Re: Smbk5pwd and Heimdal 0.7 not playing nice?



Perry Nguyen wrote:
>> -----Original Message-----
>> From: Howard Chu [mailto:hyc@highlandsun.com] 
>> Sent: Tuesday, August 02, 2005 11:41 AM
>> To: Perry Nguyen

>>> While running smbk5pwd through gdb, I'm not able to step through
>>> krb5_init_context, but if I run add_random_users, I am able to step through,
>>> (am I missing any gdb options?)
>> Most likely you're not linking against the same library in both cases.
>> There are no gdb options to control this, it all just depends on whether
>> or not the object file has debug symbols.
> 
> That's an interesting point.  My slapd executable is linked against
> libkrb5.so.3 in /usr/lib, while I am linking smbk5pwd against heimdal in
> /usr/heimdal/lib/libkrb5.so.17.  Of course, krb5_init_context is also
> defined in libkrb5.so.3.  Perhaps this causes some amount of
> incompatibility?  Do I need to rebuild slapd without linking in the MIT krb5
> libraries?  Change the Heimdal soname to be compatible with MIT?  Compile
> slapd without krb5 support at all?  (In this case, SASL should handle
> anything krb5 related, yes?)

You cannot use two different Kerberos libraries in the same program.

As a general rule, the MIT Kerberos libraries are unsafe for use in 
threaded programs. They are known to cause memory leaks and SEGVs when 
linked into slapd. These problems do not occur when using the Heimdal 
libraries. The OpenLDAP project recommends against using the MIT libraries.

Furthermore, slapd doesn't call any Kerberos library functions itself. 
There should be no reason for any Kerberos libraries to be directly 
linked to slapd. The only supported use of Kerberos with slapd is 
through the SASL GSSAPI mechanism, and that is all handled by Cyrus 
SASL; slapd never touches any Kerberos APIs.

-- 
   -- Howard Chu
   Chief Architect, Symas Corp.  http://www.symas.com
   Director, Highland Sun        http://highlandsun.com/hyc
   OpenLDAP Core Team            http://www.openldap.org/project/
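
An added example, not part of the original message or of OpenLDAP: a shell check for the situation discussed above, where the slapd executable and the smbk5pwd module each pull in a different libkrb5. It parses ldd-style output; the function names are hypothetical and the sample listings are constructed from the sonames and directories mentioned in the thread.

```shell
#!/bin/sh
# Added example: spot two different libkrb5 builds that would share one process.
# On a real host, feed it `ldd <slapd binary>` and `ldd <smbk5pwd module>`
# (placeholder paths; the thread does not give them). Run ldd only on
# binaries you trust, since it may execute the target's loader.

# Constructed sample: ldd-style listing for the slapd executable.
sample_slapd() {
cat <<'EOF'
    libkrb5.so.3 => /usr/lib/libkrb5.so.3 (0x00000000)
    libsasl2.so.2 => /usr/lib/libsasl2.so.2 (0x00000000)
    libc.so.6 => /lib/libc.so.6 (0x00000000)
EOF
}

# Constructed sample: ldd-style listing for the smbk5pwd module.
sample_module() {
cat <<'EOF'
    libkrb5.so.17 => /usr/heimdal/lib/libkrb5.so.17 (0x00000000)
    libc.so.6 => /lib/libc.so.6 (0x00000000)
EOF
}

# Print "soname path" for every libkrb5 entry in ldd-style text on stdin.
krb5_libs() {
    awk '$1 ~ /^libkrb5\.so/ && $2 == "=>" { print $1, $3 }' | sort -u
}

# Print how many distinct libkrb5 sonames appear in ldd-style text on stdin.
krb5_soname_count() {
    krb5_libs | awk '!seen[$1]++ { n++ } END { print n + 0 }'
}

# Exit 0 when stdin names more than one libkrb5 soname, i.e. two Kerberos
# implementations would be mapped into the same process.
krb5_conflict() {
    [ "$(krb5_soname_count)" -gt 1 ]
}

# Combine both listings, as they would be combined in the running slapd.
if { sample_slapd; sample_module; } | krb5_conflict; then
    echo "conflict: more than one libkrb5 would be loaded into one process:"
    { sample_slapd; sample_module; } | krb5_libs
fi
```
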