SV: SV: SV: pkinit and nfs
Douglas E. Engert
deengert at anl.gov
Tue Oct 18 10:46:31 EDT 2011
On 10/18/2011 9:29 AM, Martinsson Patrik wrote:
> Hmm, how do I get the symbol tables ?
>
> I have installed the debug-info packages, shouldn't that be enough ?
I think so but I don't use RedHat.
http://le-huy.blogspot.com/2011/01/using-debuginfo-packages-in-redhat.html
gives an example of what you should see.
>
> /Patrik
>
>
> -----Ursprungligt meddelande-----
> Från: Douglas E. Engert [mailto:deengert at anl.gov]
> Skickat: den 18 oktober 2011 16:24
> Till: Martinsson Patrik
> Kopia: kerberos at mit.edu
> Ämne: Re: SV: SV: pkinit and nfs
>
>
>
> On 10/18/2011 4:16 AM, Martinsson Patrik wrote:
>> Thanks for the help.
>>
>> I'm not to familiar to with coredumps and stacktraces, so bare with
>> me,
>>
>> This is what I did,
>>
>> gdb --args kinit -k 'COMPUTERNAME$@FOO'
>> (gdb) run
>> Program received signal SIGSEGV, Segmentation fault.
>> 0x0000000000000000 in ?? ()
>> (gdb) thread apply all bt full
>>
>
> I don't see anything that stands out. Since both pkcs11 modules fail, with both kinit and rpc.gssd, it is probably not in the pkcs11 module, and not related to being run from a deamon.
>
> Since there are no symbol tables the debug does not show much except that it was in the pkinit code 4 levels deep.
>
> I could not reproduce the problem and do not a RedHat version to try.
> Maybe someone else has some ideas.
>
>
>>
>> I did it with both
>> pkinit_identities = PKCS11:/usr/lib64/pkcs11/opensc-pkcs11.so
>> pkinit_identities = PKCS11:/usr/lib/libiidp11.so
>> And it segaults in both scenarion, both stacktraces attached.
>>
>> ldd /usr/lib/libiidp11.so
>> linux-vdso.so.1 => (0x00007fffeddff000)
>> libdl.so.2 => /lib64/libdl.so.2 (0x00007f0f150fa000)
>> libpthread.so.0 => /lib64/libpthread.so.0 (0x00007f0f14edd000)
>> libstdc++.so.6 => /usr/lib64/libstdc++.so.6 (0x00007f0f14bd7000)
>> libm.so.6 => /lib64/libm.so.6 (0x00007f0f14953000)
>> libgcc_s.so.1 => /lib64/libgcc_s.so.1 (0x00007f0f1473c000)
>> libc.so.6 => /lib64/libc.so.6 (0x00007f0f143ad000)
>> /lib64/ld-linux-x86-64.so.2 (0x00000038f1e00000)
>>
>> ldd /usr/lib64/pkcs11/opensc-pkcs11.so
>> linux-vdso.so.1 => (0x00007fffdb7ff000)
>> libcrypto.so.10 => /usr/lib64/libcrypto.so.10 (0x00007f95cb9ed000)
>> libdl.so.2 => /lib64/libdl.so.2 (0x00007f95cb7e8000)
>> libz.so.1 => /lib64/libz.so.1 (0x00007f95cb5d3000)
>> libopensc.so.3 => /usr/lib64/libopensc.so.3 (0x00007f95cb2d3000)
>> libpthread.so.0 => /lib64/libpthread.so.0 (0x00007f95cb0b6000)
>> libc.so.6 => /lib64/libc.so.6 (0x00007f95cad27000)
>> /lib64/ld-linux-x86-64.so.2 (0x00000038f1e00000)
>> libltdl.so.7 => /usr/lib64/libltdl.so.7 (0x00007f95cab1e000)
>>
>> ldd /usr/sbin/rpc.gssd
>> linux-vdso.so.1 => (0x00007fff361ff000)
>> libgssglue.so.1 => /lib64/libgssglue.so.1 (0x00007fb305187000)
>> libdl.so.2 => /lib64/libdl.so.2 (0x00007fb304f83000)
>> libgssapi_krb5.so.2 => /lib64/libgssapi_krb5.so.2 (0x00007fb304d42000)
