Re: [Ipsec-tools-devel] Problem of racoon and GSS API: segmentation fault exists from past one year
Brought to you by:
mit_warlord,
netbsd
Menu
▾
▴
Re: [Ipsec-tools-devel] Problem of racoon and GSS API: segmentation fault exists from past one year ???
|
From: sandy s <san...@gm...> - 2005-12-08 05:20:55
|
Hi Nathan,
Thanks for that quick reply.
With respect to your previous mail, I checked if the
GSS_KRB5_NT_PRINCIPAL_NAME is already defined in my library. I issed the
command,
nm --defined-only /usr/lib/libgssapi_krb5.a | grep PRINCIPAL
> 00000028 D GSS_KRB5_NT_PRINCIPAL_NAME
Does this mean the kerberos mech type is alredy linked ? If this is linked=
,
does that mean I am doing something wrong ? :(
Thanks,
Sandy.
On 12/8/05, Nathan Herring <na...@mi...> wrote:
>
> I'm not positive my racoon.conf file would be any better; we still haven'=
t
> gotten past phase 2, and I think we're at the point where we're trying to
> get the TGT and it's not able to, despite there being a key in the keytab=
.
>
> remote anonymous
> {
> exchange_mode main;
> my_identifier user_fqdn "nh-g5.redmond.corp.microsoft.com";
>
> nonce_size 16;
> lifetime time 120 min; # sec,min,hour
> initial_contact on;
> support_mip6 on;
> proposal_check obey; # obey, strict or claim
>
> proposal {
> encryption_algorithm 3des;
> hash_algorithm sha1;
> authentication_method gssapi_krb;
> gssapi_id "nh-g5$@REDMOND.CORP.MICROSOFT.COM";
> dh_group 2 ;
> }
> }
>
> sainfo anonymous
> {
> pfs_group 1;
> lifetime time 30 sec;
> encryption_algorithm aes, 3des ;
> authentication_algorithm hmac_sha1;
> compression_algorithm deflate ;
> }
>
> In the particular setup we were testing, we were binding a Mac OS X
> machine to an Active Directory domain. Doing so has the byproduct of sett=
ing
> up the Kerberos configuration file and the keytab with the machine keys. =
The
> gssapi_id form is the form that Windows implementations of IPsec are
> expecting, and are one of the standard principal forms that AD as a KDC w=
ill
> give out for a machine. We were testing Mac OS X -> WinXP.
>
> -nh
>
> P.S., That said, I'm having some difficulties re-binding to the domain at
> the moment, and as such am not set up to try it again.
>
> On 12/7/05 8:44:46 PM, "sandy s" <san...@gm...> wrote:
>
> Hi Nathan,
>
> Thanks a lot for the reply. Even I saw one of the queries made by you som=
e
> time back in this regard.
>
> I have given my racoon.conf file. Could you please let me knw if this is
> correct ? Could you please send me an example reacoon.conf file ?
> --------------------------------------------
> remote 192.168.1.123 <http://192.168.1.123> <http://192.168.1.123> {
> exchange_mode main;
> my_identifier fqdn "kdc.kerb.com <http://kdc.kerb.com><http://kdc.ker=
b.com>";
> peers_identifier fqdn "linux.kerb.com <http://linux.kerb.com><http://=
linux.kerb.com>";
> verify_identifier on;
> proposal {
> encryption_algorithm des;
> hash_algorithm md5;
> authentication_method gssapi_krb;
> gssapi_id "ho...@kd...";
> dh_group 2;
> }
> }
> sainfo anonymous
> {
> pfs_group 2;
> lifetime time 1 hour;
> encryption_algorithm des;
> authentication_algorithm hmac_sha1, hmac_md5 ;
> compression_algorithm deflate ;
> }
> -------------------------------------
> I have tested the gss api examples given in the MIT kerberos and they ar=
e
> runnning properly.
> I am having the keytab entry for the hosts in keytab file. I am getting
> the TGT for the host machine from where I am initiating connection.
>
> Thanks,
> Sandy.
>
>
>
> On 12/8/05, *Nathan Herring* <na...@mi...> wrote:
>
> I am a developer in the Macintosh Business Unit at Microsoft, and I've
> been working with Apple to try and address similar issues in the Mac OS X
> version of racoon. We found that the Mac OS X Kerberos' GSSAPI
> implementation would assume that the various gss_XXX_t pointers would be
> non-NULL and indirect off of them without checking. It certainly didn't
> expect the various Null values defined in gssapi.h. As a workaround, we
> passed in non-null values, when it was obvious what they were, and it got=
us
> further, but we didn't quite make it all the way there.
