Bug #58089 for GSSAPI: GSSAPI samples generate either warnings or failures on exit

Thu Jun 03 08:38:00 2010 w.phillip.moore [...] gmail.com - Ticket created

Subject:

GSSAPI samples generate either warnings or failures on exit

I have just installed GSSAPI-0.27, using perl5.10.1, on several different systems, and discovered a problem common to all of them. On two different Linux systems (CentOS 5.4 and Debian 5.0), using the latest libgssapi_krb5 available on both, glibc generates a backtrace upon exit when gss-client.pl is run, but only when authentication has been successful. On FreeBSD, which includes Heimdal instead of MIT, a similar error occurs, but there is no backtrace generated. The errors remind me of similar issues I had when working on the MQSeries module I developed in the late 1990s: XS reference count leaks. Here's the error you get on FreeBSD, for example: [root@rpefst07 /var/tmp/GSSAPI-0.27/examples]# perl ./gss-client.pl -port 12345 - hostname rpefst07.test.efs -prodid host -mutual ./gss-client.pl: using [host@…:12345] CLIENT::principal [host@…] means going to communicate with server name [host@…] SERVER::accepted connection from client ... CLIENT::gss_init_sec_context success CLIENT::going to identify client to server CLIENT::have token to send ... CLIENT::GSS token length is 583 SERVER::received token (length is 583): CLIENT::sent token to server SERVER::authenticated client name is efsops@… SERVER::Have mutual token to send ... SERVER::GSS token size: 161 SERVER::sent token (length is 161) SERVER::waiting for request ... CLIENT::Mutual auth requested ... CLIENT::got mutual auth token from server CLIENT::mutual auth token length is 161 CLIENT::gss_init_sec_context success CLIENT::confirmed server identity from mutual token CLIENT::authenticated server name is host@… Argument "" isn't numeric in null operation at ./gss-client.pl line 153. (in cleanup) oid has no value at ./gss-client.pl line 153. Line 153 is "exit 0", of course. This only occurs upon exit. On FreeBSD< this is just an annoying warning, since the code still exits 0. However, on both CentOS and Debian, the script fails and generate the following backtrace: rpefst03:/var/tmp/GSSAPI-0.27/examples# perl ./gss-client.pl -port 12345 -hostname rpefst03.test.efs -prodid host ./gss-client.pl: using [host@…:12345] CLIENT::principal [host@…] means going to communicate with server name [host@…] SERVER::accepted connection from client ... CLIENT::gss_init_sec_context success CLIENT::going to identify client to server CLIENT::have token to send ... CLIENT::GSS token length is 526 SERVER::received token (length is 526): CLIENT::sent token to server *** glibc detected *** perl: munmap_chunk(): invalid pointer: 0x00007f0e4a2ee798 *** ======= Backtrace: ========= /lib/libc.so.6[0x7f0e4ab8c928] /usr/lib/libgssapi_krb5.so.2[0x7f0e4a2d8689] /usr/efs/lib/perl5/site_perl/5.10.1/x86_64-linux-thread- multi/auto/GSSAPI/GSSAPI.so(XS_GSSAPIOID_DESTROY+0x158)[0x7f0e4a5078d8] perl(Perl_pp_entersub+0x594)[0x4942d4] perl(Perl_call_sv+0x64e)[0x43638e] perl(Perl_sv_clear+0x157)[0x4a7017] perl(Perl_sv_free2+0x52)[0x4a77b2] perl(Perl_leave_scope+0xd9a)[0x4c4f2a] perl(Perl_pp_leave+0x106)[0x494936] perl(Perl_runops_standard+0x12)[0x492782] perl(perl_run+0x30f)[0x436cdf] perl(main+0xd4)[0x4217e4] /lib/libc.so.6(libc_start_main+0xe6)[0x7f0e4ab371a6] perl(sin+0xc1)[0x421649] ======= Memory map: ======== 00400000-00557000 r-xp 00000000 08:01 304271 /usr/efs-2010-06-01/bin/perl 00756000-0075a000 rw-p 00156000 08:01 304271 /usr/efs-2010-06-01/bin/perl 0075a000-00a30000 rw-p 0075a000 00:00 0 [heap] 7f0e48db4000-7f0e48dca000 r-xp 00000000 08:01 466035 /lib/libgcc_s.so.1 7f0e48dca000-7f0e48fca000 ---p 00016000 08:01 466035 /lib/libgcc_s.so.1 7f0e48fca000-7f0e48fcb000 rw-p 00016000 08:01 466035 /lib/libgcc_s.so.1 7f0e48fcb000-7f0e48fcf000 r-xp 00000000 08:01 466383 /lib/libnss_dns-2.7.so 7f0e48fcf000-7f0e491ce000 ---p 00004000 08:01 466383 /lib/libnss_dns-2.7.so 7f0e491ce000-7f0e491d0000 rw-p 00003000 08:01 466383 /lib/libnss_dns-2.7.so 7f0e491d0000-7f0e491da000 r-xp 00000000 08:01 466364 /lib/libnss_files-2.7.so 7f0e491da000-7f0e493da000 ---p 0000a000 08:01 466364 /lib/libnss_files-2.7.so 7f0e493da000-7f0e493dc000 rw-p 0000a000 08:01 466364 /lib/libnss_files-2.7.so 7f0e493dc000-7f0e493df000 r-xp 00000000 08:01 368524 /usr/efs-2010-06- 01/lib/perl5/5.10.1/x86_64-linux-thread-multi/auto/MIME/Base64/Base64.so 7f0e493df000-7f0e495de000 ---p 00003000 08:01 368524 /usr/efs-2010-06- 01/lib/perl5/5.10.1/x86_64-linux-thread-multi/auto/MIME/Base64/Base64.so 7f0e495de000-7f0e495df000 rw-p 00002000 08:01 368524 /usr/efs-2010-06- 01/lib/perl5/5.10.1/x86_64-linux-thread-multi/auto/MIME/Base64/Base64.so 7f0e495df000-7f0e495ef000 r-xp 00000000 08:01 466382 /lib/libresolv-2.7.so 7f0e495ef000-7f0e497ef000 ---p 00010000 08:01 466382 /lib/libresolv-2.7.so 7f0e497ef000-7f0e497f1000 rw-p 00010000 08:01 466382 /lib/libresolv-2.7.so 7f0e497f1000-7f0e497f3000 rw-p 7f0e497f1000 00:00 0 7f0e497f3000-7f0e497f5000 r-xp 00000000 08:01 466034 /lib/libkeyutils-1.2.so 7f0e497f5000-7f0e499f4000 ---p 00002000 08:01 466034 /lib/libkeyutils-1.2.so 7f0e499f4000-7f0e499f5000 rw-p 00001000 08:01 466034 /lib/libkeyutils-1.2.so 7f0e499f5000-7f0e499fc000 r-xp 00000000 08:01 279311 /usr/lib/libkrb5support.so.0.1 7f0e499fc000-7f0e49bfc000 ---p 00007000 08:01 279311 /usr/lib/libkrb5support.so.0.1 7f0e49bfc000-7f0e49bfd000 rw-p 00007000 08:01 279311 /usr/lib/libkrb5support.so.0.1 7f0e49bfd000-7f0e49c00000 r-xp 00000000 08:01 466085 /lib/libcom_err.so.2.1 7f0e49c00000-7f0e49dff000 ---p 00003000 08:01 466085 /lib/libcom_err.so.2.1 7f0e49dff000-7f0e49e00000 rw-p 00002000 08:01 466085 /lib/libcom_err.so.2.1 7f0e49e00000-7f0e49e24000 r-xp 