Date: Fri, 19 Oct 2012 11:38:50 +0300
From: George Mamalakis <mamalos@eng.auth.gr>
To: John Marshall <john.marshall@riverwillow.com.au>
Cc: stable@freebsd.org
Subject: Re: mod_auth_kerb2 broken in 8-STABLE? Or is it heimdal to blame?
Message-ID: <5081119A.9080107@eng.auth.gr>
In-Reply-To: <50808E9D.4010601@riverwillow.com.au>
References: <4D9C86E8.3090402@eng.auth.gr> <4D9D9B22.2020701@eng.auth.gr> <5069BFE4.9040500@eng.auth.gr> <50808E9D.4010601@riverwillow.com.au>
On 19/10/2012 02:19 AM, John Marshall wrote:
> On 02/10/2012 02:08, George Mamalakis wrote:
>> On 04/07/11 14:08, George Mamalakis wrote:
>>> On 06/04/2011 18:29, George Mamalakis wrote:
>>>> Dear all,
>>>>
>>>> I installed mod_auth_kerb2 on my FreeBSD 8-STABLE machine and tried
>>>> to use it. After the installation (which was successful(?!?)), the
>>>> server refused to start giving the error:
>>>>
>>>> # /usr/local/etc/rc.d/apache22 start
>>>> Performing sanity check on apache22 configuration:
>>>> httpd: Syntax error on line 103 of
>>>> /usr/local/etc/apache22/httpd.conf: Cannot load
>>>> /usr/local/libexec/apache22/mod_auth_kerb.so into server:
>>>> /usr/local/libexec/apache22/mod_auth_kerb.so: Undefined symbol
>>>> "gsskrb5_register_acceptor_identity"
>>>> Starting apache22.
>>>> httpd: Syntax error on line 103 of
>>>> /usr/local/etc/apache22/httpd.conf: Cannot load
>>>> /usr/local/libexec/apache22/mod_auth_kerb.so into server:
>>>> /usr/local/libexec/apache22/mod_auth_kerb.so: Undefined symbol
>>>> "gsskrb5_register_acceptor_identity"
>>>> /usr/local/etc/rc.d/apache22: WARNING: failed to start apache22
>>>>
>>>> but ldd showed:
>>>>
>>>> # ldd /usr/local/libexec/apache22/mod_auth_kerb.so
>>>> /usr/local/libexec/apache22/mod_auth_kerb.so:
>>>> libgssapi.so.10 => /usr/lib/libgssapi.so.10 (0x800c00000)
>>>> libheimntlm.so.10 => /usr/lib/libheimntlm.so.10 (0x800d0a000)
>>>> libkrb5.so.10 => /usr/lib/libkrb5.so.10 (0x800e0f000)
>>>> libhx509.so.10 => /usr/lib/libhx509.so.10 (0x800f7e000)
>>>> libcom_err.so.5 => /usr/lib/libcom_err.so.5 (0x8010be000)
>>>> libcrypto.so.6 => /lib/libcrypto.so.6 (0x8011c0000)
>>>> libasn1.so.10 => /usr/lib/libasn1.so.10 (0x801461000)
>>>> libroken.so.10 => /usr/lib/libroken.so.10 (0x8015e3000)
>>>> libcrypt.so.5 => /lib/libcrypt.so.5 (0x8016f5000)
>>>> libc.so.7 => /lib/libc.so.7 (0x800647000)
>>>>
>>>> which showed that everything should have been fine. I googled it a
>>>> bit and found this thread regarding my error message:
>>>> http://forum.nginx.org/read.php?23,88476 , which started on May 2010,
>>>> and pointed to this PR:
>>>> http://www.freebsd.org/cgi/query-pr.cgi?pr=147454 , which started on
>>>> June 2010. What is stated, is that heimdal-1.1 was broken in FreeBSD,
>>>> and that it should be fixed at some moment in the future. (I tested
>>>> mod_auth_kerb2 on another machine running heimdal from ports (1.4_1)
>>>> and I had exactly the same problem).
>>>>
>>>> I searched to find where this notorious function
>>>> (gsskrb5_register_acceptor_identity) was located, and I found its
>>>> declaration in: /usr/include/gssapi/gssapi_krb5.h, and its definition
>>>> in: /usr/lib/libgssapi_krb5.so.
>>>>
>>>> So, I added -lgssapi_krb5 in KRB5_LDFLAGS variable of
>>>> /usr/ports/www/mod_auth_kerb2/work/mod_auth_kerb-5.4/Makefile , since
>>>> this is where the location of gsskrb5_register_acceptor_identity
>>>> originally seemed to be, and reinstalled the port using gmake this
>>>> time (inside the port's work directory). After that, the module works
>>>> just fine. The initial content of this line was:
>>>>
>>>> KRB5_LDFLAGS = -L/usr/lib -lgssapi -lheimntlm -lkrb5 -lhx509
>>>> -lcom_err -lcrypto -lasn1 -lroken -lcrypt
>>>>
>>>> I've sent an analogous email to the port maintainer, but I am not
>>>> sure if it is their "fault". Hence, I decided to send this email to
>>>> the stable list for two reasons: First, someone else may be having a
>>>> similar problem and wants to find a rough solution. Secondly, there
>>>> are people reading this list that know heimdal's code, so somebody
>>>> may know another (much more elegant) way to fix this bug.
>>>>
>>>> Thank you all for your time in advance,
>>>>
>>>> Regards,
>>>>
>>>> mamalos.
>>>>
>>> OK,
>>>
>>> I spoke with the maintainer who confirmed the problem. He also
>>> suggested to change line 96 of /usb/bin/krb5-config to include
>>> gssapi_krb5 among its libraries.
He also gave me the relevant patch, >>> and asked me to send a PR to FreeBSD. The patch is as follows: >>> >>> --- /usr/bin/krb5-config.orig 2011-02-17 03:18:57.000000000 +0100 >>> +++ /usr/bin/krb5-config 2011-04-06 23:41:31.000000000 +0200 
>>> @@ -93,7 +93,7 @@ >>> lib_flags="-L${libdir}" >>> case $library in >>> gssapi) >>> - lib_flags="$lib_flags -lgssapi -lheimntlm" >>> + lib_flags="$lib_flags -lgssapi -lgssapi_krb5 -lheimntlm" >>> ;; >>> kadm-client) >>> lib_flags="$lib_flags -lkadm5clnt" >>> >>> >>> >>> And the relevant PR is: >>> >>> http://www.freebsd.org/cgi/query-pr.cgi?pr=156245 >>> >>> Thank you all for your time, >>> >>> mamalos >>> >> Hi all, >> >> I am bringing this matter back again because the same things hold for my >> current system too (/usr/bin/krb5-config does not seem to link >> gssapi-things properly): >> >> # uname -a >> FreeBSD example.com 9.0-STABLE FreeBSD 9.0-STABLE #0: Mon Jun 18 >> 21:04:14 EEST 2012 root@example.com:/usr/obj/usr/src/sys/FILESRV amd64 >> # pkg_info -Ix apache kerb >> ap22-mod_auth_kerb-5.4_3 An Apache module for authenticating users with >> Kerberos v5 >> apache22-2.2.22_8 Version 2.2.x of Apache web server with prefork MPM. >> >> Should I send a PR or is there something that I've done wrong? > I've seen the same thing on 8.3-RELEASE, 9.1-RC1 and 9.1-RC2. In all > cases, applying your patch (thank you!) to /usr/bin/krb5-config resolved > the issue. I did not need to patch krb5-config for other GSSAPI servers > to work (dovecot and sendmail) but they are obviously satisified with > -lgssapi and don't need routines supplied via -lgssapi_krb5. Thus far, > www/mod_auth_kerb2 is the only port I've used which appears to need > gssapi_krb5. > > I think this is purely a FreeBSD Heimdal config issue. > John, thank you for your confirmation on this. I really don't understand why FreeBSD hasn't resolved this issue since 7 Apr 2011 when I first filed this PR. Hope they'll do it this time (I sent a follow-up to my previous PR). George.
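Review bot: The diff is against the installed /usr/bin/krb5-config rather than the source that script is built from, so the changed lib_flags line in the gssapi) case will be lost the next time the base system is reinstalled or upgraded; the same one-line change should be made where the script is generated. It would also help to record next to the new -lgssapi_krb5 which symbol requires it (gsskrb5_register_acceptor_identity, per the original report), since the thread notes that other GSSAPI consumers link fine with -lgssapi alone and this flag will now be handed to all of them.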