> GSS_KRB5_NT_PRINCIPAL_NAME is exported by the Kerberos implementation, in
> this case /usr/lib/libgssapi_krb5.dylib -- does your Kerberos implementat=
ion
> export that symbol? If not, you should request it -- there's no reason to
> have to build it yourself. However you can create one yourself using
> gss_str_to_oid using the text form of the OID. "1.2.840.113554.1.2.2.1"
> (it's in gssapi_krb5.h in the comments next to the declaration of
> GSS_KRB5_NT_PRINCIPAL_NAME.)
>
> Since Apple has its own version of racoon, which is in some nebulous stat=
e
> of porting changes from the ipsec-tools distro, and is using MIT Kerberos=
,
> YMMV.
>
> Hope this helps.
>
> ------------------------------
> *From:* ips...@li... [
> mailto:ips...@li...]<ipsec-tools-devel-a=
dm...@li...%5D>
> *On Behalf Of *sandy s
> *Sent:* Wednesday, December 07, 2005 6:50 AM
> *To:* Aidas Kasparas
> *Cc:* ips...@li...
> *Subject:* Re: [Ipsec-tools-devel] Problem of racoon and GSS API:
> segmentation fault exists from past one year ???
>
> Hi ,
>
> I saw in the function "krb5_gss_cannicalize_name" that the mech types are
> getting compared.I dont see any issue with the code. The IPSec GSS API
> code is passing GSS_C_NO_OID. For testing purpose, I want to use kerbero=
s
> mechanism type to be hardcoded. Could anybody let me know how to do it ?
>
> I tried putting GSS_KRB5_NT_PRINCIPAL_NAME, it says it is undefined.
>
> Thanks,
> Sandy.
>
> On 12/7/05, *sandy s* <san...@gm...> wrote:
>
> Yes, It crashes on the fisrt call to gss api :(
>
> - Sandy.
>
>
>
> On 12/7/05, *Aidas Kasparas* < a.k...@gm...
> <mailto:a.k...@gm...> <a.k...@gm...> > wrote:
>
> Sandy,
>
> First, the only (afaik) developer of ipsec-tools who is familar
> with
> kerberos is Derek, but he contributed code to ipsec-tools for the last
> time long ago. So, help from the person who knows kerberos would be very
>
> helpful.
>
> On the other hand, by searching web for faults and gss/kerberos,
> I
> found
>
> http://www.nabble.com/Core-Dump-with-gsstest-1.26-and-krb5-1.4.2-t327263.=
html#a931954
> <http://www.nabble.com/Core-Dump-with-gsstest-1.26-and-krb5-1.4.2-t327263=
.html#a931954><http://www.nabble.com/Core-Dump-with-gsstest-1.26-and-krb5-1=
.4.2-t327263.html#a931954>
> which is not directly related, but lets me believe, that bugs in
> kerberos library is not an uncommon thing. So, could you plese run
> gsstest program to make sure library you have installed is not buggy and
> there are no problems in your GSS setup.
>
> One more thing. You said, that racoon crashes after some time. I=
s
> he
> failing on first try to use gss functionality, or sometimes it goes
> through and later fails?
>
> sandy s wrote:
> > Hi all,
> >
> > I found that the issue of seg fault exists from past one year.
> >
> > Please see the link below:
> >
> > http://mailman.mit.edu/pipermail/kerberos/2004-April/005125.html
> <http://mailman.mit.edu/pipermail/kerberos/2004-April/005125.html><http:/=
/mailman.mit.edu/pipermail/kerberos/2004-April/005125.html>
> >
> > What could be the fix for this ?
> >
> > - Sandy
> >
> > On 12/7/05, *sandy s* < san...@gm...
> <mailto:san...@gm...> <san...@gm...>
> > <mailto:san...@gm...> <san...@gm...>> wrote:
> >
> > Hi,
> >
> > Here is more info using gdb. Could you please let me know what
> could
> > be the error ?
> >
> > - Sandy
> >
> > ---------------------------------------------------
> > 2005-12-07 09:10:16: DEBUG: (lifebyte =3D 0:0)
> > 2005-12-07 09:10:16: DEBUG: enctype =3D 3DES-CBC:3DES-CBC
> > 2005-12-07 09:10:16: DEBUG: (encklen =3D 0:0)
> > 2005-12-07 09:10:16: DEBUG: hashtype =3D SHA:SHA
> > 2005-12-07 09:10:16: DEBUG: authmethod =3D GSS-API on Kerberos
> > 5:GSS-API on Kerberos 5
> > 2005-12-07 09:10:16: DEBUG: dh_group =3D 768-bit MODP group:768-bi=
t
> > MODP group
> > 2005-12-07 09:10:16: DEBUG: an acceptable proposal found.
