misc/156245: [patch] heimdal 1.1 broken in 8-stable and 8-release as far as gssapi_krb5 is concerned

George Mamalakis mamalos at eng.auth.gr
Thu Apr 7 10:40:11 UTC 2011


>Number:         156245
>Category:       misc
>Synopsis:       [patch] heimdal 1.1 broken in 8-stable and 8-release as far as gssapi_krb5 is concerned
>Confidential:   no
>Severity:       non-critical
>Priority:       low
>Responsible:    freebsd-bugs
>State:          open
>Quarter:        
>Keywords:       
>Date-Required:
>Class:          sw-bug
>Submitter-Id:   current-users
>Arrival-Date:   Thu Apr 07 10:40:10 UTC 2011
>Closed-Date:
>Last-Modified:
>Originator:     George Mamalakis
>Release:        8-2-STABLE and 8-0-STABLE
>Organization:
Aristotle Univ. of Thessaloniki, Greece
>Environment:
FreeBSD mymachine 8.2-STABLE FreeBSD 8.2-STABLE #0: Sat Mar 12 09:13:01 EET 2011     root at mymachine:/usr/obj/usr/src/sys/CUSTOM  amd64

>Description:
I installed mod_auth_kerb2 on my FreeBSD 8.2-STABLE machine and tried to use it. After the installation (which was successful(?!?)), the server refused to start and reported the following error:

# /usr/local/etc/rc.d/apache22 start
Performing sanity check on apache22 configuration:
httpd: Syntax error on line 103 of /usr/local/etc/apache22/httpd.conf: Cannot load /usr/local/libexec/apache22/mod_auth_kerb.so into server: /usr/local/libexec/apache22/mod_auth_kerb.so: Undefined symbol "gsskrb5_register_acceptor_identity"
Starting apache22.
httpd: Syntax error on line 103 of /usr/local/etc/apache22/httpd.conf: Cannot load /usr/local/libexec/apache22/mod_auth_kerb.so into server: /usr/local/libexec/apache22/mod_auth_kerb.so: Undefined symbol "gsskrb5_register_acceptor_identity"
/usr/local/etc/rc.d/apache22: WARNING: failed to start apache22

while ldd showed:

# ldd /usr/local/libexec/apache22/mod_auth_kerb.so
/usr/local/libexec/apache22/mod_auth_kerb.so:
    libgssapi.so.10 => /usr/lib/libgssapi.so.10 (0x800c00000)
    libheimntlm.so.10 => /usr/lib/libheimntlm.so.10 (0x800d0a000)
    libkrb5.so.10 => /usr/lib/libkrb5.so.10 (0x800e0f000)
    libhx509.so.10 => /usr/lib/libhx509.so.10 (0x800f7e000)
    libcom_err.so.5 => /usr/lib/libcom_err.so.5 (0x8010be000)
    libcrypto.so.6 => /lib/libcrypto.so.6 (0x8011c0000)
    libasn1.so.10 => /usr/lib/libasn1.so.10 (0x801461000)
    libroken.so.10 => /usr/lib/libroken.so.10 (0x8015e3000)
    libcrypt.so.5 => /lib/libcrypt.so.5 (0x8016f5000)
    libc.so.7 => /lib/libc.so.7 (0x800647000)

which showed that everything should have been fine. I googled it a bit and found this thread regarding my error message: http://forum.nginx.org/read.php?23,88476 , which started in May 2010, and pointed to this PR: http://www.freebsd.org/cgi/query-pr.cgi?pr=147454 , which started in June 2010. What is stated is that heimdal-1.1 was broken in FreeBSD, and that it should be fixed at some moment in the future. (I tested mod_auth_kerb2 on another machine running heimdal from ports (1.4_1) and I had exactly the same problem.)

I searched to find where this notorious function (gsskrb5_register_acceptor_identity) was located, and I found its declaration in: /usr/include/gssapi/gssapi_krb5.h, and its definition in: /usr/lib/libgssapi_krb5.so.

So, I added -lgssapi_krb5 to the KRB5_LDFLAGS variable of /usr/ports/www/mod_auth_kerb2/work/mod_auth_kerb-5.4/Makefile , since this is where the location of gsskrb5_register_acceptor_identity originally seemed to be, and reinstalled the port using gmake this time (inside the port's work directory). After that, the module works just fine. The initial content of this line was:

KRB5_LDFLAGS = -L/usr/lib -lgssapi -lheimntlm -lkrb5 -lhx509 -lcom_err -lcrypto -lasn1 -lroken -lcrypt

I've contacted the maintainers of the port, and confirmed the bug. They stated that the problem is related to /usr/bin/krb5-config, which fails to advertise gssapi_krb5 among its libraries. They also suggested that I send this PR along with the following patch.

If that line changes in /usr/bin/krb5-config, and the port is recompiled, then everything works as it should.

>How-To-Repeat:
Install www/apache22 and subsequently www/mod_auth_krb5. Then try to start apache, and it will fail.
>Fix:
Change line 96 of /usr/bin/krb5-config to read:
lib_flags="$lib_flags -lgssapi -lgssapi_krb5 -lheimntlm"

or change the work-dir's Makefile of www/mod_auth_krb5 port to include gssapi_krb5 (line 3), so the changed line should read:

KRB5_LDFLAGS = -L/usr/lib -lgssapi -lgssapi_krb5 -lheimntlm -lkrb5 -lhx509 -lcom_err -lcrypto -lasn1 -lroken -lcrypt

Patch attached with submission follows:

--- /usr/bin/krb5-config.orig   2011-02-17 03:18:57.000000000 +0100
+++ /usr/bin/krb5-config        2011-04-06 23:41:31.000000000 +0200
@@ -93,7 +93,7 @@
     lib_flags="-L${libdir}"
     case $library in
     gssapi)
-       lib_flags="$lib_flags -lgssapi -lheimntlm"
+       lib_flags="$lib_flags -lgssapi -lgssapi_krb5 -lheimntlm"
        ;;
     kadm-client)
        lib_flags="$lib_flags -lkadm5clnt"
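
Review bot: The ---/+++ headers name the installed /usr/bin/krb5-config, so this hunk patches an installed copy rather than a file in the source tree, and the change will be lost the next time the base system is reinstalled or upgraded. Please regenerate the diff against the file in the source tree from which this script is installed. On the changed line in the gssapi) case, -lgssapi_krb5 is added for every caller that asks for the gssapi library flags, so the PR should state that this is intended for all consumers and not only for mod_auth_kerb.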


>Release-Note:
>Audit-Trail:
>Unformatted:
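
The diagnosis in the report above (ldd resolves every listed library, yet one symbol is defined in a library that was never linked) can be checked mechanically. The following is an added example, not part of the original report or of any FreeBSD tool; the function name unresolved_symbols and the `nm -D` style listings are constructed for illustration.

```shell
#!/bin/sh
# Constructed sample listings in `nm -D` layout (not real output).
# "U" = symbol the object needs; "T" = symbol the object defines.
MODULE_SYMS='                 U gss_accept_sec_context
                 U gss_release_buffer
                 U gsskrb5_register_acceptor_identity
                 U krb5_init_context
0000000000003a10 T kerb_authenticate_user'

LIBGSSAPI_SYMS='0000000000004c20 T gss_accept_sec_context
0000000000005130 T gss_release_buffer'

LIBKRB5_SYMS='0000000000021f40 T krb5_init_context'

LIBGSSAPI_KRB5_SYMS='0000000000009d80 T gsskrb5_register_acceptor_identity'

# unresolved_symbols MODULE_LISTING LIB_LISTING...
# Prints, one per line, every symbol the module leaves undefined that
# none of the given library listings defines.
unresolved_symbols() {
    module=$1; shift
    {
        printf '%s\n' "$@"          # library listings first
        printf '%s\n' '--module--'  # separator between the two inputs
        printf '%s\n' "$module"
    } | awk '
        $0 == "--module--" { in_module = 1; next }
        # Library section: remember every defined (T/W/D/B) symbol.
        !in_module && NF == 3 && $2 ~ /^[TWDB]$/ { defined[$3] = 1 }
        # Module section: report needed symbols nobody defines.
        in_module && $1 == "U" && !($2 in defined) { print $2 }'
}

# With the libraries from the original KRB5_LDFLAGS the symbol is missing.
echo "without libgssapi_krb5:"
unresolved_symbols "$MODULE_SYMS" "$LIBGSSAPI_SYMS" "$LIBKRB5_SYMS"

# With libgssapi_krb5 added, nothing is left unresolved.
echo "with libgssapi_krb5:"
unresolved_symbols "$MODULE_SYMS" "$LIBGSSAPI_SYMS" "$LIBKRB5_SYMS" \
    "$LIBGSSAPI_KRB5_SYMS"
```

On a real system the listings would come from running `nm -D` on the module and on each library that ldd reports.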

