From owner-freebsd-apache@FreeBSD.ORG Thu Apr 7 13:30:41 2011 Return-Path: Delivered-To: apache@FreeBSD.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:4f8:fff6::34]) by hub.freebsd.org (Postfix) with ESMTP id 81670106566B; Thu, 7 Apr 2011 13:30:41 +0000 (UTC) (envelope-from mamalos@eng.auth.gr) Received: from vergina.eng.auth.gr (vergina.eng.auth.gr [155.207.18.1]) by mx1.freebsd.org (Postfix) with ESMTP id 0DA998FC08; Thu, 7 Apr 2011 13:30:40 +0000 (UTC) Received: from mamalacation.ee.auth.gr (mamalacation.ee.auth.gr [155.207.33.29]) by vergina.eng.auth.gr (8.14.3/8.14.3) with ESMTP id p37DUcFc067377; Thu, 7 Apr 2011 16:30:39 +0300 (EEST) (envelope-from mamalos@eng.auth.gr) Message-ID: <4D9DBC79.1080000@eng.auth.gr> Date: Thu, 07 Apr 2011 16:30:33 +0300 From: George Mamalakis User-Agent: Mozilla/5.0 (X11; U; FreeBSD amd64; en-US; rv:1.9.2.13) Gecko/20110109 Lightning/1.0b2 Thunderbird/3.1.7 MIME-Version: 1.0 To: ohauer@FreeBSD.org References: <4D9C6135.7030501@eng.auth.gr> <4D9CDF2C.4040201@FreeBSD.org> <4D9D6951.1020706@eng.auth.gr> <4D9D6D64.4070307@FreeBSD.org> In-Reply-To: <4D9D6D64.4070307@FreeBSD.org> Content-Type: text/plain; charset=UTF-8; format=flowed Content-Transfer-Encoding: 7bit Cc: apache@FreeBSD.org Subject: Re: [SPF:fail] Re: [SPF:fail] Re: mod_auth_kerb2 X-BeenThere: freebsd-apache@freebsd.org X-Mailman-Version: 2.1.5 Precedence: list List-Id: Support of apache-related ports List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Thu, 07 Apr 2011 13:30:41 -0000 On 07/04/2011 10:53, Olli Hauer wrote: > On 2011-04-07 09:35, George Mamalakis wrote: >> On 07/04/2011 00:46, Olli Hauer wrote: >>> On 2011-04-06 14:48, George Mamalakis wrote: >>>> Dear Sir/Madam, >>>> >>>> I've tried to build mod_auth_kerb2 with apache-2.2.17_1 on a FreeBSD-8.2-STABLE >>>> system. After I gave make install and tried to restart apache, I received the >>>> following message: >>>> >>>> # /usr/local/etc/rc.d/apache22 start >>>> Performing sanity check on apache22 configuration: >>>> httpd: Syntax error on line 103 of /usr/local/etc/apache22/httpd.conf: Cannot >>>> load /usr/local/libexec/apache22/mod_auth_kerb.so into server: >>>> /usr/local/libexec/apache22/mod_auth_kerb.so: Undefined symbol >>>> "gsskrb5_register_acceptor_identity" >>>> Starting apache22. >>>> httpd: Syntax error on line 103 of /usr/local/etc/apache22/httpd.conf: Cannot >>>> load /usr/local/libexec/apache22/mod_auth_kerb.so into server: >>>> /usr/local/libexec/apache22/mod_auth_kerb.so: Undefined symbol >>>> "gsskrb5_register_acceptor_identity" >>>> /usr/local/etc/rc.d/apache22: WARNING: failed to start apache22 >>>> >>>> ldd showed: >>>> # ldd /usr/local/libexec/apache22/mod_auth_kerb.so >>>> /usr/local/libexec/apache22/mod_auth_kerb.so: >>>> libgssapi.so.10 => /usr/lib/libgssapi.so.10 (0x800c00000) >>>> libheimntlm.so.10 => /usr/lib/libheimntlm.so.10 (0x800d0a000) >>>> libkrb5.so.10 => /usr/lib/libkrb5.so.10 (0x800e0f000) >>>> libhx509.so.10 => /usr/lib/libhx509.so.10 (0x800f7e000) >>>> libcom_err.so.5 => /usr/lib/libcom_err.so.5 (0x8010be000) >>>> libcrypto.so.6 => /lib/libcrypto.so.6 (0x8011c0000) >>>> libasn1.so.10 => /usr/lib/libasn1.so.10 (0x801461000) >>>> libroken.so.10 => /usr/lib/libroken.so.10 (0x8015e3000) >>>> libcrypt.so.5 => /lib/libcrypt.so.5 (0x8016f5000) >>>> libc.so.7 => /lib/libc.so.7 (0x800647000) >>>> >>>> >>>> So, even though the configuration seemed to be just fine, the installation was >>>> not