00000000 08:01 279312 /usr/lib/libk5crypto.so.3.1 7f0e49e24000-7f0e4a024000 ---p 00024000 08:01 279312 /usr/lib/libk5crypto.so.3.1 7f0e4a024000-7f0e4a026000 rw-p 00024000 08:01 279312 /usr/lib/libk5crypto.so.3.1 7f0e4a026000-7f0e4a0c3000 r-xp 00000000 08:01 279309 /usr/lib/libkrb5.so.3.3 7f0e4a0c3000-7f0e4a2c3000 ---p 0009d000 08:01 279309 /usr/lib/libkrb5.so.3.3 7f0e4a2c3000-7f0e4a2c7000 rw-p 0009d000 08:01 279309 /usr/lib/libkrb5.so.3.3 7f0e4a2c7000-7f0e4a2f2000 r-xp 00000000 08:01 279308 /usr/lib/libgssapi_krb5.so.2.2 7f0e4a2f2000-7f0e4a4f1000 ---p 0002b000 08:01 279308 /usr/lib/libgssapi_krb5.so.2.2 7f0e4a4f1000-7f0e4a4f3000 rw-p 0002a000 08:01 279308 /usr/lib/libgssapi_krb5.so.2.2 7f0e4a4f3000-7f0e4a50e000 r-xp 00000000 08:01 354228 /usr/efs-2010-06- 01/lib/perl5/site_perl/5.10.1/x86_64-linux-thread-multi/auto/GSSAPI/GSSAPI.so 7f0e4a50e000-7f0e4a70d000 ---p 0001b000 08:01 354228 /usr/efs-2010-06- 01/lib/perl5/site_perl/5.10.1/x86_64-linux-thread-multi/auto/GSSAPI/GSSAPI.so 7f0e4a70d000-7f0e4a70e000 rw-p 0001a000 08:01 354228 /usr/efs-2010-06- 01/lib/perl5/site_perl/5.10.1/x86_64-linux-thread-multi/auto/GSSAPI/GSSAPI.so 7f0e4a70e000-7f0e4a713000 r-xp 00000000 08:01 368478 /usr/efs-2010-06- 01/lib/perl5/5.10.1/x86_64-linux-thread-multi/auto/Socket/Socket.so 7f0e4a713000-7f0e4a912000 ---p 00005000 08:01 368478 /usr/efs-2010-06- 01/lib/perl5/5.10.1/x86_64-linux-thread-multi/auto/Socket/Socket.so 7f0e4a912000-7f0e4a914000 rw-p 00004000 08:01 368478 /usr/efs-2010-06- 01/lib/perl5/5.10.1/x86_64-linux-thread-multi/auto/Socket/Socket.so 7f0e4a914000-7f0e4a919000 r-xp 00000000 08:01 368383 /usr/efs-2010-06- 01/lib/perl5/5.10.1/x86_64-linux-thread-multi/auto/IO/IO.so 7f0e4a919000-7f0e4ab18000 ---p 00005000 08:01 368383 /usr/efs-2010-06- 01/lib/perl5/5.10.1/x86_64-linux-thread-multi/auto/IO/IO.so 7f0e4ab18000-7f0e4ab19000 rw-p 00004000 08:01 368383 /usr/efs-2010-06- 01/lib/perl5/5.10.1/x86_64-linux-thread-multi/auto/IO/IO.so 7f0e4ab19000-7f0e4ac63000 r-xp 00000000 08:01 466381 /lib/libc-2.7.so 7f0e4ac63000-7f0e4ae62000 ---p 0014a000 08:01 466381 /lib/libc-2.7.so 7f0e4ae62000-7f0e4ae65000 r--p 00149000 08:01 466381 /lib/libc-2.7.so 7f0e4ae65000-7f0e4ae67000 rw-p 0014c000 08:01 466381 /lib/libc-2.7.so 7f0e4ae67000-7f0e4ae6c000 rw-p 7f0e4ae67000 00:00 0 7f0e4ae6c000-7f0e4ae82000 r-xp 00000000 08:01 466384 /lib/libpthread-2.7.so 7f0e4ae82000-7f0e4b082000 ---p 00016000 08:01 466384 /lib/libpthread-2.7.so 7f0e4b082000-7f0e4b084000 rw-p 00016000 08:01 466384 /lib/libpthread-2.7.so 7f0e4b084000-7f0e4b088000 rw-p 7f0e4b084000 00:00 0 7f0e4b088000-7f0e4b08a000 r-xp 00000000 08:01 466367 /lib/libutil-2.7.so 7f0e4b08a000-7f0e4b289000 ---p 00002000 08:01 466367 /lib/libutil-2.7.so 7f0e4b289000-7f0e4b28b000 rw-p 00001000 08:01 466367 /lib/libutil-2.7.so 7f0e4b28b000-7f0e4b293000 r-xp 00000000 08:01 466378 /lib/libcrypt-2.7.so 