From owner-freebsd-current@FreeBSD.ORG Mon Sep 21 11:51:42 2009
From: George Mamalakis
Date: Mon, 21 Sep 2009 14:51:31 +0300
To: Rick Macklem, George Mamalakis, freebsd-current@freebsd.org, freebsd-stable
Subject: Re: SASL problems with spnego on 8.0-BETA4
Message-ID: <4AB768C3.6030003@eng.auth.gr>
In-Reply-To: <20090921012855.GA1001@rwpc12.mby.riverwillow.net.au>
References: <4AB27FB6.4010806@eng.auth.gr> <20090918034933.GI1231@rwpc12.mby.riverwillow.net.au> <20090918233157.GK1231@rwpc12.mby.riverwillow.net.au> <20090921012855.GA1001@rwpc12.mby.riverwillow.net.au>

John Marshall wrote:
> On Sat, 19 Sep 2009, 09:31 +1000, John Marshall wrote:
>
>> On Fri, 18 Sep 2009, 17:38 -0400, Rick Macklem wrote:
>>
>>> When cyrus-sasl2 builds, it uses the little shell script
>>> /usr/bin/krb5-config with the args "--libs gssapi" to get the list of
>>> libraries to link against. This doesn't return "-lgssapi_spnego" in the
>>> list. (The list can be changed by editing line #96 of
>>> /usr/bin/krb5-config.)
>>>
>> I think this sounds promising! It makes sense. Thanks for pointing us
>> in this direction.
>>
>
> This morning, on my 8.0-RC1 system, I did the following to confirm that
> GSSAPI authentication to the LDAP server via SASL2 using the base
> Heimdal was still broken:
>
> - removed the heimdal-1.2.1 port
> - rebuilt the cyrus-sasl-2.1.23 port (against the base heimdal)
> - started the openldap-sasl-server-2.4.18_1
> - queried the LDAP server from a separate client using ldapsearch:
> --------
> SASL/GSSAPI authentication started
> ldap_sasl_interactive_bind_s: Can't contact LDAP server (-1)
> --------
> - and noted that the ldap server died at that point.
>
> I edited line 96 of /usr/bin/krb5-config to include -lgssapi_krb5 in the
> libraries list:
>
> lib_flags="$lib_flags -lgssapi -lgssapi_krb5 -lheimntlm"
>
> and then did the following:
>
> - rebuilt the cyrus-sasl-2.1.23 port (against the base heimdal)
> - started the openldap-sasl-server-2.4.18_1
> - queried the LDAP server from a separate client using ldapsearch
> --------
> SASL/GSSAPI authentication started
> SASL username: john@EXAMPLE.COM
> SASL SSF: 56
> SASL data security layer installed.
> # extended LDIF
> #
> # LDAPv3
> --------
>
> SUCCESS!
>
> So, this fix obviates THAT reason for installing the Heimdal port. If
> George meets with similar success adding -lgssapi_spnego for his spnego
> problem, I suggest that both libraries be added to the list in line 96
> of /usr/bin/krb5-config prior to release of FreeBSD 8.0.
>
> It doesn't look like this fix is as simple as submitting a patch to
> krb5-config. It looks like magic needs to happen somewhere in the base
> kerberos build system.
>
> I notice that the Heimdal port doesn't build the separate libraries and
> everything seems to be included in libgssapi (which explains why sasl2
> "works" when linked against the Heimdal port).
>

Guys,

I changed my /usr/bin/krb5-config's line 96 to include -lgssapi_spnego and -lgssapi_krb5, and ever since both client and server work correctly!! Of course I get some other error, but at least this must be a configuration error :).

So, to sum up: still running on fbsd.8-BETA4, changed krb5-config to include the missing libraries, recompiled cyrus-sasl-2.1.23 after I changed the krb5-config, restarted openldap-sasl-server-2.4.18_1, and after performing an ldapsearch the client does not complain (and exit) about missing libraries, NOR does the server crash on SASL authentication.

Great job guys, thank you all very very much for your help! I posted my query on the 17th of Sep. and in four days (weekend inclusive!) someone came up with an answer that resolves my issue!

Great job, once more, and thank you all again!

-- 
George Mamalakis
IT Officer
Electrical and Computer Engineer (Aristotle Un. of Thessaloniki), MSc (Imperial College of London)
Department of Electrical and Computer Engineering
Faculty of Engineering
Aristotle University of Thessaloniki
phone number : +30 (2310) 994379