (Ubuntu) Status: New = Incomplete -- segfault https://bugs.launchpad.net/bugs/476069 You received this bug notification because you are a member of Ubuntu Bugs, which is subscribed to Ubuntu. -- ubuntu-bugs mailing list ubuntu-bugs@lists.ubuntu.com https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
Re: [Bug 476069] Re: segfault
Alex Mauer ha...@hawkesnest.net writes: I assigned this bug to this package because the segfault appears as follows (from dmesg): [ 1844.309499] su[6070]: segfault at 1be96c38 ip 7fd3a48c03c3 sp 7fffd10ab710 error 4 in libkrb5.so.3.3[7fd3a4874000+ae000] Turning on debug in the krb5 pam system provides the following in auth.log: Nov 5 20:07:24 computer su[6070]: (pam_krb5): none: pam_sm_authenticate: entry (0x0) Nov 5 20:07:24 computer su[6070]: (pam_krb5): user: attempting authentication as u...@krb.domain Nov 5 20:07:27 computer su[6070]: (pam_krb5): user: pam_sm_authenticate: exit (success) Nov 5 20:07:27 computer su[6070]: (pam_krb5): user: cannot retrieve principal from cache: Credentials cache permissions incorrect Nov 5 20:07:27 computer su[6070]: pam_acct_mgmt: Authentication failure That log trace seems to indicate that (a) you have some sort of serious problem with either your PAM or your nsswitch configuration causing a ticket cache that was just created in the authentication stage to no longer have correct ownership in the account stage, and (b) the segfault isn't occuring in the PAM module, since that last line is the final line logged by the PAM module before returning to the process. -- Russ Allbery (r...@debian.org) http://www.eyrie.org/~eagle/ -- segfault https://bugs.launchpad.net/bugs/476069 You received this bug notification because you are a member of Ubuntu Bugs, which is subscribed to Ubuntu. -- ubuntu-bugs mailing list ubuntu-bugs@lists.ubuntu.com https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
Re: [Bug 476069] Re: segfault
Mathias Gug math...@ubuntu.com writes: On which release do you see this? Error message: Credentials cache permissions incorrect Could you check the permission on the credentials cache directory? That message would be referring to the file rather than the directory, I believe. There should be a file with a name like /tmp/krb5cc_1000_DBzGt12076 representing the user's ticket cache. -- Russ Allbery (r...@debian.org) http://www.eyrie.org/~eagle/ -- segfault https://bugs.launchpad.net/bugs/476069 You received this bug notification because you are a member of Ubuntu Bugs, which is subscribed to Ubuntu. -- ubuntu-bugs mailing list ubuntu-bugs@lists.ubuntu.com https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
[Bug 476069] Re: segfault
This is on karmic. It all works fine for login; it's just su that has trouble. This is just more-or-less default settings of nsswitch and PAM. PAM is entirely as provided by pam-auth-update (except the addition of 'debug' to the krb5 module), and nss is 'compat ldap' for passwd, group, and shadow. I do notice that there are a bunch of /tmp/krb5cc_pam_RANDOM files, owned by root. So I suppose that would be causing the Credentials cache permissions incorrect I don’t know if there’s a way to provoke apport into noticing the segfault so I can get a more useful bug report on that end of things... -- segfault https://bugs.launchpad.net/bugs/476069 You received this bug notification because you are a member of Ubuntu Bugs, which is subscribed to Ubuntu. -- ubuntu-bugs mailing list ubuntu-bugs@lists.ubuntu.com https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
Re: [Bug 476069] Re: segfault
Alex Mauer ha...@hawkesnest.net writes: I do notice that there are a bunch of /tmp/krb5cc_pam_RANDOM files, owned by root. So I suppose that would be causing the Credentials cache permissions incorrect Are you su'ing *to* root? If so, then that ownership is correct. Are those files all mode 600? -- Russ Allbery (r...@debian.org) http://www.eyrie.org/~eagle/ -- segfault https://bugs.launchpad.net/bugs/476069 You received this bug notification because you are a member of Ubuntu Bugs, which is subscribed to Ubuntu. -- ubuntu-bugs mailing list ubuntu-bugs@lists.ubuntu.com https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
[Bug 476069] Re: segfault
Nope, su'ing to the current user. 'su - $USER', using the environment variable. It does the same if I put the literal username, obviously. File modes are 0600 -- segfault https://bugs.launchpad.net/bugs/476069 You received this bug notification because you are a member of Ubuntu Bugs, which is subscribed to Ubuntu. -- ubuntu-bugs mailing list ubuntu-bugs@lists.ubuntu.com https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
Re: [Bug 476069] Re: segfault
Alex Mauer ha...@hawkesnest.net writes: Nope, su'ing to the current user. 'su - $USER', using the environment variable. It does the same if I put the literal username, obviously. File modes are 0600 Ah, hm. I seem to vaguely remember running into this before, where su calls part of the PAM stack as root and other parts as the target user, which causes issues like incorrect file ownership. I don't recall when I saw this, though, or what the solution was. That doesn't explain the segfault, although I suspect the LDAP NSS module for that given the log messages that you're seeing and given how sensitive it is to shared library conflicts and similar issues. Hm. If the NSS lookup of the target user fails, then pam_setcred will fail to chown the ticket cache to the target user, and you'll get that incorrect ownership error. But I actually don't recall seeing a setcred call in your trace. I wonder if su is auth'ing as root, and then changing users to the target user and calling the account hook. But if so, I'm not entirely sure how that could ever work, since the account hook assumes the ticket cache credentials are already correct, and that doesn't match the behavior I'm seeing elsewhere. For whatever it's worth, this appears to be either specific to the LDAP NSS module or to Ubuntu; su - $USER works fine with pam-krb5 in Debian on a system that doesn't use any special NSS modules. -- Russ Allbery (r...@debian.org) http://www.eyrie.org/~eagle/ -- segfault https://bugs.launchpad.net/bugs/476069 You received this bug notification because you are a member of Ubuntu Bugs, which is subscribed to Ubuntu. -- ubuntu-bugs mailing list ubuntu-bugs@lists.ubuntu.com https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs