Bug 197482

Summary: www/mod_auth_kerb2: /usr/local/libexec/apache22/mod_auth_kerb.so: Undefined symbol "gsskrb5_register_acceptor_identity"
Product: Ports & Packages Reporter: Helmut Ritter <FreeBSD-Bugzilla>
Component: Individual Port(s)Assignee: freebsd-apache (Nobody) <apache>
Status: Closed Overcome By Events    
Severity: Affects Only Me CC: apache, freebsd-ports, freebsd, joneum, michael.osipov, w.schwarzenfeld
Priority: --- Keywords: needs-patch, needs-qa
Version: LatestFlags: koobs: maintainer-feedback? (apache)
Hardware: Any   
OS: Any   

Description Helmut Ritter 2015-02-09 14:35:09 UTC 
After Upgrading 'ap22-mod_auth_kerb2-5.4_6' to 'ap22-mod_auth_kerb2-5.4_7' I get that error.

[helmut@BSDHelmut ~]$ uname -a
FreeBSD BSDHelmut.charlieroot.de 9.3-RELEASE-p8 FreeBSD 9.3-RELEASE-p8 #0 r277262: Sat Jan 17 03:02:31 CET 2015     root@BSDHelmut.charlieroot.de:/usr/obj/usr/src/sys/GENERIC-PF-ALTQ  amd64
[helmut@BSDHelmut ~]$ pkg info apache*
apache22-2.2.29_2
[helmut@BSDHelmut ~]$

[helmut@BSDHelmut ~]$ sudo portupgrade ap22-mod_auth_kerb2-5.4_6
[Reading data from pkg(8) ... - 395 packages found - done]
--->  Upgrading 'ap22-mod_auth_kerb2-5.4_6' to 'ap22-mod_auth_kerb2-5.4_7' (www/mod_auth_kerb2)
--->  Building '/usr/ports/www/mod_auth_kerb2'
===>  Cleaning for ap22-mod_auth_kerb2-5.4_7


           lqqqqqqqqqqqqqqqqqqqqqqqq ap22-mod_auth_kerb2-5.4_7 qqqqqqqqqqqqqqqqqqqqqqqqqqqk
           x lqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqk x
           x x+(*) GSSAPI_BASE     Use Base version of GSS API                          x x
           x x+( ) GSSAPI_HEIMDAL  Use Heimdal implementation of GSS API                x x
           x x+( ) GSSAPI_MIT      Use MIT implementation of GSS API                    x x
           x mqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqj x
           tqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqu
           x                       <  OK  >            <Cancel>                           x
           mqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqj


