SLES 11 SP3 Problem with apache mod_auth_kerb after krb5 patch



EichhornT
09-Nov-2015, 16:07
Hi,

we have a problem with our SLES 11 SP3 server after the last krb5 (Kerberos) update, patch slessp3-krb5-12185 (http://lists.opensuse.org/opensuse-security-announce/2015-11/msg00007.html).

After applying the patch, our Apache with mod_auth_kerb doesn't work correctly with "KrbMethodNegotiate on" (in the Apache config; it activates single sign-on with IE and other browsers).

The apache error log shows this:

[Mon Nov 09 15:49:29 2015] [debug] src/mod_auth_kerb.c(1667): [client 172.24.7.101] kerb_authenticate_user entered with user (NULL) and auth_type Kerberos
[Mon Nov 09 15:49:29 2015] [debug] src/mod_auth_kerb.c(1667): [client 172.24.7.101] kerb_authenticate_user entered with user (NULL) and auth_type Kerberos
[Mon Nov 09 15:49:29 2015] [debug] src/mod_auth_kerb.c(1277): [client 172.24.7.101] Acquiring creds for HTTP@server.domain
[Mon Nov 09 15:49:29 2015] [debug] src/mod_auth_kerb.c(1424): [client 172.24.7.101] Verifying client data using KRB5 GSS-API
[Mon Nov 09 15:49:29 2015] [debug] src/mod_auth_kerb.c(1440): [client 172.24.7.101] Client didn't delegate us their credential
[Mon Nov 09 15:49:29 2015] [debug] src/mod_auth_kerb.c(1459): [client 172.24.7.101] GSS-API token of length 185 bytes will be sent back
[Mon Nov 09 15:49:29 2015] [notice] child pid 16712 exit signal Segmentation fault (11)


After turning "KrbMethodNegotiate" off, so that the client will be asked for a password (when the setting "KrbMethodK5Passwd on" is set, but this was set even before the update), everything works just fine. In both situations the same keytab file is used, with no changes to krb5.conf. Only KrbMethodNegotiate is changed.

After downgrading the updated krb5 packages, everything works fine (again).

Does the mod_auth_kerb apache module need an update to work correctly with the fixed krb5 package?
Any further advice?
Any further data, config settings, etc. I can provide?

It's a SLES 11 SP3 server (VM) with all packages updated.

Thanks in advance.
Eichhorn
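
Added example, not part of the original post: a small triage script that flags Apache child crashes logged right after mod_auth_kerb activity, which helps confirm whether segfaults track Negotiate authentication. It assumes the Apache 2.2 error_log layout shown above; because debug lines carry no pid, the link is a time-window heuristic, and `find_kerb_crashes`, the window size and the sample lines are constructed for illustration.

```python
import re
from datetime import datetime, timedelta

# Apache 2.2 error_log layout: [timestamp] [level] message
LINE_RE = re.compile(r"^\[(?P<ts>[^\]]+)\] \[(?P<level>\w+)\] (?P<msg>.*)$")
KERB_RE = re.compile(r"src/mod_auth_kerb\.c\(\d+\): \[client (?P<client>[^\]]+)\] (?P<text>.*)$")
CRASH_RE = re.compile(r"child pid (?P<pid>\d+) exit signal (?P<sig>.+?) \((?P<num>\d+)\)")
TS_FORMAT = "%a %b %d %H:%M:%S %Y"  # English day/month names, as Apache writes them

# Constructed sample input (documentation-range client address, made-up pids).
SAMPLE_LOG = """\
[Mon Nov 09 15:49:29 2015] [debug] src/mod_auth_kerb.c(1424): [client 192.0.2.10] Verifying client data using KRB5 GSS-API
[Mon Nov 09 15:49:29 2015] [debug] src/mod_auth_kerb.c(1459): [client 192.0.2.10] GSS-API token of length 185 bytes will be sent back
[Mon Nov 09 15:49:29 2015] [notice] child pid 4242 exit signal Segmentation fault (11)
[Mon Nov 09 16:20:00 2015] [notice] child pid 4300 exit signal Segmentation fault (11)
""".splitlines()

def find_kerb_crashes(lines, window_seconds=2):
    """Return child crashes logged within window_seconds after a mod_auth_kerb line."""
    window = timedelta(seconds=window_seconds)
    last_kerb = None  # (timestamp, client, text) of the most recent mod_auth_kerb line
    hits = []
    for line in lines:
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # continuation lines or other formats
        try:
            ts = datetime.strptime(m.group("ts"), TS_FORMAT)
        except ValueError:
            continue  # timestamp not in the expected layout
        kerb = KERB_RE.match(m.group("msg"))
        if kerb:
            last_kerb = (ts, kerb.group("client"), kerb.group("text"))
            continue
        crash = CRASH_RE.search(m.group("msg"))
        if crash and last_kerb and timedelta(0) <= ts - last_kerb[0] <= window:
            hits.append({"pid": int(crash.group("pid")), "signal": int(crash.group("num")),
                         "client": last_kerb[1], "last_step": last_kerb[2]})
    return hits

if __name__ == "__main__":
    for hit in find_kerb_crashes(SAMPLE_LOG):
        print(hit)
```

The second crash in the sample is not reported because no mod_auth_kerb line precedes it within the window.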

EichhornT
11-Nov-2015, 08:58
Backtrace:

(gdb) backtrace
#0 0x00007fac0b268089 in free () from /lib64/libc.so.6
#1 0x00007fac07f82ac9 in ?? () from /usr/lib64/libgssapi_krb5.so.2
#2 0x00007fac07f82bc8 in ?? () from /usr/lib64/libgssapi_krb5.so.2
#3 0x00007fac07f6aa9a in gss_delete_sec_context () from /usr/lib64/libgssapi_krb5.so.2
#4 0x00007fac081923dc in ?? () from /usr/lib64/apache2/mod_auth_kerb.so
#5 0x00007fac0ce87f83 in ap_run_check_user_id ()
#6 0x00007fac0ce8a308 in ap_process_request_internal ()
#7 0x00007fac0ce9c2c8 in ap_process_request ()
#8 0x00007fac0ce99138 in ?? ()
#9 0x00007fac0ce94c53 in ap_run_process_connection ()
#10 0x00007fac0cea109e in ?? ()
#11 0x00007fac0cea138a in ?? ()
#12 0x00007fac0cea1ea2 in ap_mpm_run ()
#13 0x00007fac0ce790fd in main ()

EichhornT
16-Nov-2015, 09:54
Problem solved. SUSE released a patch on Friday: https://download.suse.com/Download?buildid=Q9sDoDWXtVg~

smflood
19-Nov-2015, 11:59
On 16/11/2015 09:04, EichhornT wrote:

> Problem solved. SUSE released a patch on Friday:
> https://download.suse.com/Download?buildid=Q9sDoDWXtVg~

Thanks for taking the time to report back.
--
Simon
SUSE Knowledge Partner
