Problems with ksu in krb5-1.4.1

classic Classic list List threaded Threaded
9 messages Options
Reply | Threaded
Open this post in threaded view
|

Problems with ksu in krb5-1.4.1

Heilke, Rainer
A co-worker has been having strange problems testing krb5-1.4.1, and
asked me to post the following:

We are running Solaris 8 with krb5-1.4.1 installed. We just upgraded
from 1.3.4 (with patches). We use Sun's pam_krb5 and subsequent SEAM
libraries to sign in. We need to use MIT's kit because Solaris 8's SEAM
doesn't include all the tools we need.  

One odd thing we've noticed is that somehow ksu is causing a lock-up
when you try to login twice. i.e.

window1: sign in to hosta as usera (ssh/telnet/ftp, doesn't matter)
window1: ksu to root (or any other ID via .k5login) from usera
window2: try to sign in to hosta as usera
window2: you can authenticate, but the session freezes and won't give
         you a shell
window1: exit from root shell
window2: the frozen session continues and gives you a shell.

Very odd. As soon as we rollback our krb5 binaries to 1.3.4, the
behaviour of ksu is fixed.

As far as I can see, this is an issue with only ksu as nothing else in
1.4.1 is giving us problems.

ksu does not appear to be doing anything odd to the credentials cache,
so why would the sessions freeze like this ?

Any insight is appreciated.

Thanks.

Rainer Heilke
Unix Systems Administrator
ATCO I-Tek
Phone:  780-420-7806
Fax:  780-420-3939
Email:  [hidden email]

The information transmitted is intended only for the addressee and may
contain confidential, proprietary and/or privileged material. Any
unauthorized review, distribution or other use of or the taking of any
action in reliance upon this information is prohibited. If you receive
this in error, please contact the sender and delete or destroy this
message and any copies.

________________________________________________
Kerberos mailing list           [hidden email]
https://mailman.mit.edu/mailman/listinfo/kerberos
Reply | Threaded
Open this post in threaded view
|

Re: Problems with ksu in krb5-1.4.1

Garrett Wollman
In article <[hidden email]>,
Heilke, Rainer <[hidden email]> wrote:

>ksu does not appear to be doing anything odd to the credentials cache,
>so why would the sessions freeze like this ?

I wouldn't be surprised if it were related to the bug which causes
this:

wollman@isfahel(1)$ ksu
Authenticated [hidden email]
Account root: authorization for [hidden email] successful
Changing uid to root (0)
root@isfahel# exit
Assertion failed: ((&_m->os)->initialized == K5_MUTEX_DEBUG_INITIALIZED), function krb5_fcc_destroy, file cc_file.c, line 1526.
Abort trap

-GAWollman

--
Garrett A. Wollman    | As the Constitution endures, persons in every
[hidden email] | generation can invoke its principles in their own
Opinions not those    | search for greater freedom.
of MIT or CSAIL.      | - A. Kennedy, Lawrence v. Texas, 539 U.S. 558 (2003)
________________________________________________
Kerberos mailing list           [hidden email]
https://mailman.mit.edu/mailman/listinfo/kerberos
Reply | Threaded
Open this post in threaded view
|

RE: Problems with ksu in krb5-1.4.1

Heilke, Rainer
In reply to this post by Heilke, Rainer
Is that a known bug, or a new one?

R

> -----Original Message-----
> From: [hidden email]
> [mailto:[hidden email]] On Behalf Of Garrett Wollman
> Sent: Wednesday, June 15, 2005 11:58 AM
> To: [hidden email]
> Subject: Re: Problems with ksu in krb5-1.4.1
>
>
> In article <[hidden email]>,
> Heilke, Rainer <[hidden email]> wrote:
>
> >ksu does not appear to be doing anything odd to the
> credentials cache,
> >so why would the sessions freeze like this ?
>
> I wouldn't be surprised if it were related to the bug which causes
> this:
>
> wollman@isfahel(1)$ ksu
> Authenticated [hidden email]
> Account root: authorization for [hidden email] successful
> Changing uid to root (0)
> root@isfahel# exit
> Assertion failed: ((&_m->os)->initialized ==
> K5_MUTEX_DEBUG_INITIALIZED), function krb5_fcc_destroy, file
> cc_file.c, line 1526.
> Abort trap
>
> -GAWollman
>
> --
> Garrett A. Wollman    | As the Constitution endures, persons in every
> [hidden email] | generation can invoke its principles
> in their own
> Opinions not those    | search for greater freedom.
> of MIT or CSAIL.      | - A. Kennedy, Lawrence v. Texas, 539
> U.S. 558 (2003)
> ________________________________________________
> Kerberos mailing list           [hidden email]
> https://mailman.mit.edu/mailman/listinfo/kerberos
>

