Skip site navigation (1)Skip section navigation (2)
Date:      Fri, 08 Apr 2011 16:41:49 +0300
From:      George Mamalakis <mamalos@eng.auth.gr>
To:        ohauer@FreeBSD.org
Cc:        apache@FreeBSD.org
Subject:   Re: [SPF:fail] Re: [SPF:fail] Re: [SPF:fail] Re: mod_auth_kerb2
Message-ID:  <4D9F109D.40300@eng.auth.gr>
In-Reply-To: <4D9DC73D.3000303@FreeBSD.org>
References:  <4D9C6135.7030501@eng.auth.gr> <4D9CDF2C.4040201@FreeBSD.org>	<4D9D6951.1020706@eng.auth.gr> <4D9D6D64.4070307@FreeBSD.org> <4D9DBC79.1080000@eng.auth.gr> <4D9DC73D.3000303@FreeBSD.org>

next in thread | previous in thread | raw e-mail | index | archive | help
On 07/04/2011 17:16, Olli Hauer wrote:
> On 2011-04-07 15:30, George Mamalakis wrote:
>> On 07/04/2011 10:53, Olli Hauer wrote:
>>> On 2011-04-07 09:35, George Mamalakis wrote:
>>>> On 07/04/2011 00:46, Olli Hauer wrote:
>>>>> On 2011-04-06 14:48, George Mamalakis wrote:
>>>>>> Dear Sir/Madam,
>>>>>>
>>>>>> I've tried to build mod_auth_kerb2 with apache-2.2.17_1 on a
>>>>>> FreeBSD-8.2-STABLE
>>>>>> system. After I gave make install and tried to restart apache, I received the
>>>>>> following message:
>>>>>>
>>>>>> # /usr/local/etc/rc.d/apache22 start
>>>>>> Performing sanity check on apache22 configuration:
>>>>>> httpd: Syntax error on line 103 of /usr/local/etc/apache22/httpd.conf: Cannot
>>>>>> load /usr/local/libexec/apache22/mod_auth_kerb.so into server:
>>>>>> /usr/local/libexec/apache22/mod_auth_kerb.so: Undefined symbol
>>>>>> "gsskrb5_register_acceptor_identity"
>>>>>> Starting apache22.
>>>>>> httpd: Syntax error on line 103 of /usr/local/etc/apache22/httpd.conf: Cannot
>>>>>> load /usr/local/libexec/apache22/mod_auth_kerb.so into server:
>>>>>> /usr/local/libexec/apache22/mod_auth_kerb.so: Undefined symbol
>>>>>> "gsskrb5_register_acceptor_identity"
>>>>>> /usr/local/etc/rc.d/apache22: WARNING: failed to start apache22
>>>>>>
>>>>>> ldd showed:
>>>>>> # ldd /usr/local/libexec/apache22/mod_auth_kerb.so
>>>>>> /usr/local/libexec/apache22/mod_auth_kerb.so:
>>>>>>        libgssapi.so.10 =>    /usr/lib/libgssapi.so.10 (0x800c00000)
>>>>>>        libheimntlm.so.10 =>    /usr/lib/libheimntlm.so.10 (0x800d0a000)
>>>>>>        libkrb5.so.10 =>    /usr/lib/libkrb5.so.10 (0x800e0f000)
>>>>>>        libhx509.so.10 =>    /usr/lib/libhx509.so.10 (0x800f7e000)
>>>>>>        libcom_err.so.5 =>    /usr/lib/libcom_err.so.5 (0x8010be000)
>>>>>>        libcrypto.so.6 =>    /lib/libcrypto.so.6 (0x8011c0000)
>>>>>>        libasn1.so.10 =>    /usr/lib/libasn1.so.10 (0x801461000)
>>>>>>        libroken.so.10 =>    /usr/lib/libroken.so.10 (0x8015e3000)
>>>>>>        libcrypt.so.5 =>    /lib/libcrypt.so.5 (0x8016f5000)
>>>>>>        libc.so.7 =>    /lib/libc.so.7 (0x800647000)
>>>>>>
>>>>>>
>>>>>> So, even though the configuration seemed to be just fine, the installation was
>>>>>> not functional. We changed
>>>>>> /usr/ports/www/mod_auth_kerb2/work/mod_auth_kerb-5.4/Makefile 3rd line to
>>>>>> read:
>>>>>>
>>>>>> KRB5_LDFLAGS = -L/usr/lib -lgssapi -lgssapi_krb5 -lheimntlm -lkrb5 -lhx509
>>>>>> -lcom_err -lcrypto -lasn1 -lroken -lcrypt
>>>>>>
>>>>>> which means that we added gssapi_krb5  among the linker flags. Then we
>>>>>> installed
>>>>>> it and now it works fine.
>>>>>>
>>>>>> Please verify that this is a problem regarding the port, otherwise I should
>>>>>> post
>>>>>> this mail to the freebsd-stable list.
>>>>>>
>>>>>> Thank you for your time in advance,
>>>>>>
>>>>>> Regards,
>>>>> I can confirm the issue, it's the /usr/bin/krb5-config script.
>>>>> Heimdal was update from 0.6.3 to 1.1.0 and I guess this is a merge issue.
>>>>>
>>>>> The following patch correct the issue on FreeBSD-8.2.
>>>>>
>>>>>
>>>>> --- /usr/bin/krb5-config.orig   2011-02-17 03:18:57.000000000 +0100
