On 02/10/2012 02:08, George Mamalakis wrote: > On 04/07/11 14:08, George Mamalakis wrote: >> On 06/04/2011 18:29, George Mamalakis wrote: >>> Dear all, >>> >>> I installed mod_auth_kerb2 on my FreeBSD 8-STABLE machine and tried >>> to use it. After the installation (which was successful(?!?)), the >>> server refused to start giving the error: >>> >>> # /usr/local/etc/rc.d/apache22 start >>> Performing sanity check on apache22 configuration: >>> httpd: Syntax error on line 103 of >>> /usr/local/etc/apache22/httpd.conf: Cannot load >>> /usr/local/libexec/apache22/mod_auth_kerb.so into server: >>> /usr/local/libexec/apache22/mod_auth_kerb.so: Undefined symbol >>> "gsskrb5_register_acceptor_identity" >>> Starting apache22. >>> httpd: Syntax error on line 103 of >>> /usr/local/etc/apache22/httpd.conf: Cannot load >>> /usr/local/libexec/apache22/mod_auth_kerb.so into server: >>> /usr/local/libexec/apache22/mod_auth_kerb.so: Undefined symbol >>> "gsskrb5_register_acceptor_identity" >>> /usr/local/etc/rc.d/apache22: WARNING: failed to start apache22 >>> >>> but ldd showed: >>> >>> # ldd /usr/local/libexec/apache22/mod_auth_kerb.so >>> /usr/local/libexec/apache22/mod_auth_kerb.so: >>> libgssapi.so.10 => /usr/lib/libgssapi.so.10 (0x800c00000) >>> libheimntlm.so.10 => /usr/lib/libheimntlm.so.10 (0x800d0a000) >>> libkrb5.so.10 => /usr/lib/libkrb5.so.10 (0x800e0f000) >>> libhx509.so.10 => /usr/lib/libhx509.so.10 (0x800f7e000) >>> libcom_err.so.5 => /usr/lib/libcom_err.so.5 (0x8010be000) >>> libcrypto.so.6 => /lib/libcrypto.so.6 (0x8011c0000) >>> libasn1.so.10 => /usr/lib/libasn1.so.10 (0x801461000) >>> libroken.so.10 => /usr/lib/libroken.so.10 (0x8015e3000) >>> libcrypt.so.5 => /lib/libcrypt.so.5 (0x8016f5000) >>> libc.so.7 => /lib/libc.so.7 (0x800647000) >>> >>> which showed that everything should have been fine. I googled it a >>> bit and found this thread regarding my error message: >>> http://forum.nginx.org/read.php?23,88476 , which started on May 2010, >>> and pointed to this PR: >>> http://www.freebsd.org/cgi/query-pr.cgi?pr=147454 , which started on >>> June 2010. What is stated, is that heimdal-1.1 was broken in FreeBSD, >>> and that it should be fixed at some moment in the future. (I tested >>> mod_auth_kerb2 on another machine running heimdal from ports (1.4_1) >>> and I had exactly the same problem). >>> >>> I searched to find where this notorious function >>> (gsskrb5_register_acceptor_identity) was located, and I found its >>> declaration in: /usr/include/gssapi/gssapi_krb5.h, and its definition >>> in: /usr/lib/libgssapi_krb5.so. >>> >>> So, I added -lgssapi_krb5 in KRB5_LDFLAGS variable of >>> /usr/ports/www/mod_auth_kerb2/work/mod_auth_kerb-5.4/Makefile , since >>> this where the location of gsskrb5_register_acceptor_identity >>> originally seemed to be, and reinstalled the port using gmake this >>> time (inside the port's work directory). After that, the module works >>> just fine. The initial content of this line was: >>> >>> KRB5_LDFLAGS = -L/usr/lib -lgssapi -lheimntlm -lkrb5 -lhx509 >>> -lcom_err -lcrypto -lasn1 -lroken -lcrypt >>> >>> I've sent an analogous email to the port maintainer, but I am not >>> sure if it is their "fault". Hence, I decided to send this email to >>> the stable list for two reasons: First, someone else may be having a >>> similar problem and wants to find a rough solution. Secondly, there >>> are people reading this list that know heimdal's code, so somebody >>> may know another (much more elegant) way to fix this bug. >>> >>> Thank you all for your time in advance, >>> >>> Regards, >>> >>> mamalos. >>> >> >> OK, >> >> I spoke with the maintainer who confirmed the problem. He also >> suggested to change line 96 of /usb/bin/krb5-config to include >> gssapi_krb5 among its libraries. He also gave me the relevant patch, >> and asked me to send a PR to FreeBSD. The patch is as follows: >> >> --- /usr/bin/krb5-config.orig 2011-02-17 03:18:57.000000000 +0100 >> +++ /usr/bin/krb5-config 2011-04-06 23:41:31.000000000 +0200 >> @@ -93,7 +93,7 @@ >> lib_flags="-L${libdir}" >> case $library in >> gssapi) >> - lib_flags="$lib_flags -lgssapi -lheimntlm" >> + lib_flags="$lib_flags -lgssapi -lgssapi_krb5 -lheimntlm" >> ;; >> kadm-client) >> lib_flags="$lib_flags -lkadm5clnt" >> >> >> >> And the relevant PR is: >> >> http://www.freebsd.org/cgi/query-pr.cgi?pr=156245 >> >> Thank you all for your time, >> >> mamalos >> > Hi all, > > I am bringing this matter back again because the same things hold for my > current system too (/usr/bin/krb5-config does not seem to link > gssapi-things properly): > > # uname -a > FreeBSD example.com 9.0-STABLE FreeBSD 9.0-STABLE #0: Mon Jun 18 > 21:04:14 EEST 2012 r...@example.com:/usr/obj/usr/src/sys/FILESRV amd64 > # pkg_info -Ix apache kerb > ap22-mod_auth_kerb-5.4_3 An Apache module for authenticating users with > Kerberos v5 > apache22-2.2.22_8 Version 2.2.x of Apache web server with prefork MPM. > > Should I send a PR or is there something that I've done wrong?
I've seen the same thing on 8.3-RELEASE, 9.1-RC1 and 9.1-RC2. In all cases, applying your patch (thank you!) to /usr/bin/krb5-config resolved the issue. I did not need to patch krb5-config for other GSSAPI servers to work (dovecot and sendmail) but they are obviously satisified with -lgssapi and don't need routines supplied via -lgssapi_krb5. Thus far, www/mod_auth_kerb2 is the only port I've used which appears to need gssapi_krb5. I think this is purely a FreeBSD Heimdal config issue. -- John Marshall
signature.asc
Description: OpenPGP digital signature