________________________________________________
Kerberos mailing list           [hidden email]
https://mailman.mit.edu/mailman/listinfo/kerberos
Reply | Threaded
Open this post in threaded view
|

Re: Problems with ksu in krb5-1.4.1

Kenneth G Raeburn
In reply to this post by Garrett Wollman
On Jun 15, 2005, at 13:58, Garrett Wollman wrote:

> In article <[hidden email]>,
> Heilke, Rainer <[hidden email]> wrote:
>
>> ksu does not appear to be doing anything odd to the credentials cache,
>> so why would the sessions freeze like this ?
>
> I wouldn't be surprised if it were related to the bug which causes
> this:
>
> wollman@isfahel(1)$ ksu
> Authenticated [hidden email]
> Account root: authorization for [hidden email] successful
> Changing uid to root (0)
> root@isfahel# exit
> Assertion failed: ((&_m->os)->initialized ==
> K5_MUTEX_DEBUG_INITIALIZED), function krb5_fcc_destroy, file
> cc_file.c, line 1526.
> Abort trap
I suspect they're different problems, but I'm investigating.  I've just
run into the freezing problem on one of my machines.

For the assertion-failed problem, could you please try the attached
patch and let me know if it fixes it?  (BTW, which OS is this on?)

Ken




________________________________________________
Kerberos mailing list           [hidden email]
https://mailman.mit.edu/mailman/listinfo/kerberos

pthread-detect-14.patch (4K) Download Attachment
Reply | Threaded
Open this post in threaded view
|

RE: Problems with ksu in krb5-1.4.1

Heilke, Rainer
In reply to this post by Heilke, Rainer
This is on Solaris 8.

I've passed the patch on. Thanks.
R

> -----Original Message-----
> From: [hidden email]
> [mailto:[hidden email]] On Behalf Of Ken Raeburn
> Sent: Wednesday, June 15, 2005 3:19 PM
> To: Garrett Wollman
> Cc: [hidden email]
> Subject: Re: Problems with ksu in krb5-1.4.1
>
>
> On Jun 15, 2005, at 13:58, Garrett Wollman wrote:
> > In article <[hidden email]>,
> > Heilke, Rainer <[hidden email]> wrote:
> >
> >> ksu does not appear to be doing anything odd to the
> credentials cache,
> >> so why would the sessions freeze like this ?
> >
> > I wouldn't be surprised if it were related to the bug which causes
> > this:
> >
> > wollman@isfahel(1)$ ksu
> > Authenticated [hidden email]
> > Account root: authorization for [hidden email] successful
> > Changing uid to root (0)
> > root@isfahel# exit
> > Assertion failed: ((&_m->os)->initialized ==
> > K5_MUTEX_DEBUG_INITIALIZED), function krb5_fcc_destroy, file
> > cc_file.c, line 1526.
> > Abort trap
>
> I suspect they're different problems, but I'm investigating.  
> I've just
> run into the freezing problem on one of my machines.
>
> For the assertion-failed problem, could you please try the attached
> patch and let me know if it fixes it?  (BTW, which OS is this on?)
>
> Ken
>
>

________________________________________________
Kerberos mailing list           [hidden email]
https://mailman.mit.edu/mailman/listinfo/kerberos
Reply | Threaded
Open this post in threaded view
|

Re: Problems with ksu in krb5-1.4.1

Kenneth G Raeburn
On Jun 15, 2005, at 18:00, Heilke, Rainer wrote:
> This is on Solaris 8.
>
> I've passed the patch on. Thanks.

