[squid-users] upgrading from 3.3.8 to 3.4.5 crashes negotiate_kerberos_auth

From: George Billios <gbillios_at_runbox.com>
Date: Thu, 19 Jun 2014 09:40:42 +0300 (EEST)

Hi,

I'm trying to upgrade from 3.3.8 to 3.4.5 (3.4.x in general), compile squid with the same options (that are still valid in 3.4.x) and use negotiate authentication, but every time negotiate_kerberos_auth crashes with the following:

2014/06/18 23:06:20| negotiate_wrapper: Error reading Kerberos helper response
2014/06/18 23:06:20 kid1| WARNING: negotiateauthenticator #Hlpr0 exited
2014/06/18 23:06:21| negotiate_kerberos_auth: ERROR: krb5_pac_get_buffer: Invalid argument
*** glibc detected *** /usr/libexec/negotiate_kerberos_auth: double free or corruption (fasttop): 0x000000000159af00 ***
======= Backtrace: =========
/lib/libc.so.6(+0x71e16)[0x7f6bf3b3ae16]
/lib/libc.so.6(cfree+0x6c)[0x7f6bf3b3fb8c]
/usr/lib/libkrb5.so.3(krb5_free_data+0x12)[0x7f6bf54a3472]
/usr/libexec/negotiate_kerberos_auth[0x4044e9]
/usr/libexec/negotiate_kerberos_auth[0x40319c]
/lib/libc.so.6(__libc_start_main+0xfd)[0x7f6bf3ae7c8d]
/usr/libexec/negotiate_kerberos_auth[0x4018b9]
======= Memory map: ========
00400000-00407000 r-xp 00000000 08:12 523186 /usr/libexec/negotiate_kerberos_auth (deleted)
00607000-00608000 rw-p 00007000 08:12 523186 /usr/libexec/negotiate_kerberos_auth (deleted)
00608000-0060c000 rw-p 00000000 00:00 0
01594000-015b5000 rw-p 00000000 00:00 0 [heap]
7f6bec000000-7f6bec021000 rw-p 00000000 00:00 0
7f6bec021000-7f6bf0000000 ---p 00000000 00:00 0
7f6bf3090000-7f6bf309c000 r-xp 00000000 08:12 130570 /lib/libnss_files-2.11.3.so
7f6bf309c000-7f6bf329b000 ---p 0000c000 08:12 130570 /lib/libnss_files-2.11.3.so
7f6bf329b000-7f6bf329c000 r--p 0000b000 08:12 130570 /lib/libnss_files-2.11.3.so
7f6bf329c000-7f6bf329d000 rw-p 0000c000 08:12 130570 /lib/libnss_files-2.11.3.so
7f6bf329d000-7f6bf32a3000 r-xp 00000000 08:12 501154 /usr/lib/libnfnetlink.so.0.2.0
7f6bf32a3000-7f6bf34a2000 ---p 00006000 08:12 501154 /usr/lib/libnfnetlink.so.0.2.0
7f6bf34a2000-7f6bf34a3000 rw-p 00005000 08:12 501154 /usr/lib/libnfnetlink.so.0.2.0
7f6bf34a3000-7f6bf34ba000 r-xp 00000000 08:12 130795 /lib/libpthread-2.11.3.so
7f6bf34ba000-7f6bf36b9000 ---p 00017000 08:12 130795 /lib/libpthread-2.11.3.so
7f6bf36b9000-7f6bf36ba000 r--p 00016000 08:12 130795 /lib/libpthread-2.11.3.so
7f6bf36ba000-7f6bf36bb000 rw-p 00017000 08:12 130795 /lib/libpthread-2.11.3.so
7f6bf36bb000-7f6bf36bf000 rw-p 00000000 00:00 0
7f6bf36bf000-7f6bf36c1000 r-xp 00000000 08:12 130572 /lib/libkeyutils.so.1.3
7f6bf36c1000-7f6bf38c0000 ---p 00002000 08:12 130572 /lib/libkeyutils.so.1.3
7f6bf38c0000-7f6bf38c1000 rw-p 00001000 08:12 130572 /lib/libkeyutils.so.1.3
7f6bf38c1000-7f6bf38c8000 r-xp 00000000 08:12 497948 /usr/lib/libkrb5support.so.0.1
7f6bf38c8000-7f6bf3ac8000 ---p 00007000 08:12 497948 /usr/lib/libkrb5support.so.0.1
7f6bf3ac8000-7f6bf3ac9000 rw-p 00007000 08:12 497948 /usr/lib/libkrb5support.so.0.1
7f6bf3ac9000-7f6bf3c22000 r-xp 00000000 08:12 130805 /lib/libc-2.11.3.so
7f6bf3c22000-7f6bf3e21000 ---p 00159000 08:12 130805 /lib/libc-2.11.3.so
7f6bf3e21000-7f6bf3e25000 r--p 00158000 08:12 130805 /lib/libc-2.11.3.so
7f6bf3e25000-7f6bf3e26000 rw-p 0015c000 08:12 130805 /lib/libc-2.11.3.so
7f6bf3e26000-7f6bf3e2b000 rw-p 00000000 00:00 0
7f6bf3e2b000-7f6bf3e41000 r-xp 00000000 08:12 130565 /lib/libgcc_s.so.1
7f6bf3e41000-7f6bf4040000 ---p 00016000 08:12 130565 /lib/libgcc_s.so.1
7f6bf4040000-7f6bf4041000 rw-p 00015000 08:12 130565 /lib/libgcc_s.so.1
7f6bf4041000-7f6bf40c1000 r-xp 00000000 08:12 130829 /lib/libm-2.11.3.so
7f6bf40c1000-7f6bf42c1000 ---p 00080000 08:12 130829 /lib/libm-2.11.3.so
