Edit report at https://bugs.php.net/bug.php?id=54716&edit=1
ID: 54716
Comment by: debian at linux dot org
Reported by: dominik dot szybowski at bzwbk dot pl
Summary: Internal Server Error when php compiled with oci driver
Status: Feedback
Type: Bug
Package: OCI8 related
Operating System: AIX
PHP Version: 5.2.17
Block user comment: N
Private report: N
New Comment:
In our case the PDO Oracle driver breaks the Kerberos config.
No need to use it, the bug appears when reloading Apache if the PDO Oracle
driver is "ON".
Just disabled it.
Previous Comments:
------------------------------------------------------------------------
[2012-08-24 06:44:48] debian at linux dot org
My Configuration :
- Debian GNU/Linux 6 64-bit
- Oracle Instantclient 11.2
- PHP 5.3.14
- mod_auth_kerb 5.4
- Apache 2.2.16
- Kerberos Heimdal
This can be reproduced using the Apache graceful command.
Just after that, mod_auth_kerb will fail to read the Kerberos conf:
gss_import_name() failed: Miscellaneous failure (, Can't open/find Kerberos configuration file)
It will use the same default Kerberos configuration as Oracle Database !!!
You can force the path using sqlnet.ora, but it will fail afterwards when using
gss acquire credential (unknown error 2 or 21).
We did not find a fix.
------------------------------------------------------------------------
[2012-01-09 14:01:56] rattlebrain at gmx dot net
I have a similar problem.
mod_auth_kerb works fine as long as I don't use the PHP OCI8 extension. As soon
as I load the OCI8 extension, mod_auth_kerb starts to behave weird. After an
Apache (re)start everything is fine, but when I reload Apache I'm getting in a
browser "Internal Server Error" and in the error log (just like the topic
starter):
[Mon Jan 09 14:33:00 2012] [error] [client 10.206.33.199] gss_import_name() failed: Miscellaneous failure (, Can't open/find Kerberos configuration file)
After stracing the Apache processes it appeared that /krb5/krb.conf is trying
to be opened, but obviously fails on a Linux system. I could prove that Oracle
OCI is doing this by setting the SQLNET.KERBEROS5_CONF parameter to a different
value in sqlnet.ora.
So in some way OCI mixes up the Kerberos stuff that mod_auth_kerb is using, but
only when Apache is reloaded. Without everything works perfect, including the
PHP OCI8 stuff.
I'm using:
- Debian GNU/Linux 6 64-bit
- Oracle Instantclient Basic 11.2.0.2.0
- PHP 5.3.3 (Debian package rebuild to include OCI8)
- mod_auth_kerb 5.4
- Apache 2.2.16
To create the OCI8 stuff I added the following parameters to the standard
Debian PHP build parameters:
--with-oci8=shared,/usr
--with-pdo-oci=shared,/usr
This is the complete configure command:
CFLAGS="-g -O2 -O2 -Wall -fsigned-char -fno-strict-aliasing -gstabs" \
PROG_SENDMAIL="/usr/sbin/sendmail" ../configure \
--prefix=/usr --with-apxs2=/usr/bin/apxs2 \
--with-config-file-path=/etc/php5/apache2 \
--with-config-file-scan-dir=/etc/php5/apache2/conf.d \
--build=x86_64-linux-gnu --host=x86_64-linux-gnu \
--sysconfdir=/etc --localstatedir=/var --mandir=/usr/share/man --disable-debug \
--with-regex=php --disable-rpath --disable-static --with-pic --with-layout=GNU \
--with-pear=/usr/share/php \
--enable-calendar --enable-sysvsem --enable-sysvshm --enable-sysvmsg \
--enable-bcmath --with-bz2 \
--enable-ctype --with-db4 --with-qdbm=/usr --without-gdbm --with-iconv \
--enable-exif --enable-ftp --with-gettext --enable-mbstring --with-onig=/usr \
--with-pcre-regex=/usr --enable-shmop --enable-sockets --enable-wddx \
--with-libxml-dir=/usr --with-zlib \
--with-kerberos=/usr --with-openssl=/usr --enable-soap --enable-zip \
--with-mhash=yes --with-exec-dir=/usr/lib/php5/libexec --with-system-tzdata \
--without-mm \
--with-curl=shared,/usr \
--with-enchant=shared,/usr \
--with-zlib-dir=/usr \
--with-gd=shared,/usr --enable-gd-native-ttf \
--with-gmp=shared,/usr \
--with-jpeg-dir=shared,/usr \
--with-xpm-dir=shared,/usr/X11R6 \
--with-png-dir=shared,/usr \
--with-freetype-dir=shared,/usr \
--with-imap=shared,/usr \
--with-imap-ssl \
--with-interbase=shared,/usr --with-pdo-firebird=shared,/usr \
--enable-intl=shared \
--with-ttf=shared,/usr \
--with-t1lib=shared,/usr \
--with-ldap=shared,/usr \
--with-ldap-sasl=/usr \
--with-mcrypt=shared,/usr \
--with-mysql=shared,/usr \
--with-mysqli=shared,/usr/bin/mysql_config \
--with-pspell=shared,/usr \
--with-unixODBC=shared,/usr \
--with-recode=shared,/usr \
--with-xsl=shared,/usr \
--with-snmp=shared,/usr \
--with-sqlite=shared,/usr \
--with-sqlite3=shared,/usr \
--with-mssql=shared,/usr \
--with-tidy=shared,/usr \
--with-xmlrpc=shared \
--with-pgsql=shared,/usr PGSQL_INCLUDE=`pg_config --includedir` \
--with-oci8=shared,/usr \
--enable-pdo=shared \
--without-pdo-dblib \
--with-pdo-mysql=shared,/usr \
--with-pdo-odbc=shared,unixODBC,/usr \
--with-pdo-pgsql=shared,/usr/bin/pg_config \
--with-pdo-oci=shared,/usr \
--with-pdo-sqlite=shared,/usr \
--with-pdo-dblib=shared,/usr
The relevant Apache config block:
<Location />
AuthName "Restricted Area"
AuthType Kerberos
AuthzUnixgroup On
AuthzUnixgroupAuthoritative On
Krb5Keytab /etc/apache2/krb5.keytab
KrbAuthoritative On
KrbDelegateBasic Off
KrbLocalUserMapping On
KrbMethodNegotiate On
KrbMethodK5Passwd On
KrbSaveCredentials Off
KrbServiceName HTTP/[email protected]
KrbVerifyKDC On
Require group admins
</Location>
The content on the webserver doesn't matter, Apache breaks before the content
can be read, so it doesn't help to provide a script.
I hope this helps. Do you need anything else?
------------------------------------------------------------------------
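A way to confirm from an strace capture which Kerberos configuration path the Apache workers actually try to open, as in the comment above. This is an added example, not part of the original comment: the trace lines are constructed (only /krb5/krb.conf comes from the comment), and /etc/krb5.conf as the expected path is an assumption.

```python
import re

# Constructed strace -f lines; PIDs and file descriptors are invented for illustration.
SAMPLE_TRACE = """\
[pid  4711] open("/etc/krb5.conf", O_RDONLY) = 9
[pid  4712] open("/etc/apache2/krb5.keytab", O_RDONLY) = 10
[pid  4712] open("/krb5/krb.conf", O_RDONLY) = -1 ENOENT (No such file or directory)
"""

# open()/openat() with an optional "[pid N]" prefix, the quoted path, the return
# value and, on failure, the errno name.
OPEN_RE = re.compile(
    r'^(?:\[pid\s+(\d+)\]\s+)?(?:open|openat)\((?:AT_FDCWD, )?"([^"]+)",[^)]*\)'
    r'\s+=\s+(-?\d+)(?:\s+(\w+))?'
)
# Matches krb.conf and krb5.conf as a file name, but not keytabs or other files.
KRB_CONF_RE = re.compile(r'(?:^|/)krb5?\.conf$')


def krb_conf_opens(strace_text, expected="/etc/krb5.conf"):
    """Return every attempt to open a Kerberos config file found in the trace.

    `expected` is the path the web server's Kerberos library should be using
    (assumed here; adjust to the local installation).
    """
    hits = []
    for line in strace_text.splitlines():
        m = OPEN_RE.match(line.strip())
        if not m or not KRB_CONF_RE.search(m.group(2)):
            continue
        pid, path, ret, errno = m.groups()
        hits.append({
            "pid": pid,
            "path": path,
            "ok": int(ret) >= 0,
            "errno": errno,
            "unexpected_path": path != expected,
        })
    return hits


if __name__ == "__main__":
    for hit in krb_conf_opens(SAMPLE_TRACE):
        print(hit)
```

An entry with both `ok` false and `unexpected_path` true is the pattern the comment describes: a worker looking for the configuration in a location that another library selected.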
[2011-11-07 22:24:58] [email protected]
Please provide more details, including the complete build steps and a script
that causes the error
------------------------------------------------------------------------
[2011-05-12 10:53:03] dominik dot szybowski at bzwbk dot pl
Description:
------------
The Apache server throws an internal server error during SSO Kerberos
authentication when php is compiled with the parameter
--with-oci8=instantclient,/usr/local/instantclient_11_1/lib
We currently have a working apache 2.2.17 server with php 5.2.17 (other versions
were also tested) configured with MIT Kerberos 5.1.6 and the mod_auth_kerb 5.4
Kerberos module. Before we tried to add an OCI connection to Oracle, everything
worked fine and users were authenticated by SSO. After we recompiled php with oci,
our apache instance can't load the Kerberos configuration file and throws an
internal server error. It may be related to the issue with subprocesses
http://bugs.php.net/bug.php?id=9013
I already tried Oracle support but they didn't want to help with php.
Expected result:
----------------
Error log without oci (works fine):
[Wed May 11 16:39:54 2011] [debug] src/mod_auth_kerb.c(1628): [client host] kerb_authenticate_user entered with user (NULL) and auth_type Kerberos, referer: https://host/altair/views/show_docclasses.php
[Wed May 11 16:39:54 2011] [debug] src/mod_auth_kerb.c(1240): [client host] Acquiring creds for HTTP/host@domain, referer: https://10.151.67.126/altair/views/show_docclasses.php
[Wed May 11 16:39:54 2011] [debug] src/mod_auth_kerb.c(1385): [client host] Verifying client data using KRB5 GSS-API with our SPNEGO lib, referer: https://host/altair/views/show_docclasses.php
[Wed May 11 16:39:54 2011] [debug] src/mod_auth_kerb.c(1401): [client host] Client didn't delegate us their credential, referer: https://10.151.67.126/altair/views/show_docclasses.php
[Wed May 11 16:39:54 2011] [debug] src/mod_auth_kerb.c(1420): [client host] GSS-API token of length 161 bytes will be sent back, referer:
Actual result:
--------------
Error log with oci:
[Fri May 06 17:25:38 2011] [debug] src/mod_auth_kerb.c(1628): [client 10.150.203.118] kerb_authenticate_user entered with user (NULL) and auth_type Kerberos
[Fri May 06 17:25:38 2011] [debug] src/mod_auth_kerb.c(1101): [client 10.150.203.118] GSS-API major_status:000d0000, minor_status:96c73a87
[Fri May 06 17:25:38 2011] [error] [client 10.150.203.118] gss_import_name() failed: Miscellaneous failure (, Can't open/find Kerberos configuration file)
------------------------------------------------------------------------
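Decoding the status words in the failing log entries above shows that the numeric codes and the error text agree. This is an added example, not part of the original report: the sample lines are the report's own entries rejoined onto single lines, the routine-error names follow RFC 2744, and the minor-status values assume the MIT krb5 error table.

```python
import re

# Sample input: the two failing entries from the report, one entry per line.
SAMPLE_LOG = (
    "[Fri May 06 17:25:38 2011] [debug] src/mod_auth_kerb.c(1101): [client 10.150.203.118] "
    "GSS-API major_status:000d0000, minor_status:96c73a87\n"
    "[Fri May 06 17:25:38 2011] [error] [client 10.150.203.118] gss_import_name() "
    "failed: Miscellaneous failure (, Can't open/find Kerberos configuration file)\n"
)

# RFC 2744 routine errors, carried in bits 16-23 of major_status (index = code).
GSS_ROUTINE = ["none", "GSS_S_BAD_MECH", "GSS_S_BAD_NAME", "GSS_S_BAD_NAMETYPE",
               "GSS_S_BAD_BINDINGS", "GSS_S_BAD_STATUS", "GSS_S_BAD_SIG", "GSS_S_NO_CRED",
               "GSS_S_NO_CONTEXT", "GSS_S_DEFECTIVE_TOKEN", "GSS_S_DEFECTIVE_CREDENTIAL",
               "GSS_S_CREDENTIALS_EXPIRED", "GSS_S_CONTEXT_EXPIRED", "GSS_S_FAILURE"]

# MIT krb5 com_err table: codes are base + offset; only the config errors are named.
KRB5_TABLE_BASE = -1765328384
KRB5_CONFIG_ERRORS = {135: "KRB5_CONFIG_CANTOPEN", 136: "KRB5_CONFIG_BADFORMAT"}

STATUS_RE = re.compile(r"major_status:([0-9a-fA-F]{8}), minor_status:([0-9a-fA-F]{8})")


def decode_status(major_hex, minor_hex):
    """Split a GSS-API major status into its fields and name the krb5 minor code."""
    major = int(major_hex, 16)
    minor = int(minor_hex, 16)
    if minor >= 1 << 31:            # the log prints the signed 32-bit code as unsigned hex
        minor -= 1 << 32
    routine = (major >> 16) & 0xFF
    offset = minor - KRB5_TABLE_BASE
    return {
        "calling_error": (major >> 24) & 0xFF,
        "routine_error": GSS_ROUTINE[routine] if routine < len(GSS_ROUTINE) else f"unknown({routine})",
        "supplementary": major & 0xFFFF,
        "minor_signed": minor,
        "minor_name": KRB5_CONFIG_ERRORS.get(offset, f"unnamed (offset {offset})"),
    }


def triage(log_text):
    """Decode every status pair in an error log and flag unreadable-config failures."""
    findings = []
    for line in log_text.splitlines():
        m = STATUS_RE.search(line)
        if m:
            finding = decode_status(*m.groups())
            finding["config_unreadable"] = finding["minor_name"] == "KRB5_CONFIG_CANTOPEN"
            findings.append(finding)
    return findings
```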