Date:      Thu, 07 Apr 2011 16:30:33 +0300
From:      George Mamalakis <mamalos@eng.auth.gr>
To:        ohauer@FreeBSD.org
Cc:        apache@FreeBSD.org
Subject:   Re: [SPF:fail] Re: [SPF:fail] Re: mod_auth_kerb2
Message-ID:  <4D9DBC79.1080000@eng.auth.gr>
In-Reply-To: <4D9D6D64.4070307@FreeBSD.org>
References:  <4D9C6135.7030501@eng.auth.gr> <4D9CDF2C.4040201@FreeBSD.org> <4D9D6951.1020706@eng.auth.gr> <4D9D6D64.4070307@FreeBSD.org>

On 07/04/2011 10:53, Olli Hauer wrote:
> On 2011-04-07 09:35, George Mamalakis wrote:
>> On 07/04/2011 00:46, Olli Hauer wrote:
>>> On 2011-04-06 14:48, George Mamalakis wrote:
>>>> Dear Sir/Madam,
>>>>
>>>> I've tried to build mod_auth_kerb2 with apache-2.2.17_1 on a FreeBSD-8.2-STABLE
>>>> system. After I gave make install and tried to restart apache, I received the
>>>> following message:
>>>>
>>>> # /usr/local/etc/rc.d/apache22 start
>>>> Performing sanity check on apache22 configuration:
>>>> httpd: Syntax error on line 103 of /usr/local/etc/apache22/httpd.conf: Cannot
>>>> load /usr/local/libexec/apache22/mod_auth_kerb.so into server:
>>>> /usr/local/libexec/apache22/mod_auth_kerb.so: Undefined symbol
>>>> "gsskrb5_register_acceptor_identity"
>>>> Starting apache22.
>>>> httpd: Syntax error on line 103 of /usr/local/etc/apache22/httpd.conf: Cannot
>>>> load /usr/local/libexec/apache22/mod_auth_kerb.so into server:
>>>> /usr/local/libexec/apache22/mod_auth_kerb.so: Undefined symbol
>>>> "gsskrb5_register_acceptor_identity"
>>>> /usr/local/etc/rc.d/apache22: WARNING: failed to start apache22
>>>>
>>>> ldd showed:
>>>> # ldd /usr/local/libexec/apache22/mod_auth_kerb.so
>>>> /usr/local/libexec/apache22/mod_auth_kerb.so:
>>>>       libgssapi.so.10 =>   /usr/lib/libgssapi.so.10 (0x800c00000)
>>>>       libheimntlm.so.10 =>   /usr/lib/libheimntlm.so.10 (0x800d0a000)
>>>>       libkrb5.so.10 =>   /usr/lib/libkrb5.so.10 (0x800e0f000)
>>>>       libhx509.so.10 =>   /usr/lib/libhx509.so.10 (0x800f7e000)
>>>>       libcom_err.so.5 =>   /usr/lib/libcom_err.so.5 (0x8010be000)
>>>>       libcrypto.so.6 =>   /lib/libcrypto.so.6 (0x8011c0000)
>>>>       libasn1.so.10 =>   /usr/lib/libasn1.so.10 (0x801461000)
>>>>       libroken.so.10 =>   /usr/lib/libroken.so.10 (0x8015e3000)
>>>>       libcrypt.so.5 =>   /lib/libcrypt.so.5 (0x8016f5000)
>>>>       libc.so.7 =>   /lib/libc.so.7 (0x800647000)
>>>>
>>>>
>>>> So, even though the configuration seemed to be just fine, the installation was
>>>> not functional. We changed
>>>> /usr/ports/www/mod_auth_kerb2/work/mod_auth_kerb-5.4/Makefile 3rd line to read:
>>>>
>>>> KRB5_LDFLAGS = -L/usr/lib -lgssapi -lgssapi_krb5 -lheimntlm -lkrb5 -lhx509
>>>> -lcom_err -lcrypto -lasn1 -lroken -lcrypt
>>>>
>>>> which means that we added gssapi_krb5 among the linker flags. Then we installed
>>>> it and now it works fine.
>>>>
>>>> Please verify that this is a problem regarding the port, otherwise I should post
>>>> this mail to the freebsd-stable list.
>>>>
>>>> Thank you for your time in advance,
>>>>
>>>> Regards,
>>>
>>> I can confirm the issue, it's the /usr/bin/krb5-config script.
>>> Heimdal was updated from 0.6.3 to 1.1.0 and I guess this is a merge issue.
>>>
>>> The following patch corrects the issue on FreeBSD-8.2.
>>>
>>>
>>> --- /usr/bin/krb5-config.orig   2011-02-17 03:18:57.000000000 +0100
>>> +++ /usr/bin/krb5-config        2011-04-06 23:41:31.000000000 +0200
>>> @@ -93,7 +93,7 @@
>>>        lib_flags="-L${libdir}"
>>>        case $library in
>>>        gssapi)
>>> -       lib_flags="$lib_flags -lgssapi -lheimntlm"
>>> +       lib_flags="$lib_flags -lgssapi -lgssapi_krb5 -lheimntlm"
>>>           ;;
>>>        kadm-client)
>>>           lib_flags="$lib_flags -lkadm5clnt"
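Review bot: in the `gssapi)` case the new `-lgssapi_krb5` is emitted unconditionally, with no check that a libgssapi_krb5 exists under `${libdir}`, so anything that links via `krb5-config --libs gssapi` fails at link time on an install that ships the krb5 mechanism inside libgssapi. Consider adding the flag only when the library is present, with a comment naming the symbols that require it (the report above names `gsskrb5_register_acceptor_identity`). The diff is also taken against the installed `/usr/bin/krb5-config`; for the PR it should be made against the file in the source tree that the script is installed from, otherwise the next update overwrites it.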
>>>
>>>
>>> Can you open a PR for this?
>>>
>>> -- 
>>> Regards,
>>> olli
>> Olli, thank you,
>>
>> Yes, I will open a PR. I have also confirmed that the heimdal-1.4 from ports
>> does exactly the same thing.
>>
>> Thanks again for your reply.
>>
> Hi George,
>
> I also looked at the heimdal sources and asked the heimdal support if this flag is
> missing.
> I guess this issue exists only on FreeBSD.
>
>
> Question to heimdal support:
>>> I suspect there is a bug in krb5-config since version 1.1 or earlier,
>>> `krb5-config -libs' does not include '-lgssapi_krb5'
>>>
>>> Found this issue with mod_auth_kerb2, the module builds but cannot be loaded.
>>> There are also other reports for broken cyrus-sasl ...
>>> I cannot even find this entry in heimdal-1.5pre1
> Answer from heimdal support:
>> Heimdal installs the gssapi framework as libgssapi, that includes the krb5 mech, heimdal has no libgssapi_krb5
>>
>
> If I build heimdal directly from the heimdal-1.1 source, then indeed there is no
> libgssapi_krb5.
>
>
> --
> Regards,
> olli
>
Olli,

I am not sure I got you. If you build heimdal directly from source, it 
does not create a libgssapi_krb5.so.10 object? Then where are the 
relative functions defined? In some other shared object? And if so, then 
why does the FreeBSD implementation work this way, if it breaks heimdal?
And, finally, how can everything work once we change 
/usr/bin/krb5-config (This is the second time I had these issues with 
heimdal, the first time was with cyrus-sasl and spnego support, where I 
had to change the same line of /usr/bin/krb5-config to include 
-lgssapi_spnego. After that it would work. Then, FreeBSD changed heimdal 
to work without this tweak.)?

I don't know Olli, I am not sure I follow. I just hope it will be
resolved soon.

Can you think of any other way to settle down this thing? I've sent the 
PR you proposed, and I included the patch you gave me, but this might 
not be the real solution...

Thank you anyway, and I hope that things will be fixed.

Regards,

mamalos

-- 
George Mamalakis

IT Officer
Electrical and Computer Engineer (Aristotle Un. of Thessaloniki),
MSc (Imperial College of London)

Department of Electrical and Computer Engineering
Faculty of Engineering
Aristotle University of Thessaloniki

phone number : +30 (2310) 994379
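
The load failure in this thread comes down to an undefined symbol that none of the module's linked libraries provides. As an added example (not part of the original messages or of any project's code), this script cross-checks a module's undefined symbols against the libraries it links; the symbol listings are constructed sample data, and which library exports each symbol is an assumption based on the fix described above.

```sh
#!/bin/sh
# Added example. All symbol listings below are constructed sample data in the
# shape of `nm -D` output; on a real host, generate them from the actual files.

# Undefined symbols of the module, as `nm -D --undefined-only` would list them.
module_syms() {
cat <<'EOF'
                 U gss_accept_sec_context
                 U gsskrb5_register_acceptor_identity
                 U krb5_init_context
EOF
}

# Defined symbols per candidate library: "library address type symbol".
lib_syms() {
cat <<'EOF'
libgssapi.so.10 0000000000004a10 T gss_accept_sec_context
libkrb5.so.10 0000000000012340 T krb5_init_context
libgssapi_krb5.so.10 0000000000007c20 T gsskrb5_register_acceptor_identity
EOF
}

# resolve_report LIB...   (LIB = libraries the module is linked against)
# One line per undefined symbol:
#   ok SYMBOL LIB        provided by a linked library
#   missing SYMBOL LIB   provided only by a library that is not linked
#   unknown SYMBOL -     provided by none of the candidate libraries
resolve_report() {
    linked=" $* "
    module_syms | awk '$1 == "U" { print $2 }' | while read -r sym; do
        provider=$(lib_syms | awk -v s="$sym" '$4 == s { print $1; exit }')
        if [ -z "$provider" ]; then
            echo "unknown $sym -"
        elif case "$linked" in *" $provider "*) true ;; *) false ;; esac; then
            echo "ok $sym $provider"
        else
            echo "missing $sym $provider"
        fi
    done
}

# Link set taken from the ldd output in the report (first three entries).
resolve_report libgssapi.so.10 libheimntlm.so.10 libkrb5.so.10
```

Running the same check at build time, before the web server is restarted, catches a module that compiles but cannot be loaded.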