7f0e4b293000-7f0e4b493000 ---p 00008000 08:01 466378 /lib/libcrypt-2.7.so 7f0e4b493000-7f0e4b495000 rw-p 00008000 08:01 466378 /lib/libcrypt-2.7.so 7f0e4b495000-7f0e4b4c3000 rw-p 7f0e4b495000 00:00 0 7f0e4b4c3000-7f0e4b545000 r-xp 00000000 08:01 466386 /lib/libm-2.7.so 7f0e4b545000-7f0e4b744000 ---p 00082000 08:01 466386 /lib/libm-2.7.so 7f0e4b744000-7f0e4b746000 rw-p 00081000 08:01 466386 /lib/libm-2.7.so 7f0e4b746000-7f0e4b748000 r-xp 00000000 08:01 466370 /lib/libdl-2.7.so 7f0e4b748000-7f0e4b948000 ---p 00002000 08:01 466370 /lib/libdl-2.7.so 7f0e4b948000-7f0e4b94a000 rw-p 00002000 08:01 466370 /lib/libdl-2.7.so 7f0e4b94a000-7f0e4b95f000 r-xp 00000000 08:01 466379 /lib/libnsl-2.7.so 7f0e4b95f000-7f0e4bb5e000 ---p 00015000 08:01 466379 /lib/libnsl-2.7.so 7f0e4bb5e000-7f0e4bb60000 rw-p 00014000 08:01 466379 /lib/libnsl-2.7.so 7f0e4bb60000-7f0e4bb62000 rw-p 7f0e4bb60000 00:00 0 7f0e4bb62000-7f0e4bb7e000 r-xp 00000000 08:01 466372 /lib/ld-2.7.so 7f0e4bc38000-7f0e4bd72000 r--p 00000000 08:01 295075 /usr/lib/locale/locale-archive 7f0e4bd72000-7f0e4bd76000 rw-p 7f0e4bd72000 00:00 0 7f0e4bd7a000-7f0e4bd7d000 rw-p 7f0e4bd7a000 00:00 0 7f0e4bd7d000-7f0e4bd7f000 rw-p 0001b000 08:01 466372 /lib/ld-2.7.so 7ffffffe9000-7fffffffe000 rw-p 7ffffffea000 00:00 0 [stack] 7fffffffe000-7ffffffff000 r-xp 7fffffffe000 00:00 0 [vdso] ffffffffff600000-ffffffffff601000 r-xp 00000000 00:00 0 [vsyscall] Aborted When authentication is not successful, say after running kdestroy to purge the client's credentials cache, then the script generates a warning as well: [root@rpefst01 examples]# perl ./gss-client.pl -port 12345 -hostname rpefst01.test.efs - prodid host -mutual ./gss-client.pl: using [host@…:12345] CLIENT::principal [host@…] means going to communicate with server name [host@…] SERVER::accepted connection from client ... CLIENT::Unable to initialize security context: MAJOR::Unspecified GSS failure. Minor code may provide more information MINOR::Unknown code krb5 195 (in cleanup) oid has no value at ./gss-client.pl line 171. Use of uninitialized value in subroutine entry at ./gss-server.pl line 78. SERVER::received token (length is 0): SERVER::waiting for request ... Argument "" isn't numeric in null operation at ./gss-client.pl line 171. I am not new to Kerberos or XS programming, but I am new to GSSAPI. I fought numerous similar errors in the development of the MQSeries CPAN module, and they were all subtle issues about managing the reference counts of SVs and IVs and other perl data structures created in the XS code. I have not included the specific krb5 library versions here, since the same error occurs on numerous platforms, and I think we can safely assume the error is in the GSSAPI XS code. Somewhere.... Just have to find it now. I'll be spending time investigation this today, and will follow up with additional information as I have it.

