Message-Id: <201104071032.p37AWEMO001584@red.freebsd.org>
Date: Thu, 7 Apr 2011 10:32:14 GMT
From: George Mamalakis
To: freebsd-gnats-submit@FreeBSD.org
Subject: [patch] heimdal 1.1 broken in 8-stable and 8-release as far as gssapi_krb5 is concerned
X-Send-Pr-Version: www-3.1
X-GNATS-Notify:

>Number: 156245
>Category: kern
>Synopsis: [heimdal] [patch] heimdal 1.1 broken in 8-stable and 8-release as far as gssapi_krb5 is concerned
>Confidential: no
>Severity: non-critical
>Priority: low
>Responsible: freebsd-bugs
>State: open
>Quarter:
>Keywords:
>Date-Required:
>Class: sw-bug
>Submitter-Id: current-users
>Arrival-Date: Thu Apr 07 10:40:10 UTC 2011
>Closed-Date:
>Last-Modified: Sat Apr 09 20:10:47 UTC 2011
>Originator: George Mamalakis
>Release: 8-2-STABLE and 8-0-STABLE
>Organization: Aristotle Univ. of Thessaloniki, Greece
>Environment:
FreeBSD mymachine 8.2-STABLE FreeBSD 8.2-STABLE #0: Sat Mar 12 09:13:01 EET 2011 root@mymachine:/usr/obj/usr/src/sys/CUSTOM amd64
>Description:
I installed mod_auth_kerb2 on my FreeBSD 8.2-STABLE machine and tried to use it. After the installation (which was successful(?!?)), the server refused to start and reported the following error:

# /usr/local/etc/rc.d/apache22 start
Performing sanity check on apache22 configuration:
httpd: Syntax error on line 103 of /usr/local/etc/apache22/httpd.conf: Cannot load /usr/local/libexec/apache22/mod_auth_kerb.so into server: /usr/local/libexec/apache22/mod_auth_kerb.so: Undefined symbol "gsskrb5_register_acceptor_identity"
Starting apache22.
httpd: Syntax error on line 103 of /usr/local/etc/apache22/httpd.conf: Cannot load /usr/local/libexec/apache22/mod_auth_kerb.so into server: /usr/local/libexec/apache22/mod_auth_kerb.so: Undefined symbol "gsskrb5_register_acceptor_identity"
/usr/local/etc/rc.d/apache22: WARNING: failed to start apache22

while ldd showed:

# ldd /usr/local/libexec/apache22/mod_auth_kerb.so
/usr/local/libexec/apache22/mod_auth_kerb.so:
        libgssapi.so.10 => /usr/lib/libgssapi.so.10 (0x800c00000)
        libheimntlm.so.10 => /usr/lib/libheimntlm.so.10 (0x800d0a000)
        libkrb5.so.10 => /usr/lib/libkrb5.so.10 (0x800e0f000)
        libhx509.so.10 => /usr/lib/libhx509.so.10 (0x800f7e000)
        libcom_err.so.5 => /usr/lib/libcom_err.so.5 (0x8010be000)
        libcrypto.so.6 => /lib/libcrypto.so.6 (0x8011c0000)
        libasn1.so.10 => /usr/lib/libasn1.so.10 (0x801461000)
        libroken.so.10 => /usr/lib/libroken.so.10 (0x8015e3000)
        libcrypt.so.5 => /lib/libcrypt.so.5 (0x8016f5000)
        libc.so.7 => /lib/libc.so.7 (0x800647000)

which showed that everything should have been fine.

I googled it a bit and found this thread regarding my error message: http://forum.nginx.org/read.php?23,88476 , which started in May 2010, and pointed to this PR: http://www.freebsd.org/cgi/query-pr.cgi?pr=147454 , which started in June 2010. What is stated is that heimdal-1.1 was broken in FreeBSD, and that it should be fixed at some moment in the future. (I tested mod_auth_kerb2 on another machine running heimdal from ports (1.4_1) and I had exactly the same problem.)

I searched to find where this notorious function (gsskrb5_register_acceptor_identity) was located, and I found its declaration in /usr/include/gssapi/gssapi_krb5.h, and its definition in /usr/lib/libgssapi_krb5.so.
So, I added -lgssapi_krb5 to the KRB5_LDFLAGS variable of /usr/ports/www/mod_auth_kerb2/work/mod_auth_kerb-5.4/Makefile , since this is where gsskrb5_register_acceptor_identity originally seemed to be located, and reinstalled the port using gmake this time (inside the port's work directory). After that, the module works just fine. The initial content of this line was:

KRB5_LDFLAGS = -L/usr/lib -lgssapi -lheimntlm -lkrb5 -lhx509 -lcom_err -lcrypto -lasn1 -lroken -lcrypt

I've contacted the maintainers of the port, and confirmed the bug. They stated that the problem is related to /usr/bin/krb5-config, which fails to advertise gssapi_krb5 among its libraries. They also suggested that I send this PR along with the following patch. If that line changes in /usr/bin/krb5-config, and the port is recompiled, then everything works as it should.
>How-To-Repeat:
Install www/apache22 and subsequently www/mod_auth_krb5. Then try to start apache, and it will fail.
>Fix:
Change line 96 of /usr/bin/krb5-config to read:

lib_flags="$lib_flags -lgssapi -lgssapi_krb5 -lheimntlm"

or change the work-dir's Makefile of www/mod_auth_krb5 port to include gssapi_krb5 (line 3), so the changed line should read:

KRB5_LDFLAGS = -L/usr/lib -lgssapi -lgssapi_krb5 -lheimntlm -lkrb5 -lhx509 -lcom_err -lcrypto -lasn1 -lroken -lcrypt

Patch attached with submission follows:

--- /usr/bin/krb5-config.orig 2011-02-17 03:18:57.000000000 +0100 +++ /usr/bin/krb5-config 2011-04-06 23:41:31.000000000 +0200 @@ -93,7 +93,7 @@ lib_flags="-L${libdir}" case $library in gssapi) - lib_flags="$lib_flags -lgssapi -lheimntlm" + lib_flags="$lib_flags -lgssapi -lgssapi_krb5 -lheimntlm" ;; kadm-client) lib_flags="$lib_flags -lkadm5clnt"

>Release-Note:
>Audit-Trail:
>Unformatted:
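
Review bot: the diff headers point at the installed script (/usr/bin/krb5-config.orig and /usr/bin/krb5-config), not at the copy in the source tree that the script is installed from, so the one-line change in the gssapi) case would be overwritten by the next base-system rebuild and cannot be committed as it stands. Please regenerate the patch against the source file under /usr/src. The description should also state that -lgssapi_krb5 is now handed to every consumer that asks krb5-config for the gssapi library, not only to mod_auth_kerb, so that the committer can judge the wider link-line effect of the added flag.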
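
Added example, not part of the original report and not code from FreeBSD or the port: a shell check that compares a module's undefined dynamic symbols with what the libraries on a link line export, which is the gap that the ldd output above cannot show. The helper names, KNOWN_LIBS and the symbol tables (addresses included) are constructed for illustration; only the symbol name, library names and link lines come from the report.

```sh
#!/bin/sh
# Symbol tables below are constructed, abbreviated `nm -D` output; on a real
# system replace the two helpers with `nm -D <file>` on the module and libraries.

module_nm() {   # hypothetical helper: dynamic symbols of mod_auth_kerb.so
    cat <<'EOF'
                 U gss_accept_sec_context
                 U gsskrb5_register_acceptor_identity
                 U krb5_init_context
EOF
}

lib_nm() {      # hypothetical helper: dynamic symbols of library $1
    case $1 in
        gssapi)      echo '0000000000004a10 T gss_accept_sec_context' ;;
        gssapi_krb5) echo '0000000000012f40 T gsskrb5_register_acceptor_identity' ;;
        krb5)        echo '000000000001c2b0 T krb5_init_context' ;;
    esac
}

KNOWN_LIBS="gssapi gssapi_krb5 krb5"   # libraries searched for a provider

# exports SYMBOL LIB: succeeds if LIB defines SYMBOL (text, data, bss or weak).
exports() {
    lib_nm "$2" | awk -v s="$1" '$2 ~ /^[TDBW]$/ && $3 == s { found = 1 } END { exit !found }'
}

# unresolved "LINK FLAGS": prints one "symbol provider" line for every undefined
# module symbol that none of the -l libraries in the flags exports.
unresolved() {
    linked=$(printf '%s\n' $1 | sed -n 's/^-l//p')
    module_nm | awk '$1 == "U" { print $2 }' | while read -r sym; do
        hit=
        for lib in $linked; do
            if exports "$sym" "$lib"; then hit=1; break; fi
        done
        if [ -n "$hit" ]; then continue; fi
        provider="(none found)"
        for lib in $KNOWN_LIBS; do
            if exports "$sym" "$lib"; then provider=$lib; break; fi
        done
        echo "$sym $provider"
    done
}
```

Called with the original link line it names gsskrb5_register_acceptor_identity and its provider gssapi_krb5; with the patched link line it prints nothing.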