280025 – security/py-krb5: Undefined symbol "krb5_init_creds_free"

Bug 280025 - security/py-krb5: Undefined symbol "krb5_init_creds_free"

Summary: security/py-krb5: Undefined symbol "krb5_init_creds_free"

Status:	New

Alias:	None

Product:	Ports & Packages
Classification:	Unclassified
Component:	Individual Port(s) (show other bugs)
Version:	Latest
Hardware:	Any Any

Importance:	--- Affects Only Me
Assignee:	Po-Chuan Hsieh

URL:
Keywords:

Depends on:
Blocks:

Reported:	2024-06-27 23:26 UTC by Mikhail Teterin
Modified:	2025-04-03 16:53 UTC (History)
CC List:	1 user (show)

See Also:

Flags:	bugzilla: maintainer-feedback? (sunpoet)

Attachments
Work with newer Python-versions (2.98 KB, patch) 2025-04-01 17:07 UTC, Mikhail Teterin	no flags	Details \| Diff
Only disable ignore_realm, when building against base Heimdal (1.88 KB, patch) 2025-04-03 16:53 UTC, Mikhail Teterin	no flags	Details \| Diff
View All Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.

Description Mikhail Teterin freebsd_committer

2024-06-27 23:26:58 UTC

Trying to use the port (via the py-pyspnego), I get this error at the initialization:

  File "/usr/local/lib/python3.11/site-packages/spnego/auth.py", line 84, in _new_context
    return proxy(
           ^^^^^^
  File "/usr/local/lib/python3.11/site-packages/spnego/_gss.py", line 351, in __init__
    raise ImportError("GSSAPIProxy requires the Python gssapi library: %s" % GSSAPI_IMP_ERR)
ImportError: GSSAPIProxy requires the Python gssapi library: /usr/local/lib/python3.11/site-packages/krb5/_creds.cpython-311.so: Undefined symbol "krb5_init_creds_free"

The cited _creds.cpython-311.so is linked with the base -lkrb5, according to ldd, so it should work. However, grep-ping the /usr/lib/libkrb5.so.11 for the name, I do not find it.

It is, however, present in both the static /usr/lib/libkrb5.a.

Moreover, I also see it in the intermediate /usr/obj/usr/i386.i386/tmp/usr/lib/debug/usr/lib/libkrb5.so.11.debug -- as a "local text symbol":

00047ea0 t krb5_init_creds_free

so it emitted during `make buildworld` -- but, I guess, stripped away during "installworld".

Whatever the root-cause, the port is not currently usable, unfortunately.

Comment 1 Mikhail Teterin freebsd_committer

2025-03-25 16:35:53 UTC

Upgraded the module from 0.5.1_1 to 0.7.1 today -- the problem is still here...

Comment 2 commit-hook freebsd_committer

2025-03-26 14:00:59 UTC

A commit in branch main references this bug:

URL: https://cgit.FreeBSD.org/src/commit/?id=d5c804138845a1c8d81fbbce48de676806de32e6

commit d5c804138845a1c8d81fbbce48de676806de32e6
Author:     Cy Schubert <cy@FreeBSD.org>
AuthorDate: 2025-03-26 13:43:54 +0000
Commit:     Cy Schubert <cy@FreeBSD.org>
CommitDate: 2025-03-26 13:59:24 +0000

    heimdal: Add missing symbols to map

    Patch supplied by mi@ through a private email.

    Bump __FreeBSD_version for ports that might need this.

    PR:             280025
    MFC after       1 week

 crypto/heimdal/lib/krb5/version-script.map | 22 ++++++++++++++++++++++
 sys/sys/param.h                            |  2 +-
 2 files changed, 23 insertions(+), 1 deletion(-)

Comment 3 Mikhail Teterin freebsd_committer

2025-04-01 17:07:05 UTC

Created attachment 259247 [details]
Work with newer Python-versions

There is another problem with the code due to the newer Python-versions. I reported it upstream: https://github.com/jborean93/pykrb5/issues/64

This patch addresses that and also prevents extraction of the bundled Heimdal headers -- and subsequent patching of same.

Comment 4 Mikhail Teterin freebsd_committer

2025-04-03 16:53:20 UTC

Created attachment 259299 [details]
Only disable ignore_realm, when building against base Heimdal

Both the newer Heimdal and MIT Kerberos provide the ignore-realm functionality, there is no need to disable the feature, unless building against the base Heimdal.