The port defaults to installing into ${LOCALBASE} MIT Kerberos in spite of presence of Heimdal in the base system. In spite of this, however, Heimdal support does not work.

Fix: Heimdal has an existing API for performing the function that this plugin is attempting (that is, changing the location of the keytab to allow for least privilege for the service). Using it thusly makes things work for me:

I plan to send this PR over to the mod_auth_kerb guys in order to get it into the standard distribution.

A smaller issue is the inaccurate description in the port. It makes no mention of SPNEGO ("HTTP Negotiate"/GSSAPI/Kerberos 5 authentication), and refers to a www/<host>@<REALM> principal whereas the canonical principal, and the default, is actually HTTP/<host>@<REALM>. I could attempt a rewrite of this...

--- src/mod_auth_kerb.c.orig Tue Aug 10 08:01:01 2004 +++ src/mod_auth_kerb.c Wed Oct 5 20:25:38 2005 @@ -1108,6 +1108,7 @@ spnego_oid.elements = (void *)"\x2b\x06\x01\x05\x05\x02"; if (conf->krb_5_keytab) { +#ifndef HEIMDAL char *ktname; /* we don't use the ap_* calls here, since the string passed to putenv() * will become part of the enviroment and shouldn't be free()ed by apache 
@@ -1120,6 +1121,14 @@ } sprintf(ktname, "KRB5_KTNAME=%s", conf->krb_5_keytab); putenv(ktname); +#else + ret = gsskrb5_register_acceptor_identity(conf->krb_5_keytab); + if (ret) { + log_rerror(APLOG_MARK, APLOG_ERR, 0, r, "Setting KerberosV keytab failed: %s", strerror(errno)); + ret = HTTP_INTERNAL_SERVER_ERROR; + goto end; + } +#endif } ret = get_gss_creds(r, conf, &server_creds);

How-To-Repeat: make KRB5_HOME=/usr install, then attempt SPNEGO authentication (not krb5 password gatewaying, which the pam_krb5 module could do perfectly well anyway) with a keytab not /etc/krb5.keytab (specified by Krb5Keytab in the httpd.conf). The directive appears to be ignored, as an error referring to "FILE:/etc/krb5.keytab" is returned upon attempting the authentication using Mozilla.
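Review bot: the `#ifndef HEIMDAL` opened in hunk @@ -1108,6 +1108,7 @@ is only closed by the `#endif` in the following hunk, so the two hunks cannot be applied independently; and the MIT path it now guards still builds a `KRB5_KTNAME=` string and hands it to putenv() from request context (the function takes `r`), which the existing comment admits can never be freed. That is not a regression introduced here, but while this block is being touched it would be cleaner to register the keytab once at configuration time for both libraries rather than on every request.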
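Review bot: in hunk @@ -1120,6 +1121,14 @@ the `strerror(errno)` in the new error path reports a stale errno: gsskrb5_register_acceptor_identity() returns a GSS-API status (GSS_S_FAILURE when it cannot copy the name) and does not set errno, so log the returned status together with conf->krb_5_keytab instead, e.g. `"Setting KerberosV keytab %s failed (status %lu)"`. The `#else` branch is also only compiled when HEIMDAL is defined by the build; nothing on this page passes -DHEIMDAL, so confirm that mod_auth_kerb's configure defines it when --with-krb5 points at the base Heimdal, otherwise the putenv() path is still taken and the reported FILE:/etc/krb5.keytab error remains.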
These changes fix a lot of the other problems -- letting you select between base versus port Kerberos 5, making the description more sane, fixing the plist for apache2 and passing portlint -C.

Index: Makefile =================================================================== RCS file: /export/ncvs/ports/www/mod_auth_kerb/Makefile,v retrieving revision 1.12 diff -u -r1.12 Makefile --- Makefile 1 Aug 2005 09:28:29 -0000 1.12 +++ Makefile 6 Oct 2005 17:22:45 -0000 @@ -9,10 +9,12 @@ PORTNAME= mod_auth_kerb PORTVERSION= 5.0.r6 -DISTNAME= mod_auth_kerb-5.0-rc6 +PORTREVISION= 1 CATEGORIES= www MASTER_SITES= ${MASTER_SITE_SOURCEFORGE} MASTER_SITE_SUBDIR=modauthkerb +DISTNAME= mod_auth_kerb-5.0-rc6 + MAINTAINER= apache@FreeBSD.org COMMENT= An Apache module for authenticating users with Kerberos v5 @@ -22,16 +24,31 @@ # (i.e., HTTP over SSL/TLS). Thus, we require as a dependency # a version of Apache which can do this. # -LIB_DEPENDS= krb5.3:${PORTSDIR}/security/krb5 - USE_APACHE= yes - -KRB5_HOME?= ${LOCALBASE} - # Don't fsck with CFLAGS CFLAGS:= - GNU_CONFIGURE= yes CONFIGURE_ARGS+=--with-krb5=${KRB5_HOME} --without-krb4 +OPTIONS+= BASE_KERBEROS5 "Use the base Kerberos 5 (Heimdal)" +.if exists(/usr/lib/libkrb5.so) +OPTIONS+= on +.else +OPTIONS+= off +.endif + +.include <bsd.port.pre.mk> + +.if exists(${PREFIX}/sbin/apxs) +APACHE_MODULE_DIR!=${PREFIX}/sbin/apxs -q LIBEXECDIR +.else +APACHE_MODULE_DIR=libexec/apache +.endif +PLIST_SUB+= APMODDIR=${APACHE_MODULE_DIR:S/^${PREFIX}\///} +.if defined(WITH_BASE_KERBEROS5) +KRB5_HOME= /usr +.else +LIB_DEPENDS+= krb5.3:${PORTSDIR}/security/krb5 +KRB5_HOME= ${LOCALBASE} +.endif

-- 
Brian Fundakowski Feldman \'[ FreeBSD ]''''''''''\ <> green@FreeBSD.org \ The Power to Serve! \ Opinions expressed are my own. \,,,,,,,,,,,,,,,,,,,,,,\
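Review bot: bumping PORTREVISION to 1 in hunk @@ -9,10 +9,12 @@ is required, since the plist and the default dependency change the installed package; moving DISTNAME below MASTER_SITE_SUBDIR only restores the conventional variable order and needs no further comment.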
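Review bot: in hunk @@ -22,16 +24,31 @@, `APACHE_MODULE_DIR!=${PREFIX}/sbin/apxs -q LIBEXECDIR` is evaluated at Makefile parse time behind `.if exists(${PREFIX}/sbin/apxs)`, so on a host where the Apache dependency is not installed yet (USE_APACHE only pulls it in during the build) PLIST_SUB is generated from the `libexec/apache` fallback even when apache2 ends up being installed, which is the plist problem this change is meant to fix. Derive the directory from the USE_APACHE machinery instead of probing the filesystem, or fail the build when apxs is absent rather than defaulting silently. Two smaller points: `OPTIONS+= on` / `OPTIONS+= off` complete the `NAME "desc" default` triple with a bare appended token, which works but is easy to break, so compute the default into one variable first; and with WITH_BASE_KERBEROS5 the Makefile sets KRB5_HOME=/usr but adds no -DHEIMDAL, which the mod_auth_kerb.c patch above depends on for its Heimdal branch.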
Responsible Changed From-To: freebsd-ports-bugs->apache Assign to the maintainer (apache@).
State Changed From-To: open->closed Committed by myself.
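The least-privilege setup the PR argues for (a dedicated keytab holding only the canonical HTTP/<host>@<REALM> principal, readable by the httpd user and nobody else, named by Krb5Keytab) is easy to get wrong in deployment. The script below is an added example, not code from the PR, the port or mod_auth_kerb: it checks a keytab for the ownership and mode such a setup needs and prints the matching httpd.conf fragment. The paths, the www user, the example.org names and the /secure location are assumptions.

```shell
#!/bin/sh
# Added example, not code from the PR or from mod_auth_kerb: check that the
# keytab handed to Krb5Keytab is a dedicated, least-privilege one, and print
# the httpd.conf fragment that goes with it. Paths, the "www" user and the
# example.org names below are assumptions, not values from the PR.

# The host keytab (typically holding host/<fqdn>) is readable only by root.
# The web server must get its own file holding only HTTP/<fqdn>@<REALM>.
HOST_KEYTAB=/etc/krb5.keytab

# keytab_perms_ok FILE OWNER
# Returns 0 when FILE is not the host keytab, exists, is owned by OWNER (the
# user httpd runs as) and grants nothing to group or other (mode 0400/0600).
# Uses ls(1) rather than stat(1) so it runs unchanged on FreeBSD and Linux.
keytab_perms_ok() {
    f=$1
    want=$2
    if [ "$f" = "$HOST_KEYTAB" ]; then
        echo "$f: refusing to share the host keytab with httpd" >&2
        return 1
    fi
    if [ ! -f "$f" ]; then
        echo "$f: no such keytab" >&2
        return 1
    fi
    # Fields of "ls -ld": mode, link count, owner, group, ...
    set -- $(ls -ld "$f")
    mode=$1
    owner=$3
    if [ "$owner" != "$want" ]; then
        echo "$f: owned by $owner, expected $want" >&2
        return 1
    fi
    case $mode in
        ?r[w-]-------*) return 0 ;;   # trailing * tolerates ls's ACL marker (+ or .)
        *) echo "$f: mode $mode is readable beyond its owner" >&2; return 1 ;;
    esac
}

# httpd_kerb_config HOST REALM KEYTAB
# Prints a Location block for SPNEGO ("Negotiate") logins. mod_auth_kerb
# derives the acceptor name from KrbServiceName and the server name, so the
# principal is the canonical HTTP/<host>@<REALM>, not www/<host>@<REALM>.
httpd_kerb_config() {
    host=$1
    realm=$2
    keytab=$3
    cat <<EOF
# Acceptor principal: HTTP/$host@$realm (extracted into $keytab)
<Location /secure>
    AuthType Kerberos
    AuthName "Kerberos Login"
    KrbAuthRealms $realm
    KrbServiceName HTTP
    Krb5Keytab $keytab
    KrbMethodNegotiate On
    KrbMethodK5Passwd Off
    Require valid-user
</Location>
EOF
}

# Usage: $0 KEYTAB OWNER HOST REALM
# Creating the keytab first (assumed paths), Heimdal as in the FreeBSD base system:
#   kadmin -l ext_keytab -k /usr/local/etc/apache2/http.keytab HTTP/www.example.org@EXAMPLE.ORG
#   chown www:www /usr/local/etc/apache2/http.keytab; chmod 0400 /usr/local/etc/apache2/http.keytab
#   ktutil -k /usr/local/etc/apache2/http.keytab list
# MIT equivalent of the extraction:
#   kadmin.local -q 'ktadd -k /usr/local/etc/apache2/http.keytab HTTP/www.example.org'
if [ $# -eq 4 ]; then
    keytab_perms_ok "$1" "$2" && httpd_kerb_config "$3" "$4" "$1"
fi
```

Run it as `sh check-keytab.sh /usr/local/etc/apache2/http.keytab www www.example.org EXAMPLE.ORG` on the web server; it prints the fragment only if the keytab passes, and explains the failure on stderr otherwise. The ownership and mode checks are the whole point: a keytab the httpd user cannot read reproduces the PR's "FILE:/etc/krb5.keytab" style failure in a different guise, while one readable by other users hands out the service key to every local account.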