Bug 86963 - mod_auth_kerb defaults to installing MIT Kerberos and won't work with Heimdal
Summary: mod_auth_kerb defaults to installing MIT Kerberos and won't work with Heimdal
Status: Closed FIXED
Alias: None
Product: Ports & Packages
Classification: Unclassified
Component: Individual Port(s) (show other bugs)
Version: Latest
Hardware: Any Any
: Normal Affects Only Me
Assignee: freebsd-apache (Nobody)
URL:
Keywords:
Depends on:
Blocks:
 
Reported: 2005-10-06 02:40 UTC by Brian Feldman
Modified: 2005-10-17 18:57 UTC (History)
0 users

See Also:


Attachments

Note You need to log in before you can comment on or make changes to this bug.
Description Brian Feldman freebsd_committer 2005-10-06 02:40:18 UTC
	The port defaults to installing into ${LOCALBASE} MIT Kerberos
	in spite of presence of Heimdal in the base system.  In spite
	of this, however, Heimdal support does not work.

Fix: Heimdal has an existing API for performing the function that
	this plugin is attempting (that is, changing the location
	of the keytab to allow for least privilege for the service).
	Using it thusly makes things work for me:



I plan to send this PR over to the mod_auth_kerb guys in order to
	get it into the standard distribution.

	A smaller issue is the inaccurate description in the port.
	It makes no mention of SPNEGO ("HTTP Negotiate"/GSSAPI/Kerberos 5
	authentication), and refers to a www/<host>@<REALM> principal
	whereas the canonical principal, and the default, is actually
	HTTP/<host>@<REALM>.  I could attempt a rewrite of this...--wwVX804JMf539ipoBaltR9N2u928JoZ2Lde2WS2w8myGSbGf
Content-Type: text/plain; name="file.diff"
Content-Transfer-Encoding: 7bit
Content-Disposition: attachment; filename="file.diff"

--- src/mod_auth_kerb.c.orig	Tue Aug 10 08:01:01 2004
+++ src/mod_auth_kerb.c	Wed Oct  5 20:25:38 2005
@@ -1108,6 +1108,7 @@
   spnego_oid.elements = (void *)"\x2b\x06\x01\x05\x05\x02";
 
   if (conf->krb_5_keytab) {
+#ifndef HEIMDAL
      char *ktname;
      /* we don't use the ap_* calls here, since the string passed to putenv()
       * will become part of the enviroment and shouldn't be free()ed by apache
@@ -1120,6 +1121,14 @@
      }
      sprintf(ktname, "KRB5_KTNAME=%s", conf->krb_5_keytab);
      putenv(ktname);
+#else
+     ret = gsskrb5_register_acceptor_identity(conf->krb_5_keytab);
+     if (ret) {
+	log_rerror(APLOG_MARK, APLOG_ERR, 0, r, "Setting KerberosV keytab failed: %s", strerror(errno));
+	ret = HTTP_INTERNAL_SERVER_ERROR;
+	goto end;
+     }
+#endif
   }
 
   ret = get_gss_creds(r, conf, &server_creds);
How-To-Repeat: 	make KRB5_HOME=/usr install, then attempt SPNEGO authentication
	(not krb5 password gatewaying, which the pam_krb5 module could
	do perfectly well anyway) with a keytab not /etc/krb5.keytab
	(specified by Krb5Keytab in the httpd.conf).  The directive
	appears to be ignored, as an error referring to
	"FILE:/etc/krb5.keytab" is returned upon attempting the
	authentication using Mozilla.
Comment 1 Brian Feldman freebsd_committer 2005-10-06 18:25:36 UTC
These changes fix a lot of the other problems -- letting you select
between base versus port Kerberos 5, making the description more
sane, fixing the plist for apache2 and passing portlint -C.

Index: Makefile
===================================================================
RCS file: /export/ncvs/ports/www/mod_auth_kerb/Makefile,v
retrieving revision 1.12
diff -u -r1.12 Makefile
--- Makefile	1 Aug 2005 09:28:29 -0000	1.12
+++ Makefile	6 Oct 2005 17:22:45 -0000
@@ -9,10 +9,12 @@
 
 PORTNAME=	mod_auth_kerb
 PORTVERSION=	5.0.r6
-DISTNAME=	mod_auth_kerb-5.0-rc6
+PORTREVISION=	1
 CATEGORIES=	www
 MASTER_SITES=	${MASTER_SITE_SOURCEFORGE}
 MASTER_SITE_SUBDIR=modauthkerb
+DISTNAME=	mod_auth_kerb-5.0-rc6
+
 MAINTAINER=	apache@FreeBSD.org
 COMMENT=	An Apache module for authenticating users with Kerberos v5
 
