Message-ID: <4D9DC73D.3000303@FreeBSD.org>
Date: Thu, 07 Apr 2011 16:16:29 +0200
From: Olli Hauer
To: George Mamalakis
Cc: ohauer@FreeBSD.org, apache@FreeBSD.org
Subject: Re: [SPF:fail] Re: [SPF:fail] Re: mod_auth_kerb2

On 2011-04-07 15:30, George Mamalakis wrote:
> On 07/04/2011 10:53, Olli Hauer wrote:
>> On 2011-04-07 09:35, George Mamalakis wrote:
>>> On 07/04/2011 00:46, Olli Hauer wrote:
>>>> On 2011-04-06 14:48, George Mamalakis wrote:
>>>>> Dear Sir/Madam,
>>>>>
>>>>> I've tried to build mod_auth_kerb2 with apache-2.2.17_1 on a
>>>>> FreeBSD-8.2-STABLE
>>>>> system. After I gave make install and tried to restart apache, I received the
>>>>> following message:
>>>>>
>>>>> # /usr/local/etc/rc.d/apache22 start
>>>>> Performing sanity check on apache22 configuration:
>>>>> httpd: Syntax error on line 103 of /usr/local/etc/apache22/httpd.conf: Cannot
>>>>> load /usr/local/libexec/apache22/mod_auth_kerb.so into server:
>>>>> /usr/local/libexec/apache22/mod_auth_kerb.so: Undefined symbol
>>>>> "gsskrb5_register_acceptor_identity"
>>>>> Starting apache22.
>>>>> httpd: Syntax error on line 103 of /usr/local/etc/apache22/httpd.conf: Cannot
>>>>> load /usr/local/libexec/apache22/mod_auth_kerb.so into server:
>>>>> /usr/local/libexec/apache22/mod_auth_kerb.so: Undefined symbol
>>>>> "gsskrb5_register_acceptor_identity"
>>>>> /usr/local/etc/rc.d/apache22: WARNING: failed to start apache22
>>>>>
>>>>> ldd showed:
>>>>> # ldd /usr/local/libexec/apache22/mod_auth_kerb.so
>>>>> /usr/local/libexec/apache22/mod_auth_kerb.so:
>>>>> libgssapi.so.10 => /usr/lib/libgssapi.so.10 (0x800c00000)
>>>>> libheimntlm.so.10 => /usr/lib/libheimntlm.so.10 (0x800d0a000)
>>>>> libkrb5.so.10 => /usr/lib/libkrb5.so.10 (0x800e0f000)
>>>>> libhx509.so.10 => /usr/lib/libhx509.so.10 (0x800f7e000)
>>>>> libcom_err.so.5 => /usr/lib/libcom_err.so.5 (0x8010be000)
>>>>> libcrypto.so.6 => /lib/libcrypto.so.6 (0x8011c0000)
>>>>> libasn1.so.10 => /usr/lib/libasn1.so.10 (0x801461000)
>>>>> libroken.so.10 => /usr/lib/libroken.so.10 (0x8015e3000)
>>>>> libcrypt.so.5 => /lib/libcrypt.so.5 (0x8016f5000)
>>>>> libc.so.7 => /lib/libc.so.7 (0x800647000)
>>>>>
>>>>>
>>>>> So, even though the configuration seemed to be just fine, the installation was
>>>>> not functional. We changed
>>>>> /usr/ports/www/mod_auth_kerb2/work/mod_auth_kerb-5.4/Makefile 3rd line to
>>>>> read:
>>>>>
>>>>> KRB5_LDFLAGS = -L/usr/lib -lgssapi -lgssapi_krb5 -lheimntlm -lkrb5 -lhx509
>>>>> -lcom_err -lcrypto -lasn1 -lroken -lcrypt
>>>>>
>>>>> which means that we added gssapi_krb5 among the linker flags. Then we
>>>>> installed
>>>>> it and now it works fine.
>>>>>
>>>>> Please verify that this is a problem regarding the port, otherwise I should
>>>>> post
>>>>> this mail to the freebsd-stable list.
>>>>>
>>>>> Thank you for your time in advance,
>>>>>
>>>>> Regards,
>>>>
>>>> I can confirm the issue, it's the /usr/bin/krb5-config script.
>>>> Heimdal was updated from 0.6.3 to 1.1.0 and I guess this is a merge issue.
>>>>
>>>> The following patch corrects the issue on FreeBSD-8.2.
>>>> >>>> >>>> --- /usr/bin/krb5-config.orig 2011-02-17 03:18:57.000000000 +0100 >>>> +++ /usr/bin/krb5-config 2011-04-06 23:41:31.000000000 +0200 
>>>> @@ -93,7 +93,7 @@ >>>> lib_flags="-L${libdir}" >>>> case $library in >>>> gssapi) >>>> - lib_flags="$lib_flags -lgssapi -lheimntlm" >>>> + lib_flags="$lib_flags -lgssapi -lgssapi_krb5 -lheimntlm" >>>> ;; >>>> kadm-client) >>>> lib_flags="$lib_flags -lkadm5clnt"
>>>>
>>>>
>>>> Can you open a PR for this?
>>>>
>>>> --
>>>> Regards,
>>>> olli
>>> Oli thank you,
>>>
>>> Yes, I will open a PR. I have also confirmed that the heimdal-1.4 from ports
>>> does exactly the same thing.
>>>
>>> Thanks again for your reply.
>>>
>> Hi George,
>>
>> I also looked at the heimdal sources and asked the heimdal support if this flag is
>> missing.
>> I guess this issue exists only on FreeBSD
>>
>>
>> Question to heimdal support:
>>>> I suspect there is a bug in krb5-config since version 1.1 or earlier,
>>>> `krb5-config -libs' does not include '-lgssapi_krb5'
>>>>
>>>> Found this issue with mod_auth_kerb2, the module builds but cannot be loaded.
>>>> There are also other reports for broken cyrus-sasl ...
>>>> I even cannot find this entry in heimdal-1.5pre1
>> Answer from heimdal support:
>>> Heimdal installs the gssapi framework as libgssapi, that includes the krb5
>>> mech, heimdal has no libgssapi_krb5
>>>
>>
>> If I build heimdal directly from the heimdal-1.1 source, then indeed there is no
>> libgssapi_krb5.
>>
>>
>> --
>> Regards,
>> olli
>>
> Oli,
>
> I am not sure I got you. If you build heimdal directly from source, it does not
> create a libgssapi_krb5.so.10 object? Then where are the relative functions
> defined? In some other shared object? And if so, then why does FreeBSD
> implementation work this way, if it breaks heimdal? And, finally, how can
> everything work once we change /usr/bin/krb5-config (This is the second time I
> had these issues with heimdal, the first time was with cyrus-sasl and spnego
> support, where I had to change the same line of /usr/bin/krb5-config to include
> -lgssapi_spnego. After that it would work.
> Then, FreeBSD changed heimdal to work
> without this tweak.)?
>
> I don't know Oli, I am not sure I follow. I just hope it will be resolved soon.
>
> Can you think of any other way to settle down this thing? I've sent the PR you
> proposed, and I included the patch you gave me, but this might not be the real
> solution...
>
> Thank you anyway, and I hope that things will be fixed.
>
> Regards,
>
> mamalos

Hi George,

I don't know why but I suspect the FreeBSD-8.2 heimdal is a modified heimdal-1.1 version.
Maybe to keep it backward compatible?

What I've done was to look into the sources from heimdal 1.1/1.2/1.3/1.4/1.5 and there I haven't found a hint for libgssapi_krb5.
Then I wrote to the heimdal support and asked if this is a bug.
The answer was there is no libgssapi_krb5!

I think only the secteam@ or dev@ can give an accurate answer if (and why) some functions are moved to a dedicated lib.

--
Regards,
olli
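Review bot: in the `gssapi)` case the added `-lgssapi_krb5` is unconditional, yet the answer from Heimdal support quoted in this thread says upstream Heimdal ships the krb5 mechanism inside libgssapi and has no libgssapi_krb5, so the new flag only resolves on a system that carries that split library (the FreeBSD-8.2 base system in this report). Suggest emitting the extra flag only when the library is present under `${libdir}`, or stating in the PR that the change applies to the base-system Heimdal only. The earlier `-lgssapi_spnego` workaround mentioned in the thread touched this same line, so any mechanism libraries the base system splits out are best handled together in this one case branch. The diff is also taken against the installed `/usr/bin/krb5-config`; the PR should carry the equivalent change against the source that script is built from.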