>>>>> +++ /usr/bin/krb5-config        2011-04-06 23:41:31.000000000 +0200
>>>>> @@ -93,7 +93,7 @@
>>>>>         lib_flags="-L${libdir}"
>>>>>         case $library in
>>>>>         gssapi)
>>>>> -       lib_flags="$lib_flags -lgssapi -lheimntlm"
>>>>> +       lib_flags="$lib_flags -lgssapi -lgssapi_krb5 -lheimntlm"
>>>>>            ;;
>>>>>         kadm-client)
>>>>>            lib_flags="$lib_flags -lkadm5clnt"
>>>>>
>>>>>
>>>>> Can you open a PR for this?
>>>>>
>>>>> -- 
>>>>> Regards,
>>>>> olli
>>>> Oli thank you,
>>>>
>>>> Yes, I will open a PR. I have also confirmed that the heimdal-1.4 from ports
>>>> does exactly the same thing.
>>>>
>>>> Thanks again for your reply.
>>>>
>>> Hi George,
>>>
>>> I also looked at the heimdal sources and ask the heimdal support if this flag is
>>> missing.
>>> I guess this issue exists only on FreeBSD
>>>
>>>
>>> Question to heimdal support:
>>>>> I suspect there is a bug in krb5-config since version 1.1 or earlier,
>>>>> `krb5-config -libs' does not include '-lgssapi_krb5'
>>>>>
>>>>> Found this issue with mod_auth_kerb2, the module builds but cannot be loaded.
>>>>> There are also other reports for broken cyrus-sassl ...
>>>>> I even cannot found this entry in heimdal-1.5pre1
>>> Answer from heimdal support:
>>>> Heimdal installs the gssapi framework as libgssapi, that includes the krb5
>>>> mech, heimdal have no libgssapi_krb5
>>>>
>>> If I build heimdal direct from the heimdal-1.1 source, then indeed there is no
>>> libgssapi_krb5.
>>>
>>>
>>> -- 
>>> Regards,
>>> olli
>>>
>> Oli,
>>
>> I am not sure I got you. If you build heimdal directly from source, it does not
>> create a libgssapi_krb5.so.10 object? Then where are the relative functions
>> defined? In some other shared object? And if so, then why does FreeBSD
>> implementation work this way, if it brakes heimdal? And, finally, how can
>> everything work once we change /usr/bin/krb5-config (This is the second time I
>> had these issues with heimdal, the first time was with cyrus-sasl and spnego
>> support, where I had to change the same line of /usr/bin/krb5-config to include
>> -lgssapi_spnego. After that it would work. Then, FreeBSD changed heimdal to work
>> without this tweak.)?
>>
>> I don't know Oli, I am not sure I follow. I just hope it will be resolved soon.
>>
>> Can you think of any other way to settle down this thing? I've sent the PR you
>> proposed, and I included the patch you gave me, but this might not be the real
>> solution...
>>
>> Thank you anyway, and I hope that things will be fixed.
>>
>> Regards,
>>
>> mamalos
>
>
> Hi George,
>
> I don't know why but I suspect the FreeBSD-8.2 heimdal is a modified
> heimdal-1.1 version. Maybe to it keep backward compatible?
>
> What I've done was to look into the sources from heimdal 1.1/1.2/1.3/1.4/1.5
> and there I haven't found a hint for libgssapi_krb5. Then I wrote to the heimdal
> support and ask if this is a bug. The answer was there is no libgssapi_krb5!
>
>
> I think only the secteam@ or dev@ can give a accurate answer if (and why) some
> functions are moved to a dedicated lib.
>
> --
> Regards,
> olli
>
Olli,

probably the FreeBSD team must have changed Heimdal to suit specific 
needs. Will you contact secteam@ and/or dev@ regarding this issue? If 
so, I would be delighted if you could inform me in case an answer 
arises. Otherwise tell me how to contact them, and I will do so.

Thanks again for all your help and interest,

mamalos

-- 
George Mamalakis

IT Officer
Electrical and Computer Engineer (Aristotle Un. of Thessaloniki),
MSc (Imperial College of London)

Department of Electrical and Computer Engineering
Faculty of Engineering
Aristotle University of Thessaloniki

phone number : +30 (2310) 994379




Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?4D9F109D.40300>