Subject: Re: mod_auth_kerb
To: None <netbsd-help@netbsd.org>
From: Jukka Salmi <j+nbsd@2005.salmi.ch>
List: netbsd-help
Date: 06/28/2005 12:50:59
--2oS5YaxWCcQjTEyO
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
Thierry Lacoste --> netbsd-help (2005-06-28 11:45:19 +0200):
> $ httpd -v
> Server version: Apache/1.3.33 (Unix)
> Server built: Jun 20 2005 22:26:06
[...]
> I downloaded mod_auth_kerb-5.0-rc6.tar.gz from
> http://sourceforge.net/project/showfiles.php?group_id=51775
Same here.
> $ tar -xvzf mod_auth_kerb-5.0-rc6.tar.gz
> $ cd mod_auth_kerb-5.0-rc6
> $ ./configure
[...]
> checking for krb5_init_context in -lkrb5... yes
> checking whether we are using Heimdal... no
[...]
> Well the line 'checking whether we are using Heimdal... no'
> doesn't sound good.
Indeed.
> I tried to set --with-krb5 but I didn't find any satisfying value.
Reading the notes I wrote down when installing mod_auth_kerb, I see now that
I created a krb5-config script and put it in /usr/bin (some software expects
it to be there...). Unfortunately NetBSD doesn't ship with such a file by
default, but you can easily build it from src/crypto/dist/heimdal/tools. The
script I'm using is attached.
Additionally, because I store the webserver's principal in a separate keytab
file, I needed to apply a patch to mod_auth_kerb's src/mod_auth_kerb.c to
make httpd read the keytab defined by `Krb5Keytab' and not the system keytab.
This patch (and another patch to fix 'make clean') is attached as well.
After patching mod_auth_kerb-5.0-rc6 with the attached patches, running
$ ./configure --prefix=/usr/local --without-krb4 \
--with-krb5=/usr --with-apache=/usr/pkg
$ make
$ sudo make install
should work fine.
HTH, Jukka
--
bashian roulette:
$ ((RANDOM%6)) || rm -rf ~
--2oS5YaxWCcQjTEyO
Content-Type: text/plain; charset=us-ascii
Content-Disposition: attachment; filename=krb5-config
#!/bin/sh
# $Heimdal: krb5-config.in,v 1.9 2002/09/09 22:29:06 joda Exp $
# $NetBSD: krb5-config.in,v 1.2 2002/09/12 13:19:24 joda Exp $
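# Defaults: nothing is printed unless the matching option is given, and
# --libs reports the krb5 library set unless another library is named.
do_libs=no
do_cflags=no
do_usage=no
print_prefix=no
print_exec_prefix=no
library=krb5

# No arguments at all is an error: print usage and exit with status 1.
if test $# -eq 0; then
    do_usage=yes
    usage_exit=1
fi

# Walk "$@" rather than unquoted $*: every argument is then seen exactly as
# the caller passed it, with no word splitting and no pathname expansion
# (an argument such as '*' or one containing a space is not rewritten).
for i in "$@"; do
    case "$i" in
    --help)
        do_usage=yes
        usage_exit=0
        ;;
    --version)
        echo "heimdal 0.6.1"
        echo '$Id: krb5-config.in,v 1.2 2002/09/12 13:19:24 joda Exp $'
        exit 0
        ;;
    --prefix=*)
        # Strip the option name in the shell itself; an unquoted
        # "echo $i | sed" pipeline would re-split and glob-expand the value.
        prefix=${i#--prefix=}
        ;;
    --prefix)
        print_prefix=yes
        ;;
    --exec-prefix=*)
        exec_prefix=${i#--exec-prefix=}
        ;;
    --exec-prefix)
        print_exec_prefix=yes
        ;;
    --libs)
        do_libs=yes
        ;;
    --cflags)
        do_cflags=yes
        ;;
    krb5)
        library=krb5
        ;;
    gssapi)
        library=gssapi
        ;;
    kadm-client)
        library=kadm-client
        ;;
    kadm-server)
        library=kadm-server
        ;;
    *)
        # Diagnostics go to stderr so that a caller capturing stdout
        # (for example a configure script) does not take the message
        # for compiler or linker flags.
        echo "unknown option: $i" >&2
        exit 1
        ;;
    esac
done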
# Usage was requested (--help) or forced (no arguments): print the option
# summary and stop with the exit status chosen during argument parsing.
case "$do_usage" in
yes)
    echo "usage: $0 [options] [libraries]"
    echo "options: [--prefix[=dir]] [--exec-prefix[=dir]] [--libs] [--cflags]"
    echo "libraries: krb5 gssapi kadm-client kadm-server"
    exit $usage_exit
    ;;
esac
# Fall back to the base-system location when --prefix= / --exec-prefix=
# was not given, or was given with an empty value.
: "${prefix:=/usr}"
: "${exec_prefix:=/usr}"

# Header and library locations are fixed; they do not follow $prefix.
includedirs='/usr/include/gssapi /usr/include/krb5'
libdir=/usr/lib
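# --prefix / --exec-prefix without a value: report the directory in use.
# The value is quoted and written with printf, so a directory name that
# contains whitespace or glob characters is reported unchanged instead of
# being re-split or expanded by the shell.
if test "$print_prefix" = "yes"; then
    printf '%s\n' "$prefix"
fi
if test "$print_exec_prefix" = "yes"; then
    printf '%s\n' "$exec_prefix"
fi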
# --libs: print the linker flags for the selected library on one line.
# Every selection links the common krb5 set; gssapi and the two kadm
# variants put one extra library in front of it.
if [ "$do_libs" = "yes" ]; then
    case $library in
    gssapi)      extra_lib=" -lgssapi" ;;
    kadm-client) extra_lib=" -lkadm5clnt" ;;
    kadm-server) extra_lib=" -lkadm5srv" ;;
    *)           extra_lib="" ;;
    esac
    lib_flags="-L${libdir}${extra_lib} -lkrb5 -lasn1 -ldes -lroken -lcrypto -lcom_err"
    echo $lib_flags
fi
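# --cflags: print one -I option per header directory, all on one line.
# printf replaces "echo -n", whose treatment of -n differs between shells;
# the output is the same: each option followed by a space, no newline.
if test "$do_cflags" = "yes"; then
    # $includedirs is left unquoted on purpose: it is a space-separated list.
    for dir in $includedirs; do
        printf '%s ' "-I$dir"
    done
fi

exit 0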
--2oS5YaxWCcQjTEyO
Content-Type: text/plain; charset=us-ascii
Content-Disposition: attachment; filename="ktname.patch"
--- src/mod_auth_kerb.c.orig 2004-08-10 14:01:01.000000000 +0200
+++ src/mod_auth_kerb.c 2005-06-28 12:11:25.000000000 +0200
@@ -1120,6 +1120,10 @@
}
sprintf(ktname, "KRB5_KTNAME=%s", conf->krb_5_keytab);
putenv(ktname);
+#ifdef HEIMDAL
+ /* Seems to be also supported by latest MIT */
+ gsskrb5_register_acceptor_identity(conf->krb_5_keytab);
+#endif
}
ret = get_gss_creds(r, conf, &server_creds);
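Review bot: The status returned by `gsskrb5_register_acceptor_identity(conf->krb_5_keytab)` is discarded, so a failed registration is silent and the acceptor would presumably go on using the default keytab, which is the behaviour this patch is meant to change. Store the returned `OM_uint32`, test it with `GSS_ERROR()`, and log and fail the request through the module's existing error path before `get_gss_creds` is reached. The call is also compiled only under `#ifdef HEIMDAL`, although the added comment says recent MIT supports it, and `HEIMDAL` depends on configure detecting Heimdal correctly. A comment such as `/* without HEIMDAL defined, only KRB5_KTNAME selects the keytab */` would make that dependency visible. The enclosing function starts and ends outside the hunk.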
--2oS5YaxWCcQjTEyO
Content-Type: text/plain; charset=us-ascii
Content-Disposition: attachment; filename="makefile_rm.patch"
--- Makefile.in.orig 2004-07-05 22:47:42.000000000 +0200
+++ Makefile.in 2004-11-03 00:11:29.000000000 +0100
@@ -10,6 +10,8 @@
LDFLAGS = $(KRB5_LDFLAGS) $(KRB4_LDFLAGS) $(LIB_resolv)
CFLAGS =
+RM = rm -f
+
all: src/mod_auth_kerb.so
src/mod_auth_kerb.so: src/mod_auth_kerb.c $(SPNEGO_SRCS)
@@ -20,7 +22,7 @@
clean:
for i in . src spnegokrb5; do \
- $(RM) $$i/*.{o,so,a,la,lo,slo} core; \
+ $(RM) $$i/*.[oa] $$i/*.so $$i/*.l[ao] $$i/*.slo core; \
done
distclean: clean
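Review bot: `core` in the rewritten `$(RM)` line has no `$$i/` prefix, so all three loop iterations remove the top-level `core`, and a core file left in `src` or `spnegokrb5` survives `make clean`. If per-directory cleanup is intended, write `$$i/core`, and possibly `$$i/*.core`, since NetBSD normally names core files `<program>.core`. Core dumps from a process with this module loaded may contain Kerberos key material, so leaving them behind is worth avoiding.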
--2oS5YaxWCcQjTEyO--