===> Options unchanged
===>  License MIT BSD3CLAUSE accepted by the user
===>   ap22-mod_auth_kerb2-5.4_7 depends on file: /usr/local/sbin/pkg - found
===> Fetching all distfiles required by ap22-mod_auth_kerb2-5.4_7 for building
===>  Extracting for ap22-mod_auth_kerb2-5.4_7
=> SHA256 Checksum OK for mod_auth_kerb-5.4.tar.gz.
===>  Patching for ap22-mod_auth_kerb2-5.4_7
===>  Applying FreeBSD patches for ap22-mod_auth_kerb2-5.4_7
===>   ap22-mod_auth_kerb2-5.4_7 depends on file: /usr/local/sbin/apxs - found
===>  Configuring for ap22-mod_auth_kerb2-5.4_7
configure: loading site script /usr/ports/Templates/config.site
checking for gcc... cc
checking for C compiler default output file name... a.out
checking whether the C compiler works... yes
checking whether we are cross compiling... no
checking for suffix of executables...
checking for suffix of object files... o
checking whether we are using the GNU C compiler... yes
checking whether cc accepts -g... yes
checking for cc option to accept ISO C89... none needed
checking whether make sets $(MAKE)... yes
checking for main in -lresolv... no
checking how to run the C preprocessor... cpp
checking for grep that handles long lines and -e... (cached) /usr/bin/grep
checking for egrep... (cached) /usr/bin/egrep
checking for ANSI C header files... (cached) yes
checking for sys/types.h... (cached) yes
checking for sys/stat.h... (cached) yes
checking for stdlib.h... (cached) yes
checking for string.h... (cached) yes
checking for memory.h... (cached) yes
checking for strings.h... (cached) yes
checking for inttypes.h... (cached) yes
checking for stdint.h... (cached) yes
checking for unistd.h... (cached) yes
checking for limits.h... (cached) yes
checking for netdb.h... (cached) yes
checking for stddef.h... (cached) yes
checking for stdlib.h... (cached) yes
checking for string.h... (cached) yes
checking for unistd.h... (cached) yes
checking for size_t... (cached) yes
checking whether struct tm is in sys/time.h or time.h... time.h
checking gssapi.h usability... yes
checking gssapi.h presence... yes
checking for gssapi.h... yes
checking for krb5_init_context in -lkrb5... yes
checking for krb5_cc_new_unique in -lkrb5... yes
checking whether we are using Heimdal... yes
checking whether the GSSAPI libraries support SPNEGO... yes
checking for apxs... /usr/local/sbin/apxs
configure: creating ./config.status
config.status: creating Makefile
config.status: creating config.h
===>  Building for ap22-mod_auth_kerb2-5.4_7
./apxs.sh "-I. -Ispnegokrb5 -I/usr/include  " "-L/usr/lib -lgssapi -lheimntlm -lkrb5 -lhx509 -lcom_err -lcrypto -lasn1 -lroken -lcrypt  " "" "/usr/local/sbin/apxs" "-c" "src/mod_auth_kerb.c"
/usr/local/share/apr/build-1/libtool --silent --mode=compile cc -prefer-pic -O2 -pipe -I/usr/include -fno-strict-aliasing   -I/usr/local/include -I/usr/local/include/apache22  -I/usr/local/include/apr-1   -I/usr/local/include/apr-1 -I/usr/include -I/usr/local/include -I/usr/local/include/db5 -I. -Ispnegokrb5 -I/usr/include  -c -o src/mod_auth_kerb.lo src/mod_auth_kerb.c && touch src/mod_auth_kerb.slo
/usr/local/share/apr/build-1/libtool --silent --mode=link cc -o src/mod_auth_kerb.la -L/usr/lib -lgssapi -lheimntlm -lkrb5 -lhx509 -lcom_err -lcrypto -lasn1 -lroken -lcrypt  -rpath /usr/local/libexec/apache22 -module -avoid-version    src/mod_auth_kerb.lo
===>  Staging for ap22-mod_auth_kerb2-5.4_7
===>   ap22-mod_auth_kerb2-5.4_7 depends on file: /usr/local/sbin/apxs - found
===>   Generating temporary packing list
mkdir -p "/usr/ports/www/mod_auth_kerb2/work/stage$(/usr/local/sbin/apxs -q libexecdir)"
/usr/local/sbin/apxs -S LIBEXECDIR="/usr/ports/www/mod_auth_kerb2/work/stage$(/usr/local/sbin/apxs -q libexecdir)"  -i -n auth_kerb src/mod_auth_kerb.la
/usr/local/share/apache22/build/instdso.sh SH_LIBTOOL='/usr/local/share/apr/build-1/libtool' src/mod_auth_kerb.la /usr/ports/www/mod_auth_kerb2/work/stage/usr/local/libexec/apache22
/usr/local/share/apr/build-1/libtool --mode=install cp src/mod_auth_kerb.la /usr/ports/www/mod_auth_kerb2/work/stage/usr/local/libexec/apache22/
libtool: install: cp src/.libs/mod_auth_kerb.so /usr/ports/www/mod_auth_kerb2/work/stage/usr/local/libexec/apache22/mod_auth_kerb.so
libtool: install: cp src/.libs/mod_auth_kerb.lai /usr/ports/www/mod_auth_kerb2/work/stage/usr/local/libexec/apache22/mod_auth_kerb.la
libtool: install: cp src/.libs/mod_auth_kerb.a /usr/ports/www/mod_auth_kerb2/work/stage/usr/local/libexec/apache22/mod_auth_kerb.a
libtool: install: chmod 644 /usr/ports/www/mod_auth_kerb2/work/stage/usr/local/libexec/apache22/mod_auth_kerb.a
libtool: install: ranlib /usr/ports/www/mod_auth_kerb2/work/stage/usr/local/libexec/apache22/mod_auth_kerb.a
libtool: install: warning: remember to run `libtool --finish /usr/local/libexec/apache22'
chmod 755 /usr/ports/www/mod_auth_kerb2/work/stage/usr/local/libexec/apache22/mod_auth_kerb.so
====> Compressing man pages (compress-man)
--->  Backing up the old version
--->  Uninstalling the old version
[Reading data from pkg(8) ... - 395 packages found - done]
--->  Deinstalling 'ap22-mod_auth_kerb2-5.4_6'
Updating database digests format: 100%
Checking integrity... done (0 conflicting)
Deinstallation has been requested for the following 1 packages (of 0 packages in the universe):