Thu Jun 03 09:03:51 2010 w.phillip.moore [...] gmail.com - Correspondence added

FWIW, I've just verified that the problem is reproducible, at least on CentOS, for every GSSAPI release from 0.22 through 0.27 (all the ones available in the author's download directory). Investigation continues.... Next, I'll be compiling debug versions of perl5.10.1 and GSSAPI, and see what new information I can glean.

Thu Jun 03 09:03:52 2010 The RT System itself - Status changed from 'new' to 'open'

Thu Jun 03 09:48:14 2010 achim [...] grolmsnet.de - Correspondence added

Subject:	Re: [rt.cpan.org #58089] GSSAPI samples generate either warnings or failures on exit
Date:	Thu, 3 Jun 2010 15:47:58 +0200
To:	bug-GSSAPI [...] rt.cpan.org
From:	Achim Grolms <achim [...] grolmsnet.de>

On Thursday 03 June 2010, Phillip Moore via RT wrote: Show quoted text

> FWIW, I've just verified that the problem is reproducible, at least on > CentOS, for every GSSAPI release from 0.22 through 0.27 (all the ones > available in the author's download directory).

Hi Phillip, thank you very much for investigating! If you need older Versions of code: You can access older releases by SVN at <https://perlgssapi.svn.sourceforge.net/svnroot/perlgssapi/GSSAPI/releases> More older Versions are available at <http://search.cpan.org/~pguen/> Or the complete set Versions in Backpan: to 0.13 at <http://backpan.perl.org/authors/id/P/PG/PGUEN/> 0.14 until now at <http://backpan.perl.org/authors/id/A/AG/AGROLMS/> Thank you very much for your work! Best Regards, Achim

Thu Jun 03 10:00:34 2010 w.phillip.moore [...] gmail.com - Correspondence added

You're more than welcome. However, I really don't want to keep going back in time, if at all possible. Are you able to run the gss-server.pl and gss-client.pl examples without errors on any platform right now? If so, perhaps comparing the versions of kerberos, perl, etc between a working and non- working environment will provide some useful clues. I've just verified that the problems happens both for threaded and non-threaded perl, and I have a debugging perl to work with as well. Sadly, the last time I tried to figure out how to step through XS code inside gdb, I was never able to figure it out (this was 10 years ago, when working on the MQSeries code). This is a critical issue to me: we need to add Kerberos support to our application, and I really would prefer to use the GSSAPI, so getting this working is very important to me. Any additional clues of suggestions for where to investigate next would be very welcome. On Thu Jun 03 09:48:14 2010, achim@grolmsnet.de wrote: Show quoted text

> On Thursday 03 June 2010, Phillip Moore via RT wrote: >

> > FWIW, I've just verified that the problem is reproducible, at least on > > CentOS, for every GSSAPI release from 0.22 through 0.27 (all the ones > > available in the author's download directory).

