Bug#651308: libsasl2-modules-gssapi-mit: buggy autoconf m4 script makes SASL's "keytab" option not work

Liu Yubao yubao.liu at gmail.com
Wed Dec 7 17:19:47 UTC 2011


Package: libsasl2-modules-gssapi-mit
Version: 2.1.24~rc1.dfsg1+cvs2011-05-23-4
Severity: important

Dear Maintainer,

// This issue still exists in the latest 2.1.25.

   * What led up to the situation?

I found that slapd doesn't respect the "keytab" option in
/etc/ldap/sasl2/slapd.conf when it does SASL authentication;
slapd always reads the default keytab file "/etc/krb5.keytab", but slapd
is running as user "openldap" and that file is readable only
by root.

The cause is libsasl2-modules-gssapi-mit's buggy autoconf m4
script, which disables the code snippet that reads the "keytab" option.

$ grep gsskrb5_register_acceptor_identity /usr/include/ -nr
/usr/include/gssapi/gssapi_krb5.h:164:#define gsskrb5_register_acceptor_identity krb5_gss_register_acceptor_identity
/usr/include/mit-krb5/gssapi/gssapi_krb5.h:164:#define gsskrb5_register_acceptor_identity krb5_gss_register_acceptor_identity
/usr/include/heimdal/gssapi/gssapi_krb5.h:84:GSSAPI_LIB_FUNCTION OM_uint32 GSSAPI_LIB_CALL gsskrb5_register_acceptor_identity

$ grep gsskrb5_register_acceptor_identity -nr cyrus-sasl2/
cyrus-sasl2/configure:13336:for ac_func in gsskrb5_register_acceptor_identity
cyrus-sasl2/cmulocal/sasl2.m4:271: AC_CHECK_FUNCS(gsskrb5_register_acceptor_identity)
cyrus-sasl2/config.h.in:125:/* Define to 1 if you have the `gsskrb5_register_acceptor_identity' function.
cyrus-sasl2/saslauthd/configure:9119:for ac_func in gsskrb5_register_acceptor_identity
cyrus-sasl2/saslauthd/saslauthd.h.in:58:/* Define to 1 if you have the `gsskrb5_register_acceptor_identity' function.
cyrus-sasl2/plugins/gssapi.c:1320: gsskrb5_register_acceptor_identity(keytab_path);

MIT Kerberos's header file includes the macro "gsskrb5_register_acceptor_identity"
and the function "krb5_gss_register_acceptor_identity", but the sasl2.m4 script expects
a function named "gsskrb5_register_acceptor_identity"; this works for Heimdal Kerberos
but not for MIT Kerberos.

   * What exactly did you do (or not do) that was effective (or
     ineffective)?

After I forced cyrus-sasl2/plugins/gssapi.c to use the
function "krb5_gss_register_acceptor_identity", this package
successfully picked up the "keytab" option in /etc/ldap/sasl2/slapd.conf,
and the command "ldapwhoami" authenticated successfully.

   * What was the outcome of this action?
   * What outcome did you expect instead?

I feel it's better to fix sasl2.m4 rather than directly change
plugins/gssapi.c to add more macros; maybe it's even better
to just change /usr/include/mit-krb5/gssapi/gssapi_krb5.h to
use this macro:
#define krb5_gss_register_acceptor_identity gsskrb5_register_acceptor_identity
but that way breaks ABI compatibility.

cyrus-sasl2/doc/sysadmin.html should also be fixed; it claims:

   <p>Applications that wish to use a kerberos mechanism will need access
   to a service key, stored either in a "srvtab" file (Kerberos 4) or a
   "keytab" file (Kerberos 5).  Currently, the keytab file location is
   not configurable and defaults to the system default (probably
   <tt>/etc/krb5.keytab</tt>).

Regards,
Yubao Liu

-- System Information:
Debian Release: wheezy/sid
  APT prefers testing-proposed-updates
  APT policy: (500, 'testing-proposed-updates'), (500, 'testing')
Architecture: i386 (i686)

Kernel: Linux 3.0.0-1-686-pae (SMP w/1 CPU core)
Locale: LANG=en_US.UTF-8, LC_CTYPE=zh_CN.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash

Versions of packages libsasl2-modules-gssapi-mit depends on:
ii  libc6             2.13-21
ii  libcomerr2        1.42~WIP-2011-10-16-1
ii  libgssapi-krb5-2  1.9.1+dfsg-3
ii  libk5crypto3      1.9.1+dfsg-3
ii  libkrb5-3         1.9.1+dfsg-3
ii  libsasl2-modules  2.1.24~rc1.dfsg1+cvs2011-05-23-4
ii  libssl1.0.0       1.0.0e-3

libsasl2-modules-gssapi-mit recommends no packages.

libsasl2-modules-gssapi-mit suggests no packages.

-- no debconf information
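The report above traces the lost "keytab" option to AC_CHECK_FUNCS linking a bare symbol named gsskrb5_register_acceptor_identity, which MIT only provides as a macro in gssapi_krb5.h. The following is an added example of how such a check can be written in autoconf m4 so that it accepts either Heimdal's real function or MIT's macro; it is not cyrus-sasl2's own sasl2.m4 code. It assumes a variable GSSAPIBASE_LIBS already holds the GSS-API link flags computed earlier in the script, and it keeps the HAVE_GSSKRB5_REGISTER_ACCEPTOR_IDENTITY name that AC_CHECK_FUNCS would have generated, so the existing #ifdef in plugins/gssapi.c needs no change.

```m4
dnl Added example, not cyrus-sasl2's own sasl2.m4.
dnl AC_CHECK_FUNCS links a bare symbol with no header included, so it
dnl cannot see a #define such as MIT's gsskrb5_register_acceptor_identity.
dnl Linking a call through the GSS-API header instead resolves the macro
dnl to krb5_gss_register_acceptor_identity on MIT and to the real function
dnl on Heimdal, and still fails if the library lacks the call altogether.
dnl GSSAPIBASE_LIBS is assumed (not taken from the page) to carry the
dnl GSS-API link flags detected earlier in the configure script.
AC_MSG_CHECKING([whether gsskrb5_register_acceptor_identity is usable (function or macro)])
sasl_save_LIBS="$LIBS"
LIBS="$LIBS $GSSAPIBASE_LIBS"
AC_LINK_IFELSE(
  [AC_LANG_PROGRAM([[
#include <gssapi/gssapi.h>
#include <gssapi/gssapi_krb5.h>
]], [[
  /* Only compiled and linked by configure, never executed. */
  (void) gsskrb5_register_acceptor_identity("/nonexistent/example.keytab");
]])],
  [sasl_have_gsskrb5_register_acceptor_identity=yes],
  [sasl_have_gsskrb5_register_acceptor_identity=no])
LIBS="$sasl_save_LIBS"
AC_MSG_RESULT([$sasl_have_gsskrb5_register_acceptor_identity])
if test "$sasl_have_gsskrb5_register_acceptor_identity" = yes; then
  dnl Same macro name AC_CHECK_FUNCS would have produced, so the
  dnl #ifdef guarding the keytab code in plugins/gssapi.c keeps working.
  AC_DEFINE([HAVE_GSSKRB5_REGISTER_ACCEPTOR_IDENTITY], [1],
    [Define to 1 if gsskrb5_register_acceptor_identity is usable, either as a Heimdal function or as the MIT macro.])
fi
```

After regenerating configure, the check can be confirmed by looking for HAVE_GSSKRB5_REGISTER_ACCEPTOR_IDENTITY in the generated config.h on an MIT system; with the original AC_CHECK_FUNCS test it is absent there, which is exactly why the keytab code was compiled out.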