mod_auth_kerb2 broken in 8-STABLE? Or is it heimdal to blame?

John Marshall john.marshall at riverwillow.com.au
Thu Oct 18 23:20:21 UTC 2012


On 02/10/2012 02:08, George Mamalakis wrote:
> On 04/07/11 14:08, George Mamalakis wrote:
>> On 06/04/2011 18:29, George Mamalakis wrote:
>>> Dear all,
>>>
>>> I installed mod_auth_kerb2 on my FreeBSD 8-STABLE machine and tried
>>> to use it. After the installation (which was successful(?!?)), the
>>> server refused to start giving the error:
>>>
>>> # /usr/local/etc/rc.d/apache22 start
>>> Performing sanity check on apache22 configuration:
>>> httpd: Syntax error on line 103 of
>>> /usr/local/etc/apache22/httpd.conf: Cannot load
>>> /usr/local/libexec/apache22/mod_auth_kerb.so into server:
>>> /usr/local/libexec/apache22/mod_auth_kerb.so: Undefined symbol
>>> "gsskrb5_register_acceptor_identity"
>>> Starting apache22.
>>> httpd: Syntax error on line 103 of
>>> /usr/local/etc/apache22/httpd.conf: Cannot load
>>> /usr/local/libexec/apache22/mod_auth_kerb.so into server:
>>> /usr/local/libexec/apache22/mod_auth_kerb.so: Undefined symbol
>>> "gsskrb5_register_acceptor_identity"
>>> /usr/local/etc/rc.d/apache22: WARNING: failed to start apache22
>>>
>>> but ldd showed:
>>>
>>> # ldd /usr/local/libexec/apache22/mod_auth_kerb.so
>>> /usr/local/libexec/apache22/mod_auth_kerb.so:
>>>     libgssapi.so.10 => /usr/lib/libgssapi.so.10 (0x800c00000)
>>>     libheimntlm.so.10 => /usr/lib/libheimntlm.so.10 (0x800d0a000)
>>>     libkrb5.so.10 => /usr/lib/libkrb5.so.10 (0x800e0f000)
>>>     libhx509.so.10 => /usr/lib/libhx509.so.10 (0x800f7e000)
>>>     libcom_err.so.5 => /usr/lib/libcom_err.so.5 (0x8010be000)
>>>     libcrypto.so.6 => /lib/libcrypto.so.6 (0x8011c0000)
>>>     libasn1.so.10 => /usr/lib/libasn1.so.10 (0x801461000)
>>>     libroken.so.10 => /usr/lib/libroken.so.10 (0x8015e3000)
>>>     libcrypt.so.5 => /lib/libcrypt.so.5 (0x8016f5000)
>>>     libc.so.7 => /lib/libc.so.7 (0x800647000)
>>>
>>> which showed that everything should have been fine. I googled it a
>>> bit and found this thread regarding my error message:
>>> http://forum.nginx.org/read.php?23,88476 , which started on May 2010,
>>> and pointed to this PR:
>>> http://www.freebsd.org/cgi/query-pr.cgi?pr=147454 , which started on
>>> June 2010. What is stated, is that heimdal-1.1 was broken in FreeBSD,
>>> and that it should be fixed at some moment in the future. (I tested
>>> mod_auth_kerb2 on another machine running heimdal from ports (1.4_1)
>>> and I had exactly the same problem).
>>>
>>> I searched to find where this notorious function
>>> (gsskrb5_register_acceptor_identity) was located, and I found its
>>> declaration in: /usr/include/gssapi/gssapi_krb5.h, and its definition
>>> in: /usr/lib/libgssapi_krb5.so.
>>>
>>> So, I added -lgssapi_krb5 in KRB5_LDFLAGS variable of
>>> /usr/ports/www/mod_auth_kerb2/work/mod_auth_kerb-5.4/Makefile , since
>>> this is where the location of gsskrb5_register_acceptor_identity
>>> originally seemed to be, and reinstalled the port using gmake this
>>> time (inside the port's work directory). After that, the module works
>>> just fine. The initial content of this line was:
>>>
>>> KRB5_LDFLAGS = -L/usr/lib -lgssapi -lheimntlm -lkrb5 -lhx509
>>> -lcom_err -lcrypto -lasn1 -lroken -lcrypt
>>>
>>> I've sent an analogous email to the port maintainer, but I am not
>>> sure if it is their "fault". Hence, I decided to send this email to
>>> the stable list for two reasons: First, someone else may be having a
>>> similar problem and wants to find a rough solution. Secondly, there
>>> are people reading this list that know heimdal's code, so somebody
>>> may know another (much more elegant) way to fix this bug.
>>>
>>> Thank you all for your time in advance,
>>>
>>> Regards,
>>>
>>> mamalos.
>>>
>>
>> OK,
>>
>> I spoke with the maintainer who confirmed the problem. He also
>> suggested to change line 96 of /usr/bin/krb5-config to include
>> gssapi_krb5 among its libraries. He also gave me the relevant patch,
>> and asked me to send a PR to FreeBSD. The patch is as follows:
>>
>> --- /usr/bin/krb5-config.orig   2011-02-17 03:18:57.000000000 +0100
>> +++ /usr/bin/krb5-config        2011-04-06 23:41:31.000000000 +0200
>> @@ -93,7 +93,7 @@
>>      lib_flags="-L${libdir}"
>>      case $library in
>>      gssapi)
>> -       lib_flags="$lib_flags -lgssapi -lheimntlm"
>> +       lib_flags="$lib_flags -lgssapi -lgssapi_krb5 -lheimntlm"
>>         ;;
>>      kadm-client)
>>         lib_flags="$lib_flags -lkadm5clnt"
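
Review bot: the new lib_flags line in the gssapi) case carries no comment saying why -lgssapi_krb5 is needed, and it now applies to every caller that asks krb5-config for the gssapi libraries. A one-line comment above it naming the symbol that requires it (gsskrb5_register_acceptor_identity, from the load error quoted earlier) would keep the flag from being dropped in a later cleanup. The diff is also taken against the installed /usr/bin/krb5-config, so the change is lost whenever that file is reinstalled; the fix belongs in the source tree.
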
>>
>>
>>
>> And the relevant PR is:
>>
>> http://www.freebsd.org/cgi/query-pr.cgi?pr=156245
>>
>> Thank you all for your time,
>>
>> mamalos
>>
> Hi all,
> 
> I am bringing this matter back again because the same things hold for my
> current system too (/usr/bin/krb5-config does not seem to link
> gssapi-things properly):
> 
> # uname -a
> FreeBSD example.com 9.0-STABLE FreeBSD 9.0-STABLE #0: Mon Jun 18
> 21:04:14 EEST 2012 root at example.com:/usr/obj/usr/src/sys/FILESRV  amd64
> # pkg_info -Ix apache kerb
> ap22-mod_auth_kerb-5.4_3 An Apache module for authenticating users with
> Kerberos v5
> apache22-2.2.22_8   Version 2.2.x of Apache web server with prefork MPM.
> 
> Should I send a PR or is there something that I've done wrong?

I've seen the same thing on 8.3-RELEASE, 9.1-RC1 and 9.1-RC2. In all
cases, applying your patch (thank you!) to /usr/bin/krb5-config resolved
the issue. I did not need to patch krb5-config for other GSSAPI servers
to work (dovecot and sendmail) but they are obviously satisfied with
-lgssapi and don't need routines supplied via -lgssapi_krb5. Thus far,
www/mod_auth_kerb2 is the only port I've used which appears to need
gssapi_krb5.

I think this is purely a FreeBSD Heimdal config issue.

-- 
John Marshall
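
The failure discussed in this thread (ldd resolves every library, yet loading the module stops on an undefined symbol) can be confirmed by comparing the module's undefined dynamic symbols with the symbols the linked libraries export. The script below is an added example, not part of the original messages: the nm listings are constructed, trimmed samples and the function names are hypothetical.

```shell
#!/bin/sh
# Constructed sample data in `nm -D` layout; addresses and symbol subsets are
# illustrative only. On a live host the equivalent listings would come from:
#   nm -D --undefined-only /usr/local/libexec/apache22/mod_auth_kerb.so
#   nm -D --defined-only   /usr/lib/libgssapi.so.10   (and each other library)

module_undefined() {
cat <<'EOF'
                 U gss_accept_sec_context
                 U gss_display_status
                 U gsskrb5_register_acceptor_identity
                 U krb5_init_context
EOF
}

# $1 = library name as it appears after -l on the link line
lib_defined() {
    case $1 in
    gssapi) cat <<'EOF'
0000000000004a10 T gss_accept_sec_context
0000000000005b20 T gss_display_status
EOF
    ;;
    gssapi_krb5) cat <<'EOF'
0000000000007c30 T gsskrb5_register_acceptor_identity
EOF
    ;;
    krb5) cat <<'EOF'
0000000000012d40 T krb5_init_context
EOF
    ;;
    esac
}

# Print each undefined module symbol that none of the named libraries defines.
unresolved() {
    defs=$(for lib in "$@"; do lib_defined "$lib"; done |
           awk '$2 ~ /^[TWDB]$/ {print $3}')
    module_undefined | awk '$1 == "U" {print $2}' | while read -r sym; do
        printf '%s\n' "$defs" | grep -Fqx -- "$sym" || printf '%s\n' "$sym"
    done
}

# Link line as krb5-config emitted it before and after the patch quoted above.
before=$(unresolved gssapi heimntlm krb5)
after=$(unresolved gssapi gssapi_krb5 heimntlm krb5)
echo "unresolved before patch: ${before:-none}"
echo "unresolved after patch:  ${after:-none}"
```
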
