Skip site navigation (1)Skip section navigation (2)
Date:      Mon, 21 Sep 2009 14:51:31 +0300
From:      George Mamalakis <mamalos@eng.auth.gr>
To:        Rick Macklem <rmacklem@uoguelph.ca>, George Mamalakis <mamalos@eng.auth.gr>, freebsd-current@freebsd.org, freebsd-stable <freebsd-stable@freebsd.org>
Subject:   Re: SASL problems with spnego on 8.0-BETA4
Message-ID:  <4AB768C3.6030003@eng.auth.gr>
In-Reply-To: <20090921012855.GA1001@rwpc12.mby.riverwillow.net.au>
References:  <4AB27FB6.4010806@eng.auth.gr>	<20090918034933.GI1231@rwpc12.mby.riverwillow.net.au>	<Pine.GSO.4.63.0909181722270.23193@muncher.cs.uoguelph.ca>	<20090918233157.GK1231@rwpc12.mby.riverwillow.net.au> <20090921012855.GA1001@rwpc12.mby.riverwillow.net.au>

next in thread | previous in thread | raw e-mail | index | archive | help
John Marshall wrote:
> On Sat, 19 Sep 2009, 09:31 +1000, John Marshall wrote:
>   
>> On Fri, 18 Sep 2009, 17:38 -0400, Rick Macklem wrote:
>>     
>>> When cyrus-sasl2 builds, it uses the little shell script
>>> /usr/bin/krb5-config with the args. "--libs gssapi" to get the list of
>>> libraries to link against. This doesn't return "-lgssapi_spnego" in the
>>> list. (The list can be changed by editting line #96 of 
>>> /usr/bin/krb5-config.)
>>>       
>> I think this sounds promising!  It makes sense.  Thanks for pointing us
>> in this direction.
>>     
>
> This morning, on my 8.0-RC1 system, I did the following to confirm that
> GSSAPI authentication to the LDAP server via SASL2 using the base
> Heimdal was still broken:
>
>  - removed the heimdal-1.2.1 port
>  - rebuilt the cyrus-sasl-2.1.23 port (against the base heimdal)
>  - started the openldap-sasl-server-2.4.18_1
>  - queried the LDAP server from a separate client using ldapsearch:
>      --------
>      SASL/GSSAPI authentication started
>      ldap_sasl_interactive_bind_s: Can't contact LDAP server (-1)
>      --------
>  - and noted that the ldap server died at that point.
>
> I edited line 96 of /usr/bin/krb5-config to include -lgssapi_krb5 in the
> libraries list:
>
>         lib_flags="$lib_flags -lgssapi -lgssapi_krb5 -lheimntlm"
>
> and then did the following:
>
>  - rebuilt the cyrus-sasl-2.1.23 port (against the base heimdal)
>  - started the openldap-sasl-server-2.4.18_1
>  - queried the LDAP server from a separate client using ldapsearch
>      --------
>      SASL/GSSAPI authentication started
>      SASL username: john@EXAMPLE.COM
>      SASL SSF: 56
>      SASL data security layer installed.
>      # extended LDIF
>      #
>      # LDAPv3
>      --------
>
> SUCCESS!
>
> So, this fix obviates THAT reason for installing the Heimdal port.  If
> George meets with similar success adding -lgssapi_spnego for his spnego
> problem, I suggest that both libraries be added to the list in line 96
> of /usr/bin/krb5-config prior to release of FreeBSD 8.0.
>
> It doesn't look like this fix is as simple as submitting a patch to
> krb5-config.  It looks like magic needs to happen somewhere in the base
> kerberos build system.
>
> I notice that the Heimdal port doesn't build the separate libraries and
> everything seems to be included in libgssapi (which explains why sasl2
> "works" when linked against the Heimdal port).
>
>   
Guys,

I changed my /usr/bin/krb5-config's line 96 to include -lgssapi_spnego 
and -lgssapi_krb5, and ever since both client and server work 
correctly!! Of course I get some other error, but at least this must be 
a configuration error :).

So, to sum up:

Still running on fbsd.8-BETA4, changed krb5-config to include the 
missing libraries, recompiled cyrus-sasl-2.1.23 after I changed the 
krb5-config, restarted openldap-sasl-server-2.4.18_1 and after 
performing an ldapsearch, the client does not complain (and exits) about 
missing libraries, NOR does the server crash on sasl authentication.

Great job guys, thank you all very very much for your help! I posted my 
query on the 17th of Sep. and in four days (weekend inclusive!) someone 
came up with an answer that resolves my issue! Great job, once more, and 
thank you all again!

-- 
George Mamalakis

IT Officer
Electrical and Computer Engineer (Aristotle Un. of Thessaloniki),
MSc (Imperial College of London)

Department of Electrical and Computer Engineering
Faculty of Engineering
Aristotle University of Thessaloniki

phone number : +30 (2310) 994379




Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?4AB768C3.6030003>