
Not able to use GSSAPI and Digest-MD5

 
SOLVED
LokeshP
New Member

Not able to use GSSAPI and Digest-MD5

Hi
I am not able to use GSSAPI and Digest-MD5 with my sendmail 8.13.3. I have Cyrus SASL 2.1.22. I am getting the following errors in the syslog.
Feb 04 05:30:18 unix sm-mta[1037]: unable to dlopen /usr/lib/sasl2/libdigestmd5.sl.2: Unresolved symbol: DES_key_sched (code) from /usr/lib/sasl2/libdigestmd5.sl.2

Feb 04 05:30:18 unix sm-mta[1037]: unable to dlopen /usr/lib/sasl2/libgssapiv2.sl.2: Unresolved symbol: GSS_C_NT_HOSTBASED_SERVICE (data) from /usr/lib/sasl2/libgssapiv2.sl.2

Feb 04 05:30:19 unix sm-mta[1037]: unable to dlopen /usr/lib/sasl2/libotp.sl.2: Unresolved symbol: EVP_DigestInit (code) from /usr/lib/sasl2/libotp.sl.2


Can anybody help me?
Thanks in advance.
9 REPLIES 9
Dennis Handly
Acclaimed Contributor
Solution

Re: Not able to use GSSAPI and Digest-MD5

Do you know where these symbols are supposed to be defined?
You can use this to look:
nm -pxAN *.sl* | grep -e DES_key_sched -e EVP_DigestInit ...
Are all three of these shlibs supposed to be loaded at once?
LokeshP
New Member

Re: Not able to use GSSAPI and Digest-MD5

Thanks Dennis,
I used the command suggested by you and am getting the following output:

# nm -pxAN *.sl* | grep -e DES_key_sched
libdigestmd5.sl: 0x00005b18 T DES_key_sched
libdigestmd5.sl: 0x00000000 U DES_key_sched
libdigestmd5.sl.2: 0x00005b18 T DES_key_sched
libdigestmd5.sl.2: 0x00000000 U DES_key_sched
libdigestmd5.sl.2.22:0x00005b18 T DES_key_sched
libdigestmd5.sl.2.22:0x00000000 U DES_key_sched

# nm libdigestmd5.sl.2 | grep -e DES_key_sched
DES_key_sched | |undef |code |
DES_key_sched | 23320|uext |stub |

# nm -pxAN *.sl* | grep -e EVP_DigestInit
libotp.sl: 0x0000cbd8 T EVP_DigestInit
libotp.sl: 0x00000000 U EVP_DigestInit
libotp.sl.2: 0x0000cbd8 T EVP_DigestInit
libotp.sl.2: 0x00000000 U EVP_DigestInit
libotp.sl.2.22: 0x0000cbd8 T EVP_DigestInit
libotp.sl.2.22: 0x00000000 U EVP_DigestInit

# nm libotp.sl.2 | grep -e EVP_DigestInit
EVP_DigestInit | |undef |code |
EVP_DigestInit | 52184|uext |stub |

# nm -pxAN *.sl* | grep -e GSS_C_NT_HOSTBASED_SERVICE
libgssapiv2.sl: 0x00000000 U GSS_C_NT_HOSTBASED_SERVICE
libgssapiv2.sl.2: 0x00000000 U GSS_C_NT_HOSTBASED_SERVICE
libgssapiv2.sl.2.22:0x00000000 U GSS_C_NT_HOSTBASED_SERVICE

# nm libgssapiv2.sl.2 | grep -e GSS_C_NT_HOSTBASED_SERVICE
GSS_C_NT_HOSTBASED_SERVICE| |undef |data

Here it is clearly showing GSS_C_NT_HOSTBASED_SERVICE is undefined.
Can code changes mitigate this issue?
So please suggest what I can do to mitigate this error.
Dennis Handly
Acclaimed Contributor

Re: Not able to use GSSAPI and Digest-MD5

# nm libdigestmd5.sl.2 | grep -e DES_key_sched
DES_key_sched | |undef |code |
DES_key_sched | 23320|uext |stub |

If in pairs, these are undefined in this shlib.

>Here it is clearly showing GSS_C_NT_HOSTBASED_SERVICE is undefined.
>Can code changes mitigate this issue?

You have to find the shlib that defines these symbols. Or if defined in the executable, they must be exported. You could try those commands on it.
LokeshP
New Member

Re: Not able to use GSSAPI and Digest-MD5

Thanks again Dennis,

I found other shared libraries containing these missing parameters. I found this out with the following:

# nm libssl.sl | grep -e DES_key_sched
DES_key_sched | 1214096|extern|code |$CODE$
DES_key_sched | 1214096|extern|entry |

# nm libssl.sl.1 | grep -e DES_key_sched
DES_key_sched | 1214096|extern|code |$CODE$
DES_key_sched | 1214096|extern|entry |

# nm libssl.sl | grep -e EVP_DigestInit
EVP_DigestInit | 1054104|extern|code |$CODE$
EVP_DigestInit | 1054104|extern|entry |
EVP_DigestInit_ex | 1054192|extern|code |$CODE$
EVP_DigestInit_ex | 1054192|extern|entry |

# nm libssl.sl.1 |grep -e EVP_DigestInit
EVP_DigestInit | 1054104|extern|code |$CODE$
EVP_DigestInit | 1054104|extern|entry |
EVP_DigestInit_ex | 1054192|extern|code |$CODE$
EVP_DigestInit_ex | 1054192|extern|entry |

# nm libgssapi_krb5.sl | grep -e GSS_C_NT_HOSTBASED_SERVICE
GSS_C_NT_HOSTBASED_SERVICE|1073750128|extern|data |$SHORTDATA$
GSS_C_NT_HOSTBASED_SERVICE_X|1073750136|extern|data |$SHORTDATA$

I tried using these shared libraries, but maybe I am using the wrong syntax. So can somebody please help me in choosing the correct shlib files and the syntax of the command I should use with them? Please help, as I am a newbie to shlibs.
Thanks in advance.
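
The lookup walked through in the posts above, as an added example that is not part of the original thread: it pulls each unresolved symbol out of the dlopen errors and finds the library that exports exactly that name. The function names and the "library|" tag in front of each nm line are assumptions of this example; the sample data is constructed from the output quoted in the thread, and "undef"/"extern" are read as "imported"/"exported" on that basis.

```shell
#!/bin/sh
# Added example. Sample data is constructed from output quoted in the thread.
# Syslog lines, joined to one line each.
SAMPLE_LOG='Feb 04 05:30:18 unix sm-mta[1037]: unable to dlopen /usr/lib/sasl2/libdigestmd5.sl.2: Unresolved symbol: DES_key_sched (code) from /usr/lib/sasl2/libdigestmd5.sl.2
Feb 04 05:30:18 unix sm-mta[1037]: unable to dlopen /usr/lib/sasl2/libgssapiv2.sl.2: Unresolved symbol: GSS_C_NT_HOSTBASED_SERVICE (data) from /usr/lib/sasl2/libgssapiv2.sl.2
Feb 04 05:30:19 unix sm-mta[1037]: unable to dlopen /usr/lib/sasl2/libotp.sl.2: Unresolved symbol: EVP_DigestInit (code) from /usr/lib/sasl2/libotp.sl.2'

# nm lines with "library|" put in front. On a live system, for example:
#   for f in *.sl*; do nm "$f" | awk -v f="$f" '{ print f "|" $0 }'; done
SAMPLE_NM='libdigestmd5.sl.2|DES_key_sched | |undef |code |
libdigestmd5.sl.2|DES_key_sched | 23320|uext |stub |
libgssapiv2.sl.2|GSS_C_NT_HOSTBASED_SERVICE| |undef |data
libssl.sl.1|DES_key_sched | 1214096|extern|code |$CODE$
libssl.sl.1|DES_key_sched | 1214096|extern|entry |
libssl.sl.1|EVP_DigestInit | 1054104|extern|code |$CODE$
libssl.sl.1|EVP_DigestInit_ex | 1054192|extern|code |$CODE$
libgssapi_krb5.sl|GSS_C_NT_HOSTBASED_SERVICE|1073750128|extern|data |$SHORTDATA$
libgssapi_krb5.sl|GSS_C_NT_HOSTBASED_SERVICE_X|1073750136|extern|data |$SHORTDATA$'

# Print "plugin symbol kind" once for every unresolved symbol dlopen reported.
unresolved_symbols() {
    sed -n 's/.*unable to dlopen \([^ :]*\): Unresolved symbol: \([A-Za-z0-9_]*\) (\([a-z]*\)) from .*/\1 \2 \3/p' |
        LC_ALL=C sort -u
}

# Print each library that exports exactly the symbol $1 (scope "extern").
# An exact match avoids the EVP_DigestInit_ex / ..._SERVICE_X hits that grep returns.
providers() {
    awk -F'|' -v sym="$1" '
        { name = $2; scope = $4; gsub(/[ \t]/, "", name); gsub(/[ \t]/, "", scope) }
        name == sym && scope == "extern" { seen[$1] = 1 }
        END { for (lib in seen) print lib }' | LC_ALL=C sort
}

# $1 = syslog text, $2 = tagged nm text; one line per plugin/symbol pair.
report() {
    printf '%s\n' "$1" | unresolved_symbols | while read -r plugin sym kind; do
        libs=$(printf '%s\n' "$2" | providers "$sym" | tr '\n' ' ')
        libs=${libs% }
        printf '%s needs %s (%s): %s\n' "${plugin##*/}" "$sym" "$kind" "${libs:-NOT FOUND}"
    done
}

report "$SAMPLE_LOG" "$SAMPLE_NM"
```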

Dennis Handly
Acclaimed Contributor

Re: Not able to use GSSAPI and Digest-MD5

>I found other shared libraries containing these missing parameters.

It looks like that's them.

>I tried using these shared libraries, but maybe I am using the wrong syntax. So can somebody please help me in choosing the correct shlib files and the syntax of the command I should use with them?

How are you telling your application to dlopen your shlibs? Are you giving them one at a time in a conf file?

Are you creating any of the shlibs? You could create one shlib with all of the others as dependencies so dlopen sees them all at once.
LokeshP
New Member

Re: Not able to use GSSAPI and Digest-MD5

Thanks Dennis,

I am not creating any of the shlibs. Actually, the problem is in the shlib provided by the sasl. But these symbols are defined in shared libraries provided by HP-UX.
I went to the shlib folder of the sasl and there I copied the libraries from HP-UX containing those symbols (of course I renamed them so as to fool the sasl). Then the earlier errors are no longer appearing:

Feb 9 13:55:04 inet32 sendmail[24843]: unable to dlopen /usr/lib/sasl2/libdigestmd5.sl.2: Unresolved symbol: DES_key_sched (code) from /usr/lib/sasl2/libdigestmd5.sl.2

Feb 9 13:55:04 inet32 sendmail[24843]: unable to dlopen /usr/lib/sasl2/libgssapiv2.sl.2: Unresolved symbol: GSS_C_NT_HOSTBASED_SERVICE (data) from /usr/lib/sasl2/libgssapiv2.sl.2

Feb 9 13:55:04 inet32 sendmail[24843]: unable to dlopen /usr/lib/sasl2/libotp.sl.2: Unresolved symbol: EVP_DigestInit (code) from /usr/lib/sasl2/libotp.sl.2

Feb 9 13:55:04 inet32 sendmail[24843]: No worthy mechs found

But now I am getting following error:

Feb 9 14:06:49 inet32 sendmail[25066]: No worthy mechs found

Now I am not able to figure out where the error is. Somebody please help me in solving this issue.

Thanks in advance.
Shinji Teragaito_1
Respected Contributor

Re: Not able to use GSSAPI and Digest-MD5

I don't know exactly where you copied CyrusSASL from. Are you using
the old Cyrus SASL A.07 or A.08 described in the following support
information?

HP Sendmail 8.13.3 - SASL Authentication Fails with Internet Express
Cyrus SASL Version A.07 and A.08 (Document ID: c01081585-1)

NOTE: it's available on the ITRC.

CyrusSASL A.10.00-2.1.22 is available on Internet Express 11.11 March 2008.
I'd like to recommend that you use this.

Shinji
LokeshP
New Member

Re: Not able to use GSSAPI and Digest-MD5

Thanks Shinji,

I am using CyrusSASL A.11.00-2.1.22 from software.hp.com. And all mechanisms other than digest-md5 and gss-api are working fine. But I need help on one point: when I did telnet 0 25, it did not show digest-md5 or gss-api in the 250 AUTH message. So maybe I am faltering in the configuration. But I have followed all the required steps, which are the same for all mechanisms.

So can anybody please help me with the configuration? Please provide a sendmail.cf or .mc file if possible.

Thanks in advance.
Shinji Teragaito_1
Respected Contributor

Re: Not able to use GSSAPI and Digest-MD5

Hi,

I duplicated your problem on the following environment:

HPUX11i-OE-MC B.11.11.0612
KRNG11i B.11.11.09
CyrusSASL A.10.00-2.1.22
Sendmail-Upgrade B.11.11.02.006

The lab already knew about your digest-md5 and gssapi problem. The
workaround is to use the cram-md5 mechanism until the Internet Express
team releases the new CyrusSASL binaries.

Can you see CRAM-MD5 in the 250-AUTH line? Here's my EHLO output:

% telnet localhost 25
EHLO localhost
250-xxxx.yyyy.hp.com Hello root@localhost [127.0.0.1], pleased to meet you
250-ENHANCEDSTATUSCODES
250-PIPELINING
250-EXPN
250-VERB
250-8BITMIME
250-SIZE
250-DSN
250-ETRN
250-AUTH CRAM-MD5 LOGIN PLAIN
250-DELIVERBY
250 HELP

Internet Express binaries for the 11.11 PA-RISC platform are not available
on software.hp.com. I believe you have to receive the Internet Express
media when the problem is fixed.

Shinji
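
The EHLO check from the post above, as an added example that is not part of the original thread: it extracts the mechanisms advertised on the AUTH line of an EHLO reply and lists the required ones that are missing. The function names are assumptions of this example, and the sample reply is constructed from the output quoted above; the keyword match is case-insensitive and also accepts the older "AUTH=" form and CRLF line endings.

```shell
#!/bin/sh
# Added example. Constructed sample: the EHLO reply quoted in the post above.
SAMPLE_EHLO='250-xxxx.yyyy.hp.com Hello root@localhost [127.0.0.1], pleased to meet you
250-ENHANCEDSTATUSCODES
250-PIPELINING
250-EXPN
250-VERB
250-8BITMIME
250-SIZE
250-DSN
250-ETRN
250-AUTH CRAM-MD5 LOGIN PLAIN
250-DELIVERBY
250 HELP'

# stdin = EHLO reply; prints one upper-case mechanism name per line.
advertised_mechs() {
    tr -d '\r' | awk '
        { line = toupper($0) }
        line ~ /^250[- ]AUTH[ =]/ {
            sub(/^250[- ]AUTH[ =]/, "", line)
            n = split(line, m, " ")
            for (i = 1; i <= n; i++) print m[i]
        }' | LC_ALL=C sort -u
}

# $1 = EHLO reply, remaining arguments = mechanisms that must be offered.
# Prints each required mechanism that the server does not advertise.
missing_mechs() {
    reply=$1; shift
    have=$(printf '%s\n' "$reply" | advertised_mechs)
    for want in "$@"; do
        want=$(printf '%s' "$want" | tr '[:lower:]' '[:upper:]')
        printf '%s\n' "$have" | grep -Fqx -- "$want" || printf '%s\n' "$want"
    done
}

missing_mechs "$SAMPLE_EHLO" DIGEST-MD5 GSSAPI CRAM-MD5
```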