Date: Mon, 01 Oct 2012 19:08:04 +0300
From: George Mamalakis
To: stable@freebsd.org
Subject: Re: mod_auth_kerb2 broken in 8-STABLE? Or is it heimdal to blame?

On 04/07/11 14:08, George Mamalakis wrote:
> On 06/04/2011 18:29, George Mamalakis wrote:
>> Dear all,
>>
>> I installed mod_auth_kerb2 on my FreeBSD 8-STABLE machine and tried
>> to use it. After the installation (which was successful(?!?)), the
>> server refused to start giving the error:
>>
>> # /usr/local/etc/rc.d/apache22 start
>> Performing sanity check on apache22 configuration:
>> httpd: Syntax error on line 103 of
>> /usr/local/etc/apache22/httpd.conf: Cannot load
>> /usr/local/libexec/apache22/mod_auth_kerb.so into server:
>> /usr/local/libexec/apache22/mod_auth_kerb.so: Undefined symbol
>> "gsskrb5_register_acceptor_identity"
>> Starting apache22.
>> httpd: Syntax error on line 103 of
>> /usr/local/etc/apache22/httpd.conf: Cannot load
>> /usr/local/libexec/apache22/mod_auth_kerb.so into server:
>> /usr/local/libexec/apache22/mod_auth_kerb.so: Undefined symbol
>> "gsskrb5_register_acceptor_identity"
>> /usr/local/etc/rc.d/apache22: WARNING: failed to start apache22
>>
>> but ldd showed:
>>
>> # ldd /usr/local/libexec/apache22/mod_auth_kerb.so
>> /usr/local/libexec/apache22/mod_auth_kerb.so:
>> libgssapi.so.10 => /usr/lib/libgssapi.so.10 (0x800c00000)
>> libheimntlm.so.10 => /usr/lib/libheimntlm.so.10 (0x800d0a000)
>> libkrb5.so.10 => /usr/lib/libkrb5.so.10 (0x800e0f000)
>> libhx509.so.10 => /usr/lib/libhx509.so.10 (0x800f7e000)
>> libcom_err.so.5 => /usr/lib/libcom_err.so.5 (0x8010be000)
>> libcrypto.so.6 => /lib/libcrypto.so.6 (0x8011c0000)
>> libasn1.so.10 => /usr/lib/libasn1.so.10 (0x801461000)
>> libroken.so.10 => /usr/lib/libroken.so.10 (0x8015e3000)
>> libcrypt.so.5 => /lib/libcrypt.so.5 (0x8016f5000)
>> libc.so.7 => /lib/libc.so.7 (0x800647000)
>>
>> which showed that everything should have been fine. I googled it a
>> bit and found this thread regarding my error message:
>> http://forum.nginx.org/read.php?23,88476 , which started in May 2010,
>> and pointed to this PR:
>> http://www.freebsd.org/cgi/query-pr.cgi?pr=147454 , which started in
>> June 2010. What is stated is that heimdal-1.1 was broken in FreeBSD,
>> and that it should be fixed at some moment in the future. (I tested
>> mod_auth_kerb2 on another machine running heimdal from ports (1.4_1)
>> and I had exactly the same problem).
>>
>> I searched to find where this notorious function
>> (gsskrb5_register_acceptor_identity) was located, and I found its
>> declaration in: /usr/include/gssapi/gssapi_krb5.h, and its definition
>> in: /usr/lib/libgssapi_krb5.so.
>>
>> So, I added -lgssapi_krb5 in KRB5_LDFLAGS variable of
>> /usr/ports/www/mod_auth_kerb2/work/mod_auth_kerb-5.4/Makefile , since
>> this is where the location of gsskrb5_register_acceptor_identity
>> originally seemed to be, and reinstalled the port using gmake this
>> time (inside the port's work directory). After that, the module works
>> just fine. The initial content of this line was:
>>
>> KRB5_LDFLAGS = -L/usr/lib -lgssapi -lheimntlm -lkrb5 -lhx509
>> -lcom_err -lcrypto -lasn1 -lroken -lcrypt
>>
>> I've sent an analogous email to the port maintainer, but I am not
>> sure if it is their "fault". Hence, I decided to send this email to
>> the stable list for two reasons: First, someone else may be having a
>> similar problem and wants to find a rough solution. Secondly, there
>> are people reading this list that know heimdal's code, so somebody
>> may know another (much more elegant) way to fix this bug.
>>
>> Thank you all for your time in advance,
>>
>> Regards,
>>
>> mamalos.
>>
>
> OK,
>
> I spoke with the maintainer who confirmed the problem. He also
> suggested to change line 96 of /usr/bin/krb5-config to include
> gssapi_krb5 among its libraries. He also gave me the relevant patch,
> and asked me to send a PR to FreeBSD. The patch is as follows:
>
> --- /usr/bin/krb5-config.orig 2011-02-17 03:18:57.000000000 +0100 > +++ /usr/bin/krb5-config 2011-04-06 23:41:31.000000000 +0200
> @@ -93,7 +93,7 @@ > lib_flags="-L${libdir}" > case $library in > gssapi) > - lib_flags="$lib_flags -lgssapi -lheimntlm" > + lib_flags="$lib_flags -lgssapi -lgssapi_krb5 -lheimntlm" > ;; > kadm-client) > lib_flags="$lib_flags -lkadm5clnt"
>
>
>
> And the relevant PR is:
>
> http://www.freebsd.org/cgi/query-pr.cgi?pr=156245
>
> Thank you all for your time,
>
> mamalos
>

Hi all,

I am bringing this matter back again because the same things hold for my current system too (/usr/bin/krb5-config does not seem to link gssapi-things properly):

# uname -a
FreeBSD example.com 9.0-STABLE FreeBSD 9.0-STABLE #0: Mon Jun 18 21:04:14 EEST 2012 root@example.com:/usr/obj/usr/src/sys/FILESRV amd64

# pkg_info -Ix apache kerb
ap22-mod_auth_kerb-5.4_3 An Apache module for authenticating users with Kerberos v5
apache22-2.2.22_8 Version 2.2.x of Apache web server with prefork MPM.

Should I send a PR or is there something that I've done wrong?

Thanx all in advance.

--
George Mamalakis
IT and Security Officer
Electrical and Computer Engineer (Aristotle Un. of Thessaloniki), MSc (Imperial College of London)
Department of Electrical and Computer Engineering
Faculty of Engineering
Aristotle University of Thessaloniki
phone number : +30 (2310) 994379
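
Review bot: the file headers of the quoted patch show the diff was taken against the installed script (/usr/bin/krb5-config.orig against /usr/bin/krb5-config), so the edit is lost the next time the base system is reinstalled or upgraded; for the PR, the same one-line change belongs in the file in the source tree that this script is installed from. In the gssapi) case the added -lgssapi_krb5 changes the link line of every program that asks krb5-config for the gssapi libraries, not only mod_auth_kerb, so the PR text should state that gsskrb5_register_acceptor_identity is defined in libgssapi_krb5 and that this is why the extra library is needed.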
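
The diagnosis in the first quoted message, as an added example that is not part of the thread: ldd only confirms that each needed library was found, so this compares the symbols a module imports with the symbols its linked libraries export. The symbol listings are constructed, and `unresolved_symbols` and `demo` are hypothetical names.

```shell
#!/bin/sh
# Added example (not from the thread). On a real system the two listings
# would come from nm, for instance:
#   nm -D -u mod_auth_kerb.so > undef
#   ldd mod_auth_kerb.so | awk '$2 == "=>" { print $3 }' \
#       | xargs nm -D --defined-only > defined

# unresolved_symbols UNDEF_FILE DEFINED_FILE
# Prints every symbol marked "U" in UNDEF_FILE that no line of
# DEFINED_FILE ("address type name") defines.
unresolved_symbols() {
    awk '
        { sub(/@.*/, "", $NF) }                 # drop symbol-version suffixes
        NR == FNR { if ($1 == "U") want[$NF] = 1; next }
        NF == 3 && $2 != "U" { have[$NF] = 1 }
        END { for (s in want) if (!(s in have)) print s }
    ' "$1" "$2" | sort
}

# demo before|after: constructed listings for the module's imports and for
# the libraries on the link line, before and after -lgssapi_krb5 is added.
demo() {
    tmp=$(mktemp -d) || return 1
    cat > "$tmp/undef" <<'EOF'
                 U gss_accept_sec_context
                 U gsskrb5_register_acceptor_identity
                 U krb5_init_context
EOF
    cat > "$tmp/defined" <<'EOF'
0000000000004a10 T gss_accept_sec_context
0000000000012c40 T krb5_init_context
EOF
    if [ "$1" = "after" ]; then
        # constructed line standing in for libgssapi_krb5's export
        echo '0000000000003f80 T gsskrb5_register_acceptor_identity' \
            >> "$tmp/defined"
    fi
    unresolved_symbols "$tmp/undef" "$tmp/defined"
    rm -rf "$tmp"
}

echo "unresolved before fix: $(demo before)"
echo "unresolved after fix:  $(demo after)"
```

An empty result means every imported symbol has a provider among the linked libraries; any name printed is one the runtime linker will report as an undefined symbol when the module is loaded.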