cups pam auth via ldap segfault

[raffis]

still trying to achieve ldap authentication.
I guess I do not really need to deploy the ldap users via nss to the system, pam auth via ldap should be enough right?
Because it kinda works, I can authenticate (web ui), and most time get the page back but cupsd will crash every time after ~3s.

cups version: built from latest stable release v2.2.8

cups log:

D [08/Jun/2018:11:52:10 +0200] [Client 2] Connection now encrypted.
D [08/Jun/2018:11:52:10 +0200] [Client 2] cupsdSendHeader: code=200, type="(null)", auth_type=0
D [08/Jun/2018:11:52:10 +0200] cupsdSetBusyState: newbusy="Printing jobs and dirty files", busy="Active clients, printing jobs, and dirty files"
D [08/Jun/2018:11:52:10 +0200] [Client 2] POST /printers/kue HTTP/1.1
D [08/Jun/2018:11:52:10 +0200] cupsdSetBusyState: newbusy="Active clients, printing jobs, and dirty files", busy="Printing jobs and dirty files"
D [08/Jun/2018:11:52:10 +0200] [Client 2] Read: status=200, state=6
D [08/Jun/2018:11:52:10 +0200] [Client 2] Authorized as "testuser" using Basic.
D [08/Jun/2018:11:52:10 +0200] cupsdIsAuthorized: username="testuser"

==> /var/log/syslog <==
Jun  8 11:52:10 print001.tam.ch kernel: [2764439.672164] cupsd[10078]: segfault at 7fe6b53df3f0 ip 00007fe6b53df3f0 sp 00007ffd3b13d2e8 error 14

==> /var/log/kern.log <==
Jun  8 11:52:10 print001.tam.ch kernel: [2764439.672164] cupsd[10078]: segfault at 7fe6b53df3f0 ip 00007fe6b53df3f0 sp 00007ffd3b13d2e8 error 14

stacktrace:

Starting program: /usr/sbin/cupsd -f
[Thread debugging using libthread_db enabled]
Using host libthread_db library "/lib/x86_64-linux-gnu/libthread_db.so.1".
[New Thread 0x7ffff1fae700 (LWP 9634)]

Thread 1 "cupsd" received signal SIGSEGV, Segmentation fault.
0x00007ffff13893f0 in ?? ()
(gdb) bt
#0 0x00007ffff13893f0 in ?? ()
#1 0x00007ffff590f3f3 in ?? () from /usr/lib/x86_64-linux-gnu/libgnutls.so.30
#2 0x00007ffff584ac25 in ?? () from /usr/lib/x86_64-linux-gnu/libgnutls.so.30
#3 0x00007ffff5846d6a in ?? () from /usr/lib/x86_64-linux-gnu/libgnutls.so.30
#4 0x00007ffff5848f46 in gnutls_record_send () from /usr/lib/x86_64-linux-gnu/libgnutls.so.30
#5 0x00007ffff7132d70 in _httpTLSWrite () from /usr/lib/x86_64-linux-gnu/libcups.so.2
#6 0x00007ffff7108816 in ?? () from /usr/lib/x86_64-linux-gnu/libcups.so.2
#7 0x00007ffff7108ceb in httpFlushWrite () from /usr/lib/x86_64-linux-gnu/libcups.so.2
#8 0x00007ffff710cda3 in httpWriteResponse () from /usr/lib/x86_64-linux-gnu/libcups.so.2
#9 0x0000555555576b7b in ?? ()
#10 0x0000000000000000 in ?? ()
(gdb)

Note:
With the builds from ubuntu v2.1.x I get a segfault in libnss_dns:
kernel: [2763212.200780] cupsd[31100]: segfault at 7fd886e983f0 ip 00007fd886e983f0 sp 00007fff8b2338c8 error 14 in libnss_dns-2.23.so[7fd8872bd000+5000

[michaelrsweet]

Does this happen with the default pam module or just pam_ldap?

[raffis]

Does this happen with the default pam module or just pam_ldap?

Looking fine with pam_unix

[michaelrsweet]

I'm guessing that the pam_ldap module is doing something with GNU TLS that is interfering with cupsd's usage. What does ldd show for the pam_ldap.so file?

