Re: mod_auth_kerb2

Olli Hauer ohauer at FreeBSD.org
Thu Apr 7 14:16:37 UTC 2011


On 2011-04-07 15:30, George Mamalakis wrote:
> On 07/04/2011 10:53, Olli Hauer wrote:
>> On 2011-04-07 09:35, George Mamalakis wrote:
>>> On 07/04/2011 00:46, Olli Hauer wrote:
>>>> On 2011-04-06 14:48, George Mamalakis wrote:
>>>>> Dear Sir/Madam,
>>>>>
>>>>> I've tried to build mod_auth_kerb2 with apache-2.2.17_1 on a
>>>>> FreeBSD-8.2-STABLE
>>>>> system. After I gave make install and tried to restart apache, I received the
>>>>> following message:
>>>>>
>>>>> # /usr/local/etc/rc.d/apache22 start
>>>>> Performing sanity check on apache22 configuration:
>>>>> httpd: Syntax error on line 103 of /usr/local/etc/apache22/httpd.conf: Cannot
>>>>> load /usr/local/libexec/apache22/mod_auth_kerb.so into server:
>>>>> /usr/local/libexec/apache22/mod_auth_kerb.so: Undefined symbol
>>>>> "gsskrb5_register_acceptor_identity"
>>>>> Starting apache22.
>>>>> httpd: Syntax error on line 103 of /usr/local/etc/apache22/httpd.conf: Cannot
>>>>> load /usr/local/libexec/apache22/mod_auth_kerb.so into server:
>>>>> /usr/local/libexec/apache22/mod_auth_kerb.so: Undefined symbol
>>>>> "gsskrb5_register_acceptor_identity"
>>>>> /usr/local/etc/rc.d/apache22: WARNING: failed to start apache22
>>>>>
>>>>> ldd showed:
>>>>> # ldd /usr/local/libexec/apache22/mod_auth_kerb.so
>>>>> /usr/local/libexec/apache22/mod_auth_kerb.so:
>>>>>       libgssapi.so.10 =>   /usr/lib/libgssapi.so.10 (0x800c00000)
>>>>>       libheimntlm.so.10 =>   /usr/lib/libheimntlm.so.10 (0x800d0a000)
>>>>>       libkrb5.so.10 =>   /usr/lib/libkrb5.so.10 (0x800e0f000)
>>>>>       libhx509.so.10 =>   /usr/lib/libhx509.so.10 (0x800f7e000)
>>>>>       libcom_err.so.5 =>   /usr/lib/libcom_err.so.5 (0x8010be000)
>>>>>       libcrypto.so.6 =>   /lib/libcrypto.so.6 (0x8011c0000)
>>>>>       libasn1.so.10 =>   /usr/lib/libasn1.so.10 (0x801461000)
>>>>>       libroken.so.10 =>   /usr/lib/libroken.so.10 (0x8015e3000)
>>>>>       libcrypt.so.5 =>   /lib/libcrypt.so.5 (0x8016f5000)
>>>>>       libc.so.7 =>   /lib/libc.so.7 (0x800647000)
>>>>>
>>>>>
>>>>> So, even though the configuration seemed to be just fine, the installation was
>>>>> not functional. We changed
>>>>> /usr/ports/www/mod_auth_kerb2/work/mod_auth_kerb-5.4/Makefile 3rd line to
>>>>> read:
>>>>>
>>>>> KRB5_LDFLAGS = -L/usr/lib -lgssapi -lgssapi_krb5 -lheimntlm -lkrb5 -lhx509
>>>>> -lcom_err -lcrypto -lasn1 -lroken -lcrypt
>>>>>
>>>>> which means that we added gssapi_krb5  among the linker flags. Then we
>>>>> installed
>>>>> it and now it works fine.
>>>>>
>>>>> Please verify that this is a problem regarding the port, otherwise I should
>>>>> post
>>>>> this mail to the freebsd-stable list.
>>>>>
>>>>> Thank you for your time in advance,
>>>>>
>>>>> Regards,
>>>>
>>>> I can confirm the issue, it's the /usr/bin/krb5-config script.
>>>> Heimdal was updated from 0.6.3 to 1.1.0 and I guess this is a merge issue.
>>>>
>>>> The following patch corrects the issue on FreeBSD-8.2.
>>>>
>>>>
>>>> --- /usr/bin/krb5-config.orig   2011-02-17 03:18:57.000000000 +0100
>>>> +++ /usr/bin/krb5-config        2011-04-06 23:41:31.000000000 +0200
>>>> @@ -93,7 +93,7 @@
>>>>        lib_flags="-L${libdir}"
>>>>        case $library in
>>>>        gssapi)
>>>> -       lib_flags="$lib_flags -lgssapi -lheimntlm"
>>>> +       lib_flags="$lib_flags -lgssapi -lgssapi_krb5 -lheimntlm"
>>>>           ;;
>>>>        kadm-client)
>>>>           lib_flags="$lib_flags -lkadm5clnt"
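Review bot: in the `gssapi)` branch, `-lgssapi_krb5` is appended unconditionally, and the diff is taken against the installed `/usr/bin/krb5-config`, so the fix exists only in that copy and is lost whenever the script is reinstalled. Make the change in the file `krb5-config` is generated from, and add a comment on that line saying which symbol requires the extra library, since nothing in the hunk explains why `-lgssapi` alone is not enough.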
>>>>
>>>>
>>>> Can you open a PR for this?
>>>>
>>>> -- 
>>>> Regards,
>>>> olli
>>> Olli, thank you,
>>>
>>> Yes, I will open a PR. I have also confirmed that the heimdal-1.4 from ports
>>> does exactly the same thing.
>>>
>>> Thanks again for your reply.
>>>
>> Hi George,
>>
>> I also looked at the heimdal sources and asked the heimdal support if this flag is
>> missing.
>> I guess this issue exists only on FreeBSD.
>>
>>
>> Question to heimdal support:
>>>> I suspect there is a bug in krb5-config since version 1.1 or earlier,
>>>> `krb5-config -libs' does not include '-lgssapi_krb5'
>>>>
>>>> Found this issue with mod_auth_kerb2, the module builds but cannot be loaded.
>>>> There are also other reports for broken cyrus-sasl ...
>>>> I cannot even find this entry in heimdal-1.5pre1
>> Answer from heimdal support:
>>> Heimdal installs the gssapi framework as libgssapi, that includes the krb5
>>> mech, heimdal has no libgssapi_krb5
>>>
>>
>> If I build heimdal directly from the heimdal-1.1 source, then indeed there is no
>> libgssapi_krb5.
>>
>>
>> -- 
>> Regards,
>> olli
>>
> Olli,
> 
> I am not sure I got you. If you build heimdal directly from source, it does not
> create a libgssapi_krb5.so.10 object? Then where are the relative functions
> defined? In some other shared object? And if so, then why does FreeBSD
> implementation work this way, if it breaks heimdal? And, finally, how can
> everything work once we change /usr/bin/krb5-config (This is the second time I
> had these issues with heimdal, the first time was with cyrus-sasl and spnego
> support, where I had to change the same line of /usr/bin/krb5-config to include
> -lgssapi_spnego. After that it would work. Then, FreeBSD changed heimdal to work
> without this tweak.)?
> 
> I don't know Olli, I am not sure I follow. I just hope it will be resolved soon.
> 
> Can you think of any other way to settle down this thing? I've sent the PR you
> proposed, and I included the patch you gave me, but this might not be the real
> solution...
> 
> Thank you anyway, and I hope that things will be fixed.
> 
> Regards,
> 
> mamalos



Hi George,

I don't know why but I suspect the FreeBSD-8.2 heimdal is a modified
heimdal-1.1 version. Maybe to keep it backward compatible?

What I've done was to look into the sources from heimdal 1.1/1.2/1.3/1.4/1.5
and there I haven't found a hint for libgssapi_krb5. Then I wrote to the heimdal
support and asked if this is a bug. The answer was there is no libgssapi_krb5!


I think only the secteam@ or dev@ can give an accurate answer if (and why) some
functions are moved to a dedicated lib.

--
Regards,
olli
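
The failure discussed in this thread (a module that builds but cannot be loaded because of an undefined symbol) can be caught before restarting the server. The following is an added example, not part of the original messages or of the port: it compares the symbols a module needs with what its `ldd` libraries and the hosting program export. It assumes an `nm` that accepts `-D`, `--defined-only` and `--undefined-only`; the function names and the `httpd` path in the usage comment are assumptions.

```sh
#!/bin/sh
# Added example, not from the thread. Lists dynamic symbols a loadable module
# needs that neither its own libraries nor the hosting program export.

# Read `ldd` output on stdin, print the resolved library paths.
ldd_paths() {
    awk '$2 == "=>" && $3 ~ /^\// { print $3 }'
}

# Hard (type U) undefined symbols of file $1; weak ones may stay unresolved.
undefined_syms() {
    nm -D --undefined-only "$1" 2>/dev/null |
        awk '$(NF-1) == "U" { sub(/@.*/, "", $NF); print $NF }'
}

# Read file paths on stdin, print every dynamic symbol they export.
exported_syms() {
    xargs nm -D --defined-only 2>/dev/null |
        awk 'NF >= 3 { sub(/@.*/, "", $NF); print $NF }'
}

# Lines of file $1 (needed) that do not appear in file $2 (provided).
unresolved() {
    awk -v have="$2" 'FILENAME == have { seen[$0] = 1; next }
                      !($0 in seen)' "$2" "$1"
}

# check_module MODULE [HOST]: HOST is the program that loads MODULE (httpd for
# an Apache module); its exports and its libraries count as providers.
# Prints the unresolved symbols and returns 1 if there are any.
check_module() {
    tmp=$(mktemp -d) || return 2
    undefined_syms "$1" | sort -u > "$tmp/need"
    {
        ldd "$1" | ldd_paths
        if [ -n "$2" ]; then echo "$2"; ldd "$2" | ldd_paths; fi
    } | sort -u | exported_syms | sort -u > "$tmp/have"
    unresolved "$tmp/need" "$tmp/have" > "$tmp/missing"
    cat "$tmp/missing"
    if [ -s "$tmp/missing" ]; then rc=1; else rc=0; fi
    rm -rf "$tmp"
    return "$rc"
}

# Usage (module path from the thread; the httpd path is an assumption):
# check_module /usr/local/libexec/apache22/mod_auth_kerb.so /usr/local/sbin/httpd
```

Passing the host program matters for Apache modules, because symbols supplied by the server itself would otherwise be reported as missing.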


More information about the freebsd-apache mailing list