Message-ID: <4D9C86E8.3090402@eng.auth.gr>
Date: Wed, 06 Apr 2011 18:29:44 +0300
From: George Mamalakis
To: stable@freebsd.org
Subject: mod_auth_kerb2 broken in 8-STABLE? Or is it heimdal to blame?

Dear all,

I installed mod_auth_kerb2 on my FreeBSD 8-STABLE machine and tried to use it. After the installation (which was successful(?!?)), the server refused to start, giving the error:

    # /usr/local/etc/rc.d/apache22 start
    Performing sanity check on apache22 configuration:
    httpd: Syntax error on line 103 of /usr/local/etc/apache22/httpd.conf: Cannot load /usr/local/libexec/apache22/mod_auth_kerb.so into server: /usr/local/libexec/apache22/mod_auth_kerb.so: Undefined symbol "gsskrb5_register_acceptor_identity"
    Starting apache22.
    httpd: Syntax error on line 103 of /usr/local/etc/apache22/httpd.conf: Cannot load /usr/local/libexec/apache22/mod_auth_kerb.so into server: /usr/local/libexec/apache22/mod_auth_kerb.so: Undefined symbol "gsskrb5_register_acceptor_identity"
    /usr/local/etc/rc.d/apache22: WARNING: failed to start apache22

but ldd showed:

    # ldd /usr/local/libexec/apache22/mod_auth_kerb.so
    /usr/local/libexec/apache22/mod_auth_kerb.so:
            libgssapi.so.10 => /usr/lib/libgssapi.so.10 (0x800c00000)
            libheimntlm.so.10 => /usr/lib/libheimntlm.so.10 (0x800d0a000)
            libkrb5.so.10 => /usr/lib/libkrb5.so.10 (0x800e0f000)
            libhx509.so.10 => /usr/lib/libhx509.so.10 (0x800f7e000)
            libcom_err.so.5 => /usr/lib/libcom_err.so.5 (0x8010be000)
            libcrypto.so.6 => /lib/libcrypto.so.6 (0x8011c0000)
            libasn1.so.10 => /usr/lib/libasn1.so.10 (0x801461000)
            libroken.so.10 => /usr/lib/libroken.so.10 (0x8015e3000)
            libcrypt.so.5 => /lib/libcrypt.so.5 (0x8016f5000)
            libc.so.7 => /lib/libc.so.7 (0x800647000)

which showed that everything should have been fine.

I googled it a bit and found this thread regarding my error message: http://forum.nginx.org/read.php?23,88476 , which started in May 2010, and pointed to this PR: http://www.freebsd.org/cgi/query-pr.cgi?pr=147454 , which started in June 2010. What is stated is that heimdal-1.1 was broken in FreeBSD, and that it should be fixed at some moment in the future. (I tested mod_auth_kerb2 on another machine running heimdal from ports (1.4_1) and I had exactly the same problem).

I searched to find where this notorious function (gsskrb5_register_acceptor_identity) was located, and I found its declaration in: /usr/include/gssapi/gssapi_krb5.h, and its definition in: /usr/lib/libgssapi_krb5.so.

So, I added -lgssapi_krb5 in the KRB5_LDFLAGS variable of /usr/ports/www/mod_auth_kerb2/work/mod_auth_kerb-5.4/Makefile , since this is where the location of gsskrb5_register_acceptor_identity originally seemed to be, and reinstalled the port using gmake this time (inside the port's work directory). After that, the module works just fine. The initial content of this line was:

    KRB5_LDFLAGS = -L/usr/lib -lgssapi -lheimntlm -lkrb5 -lhx509 -lcom_err -lcrypto -lasn1 -lroken -lcrypt

I've sent an analogous email to the port maintainer, but I am not sure if it is their "fault". Hence, I decided to send this email to the stable list for two reasons: First, someone else may be having a similar problem and wants to find a rough solution. Secondly, there are people reading this list that know heimdal's code, so somebody may know another (much more elegant) way to fix this bug.

Thank you all for your time in advance,

Regards,

mamalos.

-- 
George Mamalakis

IT Officer
Electrical and Computer Engineer (Aristotle Un. of Thessaloniki),
MSc (Imperial College of London)

Department of Electrical and Computer Engineering
Faculty of Engineering
Aristotle University of Thessaloniki

phone number : +30 (2310) 994379
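
A cross-check that ldd does not perform, added here as an example and not part of the original message: ldd only confirms that each needed library is found, not that every undefined symbol in the module is exported by one of them. The script compares saved nm -D listings; the helper names (unresolved, providers), the .nm file names and the embedded listings are constructed for illustration, modelled on the libraries named in the message.

```sh
#!/bin/sh
# Added example. Inputs are saved listings: nm -D mod_auth_kerb.so > mod_auth_kerb.nm
LC_ALL=C; export LC_ALL    # sort, comm and grep must agree on ordering

# Strong undefined references (type U); weak ones (w, v) may stay unresolved.
undefined_syms() {
    awk '$1 == "U" { sub(/@.*/, "", $2); print $2 }' "$@" | sort -u
}

# Symbols a listing defines: "ADDRESS TYPE NAME" with a defining type letter.
defined_syms() {
    awk 'NF == 3 && $2 ~ /^[TDBRWVi]$/ { sub(/@.*/, "", $3); print $3 }' "$@" | sort -u
}

# unresolved MODULE.nm LIB.nm...: references that none of the libraries satisfy.
unresolved() {
    mod=$1; shift
    defs=$(mktemp "${TMPDIR:-/tmp}/defs.XXXXXX")
    defined_syms "$@" > "$defs"
    undefined_syms "$mod" | comm -23 - "$defs"
    rm -f "$defs"
}

# providers SYMBOL LIB.nm...: which candidate listings define SYMBOL.
providers() {
    sym=$1; shift
    for f in "$@"; do
        if defined_syms "$f" | grep -Fqx -- "$sym"; then echo "$f"; fi
    done
}

# Constructed sample listings (hypothetical addresses, trimmed symbol sets).
work=$(mktemp -d "${TMPDIR:-/tmp}/nmdemo.XXXXXX"); trap 'rm -rf "$work"' EXIT
cat > "$work/mod_auth_kerb.nm" <<'EOF'
                 U gss_accept_sec_context
                 U gsskrb5_register_acceptor_identity
                 U krb5_init_context
                 w _Jv_RegisterClasses
0000000000203a80 D auth_kerb_module
EOF
echo '0000000000004f10 T gss_accept_sec_context' > "$work/libgssapi.nm"
echo '000000000001c2a0 T krb5_init_context' > "$work/libkrb5.nm"
echo '0000000000006b30 T gsskrb5_register_acceptor_identity' > "$work/libgssapi_krb5.nm"

# Check against listings of linked libraries first, then search all candidates.
for s in $(unresolved "$work/mod_auth_kerb.nm" "$work/libgssapi.nm" "$work/libkrb5.nm"); do
    echo "unresolved: $s, defined in: $(providers "$s" "$work"/lib*.nm)"
done
```

On a real system the listings come from running nm -D on the module, on each library in its ldd output, and on any candidate libraries under /usr/lib.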