Re: [Ipsec-tools-devel] Problem of racoon and GSS API: segmentation fault exists from past one year
From: sandy s <san...@gm...> - 2005-12-08 05:20:55
Hi Nathan,

Thanks for that quick reply. With respect to your previous mail, I checked if the GSS_KRB5_NT_PRINCIPAL_NAME is already defined in my library. I issued the command:

    nm --defined-only /usr/lib/libgssapi_krb5.a | grep PRINCIPAL
    00000028 D GSS_KRB5_NT_PRINCIPAL_NAME

Does this mean the Kerberos mech type is already linked? If this is linked, does that mean I am doing something wrong? :(

Thanks,
Sandy.

On 12/8/05, Nathan Herring <na...@mi...> wrote:
> I'm not positive my racoon.conf file would be any better; we still haven't
> gotten past phase 2, and I think we're at the point where we're trying to
> get the TGT and it's not able to, despite there being a key in the keytab.
>
> remote anonymous
> {
>     exchange_mode main;
>     my_identifier user_fqdn "nh-g5.redmond.corp.microsoft.com";
>
>     nonce_size 16;
>     lifetime time 120 min;   # sec,min,hour
>     initial_contact on;
>     support_mip6 on;
>     proposal_check obey;     # obey, strict or claim
>
>     proposal {
>         encryption_algorithm 3des;
>         hash_algorithm sha1;
>         authentication_method gssapi_krb;
>         gssapi_id "nh-g5$@REDMOND.CORP.MICROSOFT.COM";
>         dh_group 2;
>     }
> }
>
> sainfo anonymous
> {
>     pfs_group 1;
>     lifetime time 30 sec;
>     encryption_algorithm aes, 3des;
>     authentication_algorithm hmac_sha1;
>     compression_algorithm deflate;
> }
>
> In the particular setup we were testing, we were binding a Mac OS X
> machine to an Active Directory domain. Doing so has the byproduct of setting
> up the Kerberos configuration file and the keytab with the machine keys. The
> gssapi_id form is the form that Windows implementations of IPsec are
> expecting, and is one of the standard principal forms that AD as a KDC will
> give out for a machine. We were testing Mac OS X -> WinXP.
>
> -nh
>
> P.S. That said, I'm having some difficulties re-binding to the domain at
> the moment, and as such am not set up to try it again.
>
> On 12/7/05 8:44:46 PM, "sandy s" <san...@gm...> wrote:
>> Hi Nathan,
>>
>> Thanks a lot for the reply. Even I saw one of the queries made by you some
>> time back in this regard.
>>
>> I have given my racoon.conf file. Could you please let me know if this is
>> correct? Could you please send me an example racoon.conf file?
>> --------------------------------------------
>> remote 192.168.1.123 {
>>     exchange_mode main;
>>     my_identifier fqdn "kdc.kerb.com";
>>     peers_identifier fqdn "linux.kerb.com";
>>     verify_identifier on;
>>     proposal {
>>         encryption_algorithm des;
>>         hash_algorithm md5;
>>         authentication_method gssapi_krb;
>>         gssapi_id "ho...@kd...";
>>         dh_group 2;
>>     }
>> }
>> sainfo anonymous
>> {
>>     pfs_group 2;
>>     lifetime time 1 hour;
>>     encryption_algorithm des;
>>     authentication_algorithm hmac_sha1, hmac_md5;
>>     compression_algorithm deflate;
>> }
>> -------------------------------------
>> I have tested the GSS API examples given in the MIT Kerberos and they are
>> running properly.
>> I have the keytab entry for the hosts in the keytab file. I am getting
>> the TGT for the host machine from where I am initiating the connection.
>>
>> Thanks,
>> Sandy.
>>
>> On 12/8/05, Nathan Herring <na...@mi...> wrote:
>>> I am a developer in the Macintosh Business Unit at Microsoft, and I've
>>> been working with Apple to try and address similar issues in the Mac OS X
>>> version of racoon. We found that the Mac OS X Kerberos' GSSAPI
>>> implementation would assume that the various gss_XXX_t pointers would be
>>> non-NULL and indirect off of them without checking. It certainly didn't
>>> expect the various Null values defined in gssapi.h. As a workaround, we
>>> passed in non-null values, when it was obvious what they were, and it got us
>>> further, but we didn't quite make it all the way there.
>>>
>>> GSS_KRB5_NT_PRINCIPAL_NAME is exported by the Kerberos implementation, in
>>> this case /usr/lib/libgssapi_krb5.dylib -- does your Kerberos implementation
>>> export that symbol? If not, you should request it -- there's no reason to
>>> have to build it yourself. However, you can create one yourself using
>>> gss_str_to_oid using the text form of the OID, "1.2.840.113554.1.2.2.1"
>>> (it's in gssapi_krb5.h in the comments next to the declaration of
>>> GSS_KRB5_NT_PRINCIPAL_NAME).
>>>
>>> Since Apple has its own version of racoon, which is in some nebulous state
>>> of porting changes from the ipsec-tools distro, and is using MIT Kerberos,
>>> YMMV.
>>>
>>> Hope this helps.
>>>
>>> ------------------------------
>>> From: ips...@li... [mailto:ips...@li...] On Behalf Of sandy s
>>> Sent: Wednesday, December 07, 2005 6:50 AM
>>> To: Aidas Kasparas
>>> Cc: ips...@li...
>>> Subject: Re: [Ipsec-tools-devel] Problem of racoon and GSS API: segmentation fault exists from past one year ???
>>>
>>> Hi,
>>>
>>> I saw in the function "krb5_gss_canonicalize_name" that the mech types are
>>> getting compared. I don't see any issue with the code. The IPsec GSS API
>>> code is passing GSS_C_NO_OID. For testing purposes, I want the Kerberos
>>> mechanism type to be hardcoded. Could anybody let me know how to do it?
>>>
>>> I tried putting GSS_KRB5_NT_PRINCIPAL_NAME; it says it is undefined.
>>>
>>> Thanks,
>>> Sandy.
>>>
>>> On 12/7/05, sandy s <san...@gm...> wrote:
>>>> Yes, it crashes on the first call to the GSS API :(
>>>>
>>>> - Sandy.
>>>>
>>>> On 12/7/05, Aidas Kasparas <a.k...@gm...> wrote:
>>>>> Sandy,
>>>>>
>>>>> First, the only (afaik) developer of ipsec-tools who is familiar with
>>>>> Kerberos is Derek, but he contributed code to ipsec-tools for the last
>>>>> time long ago. So, help from a person who knows Kerberos would be very
>>>>> helpful.
>>>>>
>>>>> On the other hand, by searching the web for faults and gss/kerberos, I
>>>>> found
>>>>> http://www.nabble.com/Core-Dump-with-gsstest-1.26-and-krb5-1.4.2-t327263.html#a931954
>>>>> which is not directly related, but lets me believe that bugs in the
>>>>> Kerberos library are not an uncommon thing. So, could you please run the
>>>>> gsstest program to make sure the library you have installed is not buggy and
>>>>> there are no problems in your GSS setup.
>>>>>
>>>>> One more thing. You said that racoon crashes after some time. Is it
>>>>> failing on the first try to use GSS functionality, or does it sometimes go
>>>>> through and fail later?
>>>>>
>>>>> sandy s wrote:
>>>>>> Hi all,
>>>>>>
>>>>>> I found that the issue of the seg fault has existed for the past one year.
>>>>>>
>>>>>> Please see the link below:
>>>>>>
>>>>>> http://mailman.mit.edu/pipermail/kerberos/2004-April/005125.html
>>>>>>
>>>>>> What could be the fix for this?
>>>>>>
>>>>>> - Sandy
>>>>>>
>>>>>> On 12/7/05, sandy s <san...@gm...> wrote:
>>>>>>> Hi,
>>>>>>>
>>>>>>> Here is more info using gdb. Could you please let me know what could
>>>>>>> be the error?
>>>>>>>
>>>>>>> - Sandy
>>>>>>>
>>>>>>> ---------------------------------------------------
>>>>>>> 2005-12-07 09:10:16: DEBUG: (lifebyte = 0:0)
>>>>>>> 2005-12-07 09:10:16: DEBUG: enctype = 3DES-CBC:3DES-CBC
>>>>>>> 2005-12-07 09:10:16: DEBUG: (encklen = 0:0)
>>>>>>> 2005-12-07 09:10:16: DEBUG: hashtype = SHA:SHA
>>>>>>> 2005-12-07 09:10:16: DEBUG: authmethod = GSS-API on Kerberos 5:GSS-API on Kerberos 5
>>>>>>> 2005-12-07 09:10:16: DEBUG: dh_group = 768-bit MODP group:768-bit MODP group
>>>>>>> 2005-12-07 09:10:16: DEBUG: an acceptable proposal found.
>>>>>>> 2005-12-07 09:10:16: DEBUG: hmac(modp768)
>>>>>>> 2005-12-07 09:10:16: DEBUG: gss id in new sa 'host/kdc.kerb.com'
>>>>>>> 2005-12-07 09:10:16: DEBUG: GIi is host/kdc.kerb.com
>>>>>>> 2005-12-07 09:10:16: DEBUG: GIr is host/linux.kerb.com
>>>>>>> 2005-12-07 09:10:16: DEBUG: ===
>>>>>>> 2005-12-07 09:10:16: DEBUG: compute DH's private.
>>>>>>> 2005-12-07 09:10:16: DEBUG:
>>>>>>> 5be41b2e b85ff069 680b30ce 46defd9e a0a50432 7393023c c814aa68 b824c1c1
>>>>>>> 4e8d536f 55714020 9a12d8b8 9c467374 88f6b4ec 8919a92b d349255b 4dee5265
>>>>>>> 7250baec 8ae579a3 e621f3c4 00b5450f 19192aba c7220771 9250d320 58477695
>>>>>>> 2005-12-07 09:10:16: DEBUG: compute DH's public.
>>>>>>> 2005-12-07 09:10:16: DEBUG:
>>>>>>> 921bcc59 d771190a a09a607c 84bbd005 e53b91dd e8b42579 b8b97609 1f2f6cba
>>>>>>> d8910bde 68fdab19 ff108509 45a710e3 a137601b 0032ff0b ca86ede2 41b7ec1d
>>>>>>> e8fe34dc 2b0915f8 28e8b616 ea15d265 da31d72c ef5e5066 3bb7d04b 8e84030f
>>>>>>>
>>>>>>> Program received signal SIGSEGV, Segmentation fault.
>>>>>>> 0x00d530fb in krb5_gss_canonicalize_name () from /usr/lib/libgssapi_krb5.so.2
>>>>>>> (gdb) bt
>>>>>>> #0  0x00d530fb in krb5_gss_canonicalize_name () from /usr/lib/libgssapi_krb5.so.2
>>>>>>> #1  0x00d59b02 in gss_canonicalize_name () from /usr/lib/libgssapi_krb5.so.2
>>>>>>> #2  0x0805c5ab in gssapi_init (iph1=0x9896af8) at gssapi.c:214
>>>>>>> #3  0x0805cd71 in gssapi_get_itoken (iph1=0x9896af8, lenp=0x0) at gssapi.c:279
>>>>>>> #4  0x0805362a in ident_i2send (iph1=0x9896af8, msg=0x9896538) at isakmp_ident.c:320
>>>>>>> #5  0x0804e5d2 in ph1_main (iph1=0x9896af8, msg=0x9896538) at isakmp.c:788
>>>>>>> #6  0x0804e9a7 in isakmp_main (msg=0x9896538, remote=0xbfc34f68, local=0xbfc34ee8) at isakmp.c:570
>>>>>>> #7  0x0804f9bf in isakmp_handler (so_isakmp=9) at isakmp.c:359
>>>>>>> #8  0x0804c40e in session () at session.c:209
>>>>>>> #9  0x0804bdd4 in main (ac=5, av=0xbfc36234) at main.c:247
>>>>>>> (gdb) frame 2
>>>>>>> #2  0x0805c5ab in gssapi_init (iph1=0x9896af8) at gssapi.c:214
>>>>>>> 214             maj_stat = gss_canonicalize_name(&min_stat, princ, GSS_C_NO_OID,
>>>>>>> (gdb) p princ
>>>>>>> $1 = 0x9897590
>>>>>>> (gdb)
>>>>>>> ------------------------------------------------------------------------------------------------------
>>>>>>> Here is my racoon.conf file used:
>>>>>>>
>>>>>>> # Racoon IKE daemon configuration file.
>>>>>>> # See 'man racoon.conf' for a description of the format and entries.
>>>>>>> remote anonymous {
>>>>>>>     exchange_mode main;
>>>>>>>     lifetime time 24 hour;
>>>>>>>     proposal {
>>>>>>>         encryption_algorithm des;
>>>>>>>         hash_algorithm md5;
>>>>>>>         authentication_method gssapi_krb;
>>>>>>>         dh_group 1;
>>>>>>>     }
>>>>>>> }
>>>>>>> sainfo anonymous
>>>>>>> {
>>>>>>>     pfs_group 2;
>>>>>>>     lifetime time 1 hour;
>>>>>>>     encryption_algorithm des;
>>>>>>>     authentication_algorithm hmac_sha1, hmac_md5;
>>>>>>>     compression_algorithm deflate;
>>>>>>> }
>>>>>
>>>>> --
>>>>> Aidas Kasparas
>>>>> IT administrator
>>>>> GM Consult Group, UAB
>
> --
> Nathan Herring
> MacBU SDE/Development
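Two points in the thread above concern the same small piece of data: Nathan's suggestion to build the name-type OID from its text form with gss_str_to_oid when the library does not export GSS_KRB5_NT_PRINCIPAL_NAME, and the crash inside krb5_gss_canonicalize_name when racoon hands it GSS_C_NO_OID (a NULL gss_OID) as the mechanism. The program below is an added example, not code from racoon, ipsec-tools or MIT Kerberos. It performs the dotted-text to DER conversion that gss_str_to_oid does, decodes the bytes back, compares the result with the byte values of the Kerberos V5 mechanism OID (1.2.840.113554.1.2.2) and of the principal name type OID quoted in the thread (1.2.840.113554.1.2.2.1), and rejects a NULL OID pointer instead of dereferencing it. The two byte arrays are my own transcription of those well-known OIDs; no GSS-API library is linked, so it builds with a plain C compiler and can be used to check what an exported gss_OID_desc should contain.

```c
/* Added example (not racoon's or MIT Kerberos' code): dotted-decimal OID
 * <-> DER content octets, the conversion gss_str_to_oid() performs when a
 * name-type or mechanism OID constant is not exported by the library. */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Kerberos V5 mechanism OID 1.2.840.113554.1.2.2 (gss_mech_krb5). */
static const unsigned char KRB5_MECH_OID[] =
    { 0x2a, 0x86, 0x48, 0x86, 0xf7, 0x12, 0x01, 0x02, 0x02 };
/* GSS_KRB5_NT_PRINCIPAL_NAME 1.2.840.113554.1.2.2.1 (mechanism OID + arc 1). */
static const unsigned char KRB5_NT_PRINCIPAL_NAME_OID[] =
    { 0x2a, 0x86, 0x48, 0x86, 0xf7, 0x12, 0x01, 0x02, 0x02, 0x01 };

/* Encode "a.b.c..." into DER content octets.  Returns the byte count, or -1
 * on NULL input, malformed text or a too-small buffer.  The NULL check is
 * deliberate: the crash in the thread came from a library indirecting
 * through GSS_C_NO_OID without such a check. */
int oid_str_to_der(const char *str, unsigned char *out, size_t outlen)
{
    if (str == NULL || out == NULL)
        return -1;
    unsigned long long arcs[32];
    int n = 0;
    const char *p = str;
    for (;;) {
        char *end;
        if (*p < '0' || *p > '9' || n >= 32)
            return -1;                          /* empty arc, trailing dot, or too many arcs */
        arcs[n++] = strtoull(p, &end, 10);
        if (*end == '\0')
            break;
        if (*end != '.')
            return -1;
        p = end + 1;
    }
    /* X.660: the first arc is 0..2, and the second is 0..39 when the first is 0 or 1 */
    if (n < 2 || arcs[0] > 2 || (arcs[0] < 2 && arcs[1] > 39))
        return -1;
    size_t pos = 0;
    for (int i = 1; i < n; i++) {
        /* the first two arcs are merged into one subidentifier: 40*a + b */
        unsigned long long v = (i == 1) ? arcs[0] * 40 + arcs[1] : arcs[i];
        unsigned char tmp[10];
        int k = 0;
        do {                                    /* base-128 groups, least significant first */
            tmp[k++] = (unsigned char)(v & 0x7f);
            v >>= 7;
        } while (v);
        while (k--) {                           /* emit most significant first, 0x80 = more follow */
            if (pos >= outlen)
                return -1;
            out[pos++] = tmp[k] | (k ? 0x80 : 0x00);
        }
    }
    return (int)pos;
}

/* Decode DER content octets back to dotted text.  Returns 0 on success, -1 on
 * NULL input, an overlong or truncated subidentifier, or a too-small buffer. */
int oid_der_to_str(const unsigned char *der, size_t len, char *out, size_t outlen)
{
    if (der == NULL || out == NULL || len == 0 || outlen == 0)
        return -1;
    size_t used = 0;
    unsigned long long v = 0;
    int nbytes = 0, first = 1;
    for (size_t i = 0; i < len; i++) {
        if (++nbytes > 9)                       /* more than 63 bits would overflow v */
            return -1;
        v = (v << 7) | (der[i] & 0x7f);
        if (der[i] & 0x80)
            continue;                           /* continuation bit set: octets follow */
        int w;
        if (first) {                            /* split the merged first subidentifier */
            unsigned long long a = v < 80 ? v / 40 : 2;
            unsigned long long b = v < 80 ? v % 40 : v - 80;
            w = snprintf(out + used, outlen - used, "%llu.%llu", a, b);
            first = 0;
        } else {
            w = snprintf(out + used, outlen - used, ".%llu", v);
        }
        if (w < 0 || (size_t)w >= outlen - used)
            return -1;
        used += (size_t)w;
        v = 0;
        nbytes = 0;
    }
    return (der[len - 1] & 0x80) ? -1 : 0;      /* last octet must close a subidentifier */
}

/* 1 if the dotted text encodes exactly the given byte array, else 0. */
int oid_matches(const char *str, const unsigned char *expected, size_t explen)
{
    unsigned char buf[64];
    int n = oid_str_to_der(str, buf, sizeof buf);
    return n == (int)explen && memcmp(buf, expected, explen) == 0;
}

int main(void)
{
    const char *names[] = { "1.2.840.113554.1.2.2", "1.2.840.113554.1.2.2.1" };
    for (size_t i = 0; i < 2; i++) {
        unsigned char der[64];
        int n = oid_str_to_der(names[i], der, sizeof der);
        printf("%-24s ->", names[i]);
        for (int j = 0; j < n; j++)
            printf(" %02x", der[j]);
        printf("\n");
    }
    printf("mechanism OID matches gss_mech_krb5 bytes: %s\n",
           oid_matches("1.2.840.113554.1.2.2", KRB5_MECH_OID, sizeof KRB5_MECH_OID) ? "yes" : "no");
    printf("NULL OID is rejected, return value %d\n", oid_str_to_der(NULL, NULL, 0));
    return 0;
}
```

The encoded bytes for the name-type OID are the same ten octets that a correctly exported GSS_KRB5_NT_PRINCIPAL_NAME carries in its gss_OID_desc, so the output can be compared directly against what `nm` reports as present in libgssapi_krb5 or against the declaration in gssapi_krb5.h.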