On 19/10/2012 02:19 πμ, John Marshall wrote:
On 02/10/2012 02:08, George Mamalakis wrote:
On 04/07/11 14:08, George Mamalakis wrote:
On 06/04/2011 18:29, George Mamalakis wrote:
Dear all,
I installed mod_auth_kerb2 on my FreeBSD 8-STABLE machine and tried
to use it. After the installation (which was successful(?!?)), the
server refused to start giving the error:
# /usr/local/etc/rc.d/apache22 start
Performing sanity check on apache22 configuration:
httpd: Syntax error on line 103 of
/usr/local/etc/apache22/httpd.conf: Cannot load
/usr/local/libexec/apache22/mod_auth_kerb.so into server:
/usr/local/libexec/apache22/mod_auth_kerb.so: Undefined symbol
"gsskrb5_register_acceptor_identity"
Starting apache22.
httpd: Syntax error on line 103 of
/usr/local/etc/apache22/httpd.conf: Cannot load
/usr/local/libexec/apache22/mod_auth_kerb.so into server:
/usr/local/libexec/apache22/mod_auth_kerb.so: Undefined symbol
"gsskrb5_register_acceptor_identity"
/usr/local/etc/rc.d/apache22: WARNING: failed to start apache22
but ldd showed:
# ldd /usr/local/libexec/apache22/mod_auth_kerb.so
/usr/local/libexec/apache22/mod_auth_kerb.so:
libgssapi.so.10 => /usr/lib/libgssapi.so.10 (0x800c00000)
libheimntlm.so.10 => /usr/lib/libheimntlm.so.10 (0x800d0a000)
libkrb5.so.10 => /usr/lib/libkrb5.so.10 (0x800e0f000)
libhx509.so.10 => /usr/lib/libhx509.so.10 (0x800f7e000)
libcom_err.so.5 => /usr/lib/libcom_err.so.5 (0x8010be000)
libcrypto.so.6 => /lib/libcrypto.so.6 (0x8011c0000)
libasn1.so.10 => /usr/lib/libasn1.so.10 (0x801461000)
libroken.so.10 => /usr/lib/libroken.so.10 (0x8015e3000)
libcrypt.so.5 => /lib/libcrypt.so.5 (0x8016f5000)
libc.so.7 => /lib/libc.so.7 (0x800647000)
which showed that everything should have been fine. I googled it a
bit and found this thread regarding my error message:
http://forum.nginx.org/read.php?23,88476 , which started on May 2010,
and pointed to this PR:
http://www.freebsd.org/cgi/query-pr.cgi?pr=147454 , which started on
June 2010. What is stated, is that heimdal-1.1 was broken in FreeBSD,
and that it should be fixed at some moment in the future. (I tested
mod_auth_kerb2 on another machine running heimdal from ports (1.4_1)
and I had exactly the same problem).
I searched to find where this notorious function
(gsskrb5_register_acceptor_identity) was located, and I found its
declaration in: /usr/include/gssapi/gssapi_krb5.h, and its definition
in: /usr/lib/libgssapi_krb5.so.
So, I added -lgssapi_krb5 in KRB5_LDFLAGS variable of
/usr/ports/www/mod_auth_kerb2/work/mod_auth_kerb-5.4/Makefile , since
this where the location of gsskrb5_register_acceptor_identity
originally seemed to be, and reinstalled the port using gmake this
time (inside the port's work directory). After that, the module works
just fine. The initial content of this line was:
KRB5_LDFLAGS = -L/usr/lib -lgssapi -lheimntlm -lkrb5 -lhx509
-lcom_err -lcrypto -lasn1 -lroken -lcrypt
I've sent an analogous email to the port maintainer, but I am not
sure if it is their "fault". Hence, I decided to send this email to
the stable list for two reasons: First, someone else may be having a
similar problem and wants to find a rough solution. Secondly, there
are people reading this list that know heimdal's code, so somebody
may know another (much more elegant) way to fix this bug.
Thank you all for your time in advance,
Regards,
mamalos.
OK,
I spoke with the maintainer who confirmed the problem. He also
suggested to change line 96 of /usb/bin/krb5-config to include
gssapi_krb5 among its libraries. He also gave me the relevant patch,
and asked me to send a PR to FreeBSD. The patch is as follows:
--- /usr/bin/krb5-config.orig 2011-02-17 03:18:57.000000000 +0100
+++ /usr/bin/krb5-config 2011-04-06 23:41:31.000000000 +0200
@@ -93,7 +93,7 @@
lib_flags="-L${libdir}"
case $library in
gssapi)
- lib_flags="$lib_flags -lgssapi -lheimntlm"
+ lib_flags="$lib_flags -lgssapi -lgssapi_krb5 -lheimntlm"
;;
kadm-client)
lib_flags="$lib_flags -lkadm5clnt"
And the relevant PR is:
http://www.freebsd.org/cgi/query-pr.cgi?pr=156245
Thank you all for your time,
mamalos
Hi all,
I am bringing this matter back again because the same things hold for my
current system too (/usr/bin/krb5-config does not seem to link
gssapi-things properly):
# uname -a
FreeBSD example.com 9.0-STABLE FreeBSD 9.0-STABLE #0: Mon Jun 18
21:04:14 EEST 2012 [email protected]:/usr/obj/usr/src/sys/FILESRV amd64
# pkg_info -Ix apache kerb
ap22-mod_auth_kerb-5.4_3 An Apache module for authenticating users with
Kerberos v5
apache22-2.2.22_8 Version 2.2.x of Apache web server with prefork MPM.
Should I send a PR or is there something that I've done wrong?
I've seen the same thing on 8.3-RELEASE, 9.1-RC1 and 9.1-RC2. In all
cases, applying your patch (thank you!) to /usr/bin/krb5-config resolved
the issue. I did not need to patch krb5-config for other GSSAPI servers
to work (dovecot and sendmail) but they are obviously satisified with
-lgssapi and don't need routines supplied via -lgssapi_krb5. Thus far,
www/mod_auth_kerb2 is the only port I've used which appears to need
gssapi_krb5.
I think this is purely a FreeBSD Heimdal config issue.
John,
thank you for your confirmation on this. I really don't understand why
FreeBSD hasn't resolved this issue since 7 Apr 2011 when I first filed
this PR. Hope they'll do it this time (I sent a follow-up to my previous
PR).
George.
_______________________________________________
[email protected] mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-stable
To unsubscribe, send any mail to "[email protected]"
