0.7rc2 with mod_auth_kerb 5 rc6

0.7rc2 with mod_auth_kerb 5 rc6

Henry B. Hotz
The spnego code in mod_auth_kerb seems to conflict with the related  
code in the new Heimdal.  As Love suggested, it turns out to be trivial  
to work around:  just eliminate the spnego code that came with  
mod_auth_kerb.  ;-)

First, forget all the configure machinery.  It just gets in the way  
here (IMNSHO).

Second, copy config.h.in to config.h and edit appropriately.  (It's  
obvious, I think.)

Third, apply the patch at the end of this email.

Fourth, run apxs directly on the src/mod_auth_kerb.c file.  I used  
something similar to the following on Solaris 9:

/apache/path/bin/apxs -c -I. -I/usr/kth/include -DHAVE_KRB5_CC_GEN_NEW  
-DHEIMDAL -Wc,-g -Wl,-R/usr/kth/lib:/apache/path/lib  
-L/usr/kth/lib:/apache/path/lib -lgssapi -lkrb5 -lasn1 -lcom_err  
-lcrypto -lroken -lresolv -lnsl -lsocket -lresolv src/mod_auth_kerb.c

I don't see any reason why you can't do -c -i -a instead of just -c  
above.  In theory you should do `/usr/kth/bin/krb5-config --libs` in  
place of all those options after the -c (except it doesn't include  
-lgssapi).

It appears to work fine.

------------------
--- mod_auth_kerb.c.orig Wed Jun  1 13:33:49 2005
+++ mod_auth_kerb.c Wed Jun  1 13:41:33 2005
@@ -73,7 +73,6 @@
  #  define GSS_C_NT_HOSTBASED_SERVICE gss_nt_service_name
  #  define krb5_get_err_text(context,code) error_message(code)
  #endif
-#include "spnegokrb5.h"
  #endif /* KRB5 */

  #ifdef KRB4
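Review bot: The `#include "spnegokrb5.h"` removal at the end of the KRB5 block is unconditional, so the bundled SPNEGO declarations disappear from every build, including one against a GSS-API library that has no SPNEGO of its own. Keeping the include behind a preprocessor guard that the build sets when the library lacks SPNEGO would let the same source compile in both configurations.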
@@ -1098,15 +1097,11 @@
    gss_name_t client_name = GSS_C_NO_NAME;
    gss_cred_id_t delegated_cred = GSS_C_NO_CREDENTIAL;
    OM_uint32 (*accept_sec_token)();
-  gss_OID_desc spnego_oid;
    gss_ctx_id_t context = GSS_C_NO_CONTEXT;
    gss_cred_id_t server_creds = GSS_C_NO_CREDENTIAL;

    *negotiate_ret_value = "\0";

-  spnego_oid.length = 6;
-  spnego_oid.elements = (void *)"\x2b\x06\x01\x05\x05\x02";
-
    if (conf->krb_5_keytab) {
       char *ktname;
       /* we don't use the ap_* calls here, since the string passed to  
putenv()
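Review bot: The `OM_uint32 (*accept_sec_token)();` declaration kept as context here has only one possible target once the `spnego_oid` lines are removed, so the pointer is needless indirection. Because it is declared with empty parentheses, the later call through it also gets no prototype checking of its arguments; drop the variable and call `gss_accept_sec_context` directly.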
@@ -1145,14 +1140,10 @@
    }
    input_token.length = ap_base64decode(input_token.value, auth_param);

-  accept_sec_token = (cmp_gss_type(&input_token, &spnego_oid) == 0) ?
-     gss_accept_sec_context_spnego : gss_accept_sec_context;
+  accept_sec_token = gss_accept_sec_context;

    /* pridat: Read client Negotiate data of length XXX, prefix YYY */
-  log_rerror(APLOG_MARK, APLOG_DEBUG, 0, r, "Verifying client data  
using %s",
-     (accept_sec_token == gss_accept_sec_context)
-       ? "KRB5 GSS-API"
-       : "SPNEGO GSS-API");
+  log_rerror(APLOG_MARK, APLOG_DEBUG, 0, r, "Verifying client data  
using GSS-API");

    major_status = accept_sec_token(&minor_status,
   &context,
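Review bot: Replacing the `cmp_gss_type` test with `accept_sec_token = gss_accept_sec_context;` means the debug line "Verifying client data using GSS-API" no longer records whether the client sent an SPNEGO or a raw Kerberos token, which makes a failed negotiation harder to diagnose when the linked library cannot parse the token. Keep the OID comparison for logging purposes, or log the mechanism type returned by the accept call, and remove `cmp_gss_type` if this was its only caller. The two `log_rerror` lines are also wrapped in the middle of the string literal, so the patch will not apply as posted.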
------------------------------------------------------------------------
----
The opinions expressed in this message are mine,
not those of Caltech, JPL, NASA, or the US Government.
[hidden email], or [hidden email]


Re: 0.7rc2 with mod_auth_kerb 5 rc6

Daniel Kouril
On Thu, Jun 02, 2005 at 01:56:17PM -0700, Henry B. Hotz wrote:
> The spnego code in mod_auth_kerb seems to conflict with the related  
> code in the new Heimdal.  As Love suggested, it turns out to be trivial  
> to work around:  just eliminate the spnego code that came with  
> mod_auth_kerb.  ;-)

Could you send me a snip of the error messages you're getting? I use the module
with Heimdal without any problems. If I phased out the built-in SPNEGO
support it would effectively make the module unusable with older
releases of Heimdal, not speaking of MIT.

> I don't see any reason why you can't do -c -i -a instead of just -c  
> above.  In theory you should do `/usr/kth/bin/krb5-config --libs` in  
> place of all those options after the -c (except it doesn't include  
> -lgssapi).

krb5-config --libs gssapi ?

Re: 0.7rc2 with mod_auth_kerb 5 rc6

Henry B. Hotz

On Jun 7, 2005, at 10:01 AM, Daniel Kouril wrote:

> On Thu, Jun 02, 2005 at 01:56:17PM -0700, Henry B. Hotz wrote:
>> The spnego code in mod_auth_kerb seems to conflict with the related
>> code in the new Heimdal.  As Love suggested, it turns out to be  
>> trivial
>> to work around:  just eliminate the spnego code that came with
>> mod_auth_kerb.  ;-)
>
> Could you send me a snip of the error messages you're getting? I use the  
> module
> with Heimdal without any problems. If I phased out the built-in SPNEGO
> support it would effectively make the module unusable with  
> older
> releases of Heimdal, not speaking of MIT.

I've been meaning to check, but I think both MIT 1.4.1 and Solaris 10  
have spnego in their gssapi libraries now.  If it really is that common  
in new implementations, then going forward I think you should disable  
your spnego code in favor of what's in the available gssapi library.  
Do a configure check.

I'm out of town this week, so it's hard.  I'll try to get to recreate  
the problem next week.

>> I don't see any reason why you can't do -c -i -a instead of just -c
>> above.  In theory you should do `/usr/kth/bin/krb5-config --libs` in
>> place of all those options after the -c (except it doesn't include
>> -lgssapi).
>
> krb5-config --libs gssapi ?

Yes.
------------------------------------------------------------------------
----
The opinions expressed in this message are mine,
not those of Caltech, JPL, NASA, or the US Government.
[hidden email], or [hidden email]
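
The question in this thread is whether the module or the GSS-API library should recognise SPNEGO-wrapped tokens. As an added example (not code from mod_auth_kerb, Heimdal or either poster), this shows how an initial Negotiate token can be classified by the mechanism OID in its RFC 2743 framing, with every length checked against the bytes received. The function names and sample tokens are constructed for illustration; the SPNEGO OID bytes are the ones in the patch in this thread.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* DER-encoded mechanism OID contents. The SPNEGO bytes are the ones in the
 * patch in this thread (1.3.6.1.5.5.2); Kerberos 5 is 1.2.840.113554.1.2.2. */
static const unsigned char SPNEGO_OID[] = {0x2b,0x06,0x01,0x05,0x05,0x02};
static const unsigned char KRB5_OID[] = {0x2a,0x86,0x48,0x86,0xf7,0x12,0x01,0x02,0x02};

/* Constructed sample tokens: framing plus a two-byte stand-in for the inner token. */
static const unsigned char SAMPLE_SPNEGO[] = {0x60,0x0a,0x06,0x06,0x2b,0x06,0x01,0x05,0x05,0x02,0xa0,0x00};
static const unsigned char SAMPLE_KRB5[] = {0x60,0x0d,0x06,0x09,0x2a,0x86,0x48,0x86,0xf7,0x12,0x01,0x02,0x02,0x01,0x00};

enum mech { MECH_MALFORMED = -1, MECH_UNKNOWN = 0, MECH_SPNEGO, MECH_KRB5 };

/* Read a DER definite length at buf[*pos]; returns 0 on success, -1 on bad input. */
static int der_len(const unsigned char *buf, size_t n, size_t *pos, size_t *out)
{
    if (*pos >= n) return -1;
    size_t first = buf[(*pos)++];
    if (first < 0x80) { *out = first; return 0; }          /* short form */
    size_t cnt = first & 0x7f, v = 0;                       /* long form */
    if (cnt == 0 || cnt > sizeof(size_t) || cnt > n - *pos) return -1;
    while (cnt--) v = (v << 8) | buf[(*pos)++];
    *out = v;
    return 0;
}

/* Classify an initial context token by its RFC 2743 framing:
 * 0x60 <len> 0x06 <oid-len> <oid> <inner token>. Every length is checked
 * against the bytes actually received before anything is compared. */
enum mech classify_token(const unsigned char *tok, size_t n)
{
    size_t pos = 0, body, oidlen;
    if (n < 2 || tok[pos++] != 0x60) return MECH_MALFORMED;
    if (der_len(tok, n, &pos, &body) || body != n - pos) return MECH_MALFORMED;
    if (pos >= n || tok[pos++] != 0x06) return MECH_MALFORMED;
    if (der_len(tok, n, &pos, &oidlen) || oidlen == 0 || oidlen > n - pos) return MECH_MALFORMED;
    if (oidlen == sizeof SPNEGO_OID && !memcmp(tok + pos, SPNEGO_OID, oidlen)) return MECH_SPNEGO;
    if (oidlen == sizeof KRB5_OID && !memcmp(tok + pos, KRB5_OID, oidlen)) return MECH_KRB5;
    return MECH_UNKNOWN;
}

int main(void)
{
    printf("spnego sample -> %d\n", classify_token(SAMPLE_SPNEGO, sizeof SAMPLE_SPNEGO));
    printf("krb5 sample   -> %d\n", classify_token(SAMPLE_KRB5, sizeof SAMPLE_KRB5));
    printf("truncated     -> %d\n", classify_token(SAMPLE_SPNEGO, sizeof SAMPLE_SPNEGO - 1));
    return 0;
}
```

Only initial tokens carry this framing; later SPNEGO response tokens do not start with 0x60 and are reported here as malformed.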


Re: 0.7rc2 with mod_auth_kerb 5 rc6

Henry B. Hotz
./configure --without-krb4  --with-krb5=/usr/kth --with-apache=/usr/kth

Edit makefile to change "-pthread" to "-Wl,-pthreads" and add  
corresponding CFLAGS entry.

Make log at end.

On Jun 8, 2005, at 11:56 PM, Henry B. Hotz wrote:

> On Jun 7, 2005, at 10:01 AM, Daniel Kouril wrote:
>
>> Could you send me a snip of the error messages you're getting? I use  
>> the module
>> with Heimdal without any problems. If I phased out the built-in SPNEGO
>> support it would effectively make the module unusable with  
>> older
>> releases of Heimdal, not speaking of MIT.
>
> I've been meaning to check, but I think both MIT 1.4.1 and Solaris 10  
> have spnego in their gssapi libraries now.  If it really is that  
> common in new implementations, then going forward I think you should  
> disable your spnego code in favor of what's in the available gssapi  
> library.  Do a configure check.
>
> I'm out of town this week, so it's hard.  I'll try to get to recreate  
> the problem next week.

OK, here it is.  Notice that the der.h file is the one from  
/usr/kth/include/, not the one in  
.../mod_auth_kerb-5.0-rc6/spnegokrb5/.

> /usr/kth/bin/apxs -c -I. -Ispnegokrb5 -I/usr/kth/include  
> -I/usr/kth/include -Wc,-pthreads    -L/usr/kth/lib -lgssapi -lkrb5  
> -lasn1 -lcom_err -L/usr/kth/lib -lcrypto -lroken -lresolv -lnsl  
> -lsocket -Wl,-pthreads  -lresolv src/mod_auth_kerb.c  
> spnegokrb5/asn1_MechType.c                  
> spnegokrb5/asn1_MechTypeList.c              
> spnegokrb5/asn1_ContextFlags.c              
> spnegokrb5/asn1_NegTokenInit.c              
> spnegokrb5/asn1_NegTokenTarg.c             spnegokrb5/der_get.c        
>                spnegokrb5/der_put.c                        
> spnegokrb5/der_free.c                      spnegokrb5/der_length.c      
>                spnegokrb5/der_copy.c                      
> spnegokrb5/timegm.c                        
> spnegokrb5/init_sec_context.c              
> spnegokrb5/accept_sec_context.c            spnegokrb5/encapsulate.c    
>                spnegokrb5/decapsulate.c                    
> spnegokrb5/external.c
> /usr/kth/build/libtool --silent --mode=compile gcc -prefer-pic -g  
> -DAP_HAVE_DESIGNATED_INITIALIZER -DSOLARIS2=9  
> -D_POSIX_PTHREAD_SEMANTICS -D_REENTRANT -pthreads -I/usr/kth/include  
> -I/usr/kth/include   -I/usr/kth/include  -pthreads -I. -Ispnegokrb5  
> -I/usr/kth/include -I/usr/kth/include  -c -o src/mod_auth_kerb.lo  
> src/mod_auth_kerb.c && touch src/mod_auth_kerb.slo
> src/mod_auth_kerb.c:155: warning: initialization from incompatible  
> pointer type
> src/mod_auth_kerb.c:158: warning: initialization from incompatible  
> pointer type
> /usr/kth/build/libtool --silent --mode=compile gcc -prefer-pic -g  
> -DAP_HAVE_DESIGNATED_INITIALIZER -DSOLARIS2=9  
> -D_POSIX_PTHREAD_SEMANTICS -D_REENTRANT -pthreads -I/usr/kth/include  
> -I/usr/kth/include   -I/usr/kth/include  -pthreads -I. -Ispnegokrb5  
> -I/usr/kth/include -I/usr/kth/include  -c -o  
> spnegokrb5/asn1_MechType.lo spnegokrb5/asn1_MechType.c && touch  
> spnegokrb5/asn1_MechType.slo
> In file included from spnegokrb5/asn1_MechType.c:11:
> /usr/kth/include/der.h:77: error: parse error before  
> "heim_octet_string"
> /usr/kth/include/der.h:85: error: parse error before  
> "heim_general_string"
> /usr/kth/include/der.h:87: error: parse error before  
> "heim_octet_string"
> /usr/kth/include/der.h:89: error: parse error before "heim_oid"
> /usr/kth/include/der.h:106: error: parse error before  
> "heim_general_string"
> /usr/kth/include/der.h:108: error: parse error before "heim_oid"
> /usr/kth/include/der.h:110: error: parse error before  
> "heim_octet_string"
> /usr/kth/include/der.h:114: error: parse error before  
> "heim_utf8_string"
> /usr/kth/include/der.h:120: error: parse error before '*' token
> /usr/kth/include/der.h:122: error: parse error before '*' token
> /usr/kth/include/der.h:124: error: parse error before '*' token
> /usr/kth/include/der.h:139: error: parse error before '*' token
> /usr/kth/include/der.h:141: error: parse error before '*' token
> /usr/kth/include/der.h:143: error: parse error before '*' token
> /usr/kth/include/der.h:148: error: parse error before '*' token
> /usr/kth/include/der.h:151: error: parse error before '*' token
> /usr/kth/include/der.h:152: error: parse error before '*' token
> /usr/kth/include/der.h:153: error: parse error before '*' token
> /usr/kth/include/der.h:155: error: parse error before '*' token
> /usr/kth/include/der.h:162: error: parse error before '*' token
> /usr/kth/include/der.h:163: error: parse error before '*' token
> /usr/kth/include/der.h:164: error: parse error before '*' token
> /usr/kth/include/der.h:167: error: parse error before '*' token
> /usr/kth/include/der.h:169: error: parse error before '*' token
> /usr/kth/include/der.h:170: error: parse error before '*' token
> /usr/kth/include/der.h:171: error: parse error before '*' token
> /usr/kth/include/der.h:173: error: parse error before '*' token
> /usr/kth/include/der.h:175: error: parse error before '*' token
> /usr/kth/include/der.h:176: error: parse error before '*' token
> apxs:Error: Command failed with rc=65536
> .
> make: *** [src/mod_auth_kerb.so] Error 1

------------------------------------------------------------------------
----
The opinions expressed in this message are mine,
not those of Caltech, JPL, NASA, or the US Government.
[hidden email], or [hidden email]