I installed mod_auth_kerb2 on my FreeBSD 8.2-STABLE machine and tried to use it. After the installation (which was successful(?!?)), the server refused to start and reported the following error:

    # /usr/local/etc/rc.d/apache22 start
    Performing sanity check on apache22 configuration:
    httpd: Syntax error on line 103 of /usr/local/etc/apache22/httpd.conf: Cannot load /usr/local/libexec/apache22/mod_auth_kerb.so into server: /usr/local/libexec/apache22/mod_auth_kerb.so: Undefined symbol "gsskrb5_register_acceptor_identity"
    Starting apache22.
    httpd: Syntax error on line 103 of /usr/local/etc/apache22/httpd.conf: Cannot load /usr/local/libexec/apache22/mod_auth_kerb.so into server: /usr/local/libexec/apache22/mod_auth_kerb.so: Undefined symbol "gsskrb5_register_acceptor_identity"
    /usr/local/etc/rc.d/apache22: WARNING: failed to start apache22

while ldd showed:

    # ldd /usr/local/libexec/apache22/mod_auth_kerb.so
    /usr/local/libexec/apache22/mod_auth_kerb.so:
        libgssapi.so.10 => /usr/lib/libgssapi.so.10 (0x800c00000)
        libheimntlm.so.10 => /usr/lib/libheimntlm.so.10 (0x800d0a000)
        libkrb5.so.10 => /usr/lib/libkrb5.so.10 (0x800e0f000)
        libhx509.so.10 => /usr/lib/libhx509.so.10 (0x800f7e000)
        libcom_err.so.5 => /usr/lib/libcom_err.so.5 (0x8010be000)
        libcrypto.so.6 => /lib/libcrypto.so.6 (0x8011c0000)
        libasn1.so.10 => /usr/lib/libasn1.so.10 (0x801461000)
        libroken.so.10 => /usr/lib/libroken.so.10 (0x8015e3000)
        libcrypt.so.5 => /lib/libcrypt.so.5 (0x8016f5000)
        libc.so.7 => /lib/libc.so.7 (0x800647000)

which showed that everything should have been fine.

I googled it a bit and found this thread regarding my error message: http://forum.nginx.org/read.php?23,88476 , which started in May 2010, and pointed to this PR: http://www.freebsd.org/cgi/query-pr.cgi?pr=147454 , which started in June 2010. What is stated is that heimdal-1.1 was broken in FreeBSD, and that it should be fixed at some moment in the future. (I tested mod_auth_kerb2 on another machine running heimdal from ports (1.4_1) and I had exactly the same problem.)

I searched to find where this notorious function (gsskrb5_register_acceptor_identity) was located, and I found its declaration in /usr/include/gssapi/gssapi_krb5.h, and its definition in /usr/lib/libgssapi_krb5.so. So, I added -lgssapi_krb5 to the KRB5_LDFLAGS variable of /usr/ports/www/mod_auth_kerb2/work/mod_auth_kerb-5.4/Makefile , since this is where the location of gsskrb5_register_acceptor_identity originally seemed to be, and reinstalled the port using gmake this time (inside the port's work directory). After that, the module works just fine. The initial content of this line was:

    KRB5_LDFLAGS = -L/usr/lib -lgssapi -lheimntlm -lkrb5 -lhx509 -lcom_err -lcrypto -lasn1 -lroken -lcrypt

I've contacted the maintainers of the port, and confirmed the bug. They stated that the problem is related to /usr/bin/krb5-config, which fails to advertise gssapi_krb5 among its libraries. They also suggested that I send this PR along with the following patch. If that line changes in /usr/bin/krb5-config, and the port is recompiled, then everything works as it should.

Fix:

Change line 96 of /usr/bin/krb5-config to read:

    lib_flags="$lib_flags -lgssapi -lgssapi_krb5 -lheimntlm"

or change the work-dir's Makefile of www/mod_auth_krb5 port to include gssapi_krb5 (line 3), so the changed line should read:

    KRB5_LDFLAGS = -L/usr/lib -lgssapi -lgssapi_krb5 -lheimntlm -lkrb5 -lhx509 -lcom_err -lcrypto -lasn1 -lroken -lcrypt

Patch attached with submission follows:

How-To-Repeat:

Install www/apache22 and subsequently www/mod_auth_krb5. Then try to start apache, and it will fail.

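The symptom in the report above (ldd resolves every listed library, yet loading fails on an undefined symbol) can be checked by comparing what the module imports with what its linked libraries export, since ldd lists only the libraries the module was linked against. The script below is an added example, not part of the original report or the port; its function names are hypothetical and the symbol lists in demo are constructed.

```shell
#!/bin/sh
# Added example (not from the PR): list symbols a module imports that none
# of the libraries it is linked against export.

# Strip nm's address/type columns and any @VERSION suffix.
names() { awk '{ sub(/@.*/, "", $NF); print $NF }'; }

# imported_syms OBJ: dynamic symbols OBJ expects someone else to define.
imported_syms() { nm -D --undefined-only "$1" | names; }

# exported_syms OBJ: dynamic symbols defined by every library ldd resolves.
exported_syms() {
    ldd "$1" | awk '$2 == "=>" && $3 ~ /^\// { print $3 }' |
    while read -r lib; do nm -D --defined-only "$lib" | names; done
}

# missing_syms IMPORTED_FILE EXPORTED_FILE: names in the first list that do
# not appear in the second (an empty second list means all are missing).
missing_syms() {
    awk -v have="$2" '
        BEGIN { while ((getline s < have) > 0) seen[s] = 1 }
        !($1 in seen) { print $1 }' "$1"
}

# check_module OBJ: run the comparison on a real shared object. Symbols that
# the host process supplies at load time (httpd's ap_*/apr_*) also show up.
check_module() {
    tmp=$(mktemp -d) || return 1
    imported_syms "$1" | sort -u > "$tmp/imp"
    exported_syms "$1" | sort -u > "$tmp/exp"
    missing_syms "$tmp/imp" "$tmp/exp"
    rm -rf "$tmp"
}

# demo [EXTRA_EXPORT...]: same comparison on constructed symbol lists.
demo() {
    tmp=$(mktemp -d) || return 1
    printf '%s\n' gss_accept_sec_context krb5_init_context \
        gsskrb5_register_acceptor_identity > "$tmp/imp"
    printf '%s\n' gss_accept_sec_context krb5_init_context "$@" > "$tmp/exp"
    missing_syms "$tmp/imp" "$tmp/exp"
    rm -rf "$tmp"
}

if [ $# -gt 0 ]; then check_module "$1"; else demo; fi
```

Given a path to a shared object as its argument, the script inspects that file; with no argument it runs the constructed demo.
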
This problem still holds for versions: 8.3-RELEASE, 9.1-RC1 and 9.1-RC2. The provided patch still fixes this.

--
George Mamalakis
IT and Security Officer
Electrical and Computer Engineer (Aristotle Un. of Thessaloniki), MSc (Imperial College of London)
Department of Electrical and Computer Engineering
Faculty of Engineering
Aristotle University of Thessaloniki
phone number : +30 (2310) 994379

stas@, you did the last update to crypto/heimdal/tools/krb5-config.in - can you take a look at this bug report?
Since it has been 14 days since pinging stas@ without a reply, I will commit the fix to head/ in 24 hours. Afterwards, I will prepare a stable/10 update for portmgr@ to do an exp-run against, and pending the fallout, will decide if this change will be a candidate to make it to 10.1-RELEASE.

A commit references this bug:

Author: gjb
Date: Mon Sep 8 19:00:14 UTC 2014
New revision: 271284
URL: http://svnweb.freebsd.org/changeset/base/271284

Log:
  Include the gssapi_krb5 library in KRB5_LDFLAGS.

  PR: 156245
  MFC after: 3 days
  Sponsored by: The FreeBSD Foundation

Changes:
  head/crypto/heimdal/tools/krb5-config.in

A commit references this bug:

Author: gjb
Date: Fri Sep 12 17:06:55 UTC 2014
New revision: 271473
URL: http://svnweb.freebsd.org/changeset/base/271473

Log:
  MFC r271284:
  Include the gssapi_krb5 library in KRB5_LDFLAGS.

  PR: 156245
  Approved by: re (marius)
  Sponsored by: The FreeBSD Foundation

Changes:
_U  stable/10/
  stable/10/crypto/heimdal/tools/krb5-config.in

A commit references this bug:

Author: gjb
Date: Fri Sep 12 17:07:19 UTC 2014
New revision: 271474
URL: http://svnweb.freebsd.org/changeset/base/271474

Log:
  MFC r271284:
  Include the gssapi_krb5 library in KRB5_LDFLAGS.

  PR: 156245
  Sponsored by: The FreeBSD Foundation

Changes:
_U  stable/9/crypto/heimdal/
  stable/9/crypto/heimdal/tools/krb5-config.in