Bug 156245 - [heimdal] [patch] heimdal 1.1 broken in 8-stable and 8-release as far as gssapi_krb5 is concerned
Summary: [heimdal] [patch] heimdal 1.1 broken in 8-stable and 8-release as far as gssa...
Status: Closed FIXED
Alias: None
Product: Base System
Classification: Unclassified
Component: kern (show other bugs)
Version: unspecified
Hardware: Any Any
: Normal Affects Only Me
Assignee: freebsd-bugs mailing list
URL:
Keywords:
Depends on: 193575
Blocks:
  Show dependency treegraph
 
Reported: 2011-04-07 11:40 UTC by George Mamalakis
Modified: 2014-09-12 17:08 UTC (History)
4 users (show)

See Also:


Attachments
file.diff (405 bytes, patch)
2011-04-07 11:40 UTC, George Mamalakis
no flags Details | Diff

Note You need to log in before you can comment on or make changes to this bug.
Description George Mamalakis 2011-04-07 11:40:10 UTC
I installed mod_auth_kerb2 on my FreeBSD 8.2-STABLE machine and tried to use it. After the installation (which was successful(?!?)), the server refused to start and reported the following error:

# /usr/local/etc/rc.d/apache22 start
Performing sanity check on apache22 configuration:
httpd: Syntax error on line 103 of /usr/local/etc/apache22/httpd.conf: Cannot load /usr/local/libexec/apache22/mod_auth_kerb.so into server: /usr/local/libexec/apache22/mod_auth_kerb.so: Undefined symbol "gsskrb5_register_acceptor_identity"
Starting apache22.
httpd: Syntax error on line 103 of /usr/local/etc/apache22/httpd.conf: Cannot load /usr/local/libexec/apache22/mod_auth_kerb.so into server: /usr/local/libexec/apache22/mod_auth_kerb.so: Undefined symbol "gsskrb5_register_acceptor_identity"
/usr/local/etc/rc.d/apache22: WARNING: failed to start apache22

while ldd showed:

# ldd /usr/local/libexec/apache22/mod_auth_kerb.so
/usr/local/libexec/apache22/mod_auth_kerb.so:
    libgssapi.so.10 => /usr/lib/libgssapi.so.10 (0x800c00000)
    libheimntlm.so.10 => /usr/lib/libheimntlm.so.10 (0x800d0a000)
    libkrb5.so.10 => /usr/lib/libkrb5.so.10 (0x800e0f000)
    libhx509.so.10 => /usr/lib/libhx509.so.10 (0x800f7e000)
    libcom_err.so.5 => /usr/lib/libcom_err.so.5 (0x8010be000)
    libcrypto.so.6 => /lib/libcrypto.so.6 (0x8011c0000)
    libasn1.so.10 => /usr/lib/libasn1.so.10 (0x801461000)
    libroken.so.10 => /usr/lib/libroken.so.10 (0x8015e3000)
    libcrypt.so.5 => /lib/libcrypt.so.5 (0x8016f5000)
    libc.so.7 => /lib/libc.so.7 (0x800647000)

which showed that everything should have been fine. I googled it a bit and found this thread regarding my error message: http://forum.nginx.org/read.php?23,88476 , which started on May 2010, and pointed to this PR: http://www.freebsd.org/cgi/query-pr.cgi?pr=147454 , which started on June 2010. What is stated, is that heimdal-1.1 was broken in FreeBSD, and that it should be fixed at some moment in the future. (I tested mod_auth_kerb2 on another machine running heimdal from ports (1.4_1) and I had exactly the same problem).

I searched to find where this notorious function (gsskrb5_register_acceptor_identity) was located, and I found its declaration in: /usr/include/gssapi/gssapi_krb5.h, and its definition in: /usr/lib/libgssapi_krb5.so.

