738968 – www-apache/mod_auth_kerb-5.4-r2 references krb5_rc_resolve_full, but it is removed from libkrb5.so

Bug 738968 - www-apache/mod_auth_kerb-5.4-r2 references krb5_rc_resolve_full, but it is removed from libkrb5.so

Summary: www-apache/mod_auth_kerb-5.4-r2 references krb5_rc_resolve_full, but it is re...

Status:	RESOLVED FIXED

Alias:	None

Product:	Gentoo Linux
Classification:	Unclassified
Component:	Current packages (show other bugs)
Hardware:	All Linux

Importance:	Normal major (vote)
Assignee:	No maintainer - Look at https://wiki.gentoo.org/wiki/Project:Proxy_Maintainers if you want to take care of it

URL:
Whiteboard:
Keywords:

Depends on:	830208
Blocks:
	Show dependency tree

Reported:	2020-08-25 15:52 UTC by Barnabás Virágh
Modified:	2021-12-29 08:41 UTC (History)
CC List:	3 users (show)

See Also:	716736
Package list:
Runtime testing required:	---

Attachments
mit-krb5-1.18.2 fix (mit-krb5-1.18.2.patch,613 bytes, patch) 2020-09-15 17:16 UTC, Joakim Tjernlund	Details \| Diff
Fixes SEGV (mod_auth_kerb-krb5_kt_close.patch,702 bytes, patch) 2020-09-15 17:19 UTC, Joakim Tjernlund	Details \| Diff
mod_auth_kerb-5.4-r4 ebuild , EAPI=6 (mod_auth_kerb-5.4-r4.ebuild,1.44 KB, text/plain) 2020-09-15 17:28 UTC, Joakim Tjernlund	Details
View All Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.

Description Barnabás Virágh 2020-08-25 15:52:25 UTC

app-crypt/mit-krb5-1.18.2-r1 doesn't contain anymore krb5_rc_resolve_full, thus apache with mod_auth_kerb enabled fails to start:
apache2            | * apache2 has detected an error in your setup:
apache2            |apache2: Syntax error on line 166 of /etc/apache2/httpd.conf: Syntax error on line 2 of /etc/apache2/modules.d/11_mod_auth_kerb.conf: Cannot load modules/mod_auth_kerb.so into server: /usr/lib64/apache2/modules/mod_auth_kerb.so: undefned symbol: krb5_rc_resolve_full
apache2            | * ERROR: apache2 failed to start

Reproducible: Always

Steps to Reproduce:
1. Build apache
2. Build mod_auth_kerb
3. Configure apache to use mod_auth_kerb
4. Start apache
Actual Results:  
mod_auth_kerb.so references krb5_rc_resolve_full, even though it is removed from libkrb5.so. Thus apache fails to start.

Expected Results:  
mod_auth_kerb.so doesn't use nonexistent API krb5_rc_resolve_full, Apache can load the mod_auth_kerb module, and can successfully start, and authenticates users through kerberos SSO.

Comment 1 Barnabás Virágh 2020-08-25 15:54:15 UTC

It is somewhat related to this bug: https://bugs.gentoo.org/716736 (the method is removed in the same commit)

Comment 2 Barnabás Virágh 2020-08-30 13:19:04 UTC

since this packages is on EAPI=5, and "epatch_user" is missing, was a bit harder to test patchs, but I found a working one here:
https://sourceforge.net/p/modauthkerb/bugs/61/

https://sourceforge.net/p/modauthkerb/bugs/_discuss/thread/face832cc0/807c/attachment/krb5-1.18.patch

Applying this, the Kerberos authentication works again.

Comment 3 David Heidelberg (okias) 2020-08-31 15:14:45 UTC

Confirmed... anyway, any official solution, PullRequest or something available?

Comment 4 Joakim Tjernlund 2020-09-15 17:16:56 UTC

Created attachment 660420 [details, diff]
mit-krb5-1.18.2 fix

Works for me.
RCACHE is mandatory these days so hardcode

Comment 5 Joakim Tjernlund 2020-09-15 17:18:14 UTC

(In reply to Barnabás Virágh from comment #2)
> since this packages is on EAPI=5, and "epatch_user" is missing, was a bit
> harder to test patchs, but I found a working one here:
> https://sourceforge.net/p/modauthkerb/bugs/61/
> 
> https://sourceforge.net/p/modauthkerb/bugs/_discuss/thread/face832cc0/807c/
> attachment/krb5-1.18.patch
> 
> Applying this, the Kerberos authentication works again.

That was my first hack, attached a better one.
Works with 1.17 too

Comment 6 Joakim Tjernlund 2020-09-15 17:19:51 UTC

Created attachment 660423 [details, diff]
Fixes SEGV

You should apply this one too

Comment 7 Joakim Tjernlund 2020-09-15 17:28:16 UTC

Created attachment 660426 [details]
mod_auth_kerb-5.4-r4 ebuild , EAPI=6

Our internal ebuild

Got one for mod_auth_gssapi too, not tested though

Comment 8 Sam James archtester

2021-12-29 08:41:44 UTC

Fix here: https://bugs.gentoo.org/830208#c7. Stabilisation in progress.