Bug#880393: libsasl2-modules-gssapi-heimdal seems built against MIT

Johan Wassberg jocar at su.se
Tue Oct 31 07:33:41 UTC 2017 

Package: libsasl2-modules-gssapi-heimdal
Version: 2.1.27~101-g0780600+dfsg-3
Severity: important

Dear Maintainer,

I think something is fishy with the package "libsasl2-modules-gssapi-heimdal".
I suspect that the package is built against MIT instead of Heimdal.

Trying to migrate a Xenial machine to Stretch I noticed a difference in
behavior when using `saslauthd` in a Postfix chroot - configs that
haven't been required before was now required and `saslauthd` is
complaing about settings that I have never seen with our previous setup. We
have always used the Heimdal Kerberos libraries and therefore always
used "libsasl2-modules-gssapi-heimdal" for `saslauthd`.

Couldn't find any upstream changes in either Heimdal or Cyrus SASL which
would explain my issuses so I went digging in the Debian package
instead.
Found that Heimdal was ripped out from the package(s) in October 24
2016:
    * 004977091b89363daa04301e89a045e7e2ffbad8
    * b9158ab7d2bc71a026d417982fee61bc854935f4
    * b334c34bce70f20d85ef0e86e79c6310b69f7345
And added again on Dec 31:
    * f382638d18a1e1e75560076d0cb1482e0b4dc613

Unfortunately the package(s) has moved a lot between removal and reinstatement
so I can't get a clean diff over the changes. But I suspect that the
reinstatement didn't go as planned.

>From Jessie:
```
# dpkg -S /usr/lib/x86_64-linux-gnu/sasl2/libgssapiv2.so.2.0.25
libsasl2-modules-gssapi-heimdal:amd64: /usr/lib/x86_64-linux-gnu/sasl2/libgssapiv2.so.2.0.25

# ldd /usr/lib/x86_64-linux-gnu/sasl2/libgssapiv2.so.2.0.25
        linux-vdso.so.1 (0x00007fffc877e000)
        libgssapi.so.3 => /usr/lib/x86_64-linux-gnu/libgssapi.so.3 (0x00007fd5b206a000)
        libkrb5.so.26 => /usr/lib/x86_64-linux-gnu/libkrb5.so.26 (0x00007fd5b1ddb000)
        libasn1.so.8 => /usr/lib/x86_64-linux-gnu/libasn1.so.8 (0x00007fd5b1b2b000)
        libroken.so.18 => /usr/lib/x86_64-linux-gnu/libroken.so.18 (0x00007fd5b1915000)
        libcrypt.so.1 => /lib/x86_64-linux-gnu/libcrypt.so.1 (0x00007fd5b16de000)
        libcrypto.so.1.0.0 => /usr/lib/x86_64-linux-gnu/libcrypto.so.1.0.0 (0x00007fd5b12e1000)
        libcom_err.so.2 => /lib/x86_64-linux-gnu/libcom_err.so.2 (0x00007fd5b10dd000)
        libresolv.so.2 => /lib/x86_64-linux-gnu/libresolv.so.2 (0x00007fd5b0ec6000)
        libc.so.6 => /lib/x86_64-linux-gnu/libc.so.6 (0x00007fd5b0b1a000)
        libheimntlm.so.0 => /usr/lib/x86_64-linux-gnu/libheimntlm.so.0 (0x00007fd5b0911000)
        libhcrypto.so.4 => /usr/lib/x86_64-linux-gnu/libhcrypto.so.4 (0x00007fd5b06dc000)
        libpthread.so.0 => /lib/x86_64-linux-gnu/libpthread.so.0 (0x00007fd5b04be000)
        libwind.so.0 => /usr/lib/x86_64-linux-gnu/libwind.so.0 (0x00007fd5b0295000)
        libheimbase.so.1 => /usr/lib/x86_64-linux-gnu/libheimbase.so.1 (0x00007fd5b0086000)
        libhx509.so.5 => /usr/lib/x86_64-linux-gnu/libhx509.so.5 (0x00007fd5afe39000)
        libsqlite3.so.0 => /usr/lib/x86_64-linux-gnu/libsqlite3.so.0 (0x00007fd5afb70000)
        libdl.so.2 => /lib/x86_64-linux-gnu/libdl.so.2 (0x00007fd5af96c000)
        /lib64/ld-linux-x86-64.so.2 (0x00007fd5b24ba000)

# strings /usr/lib/x86_64-linux-gnu/sasl2/libgssapiv2.so.2.0.25 | egrep "MIT|HEIM"
HEIMDAL_GSS_2.0
```

