heimdal 7.8 crash (in OpenLDAP) with spnego/ntlm, is this familiar?

Andrew Bartlett abartlet at samba.org
Tue Nov 26 09:08:06 UTC 2024


On Tue, 2024-11-26 at 08:39 +0000, Ondřej Kuzník wrote:
> On Tue, Nov 26, 2024 at 10:41:12AM +1300, Andrew Bartlett wrote:
> > On Mon, 2024-11-25 at 16:08 +0200, Nadezhda Ivanova via samba-technical wrote:
> > > Hi team,
> > > An OpenLDAP user encountered this issue, and since Samba also uses
> > > Heimdal too, we were wondering if maybe it has happened in Samba as
> > > well and was fixed? Do you think it is something that can affect
> > > Samba? There are back traces in the issue but no steps to reproduce,
> > > it seems to happen randomly in their environment, and we haven't had
> > > any feedback from the Heimdal team yet.
> > > I could not find a relevant issue in the Samba bugzilla or the
> > > commits, but perhaps one of you remembers something?
> > > https://github.com/heimdal/heimdal/issues/1189
> > 
> > Samba strictly avoids using the Heimdal SPNEGO and NTLM layers, only
> > selecting the GSS-Krb5 mech to use our more mature internal
> > implementation and so avoid this kind of issue
> 
> Hi Andrew,
> thanks for coming back to us, are you saying Samba got rid of the MEMORY
> credential cache as well, the suspected culprit here[0]?

No, just that because Samba has done NTLMSSP since almost forever, we
always preferred our code that we closely tie to our credentials and
authentication stack over outsourcing that to an external library.

Any issues with the MEMORY credentials cache, if not just a matter of
how it is used in NTLMSSP, could still bite us.

> Also are you aware of a way to control what mechs are enabled/disabled
> through configuration?

No, we just don't call any of the mechs that can choose other mechs, we
just call directly with the gsskrb5 OIDs.

Andrew Bartlett
-- 
Andrew Bartlett (he/him) https://samba.org/~abartlet/
Samba Team Member (since 2001) https://samba.org
Samba Developer, Catalyst IT https://catalyst.net.nz/services/samba
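
Added example, not part of the original message and not Samba, OpenLDAP or Heimdal code: where mechanisms cannot be disabled through configuration, a caller can still pin the mechanism itself by checking the mech OID in the RFC 2743 framing of an initial context token before handing it to the GSS library. The function names, the enum and the sample tokens are constructed for illustration.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* DER contents of the mechanism OIDs (tag 0x06 and length byte not included). */
static const uint8_t OID_KRB5[]   = {0x2a,0x86,0x48,0x86,0xf7,0x12,0x01,0x02,0x02}; /* 1.2.840.113554.1.2.2 */
static const uint8_t OID_SPNEGO[] = {0x2b,0x06,0x01,0x05,0x05,0x02};                /* 1.3.6.1.5.5.2 */

enum mech { MECH_INVALID = -1, MECH_OTHER, MECH_KRB5, MECH_SPNEGO };

/* Constructed sample tokens: framing plus placeholder body bytes. */
static const uint8_t TOK_KRB5[]   = {0x60,0x0d,0x06,0x09,0x2a,0x86,0x48,0x86,0xf7,0x12,0x01,0x02,0x02,0x01,0x00};
static const uint8_t TOK_SPNEGO[] = {0x60,0x0a,0x06,0x06,0x2b,0x06,0x01,0x05,0x05,0x02,0xa0,0x00};
static const uint8_t TOK_NTLM[]   = {'N','T','L','M','S','S','P',0x00,0x01,0x00,0x00,0x00}; /* raw, unframed */

/* Read one DER length at *pos; rejects the indefinite form and overlong counts. */
static int der_len(const uint8_t *b, size_t n, size_t *pos, size_t *out)
{
    if (*pos >= n) return -1;
    uint8_t c = b[(*pos)++];
    if (c < 0x80) { *out = c; return 0; }
    size_t k = c & 0x7f, v = 0;
    if (k == 0 || k > sizeof(size_t) || k > n - *pos) return -1;
    while (k--) v = (v << 8) | b[(*pos)++];
    *out = v;
    return 0;
}

/* Classify an initial context token by the mech OID in its RFC 2743 framing. */
enum mech classify_initial_token(const uint8_t *tok, size_t n)
{
    size_t pos = 0, total, oidlen;
    if (n == 0 || tok[pos++] != 0x60) return MECH_INVALID;        /* [APPLICATION 0] */
    if (der_len(tok, n, &pos, &total) || total > n - pos) return MECH_INVALID;
    n = pos + total;                                              /* stay inside the frame */
    if (pos >= n || tok[pos++] != 0x06) return MECH_INVALID;      /* OBJECT IDENTIFIER */
    if (der_len(tok, n, &pos, &oidlen) || oidlen == 0 || oidlen > n - pos) return MECH_INVALID;
    if (oidlen == sizeof OID_KRB5 && !memcmp(tok + pos, OID_KRB5, oidlen)) return MECH_KRB5;
    if (oidlen == sizeof OID_SPNEGO && !memcmp(tok + pos, OID_SPNEGO, oidlen)) return MECH_SPNEGO;
    return MECH_OTHER;
}

/* Policy gate: only krb5-framed tokens are handed on to the GSS library. */
int accept_krb5_only(const uint8_t *tok, size_t n)
{
    return classify_initial_token(tok, n) == MECH_KRB5;
}

int main(void) { return accept_krb5_only(TOK_KRB5, sizeof TOK_KRB5) ? 0 : 1; }
```

A raw NTLMSSP message carries no GSS framing, so it classifies as invalid here rather than as another mechanism.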