Installed packages to be REMOVED:
        ap22-mod_auth_kerb2-5.4_6

The operation will free 36 KiB.
[1/1] Deinstalling ap22-mod_auth_kerb2-5.4_6...
[preparing module `auth_kerb' in /usr/local/etc/apache22/httpd.conf]
[1/1] Deleting files for ap22-mod_auth_kerb2-5.4_6: 100%
[Reading data from pkg(8) ... - 394 packages found - done]
--->  Installing the new version via the port


           lqqqqqqqqqqqqqqqqqqqqqqqq ap22-mod_auth_kerb2-5.4_7 qqqqqqqqqqqqqqqqqqqqqqqqqqqk
           x lqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqk x
           x x+(*) GSSAPI_BASE     Use Base version of GSS API                          x x
           x x+( ) GSSAPI_HEIMDAL  Use Heimdal implementation of GSS API                x x
           x x+( ) GSSAPI_MIT      Use MIT implementation of GSS API                    x x
           x mqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqj x
           tqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqu
           x                       <  OK  >            <Cancel>                           x
           mqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqj


===> Options unchanged
===>  Installing for ap22-mod_auth_kerb2-5.4_7
===>   ap22-mod_auth_kerb2-5.4_7 depends on file: /usr/local/sbin/apxs - found
===>   Registering installation for ap22-mod_auth_kerb2-5.4_7
Installing ap22-mod_auth_kerb2-5.4_7...
[activating module `auth_kerb' in /usr/local/etc/apache22/httpd.conf]
===>  Cleaning for ap22-mod_auth_kerb2-5.4_7
--->  Cleaning out obsolete shared libraries
[helmut@BSDHelmut ~]$ apachectl configtest
Performing sanity check on apache22 configuration:
httpd: Syntax error on line 13 of /usr/local/etc/apache22/httpd.conf: Cannot load /usr/local/libexec/apache22/mod_auth_kerb.so into server: /usr/local/libexec/apache22/mod_auth_kerb.so: Undefined symbol "gsskrb5_register_acceptor_identity"
[helmut@BSDHelmut ~]$
Comment 1 Antoine Brodin freebsd_committer freebsd_triage 2015-02-09 14:55:47 UTC 
Please don't assign bugs related to individual leaf ports to portmgr,  thanks.
Comment 2 Helmut Ritter 2015-02-09 21:26:41 UTC 
(In reply to Antoine Brodin from comment #1)

Pardon me, what is an "individual leaf port"?
Comment 3 Kubilay Kocak freebsd_committer freebsd_triage 2015-02-11 08:06:15 UTC 
Helmut, this issue was incorrectly created with categories:

'Ports and Packages' / 'Package Infrastructure'

It should have been created in:

'Ports and Packages' / 'Individual Port(s)'

Antoine was referring to this --^
Comment 4 Helmut Ritter 2015-02-11 14:35:58 UTC 
Thanks for explanation. I hope porttools will support 'submit' again soon, this would help me a lot to avoid such mistakes. :)
Comment 5 Dan Mahoney 2015-03-16 23:21:45 UTC 
Okay, so I've found the issue here, by looking back at old mailing list posts.

FreeBSD uses a somewhat modified heimdal kerberos in base.

Kerberos comes with a tool that tells compilers how to build kerberos-using libraries and programs.  When FreeBSD modifies kerberos, they don't update the tool correctly.

Ergo, the very simple one-line patch to this utility mentioned here in 2011, fixes it:

https://lists.freebsd.org/pipermail/freebsd-apache/2011-April/002207.html

So, on the solution -- It doesn't look like this was fixed in 8.x, at least according to the dates on:

http://svnweb.freebsd.org/base/stable/8/kerberos5/

Further, on my 8.x machine, the official package for this port is also broken in the exact same way -- this doesn't get caught because it's a runtime failure, not a build-time one.

Whomever maintains this port should probably add ifdefines to get around this, but the port *really should* be able to trust krb5-config.

Your best bet is to manually patch that one file, and rebuild.  This won't fix the OSes, but at least it'll unstick you.

-Dan Mahoney
Comment 6 Helmut Ritter 2015-03-19 13:07:27 UTC 
I confirm that the changes in krb5-config fixes the issue.
Comment 7 Dan Mahoney 2015-03-19 17:30:53 UTC 
I've suggested a patch to -base in bug 198645.

-Dan
Comment 8 Michael Osipov 2017-04-20 08:56:50 UTC 
Everyone is advised to rather use https://github.com/modauthgssapi/mod_auth_gssapi. Port is available. High quality, not symbol issues.
Comment 9 Walter Schwarzenfeld freebsd_triage 2018-01-10 03:22:59 UTC 
9.3 RELEASE is gone. I think this is overcome by events.