On Sat, 19 Sep 2009, 09:31 +1000, John Marshall wrote:
> On Fri, 18 Sep 2009, 17:38 -0400, Rick Macklem wrote:
> > When cyrus-sasl2 builds, it uses the little shell script
> > /usr/bin/krb5-config with the args. "--libs gssapi" to get the list of
> > libraries to link against. This doesn't return "-lgssapi_spnego" in the
> > list. (The list can be changed by editing line #96 of
> > /usr/bin/krb5-config.)
>
> I think this sounds promising! It makes sense. Thanks for pointing us
> in this direction.

This morning, on my 8.0-RC1 system, I did the following to confirm that
GSSAPI authentication to the LDAP server via SASL2 using the base
Heimdal was still broken:

 - removed the heimdal-1.2.1 port
 - rebuilt the cyrus-sasl-2.1.23 port (against the base heimdal)
 - started the openldap-sasl-server-2.4.18_1
 - queried the LDAP server from a separate client using ldapsearch:
--------
SASL/GSSAPI authentication started
ldap_sasl_interactive_bind_s: Can't contact LDAP server (-1)
--------
 - and noted that the ldap server died at that point.

I edited line 96 of /usr/bin/krb5-config to include -lgssapi_krb5 in the
libraries list:

  lib_flags="$lib_flags -lgssapi -lgssapi_krb5 -lheimntlm"

and then did the following:

 - rebuilt the cyrus-sasl-2.1.23 port (against the base heimdal)
 - started the openldap-sasl-server-2.4.18_1
 - queried the LDAP server from a separate client using ldapsearch
--------
SASL/GSSAPI authentication started
SASL username: john_at_EXAMPLE.COM
SASL SSF: 56
SASL data security layer installed.
# extended LDIF
#
# LDAPv3
--------

SUCCESS!

So, this fix obviates THAT reason for installing the Heimdal port. If
George meets with similar success adding -lgssapi_spnego for his spnego
problem, I suggest that both libraries be added to the list in line 96
of /usr/bin/krb5-config prior to release of FreeBSD 8.0.

It doesn't look like this fix is as simple as submitting a patch to
krb5-config. It looks like magic needs to happen somewhere in the base
kerberos build system.

I notice that the Heimdal port doesn't build the separate libraries and
everything seems to be included in libgssapi (which explains why sasl2
"works" when linked against the Heimdal port).

-- 
John Marshall
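Added example, not part of the original message or of FreeBSD: a shell check that reports which GSS-API mechanism libraries are absent from the flags printed by `krb5-config --libs gssapi`, so a missing `-lgssapi_krb5` or `-lgssapi_spnego` is caught before cyrus-sasl2 is built. The function names and the "before" flag string are assumptions made for illustration.

```shell
#!/bin/sh
# Constructed sample flag strings (not captured output). SAMPLE_AFTER uses
# the libraries from the edited line 96 quoted in the message; SAMPLE_BEFORE
# is the same list with -lgssapi_krb5 taken out.
SAMPLE_BEFORE="-L/usr/lib -lgssapi -lheimntlm"
SAMPLE_AFTER="-L/usr/lib -lgssapi -lgssapi_krb5 -lheimntlm"

# missing_gss_mechs "<linker flags>" [lib ...]
# Prints the mechanism libraries that are not in the flag string, space
# separated, and returns 0 only when none are missing.
# Defaults to the two libraries discussed in the thread.
missing_gss_mechs() {
    flags=$1
    shift
    if [ $# -eq 0 ]; then
        set -- gssapi_krb5 gssapi_spnego
    fi
    missing=""
    for lib in "$@"; do
        found=no
        for tok in $flags; do
            # Compare whole tokens: "-lgssapi" must not count as
            # "-lgssapi_krb5", which a substring grep would get wrong.
            if [ "$tok" = "-l$lib" ]; then
                found=yes
            fi
        done
        if [ "$found" = no ]; then
            missing="${missing:+$missing }$lib"
        fi
    done
    printf '%s\n' "$missing"
    [ -z "$missing" ]
}

# Run the same check against the live script on the build host.
check_krb5_config() {
    missing_gss_mechs "$(krb5-config --libs gssapi)" "$@"
}
```

Calling `check_krb5_config` before rebuilding the cyrus-sasl port turns the missing-library condition into a failed pre-build check instead of a server that dies on the first GSSAPI bind.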