@@ -22,16 +24,31 @@
 # (i.e., HTTP over SSL/TLS).  Thus, we require as a dependency
 # a version of Apache which can do this.
 #
-LIB_DEPENDS=	krb5.3:${PORTSDIR}/security/krb5
-
 USE_APACHE=	yes
-
-KRB5_HOME?=	${LOCALBASE}
-
 # Don't fsck with CFLAGS
 CFLAGS:=
-
 GNU_CONFIGURE=	yes
 CONFIGURE_ARGS+=--with-krb5=${KRB5_HOME} --without-krb4
+OPTIONS+=	BASE_KERBEROS5	"Use the base Kerberos 5 (Heimdal)"
+.if exists(/usr/lib/libkrb5.so)
+OPTIONS+=	on
+.else
+OPTIONS+=	off
+.endif
+
+.include <bsd.port.pre.mk>
+
+.if exists(${PREFIX}/sbin/apxs)
+APACHE_MODULE_DIR!=${PREFIX}/sbin/apxs -q LIBEXECDIR
+.else
+APACHE_MODULE_DIR=libexec/apache
+.endif
+PLIST_SUB+=	APMODDIR=${APACHE_MODULE_DIR:S/^${PREFIX}\///}
+.if defined(WITH_BASE_KERBEROS5)
+KRB5_HOME=	/usr
+.else
+LIB_DEPENDS+=	krb5.3:${PORTSDIR}/security/krb5
+KRB5_HOME=	${LOCALBASE}
+.endif
 


-- 
Brian Fundakowski Feldman                           \'[ FreeBSD ]''''''''''\
  <> green@FreeBSD.org                               \  The Power to Serve! \
 Opinions expressed are my own.                       \,,,,,,,,,,,,,,,,,,,,,,\
Comment 2 Brian Feldman freebsd_committer 2005-10-06 18:25:36 UTC
These changes fix a lot of the other problems -- letting you select
between base versus port Kerberos 5, making the description more
sane, fixing the plist for apache2 and passing portlint -C.

Index: Makefile
===================================================================
RCS file: /export/ncvs/ports/www/mod_auth_kerb/Makefile,v
retrieving revision 1.12
diff -u -r1.12 Makefile
--- Makefile	1 Aug 2005 09:28:29 -0000	1.12
+++ Makefile	6 Oct 2005 17:22:45 -0000
@@ -9,10 +9,12 @@
 
 PORTNAME=	mod_auth_kerb
 PORTVERSION=	5.0.r6
-DISTNAME=	mod_auth_kerb-5.0-rc6
+PORTREVISION=	1
 CATEGORIES=	www
 MASTER_SITES=	${MASTER_SITE_SOURCEFORGE}
 MASTER_SITE_SUBDIR=modauthkerb
+DISTNAME=	mod_auth_kerb-5.0-rc6
+
 MAINTAINER=	apache@FreeBSD.org
 COMMENT=	An Apache module for authenticating users with Kerberos v5
 
@@ -22,16 +24,31 @@
 # (i.e., HTTP over SSL/TLS).  Thus, we require as a dependency
 # a version of Apache which can do this.
 #
-LIB_DEPENDS=	krb5.3:${PORTSDIR}/security/krb5
-
 USE_APACHE=	yes
-
-KRB5_HOME?=	${LOCALBASE}
-
 # Don't fsck with CFLAGS
 CFLAGS:=
-
 GNU_CONFIGURE=	yes
 CONFIGURE_ARGS+=--with-krb5=${KRB5_HOME} --without-krb4
+OPTIONS+=	BASE_KERBEROS5	"Use the base Kerberos 5 (Heimdal)"
+.if exists(/usr/lib/libkrb5.so)
+OPTIONS+=	on
+.else
+OPTIONS+=	off
+.endif
+
+.include <bsd.port.pre.mk>
+
+.if exists(${PREFIX}/sbin/apxs)
+APACHE_MODULE_DIR!=${PREFIX}/sbin/apxs -q LIBEXECDIR
+.else
+APACHE_MODULE_DIR=libexec/apache
+.endif
+PLIST_SUB+=	APMODDIR=${APACHE_MODULE_DIR:S/^${PREFIX}\///}
+.if defined(WITH_BASE_KERBEROS5)
+KRB5_HOME=	/usr
+.else
+LIB_DEPENDS+=	krb5.3:${PORTSDIR}/security/krb5
+KRB5_HOME=	${LOCALBASE}
+.endif
 


-- 
Brian Fundakowski Feldman                           \'[ FreeBSD ]''''''''''\
  <> green@FreeBSD.org                               \  The Power to Serve! \
 Opinions expressed are my own.                       \,,,,,,,,,,,,,,,,,,,,,,\
Comment 3 Brian Feldman freebsd_committer 2005-10-06 18:26:19 UTC
Responsible Changed
From-To: freebsd-ports-bugs->apache

Assign to the maintainer (apache@).
Comment 4 Brian Feldman freebsd_committer 2005-10-17 18:57:29 UTC
State Changed
From-To: open->closed

Committed by myself.