From: John Marshall <john.marshall@riverwillow.com.au>
To: Rick Macklem
Cc: freebsd-stable, freebsd-current@freebsd.org, George Mamalakis
Date: Mon, 21 Sep 2009 11:28:55 +1000
Subject: Re: SASL problems with spnego on 8.0-BETA4
Message-ID: <20090921012855.GA1001@rwpc12.mby.riverwillow.net.au>
In-Reply-To: <20090918233157.GK1231@rwpc12.mby.riverwillow.net.au>
References: <4AB27FB6.4010806@eng.auth.gr> <20090918034933.GI1231@rwpc12.mby.riverwillow.net.au> <20090918233157.GK1231@rwpc12.mby.riverwillow.net.au>

On Sat, 19 Sep 2009, 09:31 +1000, John Marshall wrote:
> On Fri, 18 Sep 2009, 17:38 -0400, Rick Macklem wrote:
> > When cyrus-sasl2 builds, it uses the little shell script
> > /usr/bin/krb5-config with the args. "--libs gssapi" to get the list of
> > libraries to link against. This doesn't return "-lgssapi_spnego" in the
> > list. (The list can be changed by editing line #96 of
> > /usr/bin/krb5-config.)
>
> I think this sounds promising! It makes sense. Thanks for pointing us
> in this direction.

This morning, on my 8.0-RC1 system, I did the following to confirm that
GSSAPI authentication to the LDAP server via SASL2 using the base Heimdal
was still broken:

 - removed the heimdal-1.2.1 port
 - rebuilt the cyrus-sasl-2.1.23 port (against the base heimdal)
 - started the openldap-sasl-server-2.4.18_1
 - queried the LDAP server from a separate client using ldapsearch:

   --------
   SASL/GSSAPI authentication started
   ldap_sasl_interactive_bind_s: Can't contact LDAP server (-1)
   --------

 - and noted that the ldap server died at that point.

I edited line 96 of /usr/bin/krb5-config to include -lgssapi_krb5 in the
libraries list:

   lib_flags="$lib_flags -lgssapi -lgssapi_krb5 -lheimntlm"

and then did the following:

 - rebuilt the cyrus-sasl-2.1.23 port (against the base heimdal)
 - started the openldap-sasl-server-2.4.18_1
 - queried the LDAP server from a separate client using ldapsearch

   --------
   SASL/GSSAPI authentication started
   SASL username: john@EXAMPLE.COM
   SASL SSF: 56
   SASL data security layer installed.
   # extended LDIF
   #
   # LDAPv3
   --------

SUCCESS!

So, this fix obviates THAT reason for installing the Heimdal port. If
George meets with similar success adding -lgssapi_spnego for his spnego
problem, I suggest that both libraries be added to the list in line 96 of
/usr/bin/krb5-config prior to release of FreeBSD 8.0.

It doesn't look like this fix is as simple as submitting a patch to
krb5-config. It looks like magic needs to happen somewhere in the base
kerberos build system. I notice that the Heimdal port doesn't build the
separate libraries and everything seems to be included in libgssapi (which
explains why sasl2 "works" when linked against the Heimdal port).

--
John Marshall
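As an added example (not part of the thread, and not FreeBSD's krb5-config), a small POSIX shell helper that checks the lib_flags assignment of a krb5-config script for the GSSAPI libraries discussed above and appends whichever are missing, so the fix can be verified before rebuilding cyrus-sasl2. The krb5-config it operates on is a constructed stand-in containing only the quoted line, and the function names are mine.

```shell
# Added example, not from the thread: check a krb5-config script's lib_flags
# line for required GSSAPI libraries and append the missing ones.

# Write a CONSTRUCTED stand-in for /usr/bin/krb5-config to the path in $1.
# Only the lib_flags assignment quoted in the message is reproduced.
make_sample_script() {
    cat > "$1" <<'EOF'
# CONSTRUCTED stand-in: only the relevant lines of krb5-config
lib_flags="-L/usr/lib"
lib_flags="$lib_flags -lgssapi -lheimntlm"
echo $lib_flags
EOF
}

# Print the library names from $2 (space-separated, without -l) that the
# first "lib_flags=...-lgssapi..." line of script $1 does not already link.
missing_gss_libs() {
    script=$1; required=$2
    line=$(grep -E '^[[:space:]]*lib_flags=.*-lgssapi' "$script" | head -n 1 | tr -d '"')
    missing=""
    for lib in $required; do
        case " $line " in
            *" -l$lib "*) ;;                 # whole-token match: gssapi != gssapi_krb5
            *) missing="$missing $lib" ;;
        esac
    done
    printf '%s\n' "${missing# }"
}

# Append the missing -l flags before the closing quote of that line (idempotent).
add_gss_libs() {
    script=$1; required=$2
    missing=$(missing_gss_libs "$script" "$required")
    [ -n "$missing" ] || return 0
    extra=""
    for lib in $missing; do extra="$extra -l$lib"; done
    awk -v extra="$extra" '
        !done && /^ *lib_flags=.*-lgssapi/ { sub(/" *$/, extra "\""); done = 1 }
        { print }' "$script" > "$script.tmp" && mv "$script.tmp" "$script"
}

# Stand-alone demo against the constructed sample.
sample=${TMPDIR:-/tmp}/krb5-config.sample.$$
make_sample_script "$sample"
printf 'missing before: %s\n' "$(missing_gss_libs "$sample" "gssapi_krb5 gssapi_spnego")"
add_gss_libs "$sample" "gssapi_krb5 gssapi_spnego"
printf 'missing after:  %s\n' "$(missing_gss_libs "$sample" "gssapi_krb5 gssapi_spnego")"
grep -- '-lgssapi' "$sample"
rm -f "$sample"
```

Running it against the real /usr/bin/krb5-config on a system under test shows whether `--libs gssapi` would already emit the libraries the message names; the edit itself is undone by a base-system rebuild, as the message notes.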