mod_auth_kerb2 broken in 8-STABLE? Or is it heimdal to blame?

George Mamalakis mamalos at eng.auth.gr
Wed Apr 6 15:29:47 UTC 2011


Dear all,

I installed mod_auth_kerb2 on my FreeBSD 8-STABLE machine and tried to 
use it. After the installation (which was successful(?!?)), the server 
refused to start giving the error:

# /usr/local/etc/rc.d/apache22 start
Performing sanity check on apache22 configuration:
httpd: Syntax error on line 103 of /usr/local/etc/apache22/httpd.conf: 
Cannot load /usr/local/libexec/apache22/mod_auth_kerb.so into server: 
/usr/local/libexec/apache22/mod_auth_kerb.so: Undefined symbol 
"gsskrb5_register_acceptor_identity"
Starting apache22.
httpd: Syntax error on line 103 of /usr/local/etc/apache22/httpd.conf: 
Cannot load /usr/local/libexec/apache22/mod_auth_kerb.so into server: 
/usr/local/libexec/apache22/mod_auth_kerb.so: Undefined symbol 
"gsskrb5_register_acceptor_identity"
/usr/local/etc/rc.d/apache22: WARNING: failed to start apache22

but ldd showed:

# ldd /usr/local/libexec/apache22/mod_auth_kerb.so
/usr/local/libexec/apache22/mod_auth_kerb.so:
     libgssapi.so.10 => /usr/lib/libgssapi.so.10 (0x800c00000)
     libheimntlm.so.10 => /usr/lib/libheimntlm.so.10 (0x800d0a000)
     libkrb5.so.10 => /usr/lib/libkrb5.so.10 (0x800e0f000)
     libhx509.so.10 => /usr/lib/libhx509.so.10 (0x800f7e000)
     libcom_err.so.5 => /usr/lib/libcom_err.so.5 (0x8010be000)
     libcrypto.so.6 => /lib/libcrypto.so.6 (0x8011c0000)
     libasn1.so.10 => /usr/lib/libasn1.so.10 (0x801461000)
     libroken.so.10 => /usr/lib/libroken.so.10 (0x8015e3000)
     libcrypt.so.5 => /lib/libcrypt.so.5 (0x8016f5000)
     libc.so.7 => /lib/libc.so.7 (0x800647000)

which showed that everything should have been fine. I googled it a bit 
and found this thread regarding my error message: 
http://forum.nginx.org/read.php?23,88476 , which started in May 2010, 
and pointed to this PR: 
http://www.freebsd.org/cgi/query-pr.cgi?pr=147454 , which started in 
June 2010. What is stated is that heimdal-1.1 was broken in FreeBSD, 
and that it should be fixed at some moment in the future. (I tested 
mod_auth_kerb2 on another machine running heimdal from ports (1.4_1) and 
I had exactly the same problem).

I searched to find where this notorious function 
(gsskrb5_register_acceptor_identity) was located, and I found its 
declaration in: /usr/include/gssapi/gssapi_krb5.h, and its definition 
in: /usr/lib/libgssapi_krb5.so.

So, I added -lgssapi_krb5 to the KRB5_LDFLAGS variable of 
/usr/ports/www/mod_auth_kerb2/work/mod_auth_kerb-5.4/Makefile , since 
this is where the location of gsskrb5_register_acceptor_identity originally 
seemed to be, and reinstalled the port using gmake this time (inside the 
port's work directory). After that, the module works just fine. The 
initial content of this line was:

KRB5_LDFLAGS = -L/usr/lib -lgssapi -lheimntlm -lkrb5 -lhx509 -lcom_err -lcrypto -lasn1 -lroken -lcrypt

I've sent an analogous email to the port maintainer, but I am not sure 
if it is their "fault". Hence, I decided to send this email to the 
stable list for two reasons: First, someone else may be having a similar 
problem and wants to find a rough solution. Secondly, there are people 
reading this list that know heimdal's code, so somebody may know another 
(much more elegant) way to fix this bug.

Thank you all for your time in advance,

Regards,

mamalos.

-- 
George Mamalakis

IT Officer
Electrical and Computer Engineer (Aristotle Un. of Thessaloniki),
MSc (Imperial College of London)

Department of Electrical and Computer Engineering
Faculty of Engineering
Aristotle University of Thessaloniki

phone number : +30 (2310) 994379
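
The diagnosis described in the message above (ldd resolves every library, yet one imported symbol is exported by none of them), as an added example that is not part of the original post or of the port. It assumes an nm that supports -D; the NM override and the function names are hypothetical and exist only for this sketch.

```shell
#!/bin/sh
# Added example: confirm that a module imports a symbol and find which
# candidate libraries export it. ldd only shows that the libraries were
# found; it does not check that each imported symbol is defined in one.
# Usage (paths as in the message above):
#   sh find_provider.sh /usr/local/libexec/apache22/mod_auth_kerb.so \
#       gsskrb5_register_acceptor_identity /usr/lib/libgssapi*.so

NM=${NM:-nm}   # assumption: overridable so the logic can run on canned output

# Succeeds if the dynamic symbol table of $1 lists $2 as undefined (type U).
needs_symbol() {
    "$NM" -D "$1" 2>/dev/null | awk -v s="$2" '
        NF >= 2 { n = $NF; sub(/@.*/, "", n)      # drop any @VERSION suffix
                  if (n == s && $(NF-1) == "U") found = 1 }
        END { exit !found }'
}

# Prints every library among $2.. whose dynamic symbol table defines $1.
# Defined entries have three fields (address, type, name) and a type != U.
providers() {
    sym=$1; shift
    for lib in "$@"; do
        "$NM" -D "$lib" 2>/dev/null | awk -v s="$sym" '
            NF >= 3 { n = $NF; sub(/@.*/, "", n)
                      if (n == s && $(NF-1) != "U") found = 1 }
            END { exit !found }' && echo "$lib"
    done
    return 0
}

# Run only when called with: module symbol library...
if [ "$#" -ge 3 ]; then
    mod=$1; sym=$2; shift 2
    if needs_symbol "$mod" "$sym"; then
        echo "$mod imports $sym; defined in:"
        providers "$sym" "$@"
    else
        echo "$mod does not import $sym"
    fi
fi
```

A library printed by this script but absent from the module's ldd output is the one missing from the link line.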