That patch was for a thread support problem that I thought might've
been Garrett Wollman's problem.

This patch to src/lib/krb5/ccache/cc_file.c should fix your problem.  
It might also fix the problem he ran into, I'm not sure.  Please let me
know...

Ken

Index: cc_file.c
===================================================================
RCS file: /cvs/krbdev/krb5/src/lib/krb5/ccache/cc_file.c,v
retrieving revision 5.45
diff -p -u -r5.45 cc_file.c
--- cc_file.c 13 Apr 2005 16:55:40 -0000 5.45
+++ cc_file.c 15 Jun 2005 22:58:03 -0000
@@ -1459,7 +1459,7 @@ static krb5_error_code dereference(krb5_
      kerr = k5_mutex_lock(&krb5int_cc_file_mutex);
      if (kerr)
  return kerr;
-    for (fccsp = &fccs; *fccsp == NULL; fccsp = &(*fccsp)->next)
+    for (fccsp = &fccs; *fccsp != NULL; fccsp = &(*fccsp)->next)
  if ((*fccsp)->data == data)
     break;
      assert(*fccsp != NULL);

________________________________________________
Kerberos mailing list           [hidden email]
https://mailman.mit.edu/mailman/listinfo/kerberos
Reply | Threaded
Open this post in threaded view
|

RE: Problems with ksu in krb5-1.4.1

Heilke, Rainer
In reply to this post by Heilke, Rainer
OK, thanks. :-) I've passed this along.

Rainer

> -----Original Message-----
> From: Ken Raeburn [mailto:[hidden email]]
> Sent: Wednesday, June 15, 2005 5:03 PM
> To: Heilke, Rainer
> Cc: Garrett Wollman; [hidden email]
> Subject: Re: Problems with ksu in krb5-1.4.1
>
>
> On Jun 15, 2005, at 18:00, Heilke, Rainer wrote:
> > This is on Solaris 8.
> >
> > I've passed the patch on. Thanks.
>
> That patch was for a thread support problem that I thought might've
> been Garrett Wollman's problem.
>
> This patch to src/lib/krb5/ccache/cc_file.c should fix your problem.  
> It might also fix the problem he ran into, I'm not sure.  
> Please let me
> know...
>
> Ken
>
> Index: cc_file.c
> ===================================================================
> RCS file: /cvs/krbdev/krb5/src/lib/krb5/ccache/cc_file.c,v
> retrieving revision 5.45
> diff -p -u -r5.45 cc_file.c
> --- cc_file.c 13 Apr 2005 16:55:40 -0000 5.45
> +++ cc_file.c 15 Jun 2005 22:58:03 -0000
> @@ -1459,7 +1459,7 @@ static krb5_error_code dereference(krb5_
>       kerr = k5_mutex_lock(&krb5int_cc_file_mutex);
>       if (kerr)
>   return kerr;
> -    for (fccsp = &fccs; *fccsp == NULL; fccsp = &(*fccsp)->next)
> +    for (fccsp = &fccs; *fccsp != NULL; fccsp = &(*fccsp)->next)
>   if ((*fccsp)->data == data)
>      break;
>       assert(*fccsp != NULL);
>
>

________________________________________________
Kerberos mailing list           [hidden email]
https://mailman.mit.edu/mailman/listinfo/kerberos
Reply | Threaded
Open this post in threaded view
|

RE: Problems with ksu in krb5-1.4.1

Heilke, Rainer
In reply to this post by Heilke, Rainer
My colleague has been testing the patch you provided, and so far, things
are looking good. I'll update when we have a definitive answer.

Thanks again for all of your help.

