Hi,

We are running a SLES 11 SP3 server in a virtual machine. Last week Suse 
released a patch 
(http://lists.opensuse.org/opensuse-security-announce/2015-11/msg00007.html) 
for krb5.

After applying the patch our apache server with mod_auth_kerb has stopped 
working correctly. A notice shows up in the apache error log (segmentation 
fault):

[Mon Nov 09 15:49:29 2015] [debug] src/mod_auth_kerb.c(1667): [client 172.24.7.101] kerb_authenticate_user entered with user (NULL) and auth_type Kerberos
[Mon Nov 09 15:49:29 2015] [debug] src/mod_auth_kerb.c(1667): [client 172.24.7.101] kerb_authenticate_user entered with user (NULL) and auth_type Kerberos
[Mon Nov 09 15:49:29 2015] [debug] src/mod_auth_kerb.c(1277): [client 172.24.7.101] Acquiring creds for HTTP@server.domain
[Mon Nov 09 15:49:29 2015] [debug] src/mod_auth_kerb.c(1424): [client 172.24.7.101] Verifying client data using KRB5 GSS-API
[Mon Nov 09 15:49:29 2015] [debug] src/mod_auth_kerb.c(1440): [client 172.24.7.101] Client didn't delegate us their credential
[Mon Nov 09 15:49:29 2015] [debug] src/mod_auth_kerb.c(1459): [client 172.24.7.101] GSS-API token of length 185 bytes will be sent back
[Mon Nov 09 15:49:29 2015] [notice] child pid 16712 exit signal Segmentation fault (11)

And here is a backtrace from gdb:

(gdb) backtrace
#0  0x00007fac0b268089 in free () from /lib64/libc.so.6
#1  0x00007fac07f82ac9 in ?? () from /usr/lib64/libgssapi_krb5.so.2
#2  0x00007fac07f82bc8 in ?? () from /usr/lib64/libgssapi_krb5.so.2
#3  0x00007fac07f6aa9a in gss_delete_sec_context () from /usr/lib64/libgssapi_krb5.so.2
#4  0x00007fac081923dc in ?? () from /usr/lib64/apache2/mod_auth_kerb.so
#5  0x00007fac0ce87f83 in ap_run_check_user_id ()
#6  0x00007fac0ce8a308 in ap_process_request_internal ()
#7  0x00007fac0ce9c2c8 in ap_process_request ()
#8  0x00007fac0ce99138 in ?? ()
#9  0x00007fac0ce94c53 in ap_run_process_connection ()
#10 0x00007fac0cea109e in ?? ()
#11 0x00007fac0cea138a in ?? ()
#12 0x00007fac0cea1ea2 in ap_mpm_run ()
#13 0x00007fac0ce790fd in main ()

We didn't change any config file.
After downgrading the packages, everything works fine again.

Our keytab file seems to be OK, because kinit works fine with it.


With the mod_auth_kerb option "KrbMethodNegotiate" turned off, the updated 
packages work fine, but that is not an option for us. We need the negotiation 
feature for our single sign-on (SSO): we use it to SSO our Internet Explorer 
clients to the apache server.

Could this be a problem with the krb5 package from SLES or does the 
mod_auth_kerb apache module need an update?
Any hint would be useful.
Can we provide more information?

Thanks in advance

Thomas
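As an added example (not code from the original post or from the mod_auth_kerb or krb5 projects), a small Python triage script for the Apache 2.2 error_log format shown above: it pairs each "exit signal Segmentation fault" notice with the mod_auth_kerb debug lines logged just before it, so the last source line reached (here 1459, after the GSS-API token was built) can be set beside the gdb backtrace ending in gss_delete_sec_context. The sample lines are the post's own log lines, unwrapped; all function names are my own.

```python
import re

# Constructed sample: the post's error-log lines, unwrapped (Apache 2.2 format).
SAMPLE_LOG = """\
[Mon Nov 09 15:49:29 2015] [debug] src/mod_auth_kerb.c(1667): [client 172.24.7.101] kerb_authenticate_user entered with user (NULL) and auth_type Kerberos
[Mon Nov 09 15:49:29 2015] [debug] src/mod_auth_kerb.c(1277): [client 172.24.7.101] Acquiring creds for HTTP@server.domain
[Mon Nov 09 15:49:29 2015] [debug] src/mod_auth_kerb.c(1424): [client 172.24.7.101] Verifying client data using KRB5 GSS-API
[Mon Nov 09 15:49:29 2015] [debug] src/mod_auth_kerb.c(1440): [client 172.24.7.101] Client didn't delegate us their credential
[Mon Nov 09 15:49:29 2015] [debug] src/mod_auth_kerb.c(1459): [client 172.24.7.101] GSS-API token of length 185 bytes will be sent back
[Mon Nov 09 15:49:29 2015] [notice] child pid 16712 exit signal Segmentation fault (11)
"""

# One Apache 2.2 error_log line; the "file(line): [client ip]" part is only
# present on module debug output, so it is optional.
LINE_RE = re.compile(
    r"^\[(?P<ts>[^\]]+)\] \[(?P<level>\w+)\] "
    r"(?:(?P<src>[\w/.]+)\((?P<srcline>\d+)\): \[client (?P<client>[^\]]+)\] )?"
    r"(?P<msg>.*)$"
)
SEGV_RE = re.compile(r"child pid (?P<pid>\d+) exit signal Segmentation fault")

def parse_line(line):
    """Return a dict of fields for one error_log line, or None if unparsable."""
    m = LINE_RE.match(line.rstrip("\n"))
    return m.groupdict() if m else None

def triage_segfaults(lines, window=8):
    """Pair each segfault notice with the mod_auth_kerb debug lines logged
    just before it, so the last source line reached can be read off."""
    recent, findings = [], []
    for raw in lines:
        rec = parse_line(raw)
        if rec is None:
            continue
        segv = SEGV_RE.search(rec["msg"])
        if segv:
            trail = [r for r in recent if r["src"] and "mod_auth_kerb" in r["src"]]
            findings.append({
                "pid": int(segv.group("pid")),
                "ts": rec["ts"],
                "last_src_line": int(trail[-1]["srcline"]) if trail else None,
                "last_msg": trail[-1]["msg"] if trail else None,
                "clients": sorted({r["client"] for r in trail}),
            })
            recent = []  # start a fresh trail for the next worker crash
        elif rec["level"] == "debug":
            recent = (recent + [rec])[-window:]
    return findings
```

Run it over the real error_log (with LogLevel debug) to see, per crashed worker pid, which client request and which mod_auth_kerb code path preceded the crash.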

________________________________________________
Kerberos mailing list           Kerberos@mit.edu
https://mailman.mit.edu/mailman/listinfo/kerberos