Date:      Mon, 21 Sep 2009 11:28:55 +1000
From:      John Marshall <john.marshall@riverwillow.com.au>
To:        Rick Macklem <rmacklem@uoguelph.ca>
Cc:        freebsd-stable <freebsd-stable@freebsd.org>, freebsd-current@freebsd.org, George Mamalakis <mamalos@eng.auth.gr>
Subject:   Re: SASL problems with spnego on 8.0-BETA4
Message-ID:  <20090921012855.GA1001@rwpc12.mby.riverwillow.net.au>
In-Reply-To: <20090918233157.GK1231@rwpc12.mby.riverwillow.net.au>
References:  <4AB27FB6.4010806@eng.auth.gr> <20090918034933.GI1231@rwpc12.mby.riverwillow.net.au> <Pine.GSO.4.63.0909181722270.23193@muncher.cs.uoguelph.ca> <20090918233157.GK1231@rwpc12.mby.riverwillow.net.au>



On Sat, 19 Sep 2009, 09:31 +1000, John Marshall wrote:
> On Fri, 18 Sep 2009, 17:38 -0400, Rick Macklem wrote:
> > When cyrus-sasl2 builds, it uses the little shell script
> > /usr/bin/krb5-config with the args. "--libs gssapi" to get the list of
> > libraries to link against. This doesn't return "-lgssapi_spnego" in the
> > list. (The list can be changed by editing line #96 of
> > /usr/bin/krb5-config.)
>
> I think this sounds promising!  It makes sense.  Thanks for pointing us
> in this direction.

This morning, on my 8.0-RC1 system, I did the following to confirm that
GSSAPI authentication to the LDAP server via SASL2 using the base
Heimdal was still broken:

 - removed the heimdal-1.2.1 port
 - rebuilt the cyrus-sasl-2.1.23 port (against the base heimdal)
 - started the openldap-sasl-server-2.4.18_1
 - queried the LDAP server from a separate client using ldapsearch:
     --------
     SASL/GSSAPI authentication started
     ldap_sasl_interactive_bind_s: Can't contact LDAP server (-1)
     --------
 - and noted that the ldap server died at that point.

I edited line 96 of /usr/bin/krb5-config to include -lgssapi_krb5 in the
libraries list:

        lib_flags="$lib_flags -lgssapi -lgssapi_krb5 -lheimntlm"

and then did the following:

 - rebuilt the cyrus-sasl-2.1.23 port (against the base heimdal)
 - started the openldap-sasl-server-2.4.18_1
 - queried the LDAP server from a separate client using ldapsearch
     --------
     SASL/GSSAPI authentication started
     SASL username: john@EXAMPLE.COM
     SASL SSF: 56
     SASL data security layer installed.
     # extended LDIF
     #
     # LDAPv3
     --------

SUCCESS!

So, this fix obviates THAT reason for installing the Heimdal port.  If
George meets with similar success adding -lgssapi_spnego for his spnego
problem, I suggest that both libraries be added to the list in line 96
of /usr/bin/krb5-config prior to release of FreeBSD 8.0.

It doesn't look like this fix is as simple as submitting a patch to
krb5-config.  It looks like magic needs to happen somewhere in the base
kerberos build system.

I notice that the Heimdal port doesn't build the separate libraries and
everything seems to be included in libgssapi (which explains why sasl2
"works" when linked against the Heimdal port).

-- 
John Marshall
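
The procedure John describes (inspect what krb5-config --libs gssapi returns,
add the missing mechanism libraries to the lib_flags line, rebuild, verify)
as an added, self-contained example. This is not code from the thread or
from FreeBSD: it works on a constructed stand-in for /usr/bin/krb5-config so
it runs without Heimdal installed. Assumptions not confirmed by the message:
the unpatched line 96 reads lib_flags="$lib_flags -lgssapi -lheimntlm" (John
only shows his edited version), -lgssapi_spnego is included on the strength
of Rick's suggestion for George's case, and the SASL plugin path used by
check_sasl_plugin_links is the FreeBSD ports default.

```shell
#!/bin/sh
# Added example, not code from the original thread or from FreeBSD.
# Reproduces the krb5-config fix on a constructed copy of the script and
# checks the "--libs gssapi" output before and after.
#
# Assumptions (not confirmed by the page): the unpatched line 96 reads
#   lib_flags="$lib_flags -lgssapi -lheimntlm"
# and the plugin path in check_sasl_plugin_links is the ports default.

# Mechanism libraries the thread says the GSSAPI link line should carry:
# -lgssapi_krb5 (confirmed by John) and -lgssapi_spnego (George's case).
WANTED_MECHS="-lgssapi_krb5 -lgssapi_spnego"

# Constructed stand-in for /usr/bin/krb5-config written to "$1"; it only
# mimics the "--libs gssapi" path and is not the real script.
make_sample_krb5_config() {
    cat > "$1" <<'EOF'
#!/bin/sh
lib_flags="-L/usr/lib"
mode=""
for arg in "$@"; do
    case "$arg" in
    --libs) mode=libs ;;
    gssapi) lib_flags="$lib_flags -lgssapi -lheimntlm" ;;
    esac
done
[ "$mode" = libs ] && echo "$lib_flags"
EOF
    chmod +x "$1"
}

# Print the -l flags from WANTED_MECHS that are absent from "$1" (one
# krb5-config --libs output line). Whole-token match, so -lgssapi does
# not satisfy -lgssapi_krb5. Returns 1 if anything is missing.
missing_gssapi_mechs() {
    _libs=" $1 "
    _missing=""
    for _m in $WANTED_MECHS; do
        case "$_libs" in
        *" $_m "*) ;;
        *) _missing="$_missing $_m" ;;
        esac
    done
    printf '%s\n' "${_missing# }"
    [ -z "$_missing" ]
}

# Apply the fix from the message to the krb5-config copy at "$1": insert
# both mechanism libraries between -lgssapi and -lheimntlm. Avoids sed -i
# because its syntax differs between BSD and GNU sed.
patch_krb5_config() {
    sed 's/-lgssapi -lheimntlm/-lgssapi -lgssapi_krb5 -lgssapi_spnego -lheimntlm/' \
        "$1" > "$1.tmp" && mv "$1.tmp" "$1"
}

# End-to-end run on a sample script: show the link line before and after.
# Usage: demo_fix [path-for-the-sample-copy]
demo_fix() {
    _f="${1:-$(mktemp)}"
    make_sample_krb5_config "$_f"
    _before=$("$_f" --libs gssapi)
    patch_krb5_config "$_f"
    _after=$("$_f" --libs gssapi)
    echo "before: $_before"
    echo "after:  $_after"
}

# On a real system, confirm the rebuilt cyrus-sasl2 GSSAPI plugin actually
# picked up the mechanism library. Default path is an assumption.
# Usage: check_sasl_plugin_links [plugin.so]
check_sasl_plugin_links() {
    _so="${1:-/usr/local/lib/sasl2/libgssapiv2.so}"
    ldd "$_so" | grep -q 'libgssapi_krb5' && echo "ok: $_so links libgssapi_krb5"
}
```

Run demo_fix to see the two link lines side by side; on the real system,
`missing_gssapi_mechs "$(krb5-config --libs gssapi)"` tells you whether the
installed script still needs the edit, and check_sasl_plugin_links confirms
the rebuilt plugin links against libgssapi_krb5 rather than only libgssapi.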




Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?20090921012855.GA1001>