7f6bf42c1000-7f6bf42c2000 r--p 00080000 08:12 130829 /lib/libm-2.11.3.so
7f6bf42c2000-7f6bf42c3000 rw-p 00081000 08:12 130829 /lib/libm-2.11.3.so
7f6bf42c3000-7f6bf43b9000 r-xp 00000000 08:12 504357 /usr/lib/libstdc++.so.6.0.13
7f6bf43b9000-7f6bf45b9000 ---p 000f6000 08:12 504357 /usr/lib/libstdc++.so.6.0.13
7f6bf45b9000-7f6bf45c0000 r--p 000f6000 08:12 504357 /usr/lib/libstdc++.so.6.0.13
7f6bf45c0000-7f6bf45c2000 rw-p 000fd000 08:12 504357 /usr/lib/libstdc++.so.6.0.13
7f6bf45c2000-7f6bf45d7000 rw-p 00000000 00:00 0
7f6bf45d7000-7f6bf45d9000 r-xp 00000000 08:12 130828 /lib/libdl-2.11.3.so
7f6bf45d9000-7f6bf47d9000 ---p 00002000 08:12 130828 /lib/libdl-2.11.3.so
7f6bf47d9000-7f6bf47da000 r--p 00002000 08:12 130828 /lib/libdl-2.11.3.so
7f6bf47da000-7f6bf47db000 rw-p 00003000 08:12 130828 /lib/libdl-2.11.3.so
7f6bf47db000-7f6bf47e2000 r-xp 00000000 08:12 130799 /lib/librt-2.11.3.so
7f6bf47e2000-7f6bf49e1000 ---p 00007000 08:12 130799 /lib/librt-2.11.3.so
7f6bf49e1000-7f6bf49e2000 r--p 00006000 08:12 130799 /lib/librt-2.11.3.so
7f6bf49e2000-7f6bf49e3000 rw-p 00007000 08:12 130799 /lib/librt-2.11.3.so
7f6bf49e3000-7f6bf49f4000 r-xp 00000000 08:12 498554 /usr/lib/libnetfilter_conntrack.so.3.0.0
7f6bf49f4000-7f6bf4bf3000 ---p 00011000 08:12 498554 /usr/lib/libnetfilter_conntrack.so.3.0.0
7f6bf4bf3000-7f6bf4bf5000 rw-p 00010000 08:12 498554 /usr/lib/libnetfilter_conntrack.so.3.0.0
7f6bf4bf5000-7f6bf4c08000 r-xp 00000000 08:12 130780 /lib/libresolv-2.11.3.so
7f6bf4c08000-7f6bf4e07000 ---p 00013000 08:12 130780 /lib/libresolv-2.11.3.so
7f6bf4e07000-7f6bf4e08000 r--p 00012000 08:12 130780 /lib/libresolv-2.11.3.so
7f6bf4e08000-7f6bf4e09000 rw-p 00013000 08:12 130780 /lib/libresolv-2.11.3.so
7f6bf4e09000-7f6bf4e0b000 rw-p 00000000 00:00 0
7f6bf4e0b000-7f6bf4e20000 r-xp 00000000 08:12 130813 /lib/libnsl-2.11.3.so
7f6bf4e20000-7f6bf501f000 ---p 00015000 08:12 130813 /lib/libnsl-2.11.3.so
7f6bf501f000-7f6bf5020000 r--p 00014000 08:12 130813 /lib/libnsl-2.11.3.so
7f6bf5020000-7f6bf5021000 rw-p 00015000 08:12 130813 /lib/libnsl-2.11.3.so
7f6bf5021000-7f6bf5023000 rw-p 00000000 00:00 0
7f6bf5023000-7f6bf5026000 r-xp 00000000 08:12 130566 /lib/libcom_err.so.2.1
7f6bf5026000-7f6bf5225000 ---p 00003000 08:12 130566 /lib/libcom_err.so.2.1
7f6bf5225000-7f6bf5226000 rw-p 00002000 08:12 130566 /lib/libcom_err.so.2.1
7f6bf5226000-7f6bf524b000 r-xp 00000000 08:12 498628 /usr/lib/libk5crypto.so.3.1
7f6bf524b000-7f6bf544a000 ---p 00025000 08:12 498628 /usr/lib/libk5crypto.so.3.1
7f6bf544a000-7f6bf544c000 rw-p 00024000 08:12 498628 /usr/lib/libk5crypto.so.3.1
7f6bf544c000-7f6bf550a000 r-xp 00000000 08:12 497972 /usr/lib/libkrb5.so.3.3
7f6bf550a000-7f6bf5709000 ---p 000be000 08:12 497972 /usr/lib/libkrb5.so.3.3
7f6bf5709000-7f6bf5714000 rw-p 000bd000 08:12 497972 /usr/lib/libkrb5.so.3.3
7f6bf5714000-7f6bf5747000 r-xp 00000000 08:12 497968 /usr/lib/libgssapi_krb5.so.2.2
7f6bf5747000-7f6bf5947000 ---p 00033000 08:12 497968 /usr/lib/libgssapi_krb5.so.2.2
7f6bf5947000-7f6bf5949000 rw-p 00033000 08:12 497968 /usr/lib/libgssapi_krb5.so.2.2
7f6bf5949000-7f6bf5967000 r-xp 00000000 08:12 130797 /lib/ld-2.11.3.so
7f6bf5b54000-7f6bf5b5d000 rw-p 00000000 00:00 0
7f6bf5b64000-7f6bf5b66000 rw-p 00000000 00:00 0
7f6bf5b66000-7f6bf5b67000 r--p 0001d000 08:12 130797 /lib/ld-2.11.3.so
7f6bf5b67000-7f6bf5b68000 rw-p 0001e000 08:12 130797 /lib/ld-2.11.3.so
7f6bf5b68000-7f6bf5b69000 rw-p 00000000 00:00 0
7fff87760000-7fff8777b000 rw-p 00000000 00:00 0 [stack]
7fff877ff000-7fff87800000 r-xp 00000000 00:00 0 [vdso]
ffffffffff600000-ffffffffff601000 r-xp 00000000 00:00 0 [vsyscall]

