SASL problems with spnego on 8.0-BETA4
John Marshall
john.marshall at riverwillow.com.au
Mon Sep 21 01:29:09 UTC 2009
On Sat, 19 Sep 2009, 09:31 +1000, John Marshall wrote:
> On Fri, 18 Sep 2009, 17:38 -0400, Rick Macklem wrote:
> > When cyrus-sasl2 builds, it uses the little shell script
> > /usr/bin/krb5-config with the args. "--libs gssapi" to get the list of
> > libraries to link against. This doesn't return "-lgssapi_spnego" in the
> > list. (The list can be changed by editing line #96 of
> > /usr/bin/krb5-config.)
>
> I think this sounds promising! It makes sense. Thanks for pointing us
> in this direction.
This morning, on my 8.0-RC1 system, I did the following to confirm that
GSSAPI authentication to the LDAP server via SASL2 using the base
Heimdal was still broken:
- removed the heimdal-1.2.1 port
- rebuilt the cyrus-sasl-2.1.23 port (against the base heimdal)
- started the openldap-sasl-server-2.4.18_1
- queried the LDAP server from a separate client using ldapsearch:
--------
SASL/GSSAPI authentication started
ldap_sasl_interactive_bind_s: Can't contact LDAP server (-1)
--------
- and noted that the ldap server died at that point.
I edited line 96 of /usr/bin/krb5-config to include -lgssapi_krb5 in the
libraries list:
lib_flags="$lib_flags -lgssapi -lgssapi_krb5 -lheimntlm"
and then did the following:
- rebuilt the cyrus-sasl-2.1.23 port (against the base heimdal)
- started the openldap-sasl-server-2.4.18_1
- queried the LDAP server from a separate client using ldapsearch
--------
SASL/GSSAPI authentication started
SASL username: john at EXAMPLE.COM
SASL SSF: 56
SASL data security layer installed.
# extended LDIF
#
# LDAPv3
--------
SUCCESS!
So, this fix obviates THAT reason for installing the Heimdal port. If
George meets with similar success adding -lgssapi_spnego for his spnego
problem, I suggest that both libraries be added to the list in line 96
of /usr/bin/krb5-config prior to release of FreeBSD 8.0.
It doesn't look like this fix is as simple as submitting a patch to
krb5-config. It looks like magic needs to happen somewhere in the base
kerberos build system.
I notice that the Heimdal port doesn't build the separate libraries and
everything seems to be included in libgssapi (which explains why sasl2
"works" when linked against the Heimdal port).
--
John Marshall
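A small pre-build check in the spirit of this thread, added here and not part of the original message: it runs a krb5-config script with `--libs gssapi` (the same call cyrus-sasl2 makes) and reports which of the GSSAPI mechanism libraries discussed above are missing, so a missing `-lgssapi_krb5` or `-lgssapi_spnego` is caught before the port is built rather than when the LDAP server dies. The required-library list and the stub krb5-config scripts are constructed assumptions; the real script is /usr/bin/krb5-config.

```shell
#!/bin/sh
# Added example, not from the thread. REQUIRED_LIBS is an assumption: the
# Heimdal mechanism libraries the thread says cyrus-sasl2 must link against.
REQUIRED_LIBS="-lgssapi -lgssapi_krb5 -lgssapi_spnego"

# Print the link flags a krb5-config script ($1) returns for "--libs gssapi".
krb5_gssapi_libs() {
    "$1" --libs gssapi 2>/dev/null
}

# Return 0 if every required library is in the krb5-config output for $1,
# otherwise list the missing ones on stderr and return 1.
check_krb5_config() {
    libs=$(krb5_gssapi_libs "$1")
    missing=""
    for lib in $REQUIRED_LIBS; do
        case " $libs " in
            *" $lib "*) ;;
            *) missing="$missing $lib" ;;
        esac
    done
    if [ -n "$missing" ]; then
        echo "missing from '$1 --libs gssapi':$missing" >&2
        return 1
    fi
    return 0
}

# Write a stand-in krb5-config ($1) whose lib_flags line ($2) mirrors the
# line 96 quoted in the thread. Constructed stub so the check runs offline.
make_stub() {
    stub="$1"; flags="$2"
    cat > "$stub" <<EOF
#!/bin/sh
lib_flags="$flags"
[ "\$1" = "--libs" ] && echo "-L/usr/lib \$lib_flags"
EOF
    chmod +x "$stub"
}

tmpdir=$(mktemp -d)
trap 'rm -rf "$tmpdir"' EXIT
# "before": the stock line; "after": the line with both mechanism libs added.
make_stub "$tmpdir/krb5-config.before" "-lgssapi -lheimntlm"
make_stub "$tmpdir/krb5-config.after"  "-lgssapi -lgssapi_krb5 -lgssapi_spnego -lheimntlm"
check_krb5_config "$tmpdir/krb5-config.before" && echo "before: ok" || echo "before: incomplete"
check_krb5_config "$tmpdir/krb5-config.after"  && echo "after: ok"
```

On a real system, point `check_krb5_config` at /usr/bin/krb5-config instead of the stubs.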