Rainer

> -----Original Message-----
> From: Ken Raeburn [mailto:[hidden email]]
> Sent: Wednesday, June 15, 2005 5:03 PM
> To: Heilke, Rainer
> Cc: Garrett Wollman; [hidden email]
> Subject: Re: Problems with ksu in krb5-1.4.1
>
>
> On Jun 15, 2005, at 18:00, Heilke, Rainer wrote:
> > This is on Solaris 8.
> >
> > I've passed the patch on. Thanks.
>
> That patch was for a thread support problem that I thought might've
> been Garrett Wollman's problem.
>
> This patch to src/lib/krb5/ccache/cc_file.c should fix your problem.  
> It might also fix the problem he ran into, I'm not sure.  
> Please let me
> know...
>
> Ken
>
> Index: cc_file.c
> ===================================================================
> RCS file: /cvs/krbdev/krb5/src/lib/krb5/ccache/cc_file.c,v
> retrieving revision 5.45
> diff -p -u -r5.45 cc_file.c
> --- cc_file.c 13 Apr 2005 16:55:40 -0000 5.45
> +++ cc_file.c 15 Jun 2005 22:58:03 -0000
> @@ -1459,7 +1459,7 @@ static krb5_error_code dereference(krb5_
>       kerr = k5_mutex_lock(&krb5int_cc_file_mutex);
>       if (kerr)
>   return kerr;
> -    for (fccsp = &fccs; *fccsp == NULL; fccsp = &(*fccsp)->next)
> +    for (fccsp = &fccs; *fccsp != NULL; fccsp = &(*fccsp)->next)
>   if ((*fccsp)->data == data)
>      break;
>       assert(*fccsp != NULL);
>
>

________________________________________________
Kerberos mailing list           [hidden email]
https://mailman.mit.edu/mailman/listinfo/kerberos
Reply | Threaded
Open this post in threaded view
|

RE: Problems with ksu in krb5-1.4.1

Heilke, Rainer
In reply to this post by Heilke, Rainer
Yes, this patch is indeed working, both on Solaris 8 and Solaris 10. A
thousand thank-you's.

Rainer

> -----Original Message-----
> From: [hidden email]
> [mailto:[hidden email]] On Behalf Of Heilke, Rainer
> Sent: Tuesday, June 21, 2005 8:43 AM
> To: Ken Raeburn
> Cc: Garrett Wollman; [hidden email]
> Subject: RE: Problems with ksu in krb5-1.4.1
>
>
> My colleague has been testing the patch you provided, and so
> far, things
> are looking good. I'll update when we have a definitive answer.
>
> Thanks again for all of your help.
>
> Rainer
>
> > -----Original Message-----
> > From: Ken Raeburn [mailto:[hidden email]]
> > Sent: Wednesday, June 15, 2005 5:03 PM
> > To: Heilke, Rainer
> > Cc: Garrett Wollman; [hidden email]
> > Subject: Re: Problems with ksu in krb5-1.4.1
> >
> >
> > On Jun 15, 2005, at 18:00, Heilke, Rainer wrote:
> > > This is on Solaris 8.
> > >
> > > I've passed the patch on. Thanks.
> >
> > That patch was for a thread support problem that I thought might've
> > been Garrett Wollman's problem.
> >
> > This patch to src/lib/krb5/ccache/cc_file.c should fix your
> problem.  
> > It might also fix the problem he ran into, I'm not sure.  
> > Please let me
> > know...
> >
> > Ken
> >
> > Index: cc_file.c
> > ===================================================================
> > RCS file: /cvs/krbdev/krb5/src/lib/krb5/ccache/cc_file.c,v
> > retrieving revision 5.45
> > diff -p -u -r5.45 cc_file.c
> > --- cc_file.c 13 Apr 2005 16:55:40 -0000 5.45
> > +++ cc_file.c 15 Jun 2005 22:58:03 -0000
> > @@ -1459,7 +1459,7 @@ static krb5_error_code dereference(krb5_
> >       kerr = k5_mutex_lock(&krb5int_cc_file_mutex);
> >       if (kerr)
> >   return kerr;
> > -    for (fccsp = &fccs; *fccsp == NULL; fccsp = &(*fccsp)->next)
> > +    for (fccsp = &fccs; *fccsp != NULL; fccsp = &(*fccsp)->next)
> >   if ((*fccsp)->data == data)
> >      break;
> >       assert(*fccsp != NULL);
> >
> >
>
> ________________________________________________
> Kerberos mailing list           [hidden email]
> https://mailman.mit.edu/mailman/listinfo/kerberos
>

________________________________________________
Kerberos mailing list           [hidden email]
https://mailman.mit.edu/mailman/listinfo/kerberos