netbsd-help: Re: mod_auth_kerb

Subject: Re: mod_auth_kerb
To: None <netbsd-help@netbsd.org>
From: Jukka Salmi <j+nbsd@2005.salmi.ch>
List: netbsd-help
Date: 06/28/2005 12:50:59
--2oS5YaxWCcQjTEyO
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
Thierry Lacoste --> netbsd-help (2005年06月28日 11:45:19 +0200):
> $ httpd -v
> Server version: Apache/1.3.33 (Unix)
> Server built: Jun 20 2005 22:26:06
[...]
> I downloaded mod_auth_kerb-5.0-rc6.tar.gz from 
> http://sourceforge.net/project/showfiles.php?group_id=51775
Same here.
> $ tar -xvzf mod_auth_kerb-5.0-rc6.tar.gz
> $ cd mod_auth_kerb-5.0-rc6
> $ ./configure
[...]
> checking for krb5_init_context in -lkrb5... yes
> checking whether we are using Heimdal... no
[...]
> Well the line 'checking whether we are using Heimdal... no'
> doesn't sound good.
Indeed.
> I tried to set --with-krb5 but I didn't find any satisfying value.
Reading the notes I wrote down when installing mod_auth_kerb, I see now that
I created a krb5-config script and put it in /usr/bin (some software expects
it to be there...). Unfortunately NetBSD doesn't ship with such a file by
default, but you can easily build it from src/crypto/dist/heimdal/tools. The
script I'm using is attached.
Additionally, because I store the webserver's principal in a separate keytab
file, I needed to apply a patch to mod_auth_kerb's src/mod_auth_kerb.c to
make httpd read the keytab defined by `Krb5Keytab' and not the system keytab.
This patch (and another patch to fix 'make clean') is attached as well.
After patching mod_auth_kerb-5.0-rc6 with the attached patches, running
	$ ./configure --prefix=/usr/local --without-krb4 \
		--with-krb5=/usr --with-apache=/usr/pkg
	$ make
	$ sudo make install
should work fine.
HTH, Jukka
-- 
bashian roulette:
$ ((RANDOM%6)) || rm -rf ~
--2oS5YaxWCcQjTEyO
Content-Type: text/plain; charset=us-ascii
Content-Disposition: attachment; filename=krb5-config
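#!/bin/sh
# $Heimdal: krb5-config.in,v 1.9 2002/09/09 22:29:06 joda Exp $
# $NetBSD: krb5-config.in,v 1.2 2002/09/12 13:19:24 joda Exp $
#
# krb5-config: print the compiler and linker flags needed to build against
# the Kerberos libraries installed under /usr.
#
# usage: krb5-config [options] [libraries]
#   options:   --prefix[=dir] --exec-prefix[=dir] --libs --cflags
#              --version --help
#   libraries: krb5 (default) gssapi kadm-client kadm-server
#
# Exit status: 0 on success (including --help and --version), 1 when called
# without arguments or with an unknown option.
#
# NOTE(review): configure scripts execute this file and paste its output
# into compiler and linker command lines, so install it owned by root and
# not writable by anyone else.

do_libs=no
do_cflags=no
do_usage=no
print_prefix=no
print_exec_prefix=no
library=krb5

# Start from known-empty values: otherwise a "prefix" or "exec_prefix"
# variable exported by the calling build environment would be echoed back
# by --prefix / --exec-prefix instead of the /usr default.
prefix=
exec_prefix=
usage_exit=0

# Called without arguments: show the usage text and report failure.
if test $# -eq 0; then
    do_usage=yes
    usage_exit=1
fi

# "$@" keeps each argument intact; an unquoted $* would re-split arguments
# on whitespace and expand glob characters in them.
for i in "$@"; do
    case $i in
    --help)
        do_usage=yes
        usage_exit=0
        ;;
    --version)
        echo "heimdal 0.6.1"
        echo '$Id: krb5-config.in,v 1.2 2002/09/12 13:19:24 joda Exp $'
        exit 0
        ;;
    --prefix=*)
        # Strip the option name with parameter expansion rather than
        # piping the argument through echo and sed.
        prefix=${i#--prefix=}
        ;;
    --prefix)
        print_prefix=yes
        ;;
    --exec-prefix=*)
        exec_prefix=${i#--exec-prefix=}
        ;;
    --exec-prefix)
        print_exec_prefix=yes
        ;;
    --libs)
        do_libs=yes
        ;;
    --cflags)
        do_cflags=yes
        ;;
    krb5)
        library=krb5
        ;;
    gssapi)
        library=gssapi
        ;;
    kadm-client)
        library=kadm-client
        ;;
    kadm-server)
        library=kadm-server
        ;;
    *)
        # Diagnostics go to stderr so that a caller capturing stdout with
        # command substitution does not receive the message as flags.
        echo "unknown option: $i" >&2
        exit 1
        ;;
    esac
done

if test "$do_usage" = "yes"; then
    echo "usage: $0 [options] [libraries]"
    echo "options: [--prefix[=dir]] [--exec-prefix[=dir]] [--libs] [--cflags]"
    echo "libraries: krb5 gssapi kadm-client kadm-server"
    exit $usage_exit
fi

# Defaults for a base-system installation.
test -n "$prefix" || prefix=/usr
test -n "$exec_prefix" || exec_prefix=/usr

# These paths are fixed: --prefix=dir and --exec-prefix=dir only change what
# --prefix and --exec-prefix print, not the -L/-I flags emitted below.
libdir=/usr/lib
includedirs='/usr/include/gssapi /usr/include/krb5'

if test "$print_prefix" = "yes"; then
    printf '%s\n' "$prefix"
fi

if test "$print_exec_prefix" = "yes"; then
    printf '%s\n' "$exec_prefix"
fi

if test "$do_libs" = "yes"; then
    lib_flags="-L${libdir}"
    # The library-specific flag comes first; every selection also links the
    # common krb5 set appended after the case.
    case $library in
    gssapi)
        lib_flags="$lib_flags -lgssapi"
        ;;
    kadm-client)
        lib_flags="$lib_flags -lkadm5clnt"
        ;;
    kadm-server)
        lib_flags="$lib_flags -lkadm5srv"
        ;;
    esac
    lib_flags="$lib_flags -lkrb5 -lasn1 -ldes -lroken"
    lib_flags="$lib_flags -lcrypto -lcom_err"
    echo "$lib_flags"
fi

if test "$do_cflags" = "yes"; then
    # printf instead of "echo -n", which not every /bin/sh implements; the
    # output is the same: one "-Idir " per directory, no trailing newline.
    for dir in $includedirs; do
        printf '%s ' "-I$dir"
    done
fi

exit 0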
--2oS5YaxWCcQjTEyO
Content-Type: text/plain; charset=us-ascii
Content-Disposition: attachment; filename="ktname.patch"
--- src/mod_auth_kerb.c.orig	2004年08月10日 14:01:01.000000000 +0200
+++ src/mod_auth_kerb.c	2005年06月28日 12:11:25.000000000 +0200
@@ -1120,6 +1120,10 @@
 }
 sprintf(ktname, "KRB5_KTNAME=%s", conf->krb_5_keytab);
 putenv(ktname);
+#ifdef HEIMDAL
+ /* Seems to be also supported by latest MIT */
+ gsskrb5_register_acceptor_identity(conf->krb_5_keytab);
+#endif
 }
 
 ret = get_gss_creds(r, conf, &server_creds);
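Review bot: The return value of `gsskrb5_register_acceptor_identity()` is discarded in the added lines, so if registering the keytab fails the code still reaches `get_gss_creds()` and presumably acquires credentials from a keytab other than the one `Krb5Keytab` names, which is the case this patch sets out to prevent. Check the status, e.g. `if (GSS_ERROR(gsskrb5_register_acceptor_identity(conf->krb_5_keytab)))`, and log and fail the request in that branch. The call is also compiled only under `#ifdef HEIMDAL`, and the configure output quoted earlier in this message shows that detection answering "no" on the poster's system, so a build where the macro stays undefined silently drops the fix. The enclosing function begins and ends outside the hunk.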
--2oS5YaxWCcQjTEyO
Content-Type: text/plain; charset=us-ascii
Content-Disposition: attachment; filename="makefile_rm.patch"
--- Makefile.in.orig	2004年07月05日 22:47:42.000000000 +0200
+++ Makefile.in	2004年11月03日 00:11:29.000000000 +0100
@@ -10,6 +10,8 @@
 LDFLAGS = $(KRB5_LDFLAGS) $(KRB4_LDFLAGS) $(LIB_resolv)
 CFLAGS =
 
+RM = rm -f
+
 all: src/mod_auth_kerb.so
 
 src/mod_auth_kerb.so: src/mod_auth_kerb.c $(SPNEGO_SRCS)
@@ -20,7 +22,7 @@
 
 clean:
 	for i in . src spnegokrb5; do \
-		$(RM) $$i/*.{o,so,a,la,lo,slo} core; \
+		$(RM) $$i/*.[oa] $$i/*.so $$i/*.l[ao] $$i/*.slo core; \
 	done
 
 distclean: clean
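Review bot: `core` on the rewritten `$(RM)` line has no `$$i/` prefix, so each of the three loop iterations removes `./core`, and core files in `src` and `spnegokrb5` are left behind. `$$i/core` looks like what was intended: `$(RM) $$i/*.[oa] $$i/*.so $$i/*.l[ao] $$i/*.slo $$i/core; \`. The visible lines also show no `.PHONY` declaration for `clean` and `distclean`, so a file with either name would stop the rule from running; the `distclean` rule continues outside the hunk.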
--2oS5YaxWCcQjTEyO--