functional. We changed >>>> /usr/ports/www/mod_auth_kerb2/work/mod_auth_kerb-5.4/Makefile 3rd line to read: >>>> >>>> KRB5_LDFLAGS = -L/usr/lib -lgssapi -lgssapi_krb5 -lheimntlm -lkrb5 -lhx509 >>>> -lcom_err -lcrypto -lasn1 -lroken -lcrypt >>>> >>>> which means that we added gssapi_krb5 among the linker flags. Then we installed >>>> it and now it works fine. >>>> >>>> Please verify that this is a problem regarding the port, otherwise I should post >>>> this mail to the freebsd-stable list. >>>> >>>> Thank you for your time in advance, >>>> >>>> Regards, >>> >>> I can confirm the issue, it's the /usr/bin/krb5-config script. >>> Heimdal was update from 0.6.3 to 1.1.0 and I guess this is a merge issue. >>> >>> The following patch correct the issue on FreeBSD-8.2. >>> >>> >>> --- /usr/bin/krb5-config.orig 2011-02-17 03:18:57.000000000 +0100 >>> +++ /usr/bin/krb5-config 2011-04-06 23:41:31.000000000 +0200 >>> @@ -93,7 +93,7 @@ >>> lib_flags="-L${libdir}" >>> case $library in >>> gssapi) >>> - lib_flags="$lib_flags -lgssapi -lheimntlm" >>> + lib_flags="$lib_flags -lgssapi -lgssapi_krb5 -lheimntlm" >>> ;; >>> kadm-client) >>> lib_flags="$lib_flags -lkadm5clnt" >>> >>> >>> Can you open a PR for this? >>> >>> -- >>> Regards, >>> olli >> Oli thank you, >> >> Yes, I will open a PR. I have also confirmed that the heimdal-1.4 from ports >> does exactly the same thing. >> >> Thanks again for your reply. >> > Hi George, > > I also looked at the heimdal sources and ask the heimdal support if this flag is > missing. > I guess this issue exists only on FreeBSD > > > Question to heimdal support: >>> I suspect there is a bug in krb5-config since version 1.1 or earlier, >>> `krb5-config -libs' does not include '-lgssapi_krb5' >>> >>> Found this issue with mod_auth_kerb2, the module builds but cannot be loaded. >>> There are also other reports for broken cyrus-sassl ... >>> I even cannot found this entry in heimdal-1.5pre1 > Answer from heimdal support: >> Heimdal installs the gssapi framework as libgssapi, that includes the krb5 mech, heimdal have no libgssapi_krb5 >> > > If I build heimdal direct from the heimdal-1.1 source, then indeed there is no > libgssapi_krb5. > > > -- > Regards, > olli > Oli, I am not sure I got you. If you build heimdal directly from source, it does not create a libgssapi_krb5.so.10 object? Then where are the relative functions defined? In some other shared object? And if so, then why does FreeBSD implementation work this way, if it brakes heimdal? And, finally, how can everything work once we change /usr/bin/krb5-config (This is the second time I had these issues with heimdal, the first time was with cyrus-sasl and spnego support, where I had to change the same line of /usr/bin/krb5-config to include -lgssapi_spnego. After that it would work. Then, FreeBSD changed heimdal to work without this tweak.)? I don't know Oli, I am not sure I follow. I just hope it will be resolved soon. Can you think of any other way to settle down this thing? I've sent the PR you proposed, and I included the patch you gave me, but this might not be the real solution... Thank you anyway, and I hope that things will be fixed. Regards, mamalos -- George Mamalakis IT Officer Electrical and Computer Engineer (Aristotle Un. of Thessaloniki), MSc (Imperial College of London) Department of Electrical and Computer Engineering Faculty of Engineering Aristotle University of Thessaloniki phone number : +30 (2310) 994379