[Bug 335754] New: kerberos5 authentication mechanism missing in saslauthd
https://bugzilla.novell.com/show_bug.cgi?id=335754

Summary: kerberos5 authentication mechanism missing in saslauthd
Product: openSUSE 10.3
Version: Final
Platform: All
OS/Version: openSUSE 10.3
Status: NEW
Severity: Major
Priority: P5 - None
Component: Other
AssignedTo: bnc-team-screening@forge.provo.novell.com
ReportedBy: ralf@bj-ig.de
QAContact: qa@suse.de
Found By: Customer

The authentication mechanism "kerberos5" is missing in saslauthd installed by package "cyrus-sasl-saslauthd".

How to reproduce:

# yast -i cyrus-sasl-saslauthd
# saslauthd -v
saslauthd 2.1.22
authentication mechanisms: getpwent pam rimap shadow ldap

As you can see "kerberos5" is missing from the list - installing other plausible packages (gssapi/krb5 related ones) does not change this.

The following patch to "cyrus-sasl-saslauthd.spec" from "cyrus-sasl-saslauthd-2.1.22-85.src.rpm" fixes this:

--- cyrus-sasl-saslauthd.spec.orig 2007-10-22 18:58:45.765442016 +0200 +++ cyrus-sasl-saslauthd.spec 2007-10-22 19:07:50.948507281 +0200 @@ -21,7 +21,7 @@ Provides: cyrus-sasl2:/usr/sbin/saslauthd Summary: The SASL Authentication Server Version: 2.1.22 -Release: 85 +Release: 87 Source: cyrus-sasl-%{version}.tar.bz2 Source1: cyrus-sasl-rc.tar.gz Patch: cyrus-sasl-%{version}.dif @@ -118,7 +118,7 @@ --enable-passdss=no \ --enable-sample=no \ --enable-login=no \ - --enable-gssapi=no \ + --enable-gssapi=yes \ --enable-krb4=no \ --enable-sql \ --with-mysql=/usr/include/mysql \ 
@@ -146,6 +146,8 @@ install -D -m 644 SuSE/sysconfig.saslauthd $RPM_BUILD_ROOT/var/adm/fillup-templates/sysconfig.saslauthd rm -f $RPM_BUILD_ROOT/%{_mandir}/cat?/* rm -f $RPM_BUILD_ROOT/%{_libdir}/sasl2/libsasldb* +rm -f $RPM_BUILD_ROOT/%{_libdir}/sasl2/libgssapiv2.so* +rm -f $RPM_BUILD_ROOT/%{_libdir}/sasl2/libgssapiv2.la rm -f $RPM_BUILD_ROOT/%{_libdir}/sasl2/libldapdb.la rm -f $RPM_BUILD_ROOT/%{_libdir}/sasl2/libsql.la -- Configure bugmail: https://bugzilla.novell.com/userprefs.cgi?tab=email ------- You are receiving this mail because: ------- You are on the CC list for the bug.
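Review bot: the Release tag in the first hunk (@@ -21,7 +21,7 @@) jumps from 85 to 87, skipping 86, and none of the three hunks adds a changelog entry for the change. Use the next free release number and record in the changelog that GSSAPI is now enabled for the saslauthd build, so the reappearance of kerberos5 in the "saslauthd -v" list can be traced to this package revision.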
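Review bot: the second hunk (@@ -118,7 +118,7 @@) flips --enable-gssapi=no to --enable-gssapi=yes, but no hunk in this patch touches the build dependencies. Confirm that the spec already requires the Kerberos/GSSAPI development headers at build time, and consider checking after the build that "saslauthd -v" lists kerberos5, so that a build environment without those headers does not go unnoticed. --enable-krb4=no on the following line is left as it is, which looks right.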
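Review bot: the two added "rm -f" lines in the third hunk (@@ -146,6 +146,8 @@) delete libgssapiv2.so* and libgssapiv2.la from the build root with no explanation. With GSSAPI now enabled the build produces this plugin and then discards it, so add a spec comment naming the package that is expected to ship libgssapiv2; otherwise a reader cannot tell whether dropping it here is intentional or leaves the plugin unpackaged.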
https://bugzilla.novell.com/show_bug.cgi?id=335754
Matej Horvath
https://bugzilla.novell.com/show_bug.cgi?id=335754#c1
Ralf Haferkamp
https://bugzilla.novell.com/show_bug.cgi?id=335754#c2
Ralf Müller
https://bugzilla.novell.com/show_bug.cgi?id=335754
Ralf Müller
https://bugzilla.novell.com/show_bug.cgi?id=335754#c3
--- Comment #3 from Ralf Haferkamp
> This - let's say feature - has been there in SuSE 9.3 and we used it to build a kerberized LDAP authentication service. After update to 10.3 this didn't work any more.

Ok, I didn't realize that this was ever enabled. But, it is at least disabled since 10.2. Sorry for that, we'll fix it with the next release.

> At least for us this bug is a show stopper. So "Enhancement" request is not really what I would call this report.
> As it is not a so major change to the existing package it would be great if you could include it to online update for 10.3.

We only release online updates for critical and more severe problems (for reference see http://en.opensuse.org/SUSE_Linux_Lifetime), which this is clearly not, even if it is a showstopper for you.

> So I move it back to 10.3 - and normal priority. If you have a hint how to solve the "kerberized LDAP"-problem without saslauthd - just tell me and move the report back to enhancement for 11.0.

Depends a bit on what you want to achieve. But I guess you can get similar functionality with using the "pam" authmech of saslauthd and a pam_krb5 configuration. Which is a bit hacky, I agree. But as you might know the kerberos5 authmech is a bit hacky (and not very secure) itself.
As an alternative you could install the saslauthd package from Factory, once I have included your patch.
https://bugzilla.novell.com/show_bug.cgi?id=335754#c4
--- Comment #4 from Ralf Müller
https://bugzilla.novell.com/show_bug.cgi?id=335754#c5
Ralf Haferkamp