From owner-freebsd-ports-bugs@FreeBSD.ORG Thu Oct 6 01:40:20 2005
Return-Path:
X-Original-To: freebsd-ports-bugs@hub.freebsd.org
Delivered-To: freebsd-ports-bugs@hub.freebsd.org
Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id 3B3CD16A41F for ; Thu, 6 Oct 2005 01:40:20 +0000 (GMT) (envelope-from gnats@FreeBSD.org)
Received: from freefall.freebsd.org (freefall.freebsd.org [216.136.204.21]) by mx1.FreeBSD.org (Postfix) with ESMTP id 1D42E43D46 for ; Thu, 6 Oct 2005 01:40:19 +0000 (GMT) (envelope-from gnats@FreeBSD.org)
Received: from freefall.freebsd.org (gnats@localhost [127.0.0.1]) by freefall.freebsd.org (8.13.3/8.13.3) with ESMTP id j961eIQa077294 for ; Thu, 6 Oct 2005 01:40:18 GMT (envelope-from gnats@freefall.freebsd.org)
Received: (from gnats@localhost) by freefall.freebsd.org (8.13.3/8.13.1/Submit) id j961eIZR077293; Thu, 6 Oct 2005 01:40:18 GMT (envelope-from gnats)
Resent-Date: Thu, 6 Oct 2005 01:40:18 GMT
Resent-Message-Id: <200510060140.j961eIZR077293@freefall.freebsd.org>
Resent-From: FreeBSD-gnats-submit@FreeBSD.org (GNATS Filer)
Resent-To: freebsd-ports-bugs@FreeBSD.org
Resent-Reply-To: FreeBSD-gnats-submit@FreeBSD.org, Brian Fundakowski Feldman
Received: from green.homeunix.org (freefall.freebsd.org [216.136.204.21]) by hub.freebsd.org (Postfix) with ESMTP id B7C9716A41F for ; Thu, 6 Oct 2005 01:31:12 +0000 (GMT) (envelope-from green@green.homeunix.org)
Received: from green.homeunix.org (green@localhost [127.0.0.1]) by green.homeunix.org (8.13.4/8.13.1) with ESMTP id j961UYmf024765 for ; Wed, 5 Oct 2005 21:30:34 -0400 (EDT) (envelope-from green@green.homeunix.org)
Received: (from green@localhost) by green.homeunix.org (8.13.4/8.13.1/Submit) id j961UYRI024764; Wed, 5 Oct 2005 21:30:34 -0400 (EDT) (envelope-from green)
Message-Id: <200510060130.j961UYRI024764@green.homeunix.org>
Date: Wed, 5 Oct 2005 21:30:34 -0400 (EDT)
From: Brian Fundakowski Feldman
To: FreeBSD-gnats-submit@FreeBSD.org
X-Send-Pr-Version: 3.113
Cc:
Subject: ports/86963: mod_auth_kerb defaults to installing MIT Kerberos and won't work with Heimdal
X-BeenThere: freebsd-ports-bugs@freebsd.org
X-Mailman-Version: 2.1.5
Precedence: list
List-Id: Ports bug reports
List-Unsubscribe: ,
List-Archive:
List-Post:
List-Help:
List-Subscribe: ,
X-List-Received-Date: Thu, 06 Oct 2005 01:40:20 -0000

>Number: 86963
>Category: ports
>Synopsis: mod_auth_kerb defaults to installing MIT Kerberos and won't work with Heimdal
>Confidential: no
>Severity: serious
>Priority: high
>Responsible: freebsd-ports-bugs
>State: open
>Quarter:
>Keywords:
>Date-Required:
>Class: change-request
>Submitter-Id: current-users
>Arrival-Date: Thu Oct 06 01:40:18 GMT 2005
>Closed-Date:
>Last-Modified:
>Originator: Brian Fundakowski Feldman
>Release: FreeBSD 6.0-BETA4 i386
>Organization: FreeBSD
>Environment:
System: FreeBSD green.homeunix.org 6.0-BETA4 FreeBSD 6.0-BETA4 #0: Fri Sep 9 07:16:21 EDT 2005 green@green.homeunix.org:/usr/obj/usr/src/sys/GREEN i386
>Description:
The port defaults to installing MIT Kerberos into ${LOCALBASE} in spite of the presence of Heimdal in the base system. In spite of this, however, Heimdal support does not work.
>How-To-Repeat:
make KRB5_HOME=/usr install, then attempt SPNEGO authentication (not krb5 password gatewaying, which the pam_krb5 module could do perfectly well anyway) with a keytab other than /etc/krb5.keytab (specified by Krb5Keytab in the httpd.conf). The directive appears to be ignored, as an error referring to "FILE:/etc/krb5.keytab" is returned upon attempting the authentication using Mozilla.
>Fix:
Heimdal has an existing API for performing the function that this plugin is attempting (that is, changing the location of the keytab to allow for least privilege for the service). Using it thusly makes things work for me:

--- src/mod_auth_kerb.c.orig Tue Aug 10 08:01:01 2004
+++ src/mod_auth_kerb.c Wed Oct 5 20:25:38 2005
@@ -1108,6 +1108,7 @@ spnego_oid.elements = (void *)"\x2b\x06\x01\x05\x05\x02"; if (conf->krb_5_keytab) { +#ifndef HEIMDAL char *ktname; /* we don't use the ap_* calls here, since the string passed to putenv() * will become part of the enviroment and shouldn't be free()ed by apache @@ -1120,6 +1121,14 @@ } sprintf(ktname, "KRB5_KTNAME=%s", conf->krb_5_keytab); putenv(ktname); +#else + ret = gsskrb5_register_acceptor_identity(conf->krb_5_keytab); + if (ret) { + log_rerror(APLOG_MARK, APLOG_ERR, 0, r, "Setting KerberosV keytab failed: %s", strerror(errno)); + ret = HTTP_INTERNAL_SERVER_ERROR; + goto end; + } +#endif } ret = get_gss_creds(r, conf, &server_creds); I plan to send this PR over to the mod_auth_kerb guys in order to get it into the standard distribution. A smaller issue is the inaccurate description in the port. It makes no mention of SPNEGO ("HTTP Negotiate"/GSSAPI/Kerberos 5 authentication), and refers to a www/@ principal whereas the canonical principal, and the default, is actually HTTP/@. I could attempt a rewrite of this... >Release-Note: >Audit-Trail: >Unformatted:
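Review bot: in the first hunk (@@ -1108,6 +1108,7 @@), the `+#ifndef HEIMDAL` placed before `char *ktname;` only takes effect if the build defines HEIMDAL when the module is compiled against the base-system Heimdal; neither the hunk nor the PR text shows where that macro is set for a `make KRB5_HOME=/usr install` build, so please confirm the port's configure or Makefile defines it (or document the `-DHEIMDAL` requirement), otherwise the `putenv()` path is still compiled and the reported behaviour does not change. Since the matching `#else`/`#endif` live in the second hunk, the two hunks must also be applied together or the `if (conf->krb_5_keytab) {` block fails to compile.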
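Review bot: in the second hunk (@@ -1120,6 +1121,14 @@), the `+#else` branch reports the failure with `strerror(errno)`, but the condition being tested is the non-zero `ret` returned by `gsskrb5_register_acceptor_identity()`, which is a GSS-API status value rather than an errno-setting call, so the logged text will usually describe an unrelated error. Suggest logging the status itself (for example `"Setting KerberosV keytab failed: %lu", (unsigned long)ret`) before `ret` is overwritten with `HTTP_INTERNAL_SERVER_ERROR`. Worth a comment in the code as well: like the `KRB5_KTNAME` environment variable it replaces, this call registers one acceptor keytab for the whole process, so two locations with different `Krb5Keytab` directives served by the same httpd child will still interfere with each other.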
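The Fix above depends on mod_auth_kerb being pointed at a service-specific keytab that only the web server account can read, rather than the host's shared /etc/krb5.keytab. The following check is an added example, not part of the PR or of mod_auth_kerb: it parses an httpd.conf for the Krb5Keytab directive (with or without a FILE: prefix) and verifies that the named keytab exists, is not the system default, and is owned by the web server user with no group or world read access. The conf path, the "www" account and the constructed sample files in demo() are assumptions.

```shell
#!/bin/sh
# Added example (not from the PR or mod_auth_kerb): verify that the keytab an
# httpd.conf hands to mod_auth_kerb via Krb5Keytab is private to the web
# server account, the least-privilege arrangement the PR relies on.
# Paths and the "www" user below are assumptions, not values from the PR.

# keytab_path CONF: print the path named by the last Krb5Keytab directive in
# CONF, with surrounding quotes and any "FILE:" prefix removed. Empty if unset.
keytab_path() {
    awk 'tolower($1) == "krb5keytab" { gsub(/"/, "", $2); print $2 }' "$1" \
        | tail -n 1 | sed 's/^FILE://'
}

# check_keytab CONF USER: return 0 if the configured keytab is a regular file
# owned by USER and readable by nobody else; otherwise print why to stderr
# and return 1.
check_keytab() {
    conf=$1
    user=$2
    kt=$(keytab_path "$conf")
    if [ -z "$kt" ]; then
        echo "no Krb5Keytab directive in $conf; the default /etc/krb5.keytab will be used" >&2
        return 1
    fi
    if [ "$kt" = /etc/krb5.keytab ]; then
        echo "$kt is the system default keytab shared with every other service on the host" >&2
        return 1
    fi
    if [ ! -f "$kt" ]; then
        echo "$kt does not exist or is not a regular file" >&2
        return 1
    fi
    # find prints the path only when all three hold: owned by USER, not
    # group-readable, not world-readable. -prune stops any descent should a
    # directory slip through. Symbolic -perm modes and -user are POSIX.
    if [ -z "$(find "$kt" -prune -user "$user" ! -perm -g+r ! -perm -o+r -print 2>/dev/null)" ]; then
        echo "$kt must be owned by $user with mode 0600 or stricter" >&2
        return 1
    fi
    return 0
}

# demo: build a constructed httpd.conf fragment and an empty keytab in a
# temporary directory, then run the check in a good and a bad configuration.
demo() {
    d=$(mktemp -d) || return 2
    me=$(id -un)
    printf 'Krb5Keytab FILE:%s/http.keytab\n' "$d" > "$d/httpd.conf"
    : > "$d/http.keytab"
    chmod 600 "$d/http.keytab"
    check_keytab "$d/httpd.conf" "$me" && echo "0600 keytab: ok"
    chmod 644 "$d/http.keytab"
    check_keytab "$d/httpd.conf" "$me" || echo "0644 keytab: rejected"
    rm -rf "$d"
}

# Real-world usage (paths are assumptions):
#   check_keytab /usr/local/etc/apache22/httpd.conf www
```

Run `demo` to see both outcomes; in a deployment, run the check against the live httpd.conf after each keytab rotation, since a keytab recreated with a permissive umask silently widens who can impersonate the HTTP service.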