From nobody@FreeBSD.org  Thu Jun  3 23:25:38 2010
Message-Id: <201006032325.o53NPcct015398@www.freebsd.org>
Date: Thu, 3 Jun 2010 23:25:38 GMT
From: Benjamin Lee <ben@b1c1l1.com>
To: freebsd-gnats-submit@FreeBSD.org
Subject: libgssapi (heimdal) broken in head/, stable/8/, and releng/8.0/
X-Send-Pr-Version: www-3.1
X-GNATS-Notify:

>Number:         147454
>Category:       kern
>Synopsis:       [libgssapi] libgssapi (heimdal) broken in head/, stable/8/, and releng/8.0/
>Confidential:   no
>Severity:       non-critical
>Priority:       low
>Responsible:    freebsd-bugs
>State:          open
>Quarter:        
>Keywords:       
>Date-Required:  
>Class:          sw-bug
>Submitter-Id:   current-users
>Arrival-Date:   Thu Jun 03 23:30:03 UTC 2010
>Closed-Date:    
>Last-Modified:  Sun Jul 18 22:30:09 UTC 2010
>Originator:     Benjamin Lee
>Release:        8.0-RELEASE
>Organization:
>Environment:
FreeBSD eclipse.b1c1l1.com 8.0-RELEASE-p2 FreeBSD 8.0-RELEASE-p2 #0: Tue Jan  5 16:02:27 UTC 2010     root@i386-builder.daemonology.net:/usr/obj/usr/src/sys/GENERIC  i386
>Description:
The heimdal-1.1 merge in head/ broke libgssapi.

For example, the entire lib/gssapi/mech directory is missing, which
defines many libgssapi functions:

blee@eclipse ~/src/heimdal-1.1/lib/gssapi/mech $ ls
context.c                         gss_krb5.c
context.h                         gss_mech_switch.c
cred.h                            gss_names.c
gss_accept_sec_context.c          gss_oid_equal.c
gss_acquire_cred.c                gss_oid_to_str.c
gss_add_cred.c                    gss_process_context_token.c
gss_add_oid_set_member.c          gss_pseudo_random.c
gss_buffer_set.c                  gss_release_buffer.c
gss_canonicalize_name.c           gss_release_cred.c
gss_compare_name.c                gss_release_name.c
gss_context_time.c                gss_release_oid.c
gss_create_empty_oid_set.c        gss_release_oid_set.c
gss_decapsulate_token.c           gss_seal.c
gss_delete_sec_context.c          gss_set_cred_option.c
gss_display_name.c                gss_set_sec_context_option.c
gss_display_status.c              gss_sign.c
gss_duplicate_name.c              gss_test_oid_set_member.c
gss_duplicate_oid.c               gss_unseal.c
gss_encapsulate_token.c           gss_unwrap.c
gss_export_name.c                 gss_utils.c
gss_export_sec_context.c          gss_verify.c
gss_get_mic.c                     gss_verify_mic.c
gss_import_name.c                 gss_wrap.c
gss_import_sec_context.c          gss_wrap_size_limit.c
gss_indicate_mechs.c              gssapi.asn1
gss_init_sec_context.c            mech.5
gss_inquire_context.c             mech.cat5
gss_inquire_cred.c                mech_locl.h
gss_inquire_cred_by_mech.c        mech_switch.h
gss_inquire_cred_by_oid.c         mechqueue.h
gss_inquire_mechs_for_name.c      name.h
gss_inquire_names_for_mech.c      utils.h
gss_inquire_sec_context_by_oid.c

Other parts of heimdal may be broken as well.

One related PR is ports/137729, which shows that the www/mod_auth_kerb2
port is broken due to the libgssapi breakage in base.
>How-To-Repeat:
Use libgssapi in FreeBSD 8.0+.
>Fix:
Clean up the merge with upstream's heimdal-1.1.

>Release-Note:
>Audit-Trail:

From: Stefan Walter <stefan@freebsd.org>
To: Benjamin Lee <ben@b1c1l1.com>
Cc: GNATS <FreeBSD-gnats-submit@FreeBSD.org>
Subject: Re: kern/147454: [libgssapi] libgssapi (heimdal) broken in head/,
 stable/8/, and releng/8.0/
Date: Fri, 25 Jun 2010 12:06:47 +0200

 Hi,
 
 for the record, ports/145769 seems to describe a problem with fetchmail
 resulting from this.
 
 Regards,
 Stefan

From: Benjamin Lee <ben@b1c1l1.com>
To: bug-followup@FreeBSD.org, ben@b1c1l1.com
Cc:  
Subject: Re: kern/147454: [libgssapi] libgssapi (heimdal) broken in head/,
 stable/8/, and releng/8.0/
Date: Fri, 25 Jun 2010 14:05:57 -0700

 
 The following patch unbreaks libgssapi and upgrades it to be consistent
 with the previous heimdal-1.1 merge:
 
 http://www.b1c1l1.com/media/patches/libgssapi-9.0-CURRENT.diff.bz2
 http://www.b1c1l1.com/media/patches/libgssapi-8.1-STABLE.diff.bz2
 
 Currently, libgssapi is out of date because it was not upgraded when the
 rest of heimdal was upgraded to heimdal-1.1.  Also, 3 new libraries
 (libgssapi_krb5, libgssapi_ntlm, libgssapi_spnego) were unnecessarily
 introduced -- MIT Kerberos separates these libraries, but Heimdal does
 not.  This broke some libgssapi-dependent applications (e.g.
 www/mod_auth_kerb2, PR #147282).
 
 SHLIB_MAJOR is bumped from 10 to 11, so libgssapi-dependent applications
 must be rebuilt after applying this patch.
 
 I renamed some of upstream's files due to filename collisions.  If
 buildworld can create corresponding subdirectories in obj/ to match
 src/, then the renames are not necessary.
 
 This patch went without comment on current@ and stable@.  Feedback is
 appreciated.
 
 
 --
 Benjamin Lee
 http://www.b1c1l1.com/
 
 

From: "Reko Turja" <reko.turja@liukuma.net>
To: "bug-followup@FreeBSD.org"@liukuma.net
Cc: <ben@b1c1l1.com>
Subject: Re: kern/147454: [libgssapi] libgssapi (heimdal) broken in head/, stable/8/, and releng/8.0/
Date: Mon, 19 Jul 2010 01:25:23 +0300

 I've been testing different GSSAPI solutions this weekend based on the
 broken kerberos thread in stable@ this weekend and had the following
 experience:
 
 8-RELEASE GSSAPI segfaults on i386 and in amd64 doesn't recognise the
 mech used, but instead outputs to log:
 
  perl: GSSAPI Error:  Miscellaneous failure (see text) (unknown
 mech-code 2 for mech unknown)
 
 
 When linking cyrus-sasl2 against gssapi library from either the 1.0.1
 official port or the unofficial 1.2.1 patchset cyradm works as
 expected and it logs a message from gssapi/kerberos telling that no
 KDC's are available - which is to be expected on a system that isn't
 using gssapi/kerberos in authenticating.
 
 So the present behaviour in 8-RELEASE and 8-PRERELEASE updated Monday
 the 5th is clearly some kind of regression as system gsslib doesn't
 seem to recognize the mech used or segfaults.
 
 After applying the patch from Benjamin, system csupped
 yesterday built okay and after rebuilding cyrus-sasl, saslauthd and
 cyrus I get the following failures in log:
 
 Jul 18 16:37:35 moria perl: GSSAPI Error:  Miscellaneous failure (see
 text)^B (open(/tmp/krb5cc_0): No such file or directory)
 
 -This is expected behaviour as Kerberos was not running at the moment,
 but with Benjamin's patch Kerberos/GSSAPI spat out a meaningful error
 message
 
 After dusting off my old Kerberos setup, doing basic kinit and running
 cyradm localhost I got:
 
 Jul 18 16:39:00 moria perl: GSSAPI Error:  Miscellaneous failure (see
 text) (Server (imap/localhost@XXX.DOMAIN.COM) unknown)
 
 -Again expected as there is no imap trust relationship defined.
 
 So at least after cursory testing it looks like with Benjamin's
 patch there is a working GSSAPI/Kerberos backend available, instead of
 something that chokes on passed parameters that are ok for every other
 tested gssapi implementation.
 
 Of course, more thorough testing in a proper kerberised/LDAP environment
 needs to be done, which is something I haven't got time for at the moment.
 
>Unformatted:
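
The report above says the functions defined under lib/gssapi/mech are missing from the base libgssapi. The following is an added example, not part of the PR or of any participant's message: a shell function that reads `nm -D` output and lists the GSS-API entry points the library does not define itself. It assumes each gss_*.c file in the listing defines the function of the same name; the sample symbol table, its addresses and its version tag are constructed.

```shell
#!/bin/sh
# Added example: report GSS-API entry points a shared library does not define.
# Names are taken from the lib/gssapi/mech file listing in the report
# (assumption: gss_foo.c defines gss_foo).
GSS_EXPECTED="gss_accept_sec_context gss_acquire_cred gss_display_status \
gss_import_name gss_indicate_mechs gss_init_sec_context gss_get_mic \
gss_verify_mic gss_wrap gss_unwrap gss_release_buffer gss_release_name"

# Reads nm -D style lines on stdin, prints one missing name per line.
gss_missing_symbols() {
    awk -v expected="$GSS_EXPECTED" '
        # Lines look like "<addr> <type> <name>" or "U <name>" (undefined).
        NF >= 2 {
            type = $(NF - 1); name = $NF
            sub(/@.*/, "", name)      # strip an @@VERSION suffix if present
            # T (text) and W (weak) are defined in this object; U is only
            # referenced here and must come from some other library.
            if (type ~ /^[TW]$/) defined[name] = 1
        }
        END {
            n = split(expected, want, " ")
            for (i = 1; i <= n; i++)
                if (!(want[i] in defined)) print want[i]
        }'
}

# Constructed sample: gss_indicate_mechs is only referenced (U) and
# gss_wrap is absent altogether.
sample_nm_output() {
    cat <<'EOF'
0000000000004a10 T gss_accept_sec_context
0000000000004c80 T gss_acquire_cred
0000000000005120 T gss_display_status@@EXAMPLE_1.0
0000000000005300 T gss_import_name
                 U gss_indicate_mechs
0000000000005800 T gss_init_sec_context
0000000000005a40 W gss_get_mic
0000000000005b00 T gss_verify_mic
0000000000005c00 T gss_unwrap
0000000000005d00 T gss_release_buffer
0000000000005e00 T gss_release_name
                 U malloc
EOF
}

# On a real system (library path is an assumption):
#   nm -D /usr/lib/libgssapi.so | gss_missing_symbols
```

An empty result means every listed entry point is defined in the library that was inspected; a name that shows up only as `U` is expected to be supplied by another library at link time.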
