Edward Z. Yang wrote:
> Excerpts from Rich Megginson's message of Fri Oct 08 18:59:52 -0400 2010:
>
>> Try running with the SHELL (1024) debug error log level. This should
>> give more information about the principal, keytab, etc. that directory
>> server is using.
>>
>
> More logs:
>
> [09/Oct/2010:04:29:48 -0400] - Listening on /var/run/dirsrv/slapd-scripts.socket for LDAPI requests
> [09/Oct/2010:04:29:48 -0400] slapi_ldap_init_ext - Success: set up conn to [better-mousetrap.mit.edu:389]
> [09/Oct/2010:04:29:48 -0400] set_krb5_creds - The default credentials cache [FILE:/tmp/krb5cc_485] not found: will create a new one.
> [09/Oct/2010:04:29:48 -0400] slapi_ldap_init_ext - configpluginpath == NULL
> [09/Oct/2010:04:29:48 -0400] slapi_ldap_init_ext - Success: set up conn to [whole-enchilada.mit.edu:389]
> [09/Oct/2010:04:29:48 -0400] set_krb5_creds - Using principal named [ldap/old-faithful.mit.edu at ATHENA.MIT.EDU]
> [09/Oct/2010:04:29:48 -0400] slapi_ldap_init_ext - Success: set up conn to [cats-whiskers.mit.edu:389]
> [09/Oct/2010:04:29:48 -0400] set_krb5_creds - The default credentials cache [FILE:/tmp/krb5cc_485] not found: will create a new one.
> [09/Oct/2010:04:29:48 -0400] set_krb5_creds - Using principal named [ldap/old-faithful.mit.edu at ATHENA.MIT.EDU]
> [09/Oct/2010:04:29:48 -0400] set_krb5_creds - The default credentials cache [FILE:/tmp/krb5cc_485] not found: will create a new one.
> [09/Oct/2010:04:29:48 -0400] set_krb5_creds - Using principal named [ldap/old-faithful.mit.edu at ATHENA.MIT.EDU]
> [09/Oct/2010:04:29:48 -0400] set_krb5_creds - Using keytab named [WRFILE:/etc/dirsrv/keytab]
> [09/Oct/2010:04:29:48 -0400] set_krb5_creds - Using keytab named [WRFILE:/etc/dirsrv/keytab]
> [09/Oct/2010:04:29:48 -0400] set_krb5_creds - Using keytab named [WRFILE:/etc/dirsrv/keytab]
> [09/Oct/2010:04:29:48 -0400] set_krb5_creds - Generated new memory ccache [MEMORY:N0KZtwJ]
> [09/Oct/2010:04:29:48 -0400] show_cached_credentials - Ticket cache: MEMORY:N0KZtwJ
> Default principal: ldap/old-faithful.mit.edu at ATHENA.MIT.EDU
>
> [09/Oct/2010:04:29:48 -0400] show_one_credential - Kerberos credential: client [ldap/old-faithful.mit.edu at ATHENA.MIT.EDU] server [krbtgt/ATHENA.MIT.EDU at ATHENA.MIT.EDU] start time [Sat Oct 9 04:30:00 2010] end time [Sun Oct 10 01:45:00 2010] renew time [Sun Oct 10 04:29:49 2010] flags [0x50c00000]
> [09/Oct/2010:04:29:48 -0400] set_krb5_creds - Set new env for ccache: [KRB5CCNAME=MEMORY:N0KZtwJ]
> [09/Oct/2010:04:29:48 -0400] set_krb5_creds - Generated new memory ccache [MEMORY:fyHs1On]
> [09/Oct/2010:04:29:48 -0400] show_cached_credentials - Ticket cache: MEMORY:fyHs1On
> Default principal: ldap/old-faithful.mit.edu at ATHENA.MIT.EDU
>
> [09/Oct/2010:04:29:48 -0400] show_one_credential - Kerberos credential: client [ldap/old-faithful.mit.edu at ATHENA.MIT.EDU] server [krbtgt/ATHENA.MIT.EDU at ATHENA.MIT.EDU] start time [Sat Oct 9 04:30:00 2010] end time [Sun Oct 10 01:45:00 2010] renew time [Sun Oct 10 04:29:49 2010] flags [0x50c00000]
> [09/Oct/2010:04:29:48 -0400] set_krb5_creds - Set new env for ccache: [KRB5CCNAME=MEMORY:fyHs1On]
> [09/Oct/2010:04:29:48 -0400] ldap_sasl_get_val - Using value [(null)] for SASL_CB_USER
> [09/Oct/2010:04:29:48 -0400] set_krb5_creds - Generated new memory ccache [MEMORY:aIeSCnz]
> [09/Oct/2010:04:29:48 -0400] show_cached_credentials - Ticket cache: MEMORY:aIeSCnz
> Default principal: ldap/old-faithful.mit.edu at ATHENA.MIT.EDU
>
> [09/Oct/2010:04:29:48 -0400] show_one_credential - Kerberos credential: client [ldap/old-faithful.mit.edu at ATHENA.MIT.EDU] server [krbtgt/ATHENA.MIT.EDU at ATHENA.MIT.EDU] start time [Sat Oct 9 04:30:00 2010] end time [Sun Oct 10 01:45:00 2010] renew time [Sun Oct 10 04:29:49 2010] flags [0x50c00000]
> [09/Oct/2010:04:29:48 -0400] set_krb5_creds - Set new env for ccache: [KRB5CCNAME=MEMORY:aIeSCnz]
> [09/Oct/2010:04:29:48 -0400] ldap_sasl_get_val - Using value [(null)] for SASL_CB_USER
> [09/Oct/2010:04:29:48 -0400] ldap_sasl_get_val - Using value [(null)] for SASL_CB_USER
> [09/Oct/2010:04:29:48 -0400] ldap_sasl_get_val - Using value [(null)] for SASL_CB_USER
> [09/Oct/2010:04:29:48 -0400] ldap_sasl_get_val - Using value [(null)] for SASL_CB_USER
> [09/Oct/2010:04:29:48 -0400] ldap_sasl_get_val - Using value [(null)] for SASL_CB_USER
>
>
>> What is the platform? Are you using a newer version of kerberos?
>>
>
> Fedora 13. We have the latest version of Kerberos with one custom patch:
>
> Name        : krb5-libs
> Arch        : x86_64
> Version     : 1.7.1
> Release     : 14.fc13.scripts.1671
> Size        : 1.7 M
> Repo        : installed
> From repo   : scripts
> Summary     : The shared libraries used by Kerberos 5
> URL         : http://web.mit.edu/kerberos/www/
> License     : MIT
> Description : Kerberos is a network authentication system. The krb5-libs package
>             : contains the shared libraries needed by Kerberos 5. If you are using
>             : Kerberos, you need to install this package.
>
> that modifies src/lib/krb5/os/kuserok.c (which was not in the backtrace).
>
> http://scripts.mit.edu/trac/browser/branches/fc13-dev/server/common/patches/krb5-kuserok-scripts.patch
>
> Cheers,
> Edward
>
Thanks. Based upon this information and the stack traces you provided (Thanks!) it looks like the directory server is freeing something in the krb5_creds creds; that it should not be. The errors look like double free or realloc of already freed memory.
I had to rely heavily on the 1.5 and 1.6 kerberos code to make sure I was using krb5_get_init_creds_keytab() and krb5_cc_store_cred() and krb5_free_cred_contents() correctly. It's quite likely that I did not, and the later version of kerberos changed something to "unmask" the problem. Please file a bug at https://bugzilla.redhat.com/enter_bug.cgi?product=389 and please attach your info and stack traces as attachments to the bug.
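
Added example, not part of the original message and not code from the directory server or from MIT Kerberos: a self-contained C model of the ownership contract around the acquire / store / free-contents sequence named in the reply, with a single release point that stays safe when it is reached twice. The model_* names, the deep-copying cache slot and the constructed principal are assumptions made for illustration, and the model does not reproduce the actual defect.

```c
#include <stdlib.h>
#include <string.h>

/* Hypothetical stand-in for krb5_creds: the caller owns the struct itself,
 * the acquiring call allocates the members, and they must be released once. */
typedef struct { char *client, *server, *ticket; } model_creds;

static int live_blocks; /* heap blocks currently held by any model_creds */

static char *dup_counted(const char *s) {
    size_t n = strlen(s) + 1;
    char *p = malloc(n);
    if (p) { memcpy(p, s, n); live_blocks++; }
    return p;
}

/* Release every member and forget the pointers, so a second call is a
 * no-op instead of a double free. */
static void model_free_contents(model_creds *c) {
    char **members[] = { &c->client, &c->server, &c->ticket };
    for (size_t i = 0; i < 3; i++) {
        if (*members[i]) { free(*members[i]); live_blocks--; }
        *members[i] = NULL;
    }
}

/* Fill dst with private copies of the three strings; clean up on failure. */
static int model_fill(model_creds *dst, const char *cl, const char *sv, const char *tk) {
    memset(dst, 0, sizeof *dst);
    dst->client = dup_counted(cl);
    dst->server = dup_counted(sv);
    dst->ticket = dup_counted(tk);
    if (dst->client && dst->server && dst->ticket) return 0;
    model_free_contents(dst);
    return -1;
}

/* Assumption of this model: storing deep-copies, so the cache slot and the
 * caller's struct never share a pointer and each side frees only its own. */
static int model_cc_store(model_creds *slot, const model_creds *c) {
    return model_fill(slot, c->client, c->server, c->ticket);
}

/* One acquisition with a single exit path for success and failure. */
int acquire_and_store(const char *principal, model_creds *slot) {
    model_creds creds;
    int rc = model_fill(&creds, principal, "krbtgt/EXAMPLE.TEST@EXAMPLE.TEST",
                        "constructed-ticket"); /* constructed sample values */
    if (rc == 0) rc = model_cc_store(slot, &creds);
    model_free_contents(&creds); /* the one release point */
    model_free_contents(&creds); /* reached again by mistake: harmless */
    return rc;
}

int live_block_count(void) { return live_blocks; }
```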