Apache child segfaults when enabling mod_webauthldap.

Russ Allbery eagle at windlord.stanford.edu
Fri Feb 24 23:27:38 PST 2006


Mustafa A Hashmi <mahashmi at gmail.com> writes:

> I remember compiling kerberos with the following options on this machine:

> ./configure --with-system-et LDFLAGS=-L/usr/lib/et CPPFLAGS=-I/usr/include/et

Wait... you built Kerberos yourself?  But your backtrace here is showing
you using the system Kerberos:

> Program received signal SIGSEGV, Segmentation fault.
> [Switching to Thread 1077082784 (LWP 9311)]
> 0x40605f73 in com_right () from /usr/lib/libkrb5.so.17
> (gdb) bt
> #0  0x40605f73 in com_right () from /usr/lib/libkrb5.so.17
> #1  0x405e68c0 in krb5_get_err_text () from /usr/lib/libkrb5.so.17
> #2  0x405cb796 in gss_display_status () from /usr/lib/libgssapi.so.1
> #3  0x405b890f in sasl_gss_seterror_ () from /usr/lib/sasl2/libgssapiv2.so.2
> #4  0x405b94c5 in gssapi_client_mech_step () from /usr/lib/sasl2/libgssapiv2.so.2
> #5  0x4048ab22 in sasl_client_step () from /usr/lib/libsasl2.so.2

That's the system Kerberos and the system SASL.  Or did you install your
build into /usr/lib?

Also, just to confirm, you're using Heimdal?  Is that the only Kerberos
implementation that you have anywhere on the system?  No trace of MIT
Kerberos anywhere?  (The above libraries are definitely Heimdal.)

The segfault is happening in the com_err library, so my guess is that
there's actually multiple things failing here.  I think that the LDAP bind
is failing, and then something else is failing when mod_webauthldap is
trying to report the error message.  We probably have to fix the second
failure to see what the first failure is, though.

> I recompiled kerberos without these flags and webauth and webauthldap
> both reported missing libcom_err libraries when I ran ldd against the
> modules.

But now you have two different com_err libraries on your system, one that
comes with your Kerberos build and the other that comes with the OS?  That
can definitely cause problems if different libraries end up pulling in
both com_err libraries at the same time.

The reason why mod_webauthldap tends to segfault more often than
mod_webauth is because it has more library dependencies.  Not only does it
pull in Kerberos directly, it also pulls in LDAP (which is sometimes
linked directly against Kerberos) and SASL (which is linked against
Kerberos itself).  All of those libraries have to match.  The resulting
Apache process needs to have one and only one Kerberos library in memory
and one and only one com_err library in memory.

The missing libcom_err library in ldd is a bad sign, since it means that
the com_err library that the module is built against isn't on its built-in
search path.  When loaded into Apache, the module is going to inherit
whatever search path Apache has, and if that doesn't find the right
com_err library, bad things are going to happen.

> I linked them manually and started apache -- this time, webauthldap logs
> a lot more (for whatever reason -- no configuration directive was
> changed):

My guess is that the rebuilds either delayed or fixed one library
conflict so mod_webauthldap didn't segfault as soon as the module was
initialized and instead lasted long enough to try to call into the LDAP
libraries.

> [Sat Feb 25 11:24:57 2006] [info] webauthldap(mustafa.hashmi): begins ldap bind
> [Sat Feb 25 11:24:57 2006] [info] webauthldap(mustafa.hashmi): set ticket to KRB5CCNAME=FILE:/tmp/krb5cc_ldap

> -- end apache log --

So it failed to bind to your directory server and then died trying to
report that error.

Your directory server does support LDAPv3 SASL binds with GSSAPI, right?

-- 
Russ Allbery <eagle at windlord.stanford.edu>
Technical Lead, ITS Unix Systems and Applications, Stanford University
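
The ldd check discussed in the message above, as an added example that is not part of the original post or of the WebAuth code: it takes ldd output for the module and for the libraries it pulls in, then reports unresolved dependencies and any Kerberos-related library that resolves to more than one file. The sample ldd text, the /usr/local/lib path, the load addresses and the name audit_ldd are constructed for illustration.

```python
import re
from collections import defaultdict

# Library families that must each map to a single file in the Apache process.
FAMILIES = ("libcom_err", "libkrb5", "libgssapi")

# Matches the "soname => /path (0xaddr)" and "soname => not found" lines of ldd.
LDD_LINE = re.compile(r"^\s*(\S+)\s+=>\s+(not found|\S+)")

# Constructed sample: ldd output for the module and for the SASL GSSAPI plugin.
SAMPLE = {
    "mod_webauthldap.so": """
        libkrb5.so.17 => /usr/local/lib/libkrb5.so.17 (0x40010000)
        libcom_err.so.1 => not found
        libldap.so.2 => /usr/lib/libldap.so.2 (0x40080000)
        /lib/ld-linux.so.2 (0x80000000)
    """,
    "libgssapiv2.so.2": """
        libgssapi.so.1 => /usr/lib/libgssapi.so.1 (0x40020000)
        libkrb5.so.17 => /usr/lib/libkrb5.so.17 (0x40030000)
        libcom_err.so.2 => /lib/libcom_err.so.2 (0x40090000)
    """,
}

def audit_ldd(outputs):
    """outputs maps an object name to the ldd text captured for it.
    Returns (missing, conflicts): unresolved (object, soname) pairs, and every
    family in FAMILIES that resolves to more than one distinct file."""
    missing = []
    seen = defaultdict(set)               # family -> set of resolved paths
    for obj, text in outputs.items():
        for line in text.splitlines():
            m = LDD_LINE.match(line)
            if not m:                      # loader line or blank, no "=>"
                continue
            soname, target = m.groups()
            if target == "not found":
                missing.append((obj, soname))
                continue
            family = soname.split(".so")[0]
            if family in FAMILIES:
                seen[family].add(target)
    conflicts = {f: sorted(p) for f, p in seen.items() if len(p) > 1}
    return sorted(missing), conflicts

if __name__ == "__main__":
    missing, conflicts = audit_ldd(SAMPLE)
    print("unresolved:", missing)
    print("loaded from more than one path:", conflicts)
```

Because the module inherits Apache's search path at load time, the ldd text should be captured with the same library path environment that the Apache process runs with.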



More information about the webauth-info mailing list