[raffis]

[root@]---> ldd /lib/x86_64-linux-gnu/security/pam_ldap.so
	linux-vdso.so.1 =>  (0x00007ffed8971000)
	libldap_r-2.4.so.2 => /usr/lib/x86_64-linux-gnu/libldap_r-2.4.so.2 (0x00007f02f4c2e000)
	liblber-2.4.so.2 => /usr/lib/x86_64-linux-gnu/liblber-2.4.so.2 (0x00007f02f4a1f000)
	libcrypt.so.1 => /lib/x86_64-linux-gnu/libcrypt.so.1 (0x00007f02f47e7000)
	libpam.so.0 => /lib/x86_64-linux-gnu/libpam.so.0 (0x00007f02f45d9000)
	libc.so.6 => /lib/x86_64-linux-gnu/libc.so.6 (0x00007f02f420f000)
	libresolv.so.2 => /lib/x86_64-linux-gnu/libresolv.so.2 (0x00007f02f3ff4000)
	libsasl2.so.2 => /usr/lib/x86_64-linux-gnu/libsasl2.so.2 (0x00007f02f3dd9000)
	libgssapi.so.3 => /usr/lib/x86_64-linux-gnu/libgssapi.so.3 (0x00007f02f3b98000)
	libgnutls.so.30 => /usr/lib/x86_64-linux-gnu/libgnutls.so.30 (0x00007f02f3868000)
	libpthread.so.0 => /lib/x86_64-linux-gnu/libpthread.so.0 (0x00007f02f364b000)
	libaudit.so.1 => /lib/x86_64-linux-gnu/libaudit.so.1 (0x00007f02f3424000)
	libdl.so.2 => /lib/x86_64-linux-gnu/libdl.so.2 (0x00007f02f3220000)
	/lib64/ld-linux-x86-64.so.2 (0x00007f02f508b000)
	libheimntlm.so.0 => /usr/lib/x86_64-linux-gnu/libheimntlm.so.0 (0x00007f02f3017000)
	libkrb5.so.26 => /usr/lib/x86_64-linux-gnu/libkrb5.so.26 (0x00007f02f2d8d000)
	libasn1.so.8 => /usr/lib/x86_64-linux-gnu/libasn1.so.8 (0x00007f02f2aeb000)
	libcom_err.so.2 => /lib/x86_64-linux-gnu/libcom_err.so.2 (0x00007f02f28e7000)
	libhcrypto.so.4 => /usr/lib/x86_64-linux-gnu/libhcrypto.so.4 (0x00007f02f26b4000)
	libroken.so.18 => /usr/lib/x86_64-linux-gnu/libroken.so.18 (0x00007f02f249e000)
	libz.so.1 => /lib/x86_64-linux-gnu/libz.so.1 (0x00007f02f2284000)
	libp11-kit.so.0 => /usr/lib/x86_64-linux-gnu/libp11-kit.so.0 (0x00007f02f2020000)
	libidn.so.11 => /usr/lib/x86_64-linux-gnu/libidn.so.11 (0x00007f02f1ded000)
	libtasn1.so.6 => /usr/lib/x86_64-linux-gnu/libtasn1.so.6 (0x00007f02f1bda000)
	libnettle.so.6 => /usr/lib/x86_64-linux-gnu/libnettle.so.6 (0x00007f02f19a4000)
	libhogweed.so.4 => /usr/lib/x86_64-linux-gnu/libhogweed.so.4 (0x00007f02f1771000)
	libgmp.so.10 => /usr/lib/x86_64-linux-gnu/libgmp.so.10 (0x00007f02f14f1000)
	libwind.so.0 => /usr/lib/x86_64-linux-gnu/libwind.so.0 (0x00007f02f12c8000)
	libheimbase.so.1 => /usr/lib/x86_64-linux-gnu/libheimbase.so.1 (0x00007f02f10b9000)
	libhx509.so.5 => /usr/lib/x86_64-linux-gnu/libhx509.so.5 (0x00007f02f0e6e000)
	libsqlite3.so.0 => /usr/lib/x86_64-linux-gnu/libsqlite3.so.0 (0x00007f02f0b99000)
	libffi.so.6 => /usr/lib/x86_64-linux-gnu/libffi.so.6 (0x00007f02f0991000)

