[SPF:fail] Re: mod_auth_kerb2
    Olli Hauer 
    ohauer at FreeBSD.org
       
    Thu Apr  7 07:53:18 UTC 2011
    
    
  
On 2011-04-07 09:35, George Mamalakis wrote:
> On 07/04/2011 00:46, Olli Hauer wrote:
>> On 2011-04-06 14:48, George Mamalakis wrote:
>>> Dear Sir/Madam,
>>>
>>> I've tried to build mod_auth_kerb2 with apache-2.2.17_1 on a FreeBSD-8.2-STABLE
>>> system. After I gave make install and tried to restart apache, I received the
>>> following message:
>>>
>>> # /usr/local/etc/rc.d/apache22 start
>>> Performing sanity check on apache22 configuration:
>>> httpd: Syntax error on line 103 of /usr/local/etc/apache22/httpd.conf: Cannot
>>> load /usr/local/libexec/apache22/mod_auth_kerb.so into server:
>>> /usr/local/libexec/apache22/mod_auth_kerb.so: Undefined symbol
>>> "gsskrb5_register_acceptor_identity"
>>> Starting apache22.
>>> httpd: Syntax error on line 103 of /usr/local/etc/apache22/httpd.conf: Cannot
>>> load /usr/local/libexec/apache22/mod_auth_kerb.so into server:
>>> /usr/local/libexec/apache22/mod_auth_kerb.so: Undefined symbol
>>> "gsskrb5_register_acceptor_identity"
>>> /usr/local/etc/rc.d/apache22: WARNING: failed to start apache22
>>>
>>> ldd showed:
>>> # ldd /usr/local/libexec/apache22/mod_auth_kerb.so
>>> /usr/local/libexec/apache22/mod_auth_kerb.so:
>>>      libgssapi.so.10 =>  /usr/lib/libgssapi.so.10 (0x800c00000)
>>>      libheimntlm.so.10 =>  /usr/lib/libheimntlm.so.10 (0x800d0a000)
>>>      libkrb5.so.10 =>  /usr/lib/libkrb5.so.10 (0x800e0f000)
>>>      libhx509.so.10 =>  /usr/lib/libhx509.so.10 (0x800f7e000)
>>>      libcom_err.so.5 =>  /usr/lib/libcom_err.so.5 (0x8010be000)
>>>      libcrypto.so.6 =>  /lib/libcrypto.so.6 (0x8011c0000)
>>>      libasn1.so.10 =>  /usr/lib/libasn1.so.10 (0x801461000)
>>>      libroken.so.10 =>  /usr/lib/libroken.so.10 (0x8015e3000)
>>>      libcrypt.so.5 =>  /lib/libcrypt.so.5 (0x8016f5000)
>>>      libc.so.7 =>  /lib/libc.so.7 (0x800647000)
>>>
>>>
>>> So, even though the configuration seemed to be just fine, the installation was
>>> not functional. We changed
>>> /usr/ports/www/mod_auth_kerb2/work/mod_auth_kerb-5.4/Makefile 3rd line to read:
>>>
>>> KRB5_LDFLAGS = -L/usr/lib -lgssapi -lgssapi_krb5 -lheimntlm -lkrb5 -lhx509
>>> -lcom_err -lcrypto -lasn1 -lroken -lcrypt
>>>
>>> which means that we added gssapi_krb5  among the linker flags. Then we installed
>>> it and now it works fine.
>>>
>>> Please verify that this is a problem regarding the port, otherwise I should post
>>> this mail to the freebsd-stable list.
>>>
>>> Thank you for your time in advance,
>>>
>>> Regards,
>>
>>
>> I can confirm the issue, it's the /usr/bin/krb5-config script.
>> Heimdal was update from 0.6.3 to 1.1.0 and I guess this is a merge issue.
>>
>> The following patch correct the issue on FreeBSD-8.2.
>>
>>
>> --- /usr/bin/krb5-config.orig   2011-02-17 03:18:57.000000000 +0100
>> +++ /usr/bin/krb5-config        2011-04-06 23:41:31.000000000 +0200
>> @@ -93,7 +93,7 @@
>>       lib_flags="-L${libdir}"
>>       case $library in
>>       gssapi)
>> -       lib_flags="$lib_flags -lgssapi -lheimntlm"
>> +       lib_flags="$lib_flags -lgssapi -lgssapi_krb5 -lheimntlm"
>>          ;;
>>       kadm-client)
>>          lib_flags="$lib_flags -lkadm5clnt"
>>
>>
>> Can you open a PR for this?
>>
>> -- 
>> Regards,
>> olli
> 
> Oli thank you,
> 
> Yes, I will open a PR. I have also confirmed that the heimdal-1.4 from ports
> does exactly the same thing.
> 
> Thanks again for your reply.
> 
Hi George,
I also looked at the heimdal sources and ask the heimdal support if this flag is
missing.
I guess this issue exists only on FreeBSD
Question to heimdal support:
>> I suspect there is a bug in krb5-config since version 1.1 or earlier,
>> `krb5-config -libs' does not include '-lgssapi_krb5'
>> 
>> Found this issue with mod_auth_kerb2, the module builds but cannot be loaded.
>> There are also other reports for broken cyrus-sassl ...
>> I even cannot found this entry in heimdal-1.5pre1
Answer from heimdal support:
> Heimdal installs the gssapi framework as libgssapi, that includes the krb5 mech, heimdal have no libgssapi_krb5
> 
If I build heimdal direct from the heimdal-1.1 source, then indeed there is no
libgssapi_krb5.
--
Regards,
olli
    
    
More information about the freebsd-apache
mailing list