SASL problems with spnego on 8.0-BETA4

John Marshall john.marshall at riverwillow.com.au
Mon Sep 21 22:22:50 UTC 2009 

On Mon, 21 Sep 2009, 11:26 -0400, Rick Macklem wrote:
> 
> On Mon, 21 Sep 2009, George Mamalakis wrote:
> 
> [stuff snipped]
> >>
> >>SUCCESS!
> >>
> >>So, this fix obviates THAT reason for installing the Heimdal port.  If
> >>George meets with similar success adding -lgssapi_spnego for his spnego
> >>problem, I suggest that both libraries be added to the list in line 96
> >>of /usr/bin/krb5-config prior to release of FreeBSD 8.0.
> >>
> >>It doesn't look like this fix is as simple as submitting a patch to
> >>krb5-config.  It looks like magic needs to happen somewhere in the base
> >>kerberos build system.
> >>
> >>I notice that the Heimdal port doesn't build the separate libraries and
> >>everything seems to be included in libgssapi (which explains why sasl2
> >>"works" when linked against the Heimdal port).
> >>
> >>
> >Guys,
> >
> >I changed my /usr/bin/krb5-config's line 96 to include -lgssapi_spnego and 
> >-lgssapi_krb5, and ever since both client and server work correctly!! Of 
> >course I get some other error, but at least this must be a configuration 
> >error :).
> >
> >So, to sum up:
> >
> >Still running on fbsd.8-BETA4, changed krb5-config to include the missing 
> >libraries, recompiled cyrus-sasl-2.1.23 after I changed the krb5-config, 
> >restarted openldap-sasl-server-2.4.18_1 and after performing an 
> >ldapsearch, the client does not complain (and exits) about missing 
> >libraries, NOR does the server crash on sasl authentication.
> >
> >Great job guys, thank you all very very much for your help! I posted my 
> >query on the 17th of Sep. and in four days (weekend inclusive!) someone 
> >came up with an answer that resolves my issue! Great job, once more, and 
> >thank you all again!
> >
> Now, hopefully someone who understands enough about dynamic linking will
> know if this is the correct fix for 8.0? (I'm going on a couple of weeks
> vacation at the end of this week, so I won't be around to commit anything
> and don't understand it well enough to know if this is the correct way
> to fix it.)
> 
> So, hopefully someone else can pick this one up?
> 
> Thanks for testing it, rick

Thanks Rick for your very valuable guidance on this problem.  Have a
great vacation!

I have submitted a patch to the FreeBSD Makefile which patches the
vendor-supplied template for krb5-config.  I should be grateful if dfr@
or another src committer would please review this with a view to
obtaining re@ approval to commit it before 8.0-RC2.

<http://www.freebsd.org/cgi/query-pr.cgi?pr=139037>

-- 
John Marshall
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 196 bytes
Desc: not available
Url : http://lists.freebsd.org/pipermail/freebsd-current/attachments/20090921/be80b5c1/attachment-0001.pgp

More information about the freebsd-current mailing list