Date:      Fri, 19 Oct 2012 10:19:57 +1100
From:      John Marshall <john.marshall@riverwillow.com.au>
To:        George Mamalakis <mamalos@eng.auth.gr>
Cc:        stable@freebsd.org
Subject:   Re: mod_auth_kerb2 broken in 8-STABLE? Or is it heimdal to blame?
Message-ID:  <50808E9D.4010601@riverwillow.com.au>
In-Reply-To: <5069BFE4.9040500@eng.auth.gr>
References:  <4D9C86E8.3090402@eng.auth.gr> <4D9D9B22.2020701@eng.auth.gr> <5069BFE4.9040500@eng.auth.gr>


On 02/10/2012 02:08, George Mamalakis wrote:
> On 04/07/11 14:08, George Mamalakis wrote:
>> On 06/04/2011 18:29, George Mamalakis wrote:
>>> Dear all,
>>>
>>> I installed mod_auth_kerb2 on my FreeBSD 8-STABLE machine and tried
>>> to use it. After the installation (which was successful(?!?)), the
>>> server refused to start giving the error:
>>>
>>> # /usr/local/etc/rc.d/apache22 start
>>> Performing sanity check on apache22 configuration:
>>> httpd: Syntax error on line 103 of
>>> /usr/local/etc/apache22/httpd.conf: Cannot load
>>> /usr/local/libexec/apache22/mod_auth_kerb.so into server:
>>> /usr/local/libexec/apache22/mod_auth_kerb.so: Undefined symbol
>>> "gsskrb5_register_acceptor_identity"
>>> Starting apache22.
>>> httpd: Syntax error on line 103 of
>>> /usr/local/etc/apache22/httpd.conf: Cannot load
>>> /usr/local/libexec/apache22/mod_auth_kerb.so into server:
>>> /usr/local/libexec/apache22/mod_auth_kerb.so: Undefined symbol
>>> "gsskrb5_register_acceptor_identity"
>>> /usr/local/etc/rc.d/apache22: WARNING: failed to start apache22
>>>
>>> but ldd showed:
>>>
>>> # ldd /usr/local/libexec/apache22/mod_auth_kerb.so
>>> /usr/local/libexec/apache22/mod_auth_kerb.so:
>>>     libgssapi.so.10 => /usr/lib/libgssapi.so.10 (0x800c00000)
>>>     libheimntlm.so.10 => /usr/lib/libheimntlm.so.10 (0x800d0a000)
>>>     libkrb5.so.10 => /usr/lib/libkrb5.so.10 (0x800e0f000)
>>>     libhx509.so.10 => /usr/lib/libhx509.so.10 (0x800f7e000)
>>>     libcom_err.so.5 => /usr/lib/libcom_err.so.5 (0x8010be000)
>>>     libcrypto.so.6 => /lib/libcrypto.so.6 (0x8011c0000)
>>>     libasn1.so.10 => /usr/lib/libasn1.so.10 (0x801461000)
>>>     libroken.so.10 => /usr/lib/libroken.so.10 (0x8015e3000)
>>>     libcrypt.so.5 => /lib/libcrypt.so.5 (0x8016f5000)
>>>     libc.so.7 => /lib/libc.so.7 (0x800647000)
>>>
>>> which showed that everything should have been fine. I googled it a
>>> bit and found this thread regarding my error message:
>>> http://forum.nginx.org/read.php?23,88476 , which started on May 2010,
>>> and pointed to this PR:
>>> http://www.freebsd.org/cgi/query-pr.cgi?pr=147454 , which started on
>>> June 2010. What is stated, is that heimdal-1.1 was broken in FreeBSD,
>>> and that it should be fixed at some moment in the future. (I tested
>>> mod_auth_kerb2 on another machine running heimdal from ports (1.4_1)
>>> and I had exactly the same problem).
>>>
>>> I searched to find where this notorious function
>>> (gsskrb5_register_acceptor_identity) was located, and I found its
>>> declaration in: /usr/include/gssapi/gssapi_krb5.h, and its definition
>>> in: /usr/lib/libgssapi_krb5.so.
>>>
>>> So, I added -lgssapi_krb5 in KRB5_LDFLAGS variable of
>>> /usr/ports/www/mod_auth_kerb2/work/mod_auth_kerb-5.4/Makefile , since
>>> this is where the location of gsskrb5_register_acceptor_identity
>>> originally seemed to be, and reinstalled the port using gmake this
>>> time (inside the port's work directory). After that, the module works
>>> just fine. The initial content of this line was:
>>>
>>> KRB5_LDFLAGS = -L/usr/lib -lgssapi -lheimntlm -lkrb5 -lhx509
>>> -lcom_err -lcrypto -lasn1 -lroken -lcrypt
>>>
>>> I've sent an analogous email to the port maintainer, but I am not
>>> sure if it is their "fault". Hence, I decided to send this email to
>>> the stable list for two reasons: First, someone else may be having a
>>> similar problem and wants to find a rough solution. Secondly, there
>>> are people reading this list that know heimdal's code, so somebody
>>> may know another (much more elegant) way to fix this bug.
>>>
>>> Thank you all for your time in advance,
>>>
>>> Regards,
>>>
>>> mamalos.
>>>
>>
>> OK,
>>
>> I spoke with the maintainer who confirmed the problem. He also
>> suggested to change line 96 of /usr/bin/krb5-config to include
>> gssapi_krb5 among its libraries. He also gave me the relevant patch,
>> and asked me to send a PR to FreeBSD. The patch is as follows:
>>
>> --- /usr/bin/krb5-config.orig   2011-02-17 03:18:57.000000000 +0100
>> +++ /usr/bin/krb5-config        2011-04-06 23:41:31.000000000 +0200
>> @@ -93,7 +93,7 @@
>>      lib_flags=3D"-L${libdir}"
>>      case $library in
>>      gssapi)
>> -       lib_flags=3D"$lib_flags -lgssapi -lheimntlm"
>> +       lib_flags=3D"$lib_flags -lgssapi -lgssapi_krb5 -lheimntlm"
>>         ;;
>>      kadm-client)
>>         lib_flags=3D"$lib_flags -lkadm5clnt"
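Review bot: in the `gssapi)` case, `-lgssapi_krb5` is now emitted for every caller that asks krb5-config for the gssapi libraries, not only for the one module that needs it, and the file headers show the diff was taken against the installed /usr/bin/krb5-config rather than a file in the source tree. For the PR, make the same one-line change in the source that produces this script, and state in the description which symbol requires the extra library so the unconditional addition is justified.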
>>
>>
>>
>> And the relevant PR is:
>>
>> http://www.freebsd.org/cgi/query-pr.cgi?pr=156245
>>
>> Thank you all for your time,
>>
>> mamalos
>>
> Hi all,
>
> I am bringing this matter back again because the same things hold for my
> current system too (/usr/bin/krb5-config does not seem to link
> gssapi-things properly):
>
> # uname -a
> FreeBSD example.com 9.0-STABLE FreeBSD 9.0-STABLE #0: Mon Jun 18
> 21:04:14 EEST 2012 root@example.com:/usr/obj/usr/src/sys/FILESRV  amd64
> # pkg_info -Ix apache kerb
> ap22-mod_auth_kerb-5.4_3 An Apache module for authenticating users with
> Kerberos v5
> apache22-2.2.22_8   Version 2.2.x of Apache web server with prefork MPM.
>
> Should I send a PR or is there something that I've done wrong?

I've seen the same thing on 8.3-RELEASE, 9.1-RC1 and 9.1-RC2. In all
cases, applying your patch (thank you!) to /usr/bin/krb5-config resolved
the issue. I did not need to patch krb5-config for other GSSAPI servers
to work (dovecot and sendmail) but they are obviously satisfied with
-lgssapi and don't need routines supplied via -lgssapi_krb5. Thus far,
www/mod_auth_kerb2 is the only port I've used which appears to need
gssapi_krb5.

I think this is purely a FreeBSD Heimdal config issue.

--
John Marshall
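
The symptom in this thread (ldd resolves every library, yet the loader reports an undefined symbol) can be checked by comparing what a module imports with what its linked libraries export. The script below is an added example, not code from the thread or from FreeBSD: the function names and the `nm -D` listings are constructed for illustration, and only `gsskrb5_register_acceptor_identity` and the library names come from the messages above.

```shell
#!/bin/sh
# Added example: inputs are text files holding `nm -D` output.

# unresolved MODULE_NM [LIB_NM ...]
# Print symbols the module imports (type U) that no listed library defines.
# Weak imports (type w) are skipped; a missing weak symbol does not stop loading.
unresolved() {
    mod=$1; shift
    awk -v mod="$mod" '
        { sym = $NF; sub(/@.*/, "", sym) }          # drop any @VERSION suffix
        FILENAME == mod { if ($1 == "U") want[sym] = 1; next }
        NF == 3 && $2 ~ /^[TDBRWVi]$/ { delete want[sym] }
        END { for (s in want) print s }
    ' "$mod" "$@" | sort
}

# Write constructed sample listings (not captured from a real system) into DIR.
make_samples() {
    cat > "$1/mod_auth_kerb.nm" <<'EOF'
                 U gss_accept_sec_context
                 U gsskrb5_register_acceptor_identity
                 U krb5_init_context
                 w __cxa_finalize
0000000000003a10 T constructed_module_entry
EOF
    cat > "$1/libgssapi.nm" <<'EOF'
0000000000008f20 T gss_accept_sec_context
EOF
    cat > "$1/libkrb5.nm" <<'EOF'
0000000000021c40 T krb5_init_context
EOF
    cat > "$1/libgssapi_krb5.nm" <<'EOF'
0000000000004d80 T gsskrb5_register_acceptor_identity
EOF
}

demo() {
    d=$(mktemp -d) || return 1
    make_samples "$d"
    echo "linked as ldd showed:"
    unresolved "$d/mod_auth_kerb.nm" "$d/libgssapi.nm" "$d/libkrb5.nm"
    echo "with -lgssapi_krb5 added:"
    unresolved "$d/mod_auth_kerb.nm" "$d/libgssapi.nm" "$d/libkrb5.nm" \
        "$d/libgssapi_krb5.nm"
    rm -rf "$d"
}
demo
```

On a live system the inputs come from `nm -D` run on the module and on each library path that `ldd` prints; include the httpd binary and its own libraries as well, since they supply the server-side symbols a module imports.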