This is on up to date Debian 6.0.9 .

The relevant squid.conf part doesn't change:

auth_param negotiate program /usr/libexec/negotiate_wrapper_auth --ntlm /usr/bin/ntlm_auth --helper-protocol=squid-2.5-ntlmssp --kerberos /usr/libexec/negotiate_kerberos_auth -r -s GSS_C_NO_NAME
auth_param negotiate children 200 startup=50 idle=10
auth_param negotiate keep_alive off

nor does krb5.conf

Compile string:

./configure --prefix=/usr --datadir=/usr/share/squid3 --sysconfdir=/etc/squid3 --mandir=/usr/share/man --with-cppunit-basedir=/usr --enable-inline --enable-async-io=8 --enable-storeio=ufs,aufs,diskd --enable-removal-policies=lru,heap --enable-delay-pools --enable-cache-digests --enable-underscores --enable-icap-client --enable-follow-x-forwarded-for --enable-auth --enable-basic-auth-helpers=LDAP,MSNT,NCSA,PAM,SASL,SMB,YP,getpwnam,multi-domain-NTLM --enable-ntlm-auth-helpers=smb_lm --enable-digest-auth-helpers=ldap,password --enable-external-acl-helpers=file_userip,LDAP_group,unix_group,wbinfo_group --with-filedescriptors=65536 --with-default-user=proxy --enable-negotiate-auth-helpers=squid_kerb_auth,kerberos,wrapper,SSPI --with-large-files --enable-wccp --enable-linux-netfilter --enable-http-violations --disable-ipv6

I'm not sure how to debug this more or if something changed between 3.3.x and 3.4.x that break this and I missed it.
Received on Thu Jun 19 2014 - 06:40:45 MDT

This archive was generated by hypermail 2.2.0 : Thu Jun 19 2014 - 12:00:05 MDT