> > Hi Phillip, > > thank you very much for investigating! > > If you need older Versions of code: > > You can access older releases by SVN at > <https://perlgssapi.svn.sourceforge.net/svnroot/perlgssapi/GSSAPI/releases> > > > More older Versions are available at > <http://search.cpan.org/~pguen/> > > > > Or the complete set Versions in Backpan: > > > to 0.13 at > <http://backpan.perl.org/authors/id/P/PG/PGUEN/> > > 0.14 until now at > <http://backpan.perl.org/authors/id/A/AG/AGROLMS/> > > Thank you very much for your work! > > Best Regards, > Achim >

Thu Jun 03 10:37:40 2010 achim [...] grolmsnet.de - Correspondence added

CC:	bug-GSSAPI [...] rt.cpan.org
Subject:	Re: [rt.cpan.org #58089] GSSAPI samples generate either warnings or failures on exit
Date:	Thu, 3 Jun 2010 16:37:28 +0200
To:	w.phillip.moore [...] gmail.com
From:	Achim Grolms <achim [...] grolmsnet.de>

On Thursday 03 June 2010, Phillip Moore via RT wrote: Show quoted text

> Queue: GSSAPI > Ticket <URL: https://rt.cpan.org/Ticket/Display.html?id=58089 >

Show quoted text

> Are you able to run the gss-server.pl and gss-client.pl > examples without errors on any platform right now?

Hi Phillip, 1. I've never used gss-client.pl and gss-server.pl by myself, and currently I have no access to my Test-environment with the KDC and keytabs required. (I will setup one for this test, but at the moment I have no access). 2. gss-client.pl makes use of display() method, and GSSAPI 0.28 includes some fixes related to the buffers used by display(). Can you please give the SVN version at https://perlgssapi.svn.sourceforge.net/svnroot/perlgssapi/GSSAPI/trunk/GSSAPI a try if this version shows the same results? 3. gss-client.pl makes use of the GSSAPI calls 'display()' and 'init()'. Can you do a quick "debug" of your gss-client.pl and uncomment the calls to 'display()' (Line 117-119) to check if the problems result by the use of 'display()'? 4. Does your test fail when not running with '-mutual' flag? Best Regards, Achim

Thu Jun 03 11:29:51 2010 w.phillip.moore@gmail.com - Correspondence added

CC:	bug-GSSAPI [...] rt.cpan.org
Subject:	Re: [rt.cpan.org #58089] GSSAPI samples generate either warnings or failures on exit
Date:	Thu, 3 Jun 2010 11:29:36 -0400
To:	achim [...] grolmsnet.de
From:	Phillip Moore <w.phillip.moore [...] gmail.com>

Is there a packaged tarball of 0.28 available? That URL leads me to the indiviudual files, which are tedious to download, and highly error-prone. I just verified that after commenting all of the calls to ->display, the same error occurs. I get this with and without the -mutual call. On Thu, Jun 3, 2010 at 10:37 AM, Achim Grolms <achim@grolmsnet.de> wrote: Show quoted text

> On Thursday 03 June 2010, Phillip Moore via RT wrote:

> > Queue: GSSAPI > > Ticket <URL: https://rt.cpan.org/Ticket/Display.html?id=58089 >

> > Are you able to run the gss-server.pl and gss-client.pl > > examples without errors on any platform right now?

> > Hi Phillip, > > 1. I've never used gss-client.pl and gss-server.pl by myself, > and currently I have no access to my Test-environment with the KDC and > keytabs required. (I will setup one for this test, but at the moment I have > no access). > > 2. gss-client.pl makes use of display() method, and GSSAPI 0.28 includes > some > fixes related to the buffers used by display(). > > Can you please give the SVN version at > > https://perlgssapi.svn.sourceforge.net/svnroot/perlgssapi/GSSAPI/trunk/GSSAPI > a try if this version shows the same results? > > 3. gss-client.pl makes use of the GSSAPI calls 'display()' and 'init()'. > > Can you do a quick "debug" of your gss-client.pl and uncomment the calls > to > 'display()' (Line 117-119) > to check if the problems result by the use of 'display()'? > > 4. Does your test fail when not running with '-mutual' flag? > > > Best Regards, > Achim >

Thu Jun 03 17:10:18 2010 w.phillip.moore [...] gmail.com - Correspondence added

First of all, thanks to Achim for working with me remotely to figure this out. We have agreed that there is a reference count leak of some kind in the XS code. Finding it won't be fun. However, the attached patch worksaround the issue seen in the examples, and also sets default CLI arguments for both so that they can be run more easily: ./gss-server.pl & ./gss-client.pl -mutual IOW, all of the arguments are optional now. Thanks again for the module, and the help. I expect to use this code to secure some critical infrastructure now.

