Message-ID: <4D9F109D.40300@eng.auth.gr>
Date: Fri, 08 Apr 2011 16:41:49 +0300
From: George Mamalakis
To: ohauer@FreeBSD.org
Cc: apache@FreeBSD.org
Subject: Re: [SPF:fail] Re: [SPF:fail] Re: [SPF:fail] Re: mod_auth_kerb2

On 07/04/2011 17:16, Olli Hauer wrote:
> On 2011-04-07 15:30, George Mamalakis wrote:
>> On 07/04/2011 10:53, Olli Hauer wrote:
>>> On 2011-04-07 09:35, George Mamalakis wrote:
>>>> On 07/04/2011 00:46, Olli Hauer wrote:
>>>>> On 2011-04-06 14:48, George Mamalakis wrote:
>>>>>> Dear Sir/Madam,
>>>>>>
>>>>>> I've tried to build mod_auth_kerb2 with apache-2.2.17_1 on a FreeBSD-8.2-STABLE
>>>>>> system. After I gave make install and tried to restart apache, I received the
>>>>>> following message:
>>>>>>
>>>>>> # /usr/local/etc/rc.d/apache22 start
>>>>>> Performing sanity check on apache22 configuration:
>>>>>> httpd: Syntax error on line 103 of /usr/local/etc/apache22/httpd.conf: Cannot
>>>>>> load /usr/local/libexec/apache22/mod_auth_kerb.so into server:
>>>>>> /usr/local/libexec/apache22/mod_auth_kerb.so: Undefined symbol
>>>>>> "gsskrb5_register_acceptor_identity"
>>>>>> Starting apache22.
>>>>>> httpd: Syntax error on line 103 of /usr/local/etc/apache22/httpd.conf: Cannot
>>>>>> load /usr/local/libexec/apache22/mod_auth_kerb.so into server:
>>>>>> /usr/local/libexec/apache22/mod_auth_kerb.so: Undefined symbol
>>>>>> "gsskrb5_register_acceptor_identity"
>>>>>> /usr/local/etc/rc.d/apache22: WARNING: failed to start apache22
>>>>>>
>>>>>> ldd showed:
>>>>>> # ldd /usr/local/libexec/apache22/mod_auth_kerb.so
>>>>>> /usr/local/libexec/apache22/mod_auth_kerb.so:
>>>>>> libgssapi.so.10 => /usr/lib/libgssapi.so.10 (0x800c00000)
>>>>>> libheimntlm.so.10 => /usr/lib/libheimntlm.so.10 (0x800d0a000)
>>>>>> libkrb5.so.10 => /usr/lib/libkrb5.so.10 (0x800e0f000)
>>>>>> libhx509.so.10 => /usr/lib/libhx509.so.10 (0x800f7e000)
>>>>>> libcom_err.so.5 => /usr/lib/libcom_err.so.5 (0x8010be000)
>>>>>> libcrypto.so.6 => /lib/libcrypto.so.6 (0x8011c0000)
>>>>>> libasn1.so.10 => /usr/lib/libasn1.so.10 (0x801461000)
>>>>>> libroken.so.10 => /usr/lib/libroken.so.10 (0x8015e3000)
>>>>>> libcrypt.so.5 => /lib/libcrypt.so.5 (0x8016f5000)
>>>>>> libc.so.7 => /lib/libc.so.7 (0x800647000)
>>>>>>
>>>>>>
>>>>>> So, even though the configuration seemed to be just fine, the installation was
>>>>>> not functional. We changed
>>>>>> /usr/ports/www/mod_auth_kerb2/work/mod_auth_kerb-5.4/Makefile 3rd line to
>>>>>> read:
>>>>>>
>>>>>> KRB5_LDFLAGS = -L/usr/lib -lgssapi -lgssapi_krb5 -lheimntlm -lkrb5 -lhx509 -lcom_err -lcrypto -lasn1 -lroken -lcrypt
>>>>>>
>>>>>> which means that we added gssapi_krb5 among the linker flags. Then we installed
>>>>>> it and now it works fine.
>>>>>>
>>>>>> Please verify that this is a problem regarding the port, otherwise I should post
>>>>>> this mail to the freebsd-stable list.
>>>>>>
>>>>>> Thank you for your time in advance,
>>>>>>
>>>>>> Regards,
>>>>> I can confirm the issue, it's the /usr/bin/krb5-config script.
>>>>> Heimdal was updated from 0.6.3 to 1.1.0 and I guess this is a merge issue.
>>>>> >>>>> The following patch correct the issue on FreeBSD-8.2. >>>>> >>>>> >>>>> --- /usr/bin/krb5-config.orig 2011-02-17 03:18:57.000000000 +0100 >>>>> +++ /usr/bin/krb5-config 2011-04-06 23:41:31.000000000 +0200 
>>>>> @@ -93,7 +93,7 @@ >>>>> lib_flags="-L${libdir}" >>>>> case $library in >>>>> gssapi) >>>>> - lib_flags="$lib_flags -lgssapi -lheimntlm" >>>>> + lib_flags="$lib_flags -lgssapi -lgssapi_krb5 -lheimntlm" >>>>> ;; >>>>> kadm-client) >>>>> lib_flags="$lib_flags -lkadm5clnt" >>>>> >>>>> >>>>> Can you open a PR for this? >>>>> >>>>> -- >>>>> Regards, >>>>> olli >>>> Oli thank you, >>>> >>>> Yes, I will open a PR. I have also confirmed that the heimdal-1.4 from ports >>>> does exactly the same thing. >>>> >>>> Thanks again for your reply. >>>> >>> Hi George, >>> >>> I also looked at the heimdal sources and ask the heimdal support if this flag is >>> missing. >>> I guess this issue exists only on FreeBSD >>> >>> >>> Question to heimdal support: >>>>> I suspect there is a bug in krb5-config since version 1.1 or earlier, >>>>> `krb5-config -libs' does not include '-lgssapi_krb5' >>>>> >>>>> Found this issue with mod_auth_kerb2, the module builds but cannot be loaded. >>>>> There are also other reports for broken cyrus-sassl ... >>>>> I even cannot found this entry in heimdal-1.5pre1 >>> Answer from heimdal support: >>>> Heimdal installs the gssapi framework as libgssapi, that includes the krb5 >>>> mech, heimdal have no libgssapi_krb5 >>>> >>> If I build heimdal direct from the heimdal-1.1 source, then indeed there is no >>> libgssapi_krb5. >>> >>> >>> -- >>> Regards, >>> olli >>> >> Oli, >> >> I am not sure I got you. If you build heimdal directly from source, it does not >> create a libgssapi_krb5.so.10 object? Then where are the relative functions >> defined? In some other shared object? And if so, then why does FreeBSD >> implementation work this way, if it brakes heimdal? And, finally, how can >> everything work once we change /usr/bin/krb5-config (This is the second time I >> had these issues with heimdal, the first time was with cyrus-sasl and spnego >> support, where I had to change the same line of /usr/bin/krb5-config to include >> -lgssapi_spnego. 
After that it would work. Then, FreeBSD changed heimdal to work
>> without this tweak.)?
>>
>> I don't know Oli, I am not sure I follow. I just hope it will be resolved soon.
>>
>> Can you think of any other way to settle down this thing? I've sent the PR you
>> proposed, and I included the patch you gave me, but this might not be the real
>> solution...
>>
>> Thank you anyway, and I hope that things will be fixed.
>>
>> Regards,
>>
>> mamalos
>
>
> Hi George,
>
> I don't know why but I suspect the FreeBSD-8.2 heimdal is a modified
> heimdal-1.1 version. Maybe to keep it backward compatible?
>
> What I've done was to look into the sources from heimdal 1.1/1.2/1.3/1.4/1.5
> and there I haven't found a hint for libgssapi_krb5. Then I wrote to the heimdal
> support and asked if this is a bug. The answer was there is no libgssapi_krb5!
>
>
> I think only the secteam@ or dev@ can give an accurate answer if (and why) some
> functions are moved to a dedicated lib.
>
> --
> Regards,
> olli
>

Olli,

probably the FreeBSD team must have changed Heimdal to suit specific needs. Will you contact secteam@ and/or dev@ regarding this issue? If so, I would be delighted if you could inform me in case an answer arises. Otherwise tell me how to contact them, and I will do so.

Thanks again for all your help and interest,

mamalos

--
George Mamalakis

IT Officer
Electrical and Computer Engineer (Aristotle Un. of Thessaloniki),
MSc (Imperial College of London)

Department of Electrical and Computer Engineering
Faculty of Engineering
Aristotle University of Thessaloniki

phone number : +30 (2310) 994379
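
Review bot: in the `gssapi)` case of the quoted krb5-config patch, `-lgssapi_krb5` is emitted unconditionally with no comment explaining why, while the answer from Heimdal support quoted in this thread says stock Heimdal has no libgssapi_krb5. Please add a comment in that case branch stating that the extra library is specific to the FreeBSD base layout, so a later merge from upstream does not drop it again. The diff is also taken against the installed `/usr/bin/krb5-config`; the PR should carry the same one-line change against the script's source in the tree.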
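
A check for the failure discussed in this thread (a module that links without error but fails at load time with an undefined symbol), as an added example that is not part of the original messages: it compares the symbols a module imports with the symbols exported by the libraries it was linked against and by the host `httpd`. The function names and the `nm -D` listings are constructed for illustration; on a real system the inputs would be `nm -D` output for the module, for `httpd`, and for each library that `ldd` reports.

```shell
#!/bin/sh
# unresolved_symbols MODULE_NM PROVIDER_NM...
# Each argument is a file of `nm -D` output. Prints the symbols the module
# imports ("U") that no provider (linked library or the host httpd) exports.
unresolved_symbols() {
    [ $# -ge 2 ] || return 2
    mod=$1; shift
    tmp=$(mktemp -d) || return 2
    # Imports: "U name"; drop any @VERSION suffix GNU nm may append.
    awk '$1 == "U" { sub(/@.*/, "", $2); print $2 }' "$mod" |
        LC_ALL=C sort -u > "$tmp/need"
    # Exports: "address TYPE name" where TYPE is a defined-symbol class.
    awk 'NF == 3 && $2 ~ /^[TDBRWVi]$/ { sub(/@.*/, "", $3); print $3 }' "$@" |
        LC_ALL=C sort -u > "$tmp/have"
    LC_ALL=C comm -23 "$tmp/need" "$tmp/have"
    rm -rf "$tmp"
}

# Constructed sample listings (not captured from a real system).
make_samples() {
    dir=$1
    cat > "$dir/mod_auth_kerb.nm" <<'EOF'
0000000000003a10 D auth_kerb_module
                 U ap_hook_check_user_id
                 U gss_accept_sec_context
                 U gsskrb5_register_acceptor_identity
                 U krb5_init_context
                 w __cxa_finalize
EOF
    printf '%s\n' '0000000000041000 T ap_hook_check_user_id' > "$dir/httpd.nm"
    printf '%s\n' '0000000000005000 T gss_accept_sec_context' > "$dir/libgssapi.nm"
    printf '%s\n' '0000000000007000 T krb5_init_context' > "$dir/libkrb5.nm"
    printf '%s\n' '0000000000002000 T gsskrb5_register_acceptor_identity' \
        > "$dir/libgssapi_krb5.nm"
}

demo() {
    d=$(mktemp -d) || return 2
    make_samples "$d"
    set -- "$d/mod_auth_kerb.nm" "$d/httpd.nm" "$d/libgssapi.nm" "$d/libkrb5.nm"
    echo "linked with the flags the unpatched krb5-config reports:"
    unresolved_symbols "$@"
    echo "with libgssapi_krb5 added to the link line:"
    unresolved_symbols "$@" "$d/libgssapi_krb5.nm"
    rm -rf "$d"
}

demo
```

Leaving the `httpd` listing out makes every `ap_*` import show up as unresolved, so include the host binary when checking a loadable module.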