Bug 226261 - www/mod_auth_kerb2 fails at runtime causing apache to fail to start (11.1R)
Status: Closed Feedback Timeout
Alias: None
Product: Ports & Packages
Classification: Unclassified
Component: Individual Port(s)
Version: Latest
Hardware: Any Any
Importance: --- Affects Only Me
Assignee: freebsd-apache (Nobody)
URL:
Keywords:
Depends on: 226647 226705
Blocks:
Reported: 2018-02-28 13:41 UTC by rocky
Modified: 2018-04-28 17:28 UTC

See Also:
bugzilla: maintainer-feedback? (apache)


Description rocky 2018-02-28 13:41:13 UTC
This issue has come up in other bug reports, but this has failed on 11.1-RELEASE. mod_auth_kerb2 builds and installs OK, but fails at runtime, causing apache to fail to start.

httpd: Syntax error on line 169 of /usr/local/etc/apache24/httpd.conf: Cannot load libexec/apache24/mod_auth_kerb.so into server: /usr/local/libexec/apache24/mod_auth_kerb.so: Undefined symbol "krb5_rc_dfl_init"

ldd /usr/local/libexec/apache24/mod_auth_kerb.so
/usr/local/libexec/apache24/mod_auth_kerb.so:
    libgssapi_krb5.so.10 => /usr/lib/libgssapi_krb5.so.10 (0x801208000)
    libkrb5.so.11 => /usr/lib/libkrb5.so.11 (0x801427000)
    libk5crypto.so.3.1 => /usr/local/lib/libk5crypto.so.3.1 (0x8016a5000)
    libcom_err.so.5 => /usr/lib/libcom_err.so.5 (0x8018d9000)
    libc.so.7 => /lib/libc.so.7 (0x800824000)
    libgssapi.so.10 => /usr/lib/libgssapi.so.10 (0x801adb000)
    libcrypto.so.8 => /lib/libcrypto.so.8 (0x801e00000)
    libroken.so.11 => /usr/lib/libroken.so.11 (0x802269000)
    libasn1.so.11 => /usr/lib/libasn1.so.11 (0x80247c000)
    libcrypt.so.5 => /lib/libcrypt.so.5 (0x80271e000)
    libhx509.so.11 => /usr/lib/libhx509.so.11 (0x80293d000)
    libwind.so.11 => /usr/lib/libwind.so.11 (0x802b8a000)
    libheimbase.so.11 => /usr/lib/libheimbase.so.11 (0x802db2000)
    libprivateheimipcc.so.11 => /usr/lib/libprivateheimipcc.so.11 (0x802fb6000)
    libkrb5support.so.0.1 => /usr/local/lib/libkrb5support.so.0.1 (0x8031b8000)
    libintl.so.8 => /usr/local/lib/libintl.so.8 (0x8033c6000)
    libthr.so.3 => /lib/libthr.so.3 (0x8035d1000)

readelf -Ws /usr/local/lib/libkrb5.so | grep krb5_rc_dfl_init
  1422: 000000000007c7b0   234 FUNC    GLOBAL DEFAULT   11 krb5_rc_dfl_init

readelf -Ws /usr/lib/libkrb5.so | grep krb5_rc_dfl_init

make debug-krb shows everything works as expected in the ports framework:

cc -O2 -pipe  -fstack-protector -fno-strict-aliasing -o /tmp/debug-krb.x -I"/usr/local/include"  -lkrb5 -lgssapi_krb5 -L"/usr/local/lib" -Wl,-rpath,/usr/local/lib  /tmp/debug-krb.c &&  ldd /tmp/debug-krb.x;  /bin/rm -f /tmp/debug-krb.x
/tmp/debug-krb.x:
    libkrb5.so.3.3 => /usr/local/lib/libkrb5.so.3.3 (0x800822000)
    libgssapi_krb5.so.2.2 => /usr/local/lib/libgssapi_krb5.so.2.2 (0x800b08000)
    libc.so.7 => /lib/libc.so.7 (0x800d50000)
    libk5crypto.so.3.1 => /usr/local/lib/libk5crypto.so.3.1 (0x801108000)
    libcom_err.so.3.0 => /usr/local/lib/libcom_err.so.3.0 (0x80133c000)
    libkrb5support.so.0.1 => /usr/local/lib/libkrb5support.so.0.1 (0x80153f000)
    libintl.so.8 => /usr/local/lib/libintl.so.8 (0x80174d000)
PREFIX: /usr/local
GSSAPIBASEDIR: /usr/local
GSSAPIINCDIR: /usr/local/include
GSSAPILIBDIR: /usr/local/lib
GSSAPILIBS: -lkrb5 -lgssapi_krb5
GSSAPICPPFLAGS: -I/usr/local/include
GSSAPILDFLAGS: -L/usr/local/lib
GSSAPI_CONFIGURE_ARGS: CFLAGS=-I/usr/local/include -O2 -pipe -fstack-protector -fno-strict-aliasing  LDFLAGS=-L/usr/local/lib -Wl,-rpath,/usr/local/lib:/usr/lib -fstack-protector LIBS=-lkrb5 -lgssapi_krb5 KRB5CONFIG=/usr/local/bin/krb5-config
KRB5CONFIG: /usr/local/bin/krb5-config
CFLAGS: -O2 -pipe  -fstack-protector -fno-strict-aliasing
LDFLAGS:  -Wl,-rpath,/usr/local/lib:/usr/lib -fstack-protector
LDADD: 

Looking through the commands used (little though there is) shows libtool needs -L/usr/local/lib before -o src/mod_auth_kerb.la.

Seeing as apxs actually runs libtool, apxs needs to be told to pass this info along.

apxs -q reveals LDFLAGS=-L/usr/lib -fstack-protector

This is built in when apxs is compiled - which may vary from system to system (which probably explains the hit and miss of functionality).

To override this variable apxs needs to be passed:
apxs -S LDFLAGS=-L/usr/local/lib 

So, in order to resolve this issue, line 16 on the work/ Makefile ./apxs.sh arg 4 needs to be adjusted to "-S LDFLAGS=-L/usr/local/lib -c".

No patch is supplied here due to concern with the loss of the other components of LDFLAGS in apxs (couldn't prepend the -L/usr/local/lib to the other arguments - _needs to be first_), and that this needs to probably reflect say GSSAPIBASEDIR or KRB5_HOME or something, but this works:

ldd work/stage/usr/local/libexec/apache24/mod_auth_kerb.so 
work/stage/usr/local/libexec/apache24/mod_auth_kerb.so:
	libgssapi_krb5.so.2.2 => /usr/local/lib/libgssapi_krb5.so.2.2 (0x801208000)
	libkrb5.so.3.3 => /usr/local/lib/libkrb5.so.3.3 (0x801450000)
	libk5crypto.so.3.1 => /usr/local/lib/libk5crypto.so.3.1 (0x801736000)
	libcom_err.so.3.0 => /usr/local/lib/libcom_err.so.3.0 (0x80196a000)
	libc.so.7 => /lib/libc.so.7 (0x800824000)
	libkrb5support.so.0.1 => /usr/local/lib/libkrb5support.so.0.1 (0x801b6d000)
	libintl.so.8 => /usr/local/lib/libintl.so.8 (0x801d7b000)

service apache24 restart
Performing sanity check on apache24 configuration:
AH00548: NameVirtualHost has no effect and will be removed in the next release /usr/local/etc/apache24/extra/httpd-vhosts.conf:25
Syntax OK
Stopping apache24.
Waiting for PIDS: 20506.
Performing sanity check on apache24 configuration:
AH00548: NameVirtualHost has no effect and will be removed in the next release /usr/local/etc/apache24/extra/httpd-vhosts.conf:25
Syntax OK
Starting apache24.
AH00548: NameVirtualHost has no effect and will be removed in the next release /usr/local/etc/apache24/extra/httpd-vhosts.conf:25
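
Added example (not part of the original report): a small sh check that reads ldd output and reports whether a module's Kerberos/GSSAPI libraries resolve from base (/usr/lib), from ports (/usr/local/lib), or from a mix of both, which is the condition behind the undefined-symbol failure above. The function names are hypothetical; the sample lines are excerpted from the two ldd listings in this report.

```shell
#!/bin/sh
# Classify where the Kerberos/GSSAPI libraries in `ldd` output resolve from.
# Reads ldd output on stdin; prints one of: mixed, base, ports, none.
krb_link_origin() {
    awk '
        # ldd lines look like: "libkrb5.so.11 => /usr/lib/libkrb5.so.11 (0x...)"
        $2 == "=>" && $1 ~ /^lib(krb5|gssapi|k5crypto|com_err)/ {
            if ($3 ~ /^\/usr\/local\/lib\//)     ports++   # installed from ports
            else if ($3 ~ /^\/(usr\/)?lib\//)    base++    # shipped with base
        }
        END {
            if (base && ports) print "mixed"   # two Kerberos stacks in one process
            else if (base)     print "base"
            else if (ports)    print "ports"
            else               print "none"
        }'
}

# Sample input: lines from the failing module's ldd listing in this report.
sample_broken() {
    cat <<'EOF'
    libgssapi_krb5.so.10 => /usr/lib/libgssapi_krb5.so.10 (0x801208000)
    libkrb5.so.11 => /usr/lib/libkrb5.so.11 (0x801427000)
    libk5crypto.so.3.1 => /usr/local/lib/libk5crypto.so.3.1 (0x8016a5000)
    libkrb5support.so.0.1 => /usr/local/lib/libkrb5support.so.0.1 (0x8031b8000)
EOF
}

# Sample input: lines from the rebuilt module's ldd listing in this report.
sample_fixed() {
    cat <<'EOF'
    libgssapi_krb5.so.2.2 => /usr/local/lib/libgssapi_krb5.so.2.2 (0x801208000)
    libkrb5.so.3.3 => /usr/local/lib/libkrb5.so.3.3 (0x801450000)
    libk5crypto.so.3.1 => /usr/local/lib/libk5crypto.so.3.1 (0x801736000)
    libc.so.7 => /lib/libc.so.7 (0x800824000)
EOF
}

printf 'failing module: %s\n' "$(sample_broken | krb_link_origin)"
printf 'rebuilt module: %s\n' "$(sample_fixed | krb_link_origin)"
```

On a live system the same function can be fed directly: ldd /usr/local/libexec/apache24/mod_auth_kerb.so | krb_link_origin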
Comment 1 Matthias Petermann 2018-03-18 05:54:00 UTC
Hello, I am experiencing the same issue on a FreeBSD 10.4 system. I tried to apply the drafted workaround described below, but failed. Could you please provide details about:

 - which of the three build options (make config) you did use? GSSAPI_BASE, GSSAPI_HEIMDAL or GSSAPI_MIT?
 - what exactly was the change you applied?

Line 16 of Makefile.in looks to me:

        ./apxs.sh "${CPPFLAGS}" "${LDFLAGS}" "${SPNEGO_SRCS}" "${APXS}" "-c" "src/mod_auth_kerb.c"

and I tried to apply the "-S LDFLAGS=-L/usr/local/lib -c" to arg 4 as described. 

Kind regards,
Matthias
Comment 2 Bernard Spil freebsd_committer freebsd_triage 2018-03-18 19:19:00 UTC
Looking at Rocky's output I guess this is a similar issue to mixing base and ports OpenSSL providers.

Can you please test the patch in bug 226705 and report back if that works?
Comment 3 Bernard Spil freebsd_committer freebsd_triage 2018-03-18 19:20:37 UTC
Additionally, 2.4.33 is to be released in a few days. You may also want to test the patch from bug #226647
Comment 4 rocky 2018-03-19 00:12:24 UTC
(In reply to Matthias Petermann from comment #1)
Sorry, I should have made this clear in the original report: this is only a fix for MIT Kerberos, not heimdal.

Heimdal has another issue entirely, which I can't work on as I have MIT already installed and working. Heimdal also has a different symbol that is missing too, so not sure what the fault is.
Comment 5 Matthias Petermann 2018-03-19 08:41:29 UTC
Hello, thanks for responding. I just rebuilt apr1 with the suggested patch, as well as mod_auth_kerb2, using the Base version of GSSAPI. Apache is still not able to load the module, printing out:

httpd: Syntax error on line 182 of /usr/local/etc/apache24/httpd.conf: Cannot load libexec/apache24/mod_auth_kerb.so into server: /usr/local/libexec/apache24/mod_auth_kerb.so: Undefined symbol "length_enumerated"

Best regards,
Matthias
Comment 6 Bernard Spil freebsd_committer freebsd_triage 2018-03-19 16:52:34 UTC
You do have to rebuild apache as well. Problem lies in Apache building with -L/usr/lib but had to be solved in apr1 as that was the reason apache used /usr/lib
Comment 7 Bernard Spil freebsd_committer freebsd_triage 2018-03-27 13:27:33 UTC
Hi Rocky,

Can you confirm that the recent devel/apr1 and www/apache24 commits fix your issue?

Cheers, Bernard