>From Ubuntu Xenial:
```
# dpkg -S /usr/lib/x86_64-linux-gnu/sasl2/libgssapiv2.so.2.0.25
libsasl2-modules-gssapi-heimdal:amd64: /usr/lib/x86_64-linux-gnu/sasl2/libgssapiv2.so.2.0.25

# ldd /usr/lib/x86_64-linux-gnu/sasl2/libgssapiv2.so.2.0.25
        linux-vdso.so.1 =>  (0x00007ffd967d4000)
        libgssapi.so.3 => /usr/lib/x86_64-linux-gnu/libgssapi.so.3 (0x00007f818c61c000)
        libc.so.6 => /lib/x86_64-linux-gnu/libc.so.6 (0x00007f818c252000)
        libheimntlm.so.0 => /usr/lib/x86_64-linux-gnu/libheimntlm.so.0 (0x00007f818c048000)
        libkrb5.so.26 => /usr/lib/x86_64-linux-gnu/libkrb5.so.26 (0x00007f818bdbe000)
        libasn1.so.8 => /usr/lib/x86_64-linux-gnu/libasn1.so.8 (0x00007f818bb1c000)
        libcom_err.so.2 => /lib/x86_64-linux-gnu/libcom_err.so.2 (0x00007f818b917000)
        libhcrypto.so.4 => /usr/lib/x86_64-linux-gnu/libhcrypto.so.4 (0x00007f818b6e4000)
        libroken.so.18 => /usr/lib/x86_64-linux-gnu/libroken.so.18 (0x00007f818b4ce000)
        libpthread.so.0 => /lib/x86_64-linux-gnu/libpthread.so.0 (0x00007f818b2b0000)
        /lib64/ld-linux-x86-64.so.2 (0x0000559426341000)
        libwind.so.0 => /usr/lib/x86_64-linux-gnu/libwind.so.0 (0x00007f818b087000)
        libheimbase.so.1 => /usr/lib/x86_64-linux-gnu/libheimbase.so.1 (0x00007f818ae78000)
        libhx509.so.5 => /usr/lib/x86_64-linux-gnu/libhx509.so.5 (0x00007f818ac2c000)
        libsqlite3.so.0 => /usr/lib/x86_64-linux-gnu/libsqlite3.so.0 (0x00007f818a957000)
        libcrypt.so.1 => /lib/x86_64-linux-gnu/libcrypt.so.1 (0x00007f818a71f000)
        libdl.so.2 => /lib/x86_64-linux-gnu/libdl.so.2 (0x00007f818a51a000)
        libresolv.so.2 => /lib/x86_64-linux-gnu/libresolv.so.2 (0x00007f818a2ff000)

# strings /usr/lib/x86_64-linux-gnu/sasl2/libgssapiv2.so.2.0.25 | egrep "MIT|HEIM"
HEIMDAL_GSS_2.0
```

>From Stretch:
```
# dpkg -S /usr/lib/x86_64-linux-gnu/sasl2/libgssapiv2.so.2.0.25
libsasl2-modules-gssapi-heimdal:amd64: /usr/lib/x86_64-linux-gnu/sasl2/libgssapiv2.so.2.0.25

# ldd /usr/lib/x86_64-linux-gnu/sasl2/libgssapiv2.so.2.0.25
        linux-vdso.so.1 (0x00007ffd97762000)
        libgssapi_krb5.so.2 => /usr/lib/x86_64-linux-gnu/libgssapi_krb5.so.2 (0x00007f218ad06000)
        libkrb5.so.3 => /usr/lib/x86_64-linux-gnu/libkrb5.so.3 (0x00007f218aa2c000)
        libk5crypto.so.3 => /usr/lib/x86_64-linux-gnu/libk5crypto.so.3 (0x00007f218a7f9000)
        libcom_err.so.2 => /lib/x86_64-linux-gnu/libcom_err.so.2 (0x00007f218a5f5000)
        libresolv.so.2 => /lib/x86_64-linux-gnu/libresolv.so.2 (0x00007f218a3de000)
        libc.so.6 => /lib/x86_64-linux-gnu/libc.so.6 (0x00007f218a03f000)
        libkrb5support.so.0 => /usr/lib/x86_64-linux-gnu/libkrb5support.so.0 (0x00007f2189e33000)
        libdl.so.2 => /lib/x86_64-linux-gnu/libdl.so.2 (0x00007f2189c2f000)
        libkeyutils.so.1 => /lib/x86_64-linux-gnu/libkeyutils.so.1 (0x00007f2189a2b000)
        libpthread.so.0 => /lib/x86_64-linux-gnu/libpthread.so.0 (0x00007f218980e000)
        /lib64/ld-linux-x86-64.so.2 (0x00007f218b15a000)

# strings /usr/lib/x86_64-linux-gnu/sasl2/libgssapiv2.so.2.0.25 | egrep "MIT|HEIM"
gssapi_krb5_2_MIT
```

As you can see from my examples all the older dists seems to be built against
Heimdal and contains HEIMDAL in the SO file but in Stretch the file now contains
MIT and `ldd` gives no hint of any Heimdal libraries. This makes me think that
"libsasl2-modules-gssapi-heimdal" is built again the wrong Kerberos library.

Let me know if there is any additional data I can provide in order to
straighten this issue.

--
jocar

-- System Information:
Debian Release: 9.1
  APT prefers stable
  APT policy: (500, 'stable')
Architecture: amd64 (x86_64)

Kernel: Linux 4.9.0-4-amd64 (SMP w/2 CPU cores)
Locale: LANG=en_GB.UTF-8, LC_CTYPE=UTF-8 (charmap=UTF-8) (ignored: LC_ALL set to en_US.UTF-8), LANGUAGE=en_GB:en (charmap=UTF-8) (ignored: LC_ALL set to en_US.UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)

Versions of packages libsasl2-modules-gssapi-heimdal depends on:
ii  libc6             2.24-11+deb9u1
ii  libcomerr2        1.43.4-2
ii  libgssapi-krb5-2  1.15-1+deb9u1
ii  libk5crypto3      1.15-1+deb9u1
ii  libkrb5-3         1.15-1+deb9u1
ii  libsasl2-modules  2.1.27~101-g0780600+dfsg-3

libsasl2-modules-gssapi-heimdal recommends no packages.

libsasl2-modules-gssapi-heimdal suggests no packages.

-- no debconf information

More information about the Pkg-cyrus-sasl2-debian-devel mailing list