> > 2005-12-07 09:10:16: DEBUG: hmac(modp768)
> > 2005-12-07 09:10:16: DEBUG: gss id in new sa 'host/kdc.kerb.com'
> > 2005-12-07 09:10:16: DEBUG: GIi is host/kdc.kerb.com
> > 2005-12-07 09:10:16: DEBUG: GIr is host/linux.kerb.com
> > 2005-12-07 09:10:16: DEBUG: =3D=3D=3D
> > 2005-12-07 09:10:16: DEBUG: compute DH's private.
> > 2005-12-07 09:10:16: DEBUG:
> > 5be41b2e b85ff069 680b30ce 46defd9e a0a50432 7393023c c814aa68
> b824c1c1
> > 4e8d536f 55714020 9a12d8b8 9c467374 88f6b4ec 8919a92b d349255b
> 4dee5265
> > 7250baec 8ae579a3 e621f3c4 00b5450f 19192aba c7220771 9250d320
> 58477695
> > 2005-12-07 09:10:16: DEBUG: compute DH's public.
> > 2005-12-07 09:10:16: DEBUG:
> > 921bcc59 d771190a a09a607c 84bbd005 e53b91dd e8b42579 b8b97609
> 1f2f6cba
> > d8910bde 68fdab19 ff108509 45a710e3 a137601b 0032ff0b ca86ede2
> 41b7ec1d
> > e8fe34dc 2b0915f8 28e8b616 ea15d265 da31d72c ef5e5066 3bb7d04b
> 8e84030f
> >
> > Program received signal SIGSEGV, Segmentation fault.
> > 0x00d530fb in krb5_gss_canonicalize_name () from
> > /usr/lib/libgssapi_krb5.so.2
> > (gdb) bt
> > #0 0x00d530fb in krb5_gss_canonicalize_name () from
> > /usr/lib/libgssapi_krb5.so.2
> > #1 0x00d59b02 in gss_canonicalize_name () from
> > /usr/lib/libgssapi_krb5.so.2
> > #2 0x0805c5ab in gssapi_init (iph1=3D0x9896af8) at gssapi.c:214
> > #3 0x0805cd71 in gssapi_get_itoken (iph1=3D0x9896af8, lenp=3D0x0)=
at
> > gssapi.c:279
> > #4 0x0805362a in ident_i2send (iph1=3D0x9896af8, msg=3D0x9896538)=
at
> > isakmp_ident.c:320
> > #5 0x0804e5d2 in ph1_main (iph1=3D0x9896af8, msg=3D0x9896538) at
> > isakmp.c:788
> > #6 0x0804e9a7 in isakmp_main (msg=3D0x9896538, remote=3D0xbfc34f=
68,
> > local=3D0xbfc34ee8) at isakmp.c:570
> > #7 0x0804f9bf in isakmp_handler (so_isakmp=3D9) at isakmp.c:359
> > #8 0x0804c40e in session () at session.c:209
> > #9 0x0804bdd4 in main (ac=3D5, av=3D0xbfc36234) at main.c:247
> > (gdb) frame 2
> > #2 0x0805c5ab in gssapi_init (iph1=3D0x9896af8) at gssapi.c:214
> > 214 maj_stat =3D gss_canonicalize_name(&min_stat,
> princ,
> > GSS_C_NO_OID,
> > (gdb) p princ
> > $1 =3D 0x9897590
> > (gdb)
> >
> >
> --------------------------------------------------------------------=
----------------------------------
>
> > here is my racoon.conf file used:
> >
> > Racoon IKE daemon configuration file.
> > # See 'man racoon.conf' for a description of the format and
> entries.
> > remote anonymous {
> > exchange_mode main;
> > lifetime time 24 hour;
> > proposal {
> > encryption_algorithm des;
> > hash_algorithm md5;
> > authentication_method gssapi_krb;
> > dh_group 1;
> > }
> > }
> > sainfo anonymous
> > {
> > pfs_group 2;
> > lifetime time 1 hour;
> > encryption_algorithm des;
> > authentication_algorithm hmac_sha1, hmac_md5 ;
> > compression_algorithm deflate ;
> > }
> >
> >
>
> --
> Aidas Kasparas
> IT administrator
> GM Consult Group, UAB
>
>
>
>
>
>
>
> --
> Nathan Herring
> MacBU SDE/Development
>
|