krb5-1.12.1 krb5kdc segfaulting on ARMv6 10-stable FreeBSD

Christopher J. Ruwe cjr at cruwe.de
Mon Feb 10 16:19:52 EST 2014


I am trying to install and configure krb5-1.12.1 installed from ports
on a Raspberry Pi running FreeBSD 10-STABLE.

root at krb5ldap:~ # uname -a
FreeBSD krb5ldap 10.0-PRERELEASE FreeBSD 10.0-PRERELEASE #0 r260786+cc2516d(stable/10): Fri Jan 17 20:08:46 CET 2014     root at dijkstra.cruwe.de:/usr/home/cjr/media/src/crochet-freebsd/work/obj/arm.arm/usr/home/cjr/media/src/freebsd-git/sys/RPI-B  arm

security/krb5 was compiled with DNS_FOR_REALM=on and LDAP=off.
$PATH is set to 
/root/bin:/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/usr/games:/sbin:/bin

My /etc/krb5.conf is

[libdefaults]
  default_realm = HB22.CRUWE.DE
  debug = true
[realms]
  HB22.CRUWE.DE = {
    kdc = krb5ldap.hb22.cruwe.de
    admin_server = krb5ldap.hb22.cruwe.de
    }
[domain_realm]
  hb22.cruwe.de = HB22.CRUWE.DE
  .hb22.cruwe.de = HB22.CRUWE.DE

and /usr/local/var/krb5kdc/kdc.conf is

[kdcdefaults]
    kdc_ports = 88,750
    debug = true
[realms]
   HB22.CRUWE.DE = {
       master_key_type = aes256-cts
       supported_enctypes = aes256-cts:normal
   }
[logging]
    # By default, the KDC and kadmind will log output using
    # syslog. 
    kdc = FILE:/usr/local/var/log/krb5kdc.log
    admin_server = FILE:/usr/local/var/log/kadmin.log
    default = FILE:/usr/local/var/log/krb5lib.log

I try to run the most simple setup without a RDBMS or LDAP. All hosts
in the network run ntpd to keep time in sync. A zone for hb22.cruwe.de
is set up on ns.hb22.cruwe.de and served by bind99-9.9.4.2 named.

root at krb5ldap:~ # host  krb5ldap.hb22.cruwe.de
krb5ldap.hb22.cruwe.de has address 192.168.178.3


After database initialization with kadmin.local and starting krb5kdc

root at krb5ldap:~ # env KRB5_TRACE=/dev/stdout krb5kdc -n -p 88
[5299] 1392064874.28474: Retrieving K/M at HB22.CRUWE.DE from FILE:/usr/local/var/krb5kdc/.k5.HB22.CRUWE.DE (vno 0, enctype 0) with result: 0/Success
krb5kdc: starting...

the kdc reports to be up in the log

otp: Loaded
Feb 10 20:41:14 krb5ldap krb5kdc[5299](Error): preauth pkinit failed to initialize: No realms configured correctly for pkinit support
Feb 10 20:41:14 krb5ldap krb5kdc[5299](info): routing socket is fd 11
Feb 10 20:41:14 krb5ldap krb5kdc[5299](info): setting up network...
krb5kdc: setsockopt(12,IPV6_V6ONLY,1) worked
Feb 10 20:41:14 krb5ldap krb5kdc[5299](info): listening on fd 12: udp ::.88 (pktinfo)
Feb 10 20:41:14 krb5ldap krb5kdc[5299](info): listening on fd 13: udp 192.168.178.3.88
Feb 10 20:41:14 krb5ldap krb5kdc[5299](info): set up 2 sockets
Feb 10 20:41:14 krb5ldap krb5kdc[5299](info): commencing operation

This is not observable via nmap, because krb5kdc does not listen as specified.

[cjr at dijkstra:security/krb5]$ sudo nmap -sU -sT -p U:88,464,750,T:464,749,754 kerberos

Starting Nmap 6.40 ( http://nmap.org ) at 2014-02-10 20:55 CET
Nmap scan report for kerberos (192.168.178.3)
Host is up (0.0048s latency).
rDNS record for 192.168.178.3: krb5ldap.hb22.cruwe.de
PORT    STATE         SERVICE
464/tcp open          kpasswd5
749/tcp open          kerberos-adm
754/tcp closed        krb_prop
88/udp  open|filtered kerberos-sec
464/udp open|filtered kpasswd5
750/udp closed        kerberos
MAC Address: B8:27:EB:07:73:60 (Raspberry Pi Foundation)

Nmap done: 1 IP address (1 host up) scanned in 1.50 seconds

When trying to test the existing principal admin with

root at krb5ldap:~ # kinit admin/admin at HB22.CRUWE.DE

on a different ssh-terminal, the program runs without output, about
two to three seconds later krb5kdc crashes (append last line)

root at krb5ldap:~ # env KRB5_TRACE=/dev/stdout krb5kdc -n -p 88
[5231] 1392063323.707758: Retrieving K/M at HB22.CRUWE.DE from FILE:/usr/local/var/krb5kdc/.k5.HB22.CRUWE.DE (vno 0, enctype 0) with result: 0/Success
krb5kdc: starting...
Segmentation fault (core dumped)

and kinit terminates some seconds later:

root at krb5ldap:~ # kinit admin/admin at HB22.CRUWE.DE
kinit: Cannot contact any KDC for realm 'HB22.CRUWE.DE' while getting initial credentials

I'd be grateful for any suggestions to further debug that issue and of
course any tips how to get my configuration running.

Cheers,
-- 
Christopher
TZ:         GMT + 1h
GnuPG/GPG:  0xE8DE2C14
 
FreeBSD 9.2-STABLE #1 r256184: Thu Oct 10 19:12:54 CEST 2013
cjr at dijkstra.cruwe.de:/usr/obj/usr/home/cjr/media/src/freebsd/base/stable/9/sys/GEN_WDTRACE 
  
Punctuation matters:
"Lets eat Grandma." or "Lets eat, Grandma." - Punctuation saves lives.
"A panda eats shoots and leaves." or "A panda eats, shoots, and
leaves." - Punctuation teaches proper biology.

"With sufficient thrust, pigs fly just fine. However, this is not
necessarily a good idea. It is hard to be sure where they are going to
land, and it could be dangerous sitting under them as they fly
overhead." (RFC 1925)
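The posted kdc.conf lists kdc_ports = 88,750 while the startup log shows sockets on port 88 only (and nmap reports 750/udp closed). The following is an added example, not code from the thread: it parses the krb5 profile format and cross-checks kdc_ports against the ports krb5kdc logged. The config and log lines are trimmed copies of those in the post; the note that -p on the command line overrides kdc_ports is MIT krb5kdc's documented behaviour.

```python
import re

# Socket lines as krb5kdc logs them: "listening on fd 13: udp 192.168.178.3.88"
LISTEN_RE = re.compile(r"listening on fd \d+: (\w+) (\S+)\.(\d+)")

def parse_profile(text):
    """Parse the krb5 profile format ([section], key = value, nested key = { ... }) into nested dicts."""
    root, stack = {}, []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()       # drop '#' comments
        if not line:
            continue
        if line.startswith("[") and line.endswith("]"):
            stack = [root.setdefault(line[1:-1], {})]
        elif line == "}":
            stack.pop()                           # close a nested block
        else:
            key, _, value = (p.strip() for p in line.partition("="))
            if value == "{":
                stack.append(stack[-1].setdefault(key, {}))
            else:
                stack[-1][key] = value
    return root

def check_kdc_ports(kdc_conf, kdc_log):
    """Return (configured, listening, never_bound) port lists from kdc.conf and the startup log."""
    ports = parse_profile(kdc_conf).get("kdcdefaults", {}).get("kdc_ports", "")
    configured = {int(p) for p in ports.split(",") if p.strip()}
    listening = {int(m.group(3)) for m in LISTEN_RE.finditer(kdc_log)}
    return sorted(configured), sorted(listening), sorted(configured - listening)

# Inputs trimmed from the post: kdc_ports = 88,750, but krb5kdc was started
# with -p 88 (which overrides kdc_ports) and logged sockets on port 88 only.
KDC_CONF = """[kdcdefaults]
    kdc_ports = 88,750
[realms]
   HB22.CRUWE.DE = {
       master_key_type = aes256-cts
   }
[logging]
    # By default, the KDC and kadmind will log output using syslog.
    kdc = FILE:/usr/local/var/log/krb5kdc.log
"""
KDC_LOG = """krb5kdc[5299](info): listening on fd 12: udp ::.88 (pktinfo)
krb5kdc[5299](info): listening on fd 13: udp 192.168.178.3.88"""

if __name__ == "__main__":
    configured, listening, never_bound = check_kdc_ports(KDC_CONF, KDC_LOG)
    print(f"configured {configured}, listening {listening}, never bound {never_bound}")
```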