[root@]---> ldd /usr/sbin/cupsd
	linux-vdso.so.1 =>  (0x00007ffd20946000)
	libcupsmime.so.1 => /usr/lib/x86_64-linux-gnu/libcupsmime.so.1 (0x00007fc22aeb3000)
	libpam.so.0 => /lib/x86_64-linux-gnu/libpam.so.0 (0x00007fc22aca5000)
	libdbus-1.so.3 => /lib/x86_64-linux-gnu/libdbus-1.so.3 (0x00007fc22aa59000)
	libsystemd.so.0 => /lib/x86_64-linux-gnu/libsystemd.so.0 (0x00007fc22b4ad000)
	libavahi-common.so.3 => /usr/lib/x86_64-linux-gnu/libavahi-common.so.3 (0x00007fc22a84d000)
	libavahi-client.so.3 => /usr/lib/x86_64-linux-gnu/libavahi-client.so.3 (0x00007fc22a63c000)
	libcups.so.2 => /usr/lib/x86_64-linux-gnu/libcups.so.2 (0x00007fc22a3bc000)
	libgssapi_krb5.so.2 => /usr/lib/x86_64-linux-gnu/libgssapi_krb5.so.2 (0x00007fc22a172000)
	libpthread.so.0 => /lib/x86_64-linux-gnu/libpthread.so.0 (0x00007fc229f55000)
	libc.so.6 => /lib/x86_64-linux-gnu/libc.so.6 (0x00007fc229b8b000)
	libaudit.so.1 => /lib/x86_64-linux-gnu/libaudit.so.1 (0x00007fc229964000)
	libdl.so.2 => /lib/x86_64-linux-gnu/libdl.so.2 (0x00007fc229760000)
	libselinux.so.1 => /lib/x86_64-linux-gnu/libselinux.so.1 (0x00007fc22953e000)
	librt.so.1 => /lib/x86_64-linux-gnu/librt.so.1 (0x00007fc229336000)
	liblzma.so.5 => /lib/x86_64-linux-gnu/liblzma.so.5 (0x00007fc229114000)
	libgcrypt.so.20 => /lib/x86_64-linux-gnu/libgcrypt.so.20 (0x00007fc228e33000)
	/lib64/ld-linux-x86-64.so.2 (0x00007fc22b31a000)
	libgnutls.so.30 => /usr/lib/x86_64-linux-gnu/libgnutls.so.30 (0x00007fc228b03000)
	libz.so.1 => /lib/x86_64-linux-gnu/libz.so.1 (0x00007fc2288e9000)
	libm.so.6 => /lib/x86_64-linux-gnu/libm.so.6 (0x00007fc2285e0000)
	libkrb5.so.3 => /usr/lib/x86_64-linux-gnu/libkrb5.so.3 (0x00007fc22830e000)
	libk5crypto.so.3 => /usr/lib/x86_64-linux-gnu/libk5crypto.so.3 (0x00007fc2280df000)
	libcom_err.so.2 => /lib/x86_64-linux-gnu/libcom_err.so.2 (0x00007fc227edb000)
	libkrb5support.so.0 => /usr/lib/x86_64-linux-gnu/libkrb5support.so.0 (0x00007fc227cd0000)
	libpcre.so.3 => /lib/x86_64-linux-gnu/libpcre.so.3 (0x00007fc227a60000)
	libgpg-error.so.0 => /lib/x86_64-linux-gnu/libgpg-error.so.0 (0x00007fc22784c000)
	libp11-kit.so.0 => /usr/lib/x86_64-linux-gnu/libp11-kit.so.0 (0x00007fc2275e8000)
	libidn.so.11 => /usr/lib/x86_64-linux-gnu/libidn.so.11 (0x00007fc2273b5000)
	libtasn1.so.6 => /usr/lib/x86_64-linux-gnu/libtasn1.so.6 (0x00007fc2271a2000)
	libnettle.so.6 => /usr/lib/x86_64-linux-gnu/libnettle.so.6 (0x00007fc226f6c000)
	libhogweed.so.4 => /usr/lib/x86_64-linux-gnu/libhogweed.so.4 (0x00007fc226d39000)
	libgmp.so.10 => /usr/lib/x86_64-linux-gnu/libgmp.so.10 (0x00007fc226ab9000)
	libkeyutils.so.1 => /lib/x86_64-linux-gnu/libkeyutils.so.1 (0x00007fc2268b5000)
	libresolv.so.2 => /lib/x86_64-linux-gnu/libresolv.so.2 (0x00007fc22669a000)
	libffi.so.6 => /usr/lib/x86_64-linux-gnu/libffi.so.6 (0x00007fc226492000)

Looks like neither can be compiled with openssl instead gnutls.

[michaelrsweet]

It shouldn't be necessary, but if they use GNU TLS in an unsafe way bad things will happen...

Right now the best thing is probably to file a bug on the Ubuntu tracker - I'm not sure which version of pam_ldap Ubuntu is using, or where the GNU TLS dependencies intersect (i.e. is it OpenLDAP or Heimdal or ???) I'll keep this bug open until a root cause is found, then we can determine how best to fix it...

[raffis]

Well it is pam_ldap, I was able to fix the issue with a manually compiled version of https://github.com/arthurdejong/nss-pam-ldapd instead of libpam-ldap.

ubuntu bug related to libpam-ldap: https://bugs.launchpad.net/ubuntu/+source/libpam-ldap/+bug/1776484