>> libkrb5.so.3 => /lib64/libkrb5.so.3 (0x00007fb304a63000)
>> libk5crypto.so.3 => /lib64/libk5crypto.so.3 (0x00007fb304837000)
>> libcom_err.so.2 => /lib64/libcom_err.so.2 (0x00007fb304634000)
>> libtirpc.so.1 => /lib64/libtirpc.so.1 (0x00007fb30440d000)
>> libc.so.6 => /lib64/libc.so.6 (0x00007fb30407e000)
>> /lib64/ld-linux-x86-64.so.2 (0x00007fb305390000)
>> libkrb5support.so.0 => /lib64/libkrb5support.so.0 (0x00007fb303e74000)
>> libkeyutils.so.1 => /lib64/libkeyutils.so.1 (0x00007fb303c72000)
>> libresolv.so.2 => /lib64/libresolv.so.2 (0x00007fb303a59000)
>> libpthread.so.0 => /lib64/libpthread.so.0 (0x00007fb30383d000)
>> libnsl.so.1 => /lib64/libnsl.so.1 (0x00007fb303624000)
>> libselinux.so.1 => /lib64/libselinux.so.1 (0x00007fb303405000)
>>
>>
>>
>> Maybe I'm missing something here, but shouldn't pkinit_options be completely ignored when doing kinit with the keytab ?
>
> I would think so.
>
>>
>>
>> Best regards,
>> Patrik Martinsson, Sweden.
>>
>>
>>
>>
>>
>> -----Ursprungligt meddelande-----
>> Från: kerberos-bounces at mit.edu [mailto:kerberos-bounces at mit.edu] För
>> Douglas E. Engert
>> Skickat: den 17 oktober 2011 20:39
>> Till: kerberos at mit.edu
>> Ämne: Re: SV: pkinit and nfs
>>
>>
>>
>> On 10/17/2011 3:21 AM, Martinsson Patrik wrote:
>>> Well yes, however if you add
>>> pkinit_identities = PKCS11:path-to-smartcardlib
>>> to the [libdefaults] section of your krb5.conf, the rpc.gssd will segfault.
>>
>>
>> Do you have the core file from this (or from the kinit failure) or can you force a core file, then get a stack trace?
>>
>> Does this fail with other PKCS#11 libraries Can you try with opensc-pkcs11.so?
>>
>> Can you do an ldd command on the libiidp11.so and on kinit or tpc.gssd to see what other libs each needs?
>>
>> This could be a linking problem with libiidp11.so, where is ends up using the wrong version of some lib used by kinit.
>>
>>>
>>> In my world that means that rpc.gssd reads the pkinit-option in some way, but I'm not sure.
>>>
>>> Best regards,
>>> Patrik Martinsson, Sweden.
>>>
>>>
>>>
>>>
>>>
>>> Från: Frank Cusack [mailto:frank at tenpedal.com]
>>> Skickat: den 14 oktober 2011 20:04
>>> Till: Martinsson Patrik
>>> Kopia: kerberos at mit.edu
>>> Ämne: Re: pkinit and nfs
>>>
>>> On Fri, Oct 14, 2011 at 1:56 AM, Martinsson Patrik<patrik.martinsson at smhi.se<mailto:patrik.martinsson at smhi.se>> wrote:
>>> How do I setup krb5.conf to get nfs not use pkinit, whilst when for example doing a regular "kinit" pkinit should be used.
>>>
>>> "nfs", i.e. rpc.gssd, does not use pkinit ever. It uses only a keytab.
>>> ________________________________________________
>>> Kerberos mailing list Kerberos at mit.edu
>>> https://mailman.mit.edu/mailman/listinfo/kerberos
>>>
>>>
>>
>
--
Douglas E. Engert <DEEngert at anl.gov>
Argonne National Laboratory
9700 South Cass Avenue
Argonne, Illinois 60439
(630) 252-5444
More information about the Kerberos
mailing list