So, I added -lgssapi_krb5 in KRB5_LDFLAGS variable of /usr/ports/www/mod_auth_kerb2/work/mod_auth_kerb-5.4/Makefile , since this where the location of gsskrb5_register_acceptor_identity originally seemed to be, and reinstalled the port using gmake this time (inside the port's work directory). After that, the module works just fine. The initial content of this line was:

KRB5_LDFLAGS = -L/usr/lib -lgssapi -lheimntlm -lkrb5 -lhx509 -lcom_err -lcrypto -lasn1 -lroken -lcrypt

I've contacted the maintainers of the port, and confirmed the bug. They stated that the problem is related to /usr/bin/krb5-config, which fails to advertise gssapi_krb5 among its libraries. They also suggested me to send this PR along with the following patch. 

If that line changes in /usr/bin/krb5-config, and the port is recompiled, then everything works as should.

Fix: Change line 96 of /usr/bin/krb5-config to read:
lib_flags="$lib_flags -lgssapi -lgssapi_krb5 -lheimntlm"

or change the work-dir's Makefile of www/mod_auth_krb5 port to include gssapi_krb5 (line 3), so the changed line should read:

KRB5_LDFLAGS = -L/usr/lib -lgssapi -lgssapi_krb5 -lheimntlm -lkrb5 -lhx509 -lcom_err -lcrypto -lasn1 -lroken -lcrypt

Patch attached with submission follows:
How-To-Repeat: Install www/apache22 and subsequently www/mod_auth_krb5. Then try to start apache, and it will fail.
Comment 1 George Mamalakis 2012-10-19 08:51:06 UTC
This problem still holds for versions: 8.3-RELEASE, 9.1-RC1 and 9.1-RC2. 
The provided patch still fixes this.

-- 
George Mamalakis

IT and Security Officer
Electrical and Computer Engineer (Aristotle Un. of Thessaloniki),
MSc (Imperial College of London)

Department of Electrical and Computer Engineering
Faculty of Engineering
Aristotle University of Thessaloniki

phone number : +30 (2310) 994379
Comment 2 Glen Barber freebsd_committer 2014-08-22 14:45:38 UTC
stas@, you did the last update to crypto/heimdal/tools/krb5-config.in - can you take a look at this bug report?
Comment 3 Glen Barber freebsd_committer 2014-09-05 01:03:28 UTC
Since this is 14 days since pinging stas@ without a reply, I will commit the fix to head/ in 24 hours.

Afterwards, I will prepare a stable/10 update for portmgr@ to do an exp-run against, and pending the fallout, will decide if this change will be a candidate to make it to 10.1-RELEASE.
Comment 4 commit-hook freebsd_committer 2014-09-08 19:00:33 UTC
A commit references this bug:

Author: gjb
Date: Mon Sep  8 19:00:14 UTC 2014
New revision: 271284
URL: http://svnweb.freebsd.org/changeset/base/271284

Log:
  Include the gssapi_krb5 library in KRB5_LDFLAGS.

  PR:		156245
  MFC after:	3 days
  Sponsored by:	The FreeBSD Foundation

Changes:
  head/crypto/heimdal/tools/krb5-config.in
Comment 5 commit-hook freebsd_committer 2014-09-12 17:07:07 UTC
A commit references this bug:

Author: gjb
Date: Fri Sep 12 17:06:55 UTC 2014
New revision: 271473
URL: http://svnweb.freebsd.org/changeset/base/271473

Log:
  MFC r271284:
    Include the gssapi_krb5 library in KRB5_LDFLAGS.

  PR:		156245
  Approved by:	re (marius)
  Sponsored by:	The FreeBSD Foundation

Changes:
_U  stable/10/
  stable/10/crypto/heimdal/tools/krb5-config.in
Comment 6 commit-hook freebsd_committer 2014-09-12 17:08:09 UTC
A commit references this bug:

Author: gjb
Date: Fri Sep 12 17:07:19 UTC 2014
New revision: 271474
URL: http://svnweb.freebsd.org/changeset/base/271474

Log:
  MFC r271284:
    Include the gssapi_krb5 library in KRB5_LDFLAGS.

  PR:		156245
  Sponsored by:	The FreeBSD Foundation

Changes:
_U  stable/9/crypto/heimdal/
  stable/9/crypto/heimdal/tools/krb5-config.in