Bug 86963

Summary: mod_auth_kerb defaults to installing MIT Kerberos and won't work with Heimdal
Product: Ports & Packages
Reporter: Brian Feldman <green>
Component: Individual Port(s)
Assignee: freebsd-apache (Nobody) <apache>
Status: Closed FIXED
Severity: Affects Only Me
Priority: Normal
Version: Latest
Hardware: Any
OS: Any

Description Brian Feldman freebsd_committer freebsd_triage 2005-10-06 02:40:18 UTC
The port defaults to installing MIT Kerberos into ${LOCALBASE}
in spite of the presence of Heimdal in the base system.  In spite
of this, however, Heimdal support does not work.

Fix: Heimdal has an existing API for performing the function that
this plugin is attempting (that is, changing the location
of the keytab to allow for least privilege for the service).
Using it thusly makes things work for me:



I plan to send this PR over to the mod_auth_kerb guys in order to
get it into the standard distribution.

A smaller issue is the inaccurate description in the port.
It makes no mention of SPNEGO ("HTTP Negotiate"/GSSAPI/Kerberos 5
authentication), and refers to a www/<host>@<REALM> principal
whereas the canonical principal, and the default, is actually
HTTP/<host>@<REALM>.  I could attempt a rewrite of this...
--- src/mod_auth_kerb.c.orig	Tue Aug 10 08:01:01 2004
+++ src/mod_auth_kerb.c	Wed Oct  5 20:25:38 2005
@@ -1108,6 +1108,7 @@
   spnego_oid.elements = (void *)"\x2b\x06\x01\x05\x05\x02";
 
   if (conf->krb_5_keytab) {
+#ifndef HEIMDAL
      char *ktname;
      /* we don't use the ap_* calls here, since the string passed to putenv()
       * will become part of the enviroment and shouldn't be free()ed by apache
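Review bot: the new `#ifndef HEIMDAL` at the top of the `if (conf->krb_5_keytab)` block only selects the Heimdal path when `HEIMDAL` is actually defined at compile time, and nothing in this hunk shows where that define comes from (configure output or `CFLAGS`); confirm that a build against the base Heimdal really defines it, otherwise the `putenv(KRB5_KTNAME)` path is still compiled and the reported symptom (the module falling back to `FILE:/etc/krb5.keytab`) remains. The `#ifndef` opened here is closed in the following hunk, so the two hunks have to be read together.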
@@ -1120,6 +1121,14 @@
      }
      sprintf(ktname, "KRB5_KTNAME=%s", conf->krb_5_keytab);
      putenv(ktname);
+#else
+     ret = gsskrb5_register_acceptor_identity(conf->krb_5_keytab);
+     if (ret) {
+	log_rerror(APLOG_MARK, APLOG_ERR, 0, r, "Setting KerberosV keytab failed: %s", strerror(errno));
+	ret = HTTP_INTERNAL_SERVER_ERROR;
+	goto end;
+     }
+#endif
   }
 
   ret = get_gss_creds(r, conf, &server_creds);
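Review bot: in the `#else` branch the error message is built from `strerror(errno)`, but `gsskrb5_register_acceptor_identity()` reports failure through its GSS-API major status return value and does not reliably set `errno`, so the logged text can be unrelated to the actual failure; log the returned status and the offending path from `conf->krb_5_keytab` instead, for example `"Setting KerberosV keytab %s failed: major status 0x%x"`. `goto end` assumes the enclosing function has an `end:` cleanup label, which is not visible in this hunk and should be checked against the surrounding code. The `#endif` correctly closes the `#ifndef HEIMDAL` opened in the previous hunk.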
How-To-Repeat: make KRB5_HOME=/usr install, then attempt SPNEGO authentication
(not krb5 password gatewaying, which the pam_krb5 module could
do perfectly well anyway) with a keytab not /etc/krb5.keytab
(specified by Krb5Keytab in the httpd.conf).  The directive
appears to be ignored, as an error referring to
"FILE:/etc/krb5.keytab" is returned upon attempting the
authentication using Mozilla.
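The PR turns on two things an admin wants to check before pointing Krb5Keytab at a service keytab: that the file is the module's own (least-privilege) keytab rather than /etc/krb5.keytab, and that it holds the canonical HTTP/<host>@<REALM> principal rather than www/<host>@<REALM>. As an added example (not code from the PR or from mod_auth_kerb), this is a small writer and reader for the 0x0502 keytab layout that both MIT and Heimdal produce; the function names and the 32-byte filler key are constructed for the demo.

```python
import struct

def build_entry(principal, kvno, enctype=18, key=bytes(range(32))):
    """Serialize one v2 (0x0502) keytab entry for 'comp1/comp2@REALM'.
    The default key is constructed filler for the demo, not real key material."""
    name, realm = principal.rsplit("@", 1)
    comps = name.split("/")
    body = struct.pack(">H", len(comps))            # v2: count excludes the realm
    for s in [realm] + comps:                       # realm first, then components
        body += struct.pack(">H", len(s)) + s.encode()
    # name_type KRB5_NT_PRINCIPAL (1), timestamp 0, 8-bit vno, then the keyblock
    body += struct.pack(">IIB", 1, 0, kvno & 0xFF)
    body += struct.pack(">HH", enctype, len(key)) + key
    body += struct.pack(">I", kvno)                 # optional full 32-bit kvno trailer
    return struct.pack(">i", len(body)) + body

def build_keytab(entries):
    """entries: iterable of (principal, kvno) pairs. Returns the keytab bytes."""
    return b"\x05\x02" + b"".join(build_entry(p, v) for p, v in entries)

def parse_keytab(data):
    """Yield (principal, kvno, enctype) for each live entry of a 0x0502 keytab."""
    if data[:2] != b"\x05\x02":
        raise ValueError("unsupported keytab version %r" % data[:2])
    pos = 2
    while pos + 4 <= len(data):
        size, pos = struct.unpack_from(">i", data, pos)[0], pos + 4
        if size < 0:  # a negative size marks a deleted slot; skip its payload
            pos -= size
            continue
        end = pos + size
        def take():  # read a counted octet string at pos and advance past it
            nonlocal pos
            n = struct.unpack_from(">H", data, pos)[0]
            pos += 2 + n
            return data[pos - n:pos].decode()
        ncomp, pos = struct.unpack_from(">H", data, pos)[0], pos + 2
        realm = take()
        comps = [take() for _ in range(ncomp)]
        _name_type, _ts, vno8 = struct.unpack_from(">IIB", data, pos)
        pos += 9
        enctype, klen = struct.unpack_from(">HH", data, pos)
        pos += 4 + klen
        kvno = struct.unpack_from(">I", data, pos)[0] if end - pos >= 4 else vno8
        pos = end
        yield "/".join(comps) + "@" + realm, kvno, enctype

def has_principal(data, principal):
    """True if the keytab holds a key for exactly this principal name."""
    return any(p == principal for p, _, _ in parse_keytab(data))
```

Run `parse_keytab(open(path, "rb").read())` on the file named by Krb5Keytab to list what it contains; a keytab that only lists www/<host>@<REALM> explains a Negotiate failure just as well as a wrong path does.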
Comment 1 Brian Feldman freebsd_committer freebsd_triage 2005-10-06 18:25:36 UTC
These changes fix a lot of the other problems -- letting you select
between base versus port Kerberos 5, making the description more
sane, fixing the plist for apache2 and passing portlint -C.

Index: Makefile
===================================================================
RCS file: /export/ncvs/ports/www/mod_auth_kerb/Makefile,v
retrieving revision 1.12
diff -u -r1.12 Makefile
--- Makefile	1 Aug 2005 09:28:29 -0000	1.12
+++ Makefile	6 Oct 2005 17:22:45 -0000
@@ -9,10 +9,12 @@
 
 PORTNAME=	mod_auth_kerb
 PORTVERSION=	5.0.r6
-DISTNAME=	mod_auth_kerb-5.0-rc6
+PORTREVISION=	1
 CATEGORIES=	www
 MASTER_SITES=	${MASTER_SITE_SOURCEFORGE}
 MASTER_SITE_SUBDIR=modauthkerb
+DISTNAME=	mod_auth_kerb-5.0-rc6
+
 MAINTAINER=	apache@FreeBSD.org
 COMMENT=	An Apache module for authenticating users with Kerberos v5
 
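Review bot: bumping `PORTREVISION` to 1 is the right call, since the second hunk changes the dependency list and plist substitutions and existing packages must be rebuilt; moving `DISTNAME` below `MASTER_SITE_SUBDIR` is a pure reorder with no functional effect.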
@@ -22,16 +24,31 @@
 # (i.e., HTTP over SSL/TLS).  Thus, we require as a dependency
 # a version of Apache which can do this.
 #
-LIB_DEPENDS=	krb5.3:${PORTSDIR}/security/krb5
-
 USE_APACHE=	yes
-
-KRB5_HOME?=	${LOCALBASE}
-
 # Don't fsck with CFLAGS
 CFLAGS:=
-
 GNU_CONFIGURE=	yes
 CONFIGURE_ARGS+=--with-krb5=${KRB5_HOME} --without-krb4
+OPTIONS+=	BASE_KERBEROS5	"Use the base Kerberos 5 (Heimdal)"
+.if exists(/usr/lib/libkrb5.so)
+OPTIONS+=	on
+.else
+OPTIONS+=	off
+.endif
+
+.include <bsd.port.pre.mk>
+
+.if exists(${PREFIX}/sbin/apxs)
+APACHE_MODULE_DIR!=${PREFIX}/sbin/apxs -q LIBEXECDIR
+.else
+APACHE_MODULE_DIR=libexec/apache
+.endif
+PLIST_SUB+=	APMODDIR=${APACHE_MODULE_DIR:S/^${PREFIX}\///}
+.if defined(WITH_BASE_KERBEROS5)
+KRB5_HOME=	/usr
+.else
+LIB_DEPENDS+=	krb5.3:${PORTSDIR}/security/krb5
+KRB5_HOME=	${LOCALBASE}
+.endif
 
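Review bot: the `WITH_BASE_KERBEROS5` branch only changes where configure looks for Kerberos (`--with-krb5=/usr`); it does not define `HEIMDAL` for the C build, so the `#ifndef HEIMDAL` path in the mod_auth_kerb.c patch still depends on configure detecting Heimdal on its own, which should be confirmed in config.log before closing. Placing the `.if defined(WITH_BASE_KERBEROS5)` test after `.include <bsd.port.pre.mk>` is correct, since `WITH_*` only exists once the OPTIONS framework has run, and `CONFIGURE_ARGS+=` expands `${KRB5_HOME}` lazily, so the later assignment is picked up. The separate `OPTIONS+= on` / `OPTIONS+= off` lines work because make joins the appended words into the `NAME desc default` triple, but it is fragile if anything else appends to `OPTIONS` in between; consider computing the default into a variable and writing a single `OPTIONS=` line.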


-- 
Brian Fundakowski Feldman                           \'[ FreeBSD ]''''''''''\
  <> green@FreeBSD.org                               \  The Power to Serve! \
 Opinions expressed are my own.                       \,,,,,,,,,,,,,,,,,,,,,,\
Comment 3 Brian Feldman freebsd_committer freebsd_triage 2005-10-06 18:26:19 UTC
Responsible Changed
From-To: freebsd-ports-bugs->apache

Assign to the maintainer (apache@).
Comment 4 Brian Feldman freebsd_committer freebsd_triage 2005-10-17 18:57:29 UTC
State Changed
From-To: open->closed

Committed by myself.