Subject:

GSSAPI-0.27.patch

diff -r -u GSSAPI-0.27/examples/gss-client.pl GSSAPI-0.27-patched/examples/gss-client.pl --- GSSAPI-0.27/examples/gss-client.pl 2008-02-02 08:36:21.000000000 -0500 +++ GSSAPI-0.27-patched/examples/gss-client.pl 2010-06-03 17:05:13.000000000 -0400 @@ -6,37 +6,23 @@ use Getopt::Long; use IO::Socket::INET; - +use Sys::Hostname; use GSSAPI; use MIME::Base64; -my %opt; - -unless(GetOptions(\%opt, qw(prodid=s hostname=s port=s mutual))) { - print "$0 needs arguments, provide at least -prodid and -hostname, optionally -port (defauly 10000) or -mutual (for two sided authentication)\n"; - exit(1); -} +my %opt = ( + prodid => 'host', + port => 10000, + hostname => hostname(), +); -if(! $opt{hostname}) { - die "$0: must specify -hostname\n"; -} +GetOptions(\%opt, qw(prodid=s hostname=s port=s mutual)) or + die "Usage: $0 [ --hostname 'hostname' ] [ --prodid 'prodid' ] [ --port 'port' ] [ -mutual ]\n"; -if(! $opt{prodid}) { - die "$0: must specify -prodid\n"; -} - -if(! $opt{port}) { - warn "$0: -port not specified, defaulting to 10000\n"; - $opt{port} = 10000; -} - -if(! $opt{prodid}) { - $opt{prodid} = "host"; -} +my $authtype = $opt{mutual} ? 'mutual' : 'one-way'; warn "$0: using [$opt{prodid}\@$opt{hostname}:$opt{port}]\n"; - # # GSSAPI::Name->import produces $gss_server_name # which is then passed in to GSSAPI::Context::init @@ -48,7 +34,7 @@ my $status = GSSAPI::Name->import(my $gss_server_name, $server_name, gss_nt_service_name); $status || gss_exit("CLIENT::Unable to import server name: $server_name", $status); -$status = $gss_server_name->display(my $display_name, my $type); +$status = $gss_server_name->display(my $display_name); print "CLIENT::principal [$server_name] means going to communicate with server name [$display_name]\n"; my $gss_input_token = q{}; @@ -93,7 +79,7 @@ 0, # input time GSS_C_NO_CHANNEL_BINDINGS, # no channel binding $gss_input_token, # input token - my $out_mech, + undef, my $gss_output_token, my $out_flags, my $out_time); diff -r -u GSSAPI-0.27/examples/gss-server.pl GSSAPI-0.27-patched/examples/gss-server.pl --- GSSAPI-0.27/examples/gss-server.pl 2008-02-02 08:36:21.000000000 -0500 +++ GSSAPI-0.27-patched/examples/gss-server.pl 2010-06-03 17:05:50.000000000 -0400 @@ -12,7 +12,11 @@ use MIME::Base64; -my %opt; +my %opt = ( + keytabfile => '/etc/krb5.keytab', + port => 10000, + hostname => hostname(), +); # # Arguments: @@ -25,16 +29,8 @@ exit(1); } -if(! $opt{port}) { - warn "$0: -port not specified, defaulting to 10000\n"; - $opt{port} = 10000; -} - -if(! $opt{hostname}) { - $opt{hostname} = hostname(); - warn "$0: -name not specified, using hostname result [" . $opt{hostname} . "]\n"; -} warn "$0: using [" . $opt{hostname} .':' .$opt{port} . "]\n"; + # # Servers need keytab files, the only standard so far is /etc/krb5.keytab. # That's the file meant to contain keys for the local machine. It is readable