From: Sam Leffler
Organization: FreeBSD Project
Date: Fri, 18 Sep 2009 23:46:31 +0100
To: Rick Macklem
Cc: freebsd-stable, freebsd-current@freebsd.org, John Marshall, George Mamalakis
Subject: Re: SASL problems with spnego on 8.0-BETA4

Rick Macklem wrote:
>
>
> On Fri, 18 Sep 2009, John Marshall wrote:
>
>> On Thu, 17 Sep 2009, 21:28 +0300, George Mamalakis wrote:
>>> Dear all,
>>>
>>> I am trying to setup ldap with heimdal on my fbsd 8.0-BETA4 and when I
>>> run ldapsearch to see if I can authenticate via GSSAPI I keep getting
>>> the following error:
>>>
>>> [root@ldap root]# ldapsearch -H "ldap://ldap.example.com/" -b
>>> "dc=example,dc=com"
>>> SASL/GSSAPI authentication started
>>> dlopen: /usr/lib/libgssapi_spnego.so.10: Undefined symbol
>>> "GSS_C_NT_HOSTBASED_SERVICE"
>>> ldap_sasl_interactive_bind_s: Local error (-2)
>>>
> I don't know if you guys feel like experimenting, but here's what little
> I know about the heimdal/gssapi setup.
>
> When cyrus-sasl2 builds, it uses the little shell script
> /usr/bin/krb5-config with the args. "--libs gssapi" to get the list of
> libraries to link against. This doesn't return "-lgssapi_spnego" in the
> list. (The list can be changed by editing line #96 of
> /usr/bin/krb5-config.)
>
> Nothing seems to link against "-lgssapi_spnego", so it's a mystery to
> me how it ends up using it? (Maybe others with knowledge on how FreeBSD
> loads libraries can explain it. The library is listed in /etc/gss/mech.)
>
> GSS_C_NT_HOSTBASED_SERVICE is defined in the file gss_names.o in
> "-lgssapi", which is at the beginning of the list of libraries returned
> by "krb5-config --libs gssapi".
>
> I'm hoping that someone who understands how libraries get loaded can
> solve the puzzle, but barring that, you could try adding "-lgssapi_spnego"
> to line #96 of /usr/bin/krb5-config in front of "-lgssapi" and see if that
> gets things to load properly?
>
> Not much help, but I don't know how to test this stuff, rick

FWIW I hit the same problem (I think) with cyrus imap and saslauthd. I am
running HEAD and tried building w/ and w/o kerberos enabled but cyradm
aborts on startup complaining about the missing symbol. I started digging
because I couldn't get cyrus imap to authenticate users. Feels like one or
more of these ports are busted.

Sam
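
A diagnostic for the dlopen failure quoted in this thread, added here as an example and not part of any poster's message: it lists the undefined symbols of a dlopen()ed object that none of the libraries it is linked against export. The function names `unresolved`, `write_samples` and `demo` are hypothetical, and the `nm -D` listings are constructed sample data, not output from a FreeBSD 8.0 system.

```shell
#!/bin/sh
# unresolved PLUGIN_NM [DEP_NM...]   (hypothetical helper, not a system tool)
# PLUGIN_NM holds `nm -D` output for the dlopen()ed object, for example
#   nm -D /usr/lib/libgssapi_spnego.so.10 > plugin.nm
# Each DEP_NM holds `nm -D` output for one library the object is linked
# against (its DT_NEEDED entries, visible with `readelf -d`).
# Prints the undefined symbols that no listed dependency exports.
unresolved() {
    awk '
        FILENAME == ARGV[1] {            # plugin listing: collect "U name"
            if ($1 == "U") { sub(/@.*/, "", $2); want[$2] = 1 }
            next
        }
        # dependency listing: "addr type name"; these types are definitions
        NF == 3 && $2 ~ /^[TDBRWV]$/ { sub(/@.*/, "", $3); delete want[$3] }
        END { for (s in want) print s }
    ' "$@" | sort
}

# Constructed sample listings, not captured from a real system.
write_samples() {
    cat > "$1/plugin.nm" <<'EOF'
                 U GSS_C_NT_HOSTBASED_SERVICE
                 U malloc
0000000000003a10 T gss_spnego_init_sec_context
EOF
    cat > "$1/libc.nm" <<'EOF'
0000000000071230 T malloc
EOF
    cat > "$1/libgssapi.nm" <<'EOF'
0000000000208f40 D GSS_C_NT_HOSTBASED_SERVICE
0000000000004c20 T gss_import_name
EOF
}

demo() {
    d=$(mktemp -d) || return 1
    write_samples "$d"
    echo "dependencies: libc only"
    unresolved "$d/plugin.nm" "$d/libc.nm"
    echo "dependencies: libc and libgssapi"
    unresolved "$d/plugin.nm" "$d/libc.nm" "$d/libgssapi.nm"
    rm -rf "$d"
}
demo
```

A symbol that stays in the output must already be provided by the program or by a library loaded earlier with global visibility, otherwise dlopen() fails with an "Undefined symbol" error like the one quoted above.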